From mbasti at redhat.com Fri Apr 1 07:15:56 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 1 Apr 2016 09:15:56 +0200
Subject: [Freeipa-users] Install/promote new CA old one corrupted before backups
Message-ID: <56FE202C.20004@redhat.com>

On 31.03.2016 16:09, McNiel, Craig wrote:
> I was installing a 7 host IPA with ipa01 being the CA and the others
> being replicas of this node. This was to be the production
> installation of IPA and the admins/users started using it prior to the
> installation being completed and before I had snapshots/backup created
> of the servers.
>
> The ipa01 host disk was corrupted so I no longer have a CA, just the
> other 6 nodes. How can I install/promote or otherwise recreate the
> CA? I have looked online for instructions but I run into issues
> almost immediately with the accuracy for the version I'm using in the
> documentation, as many of the files it indicates need updates don't even
> exist.
>
> Thanks
>
> ipa-python-4.2.0-15.el7.centos.3.x86_64
> ipa-admintools-4.2.0-15.el7.centos.3.x86_64
> ipa-server-dns-4.2.0-15.el7.centos.3.x86_64
> sssd-ipa-1.13.0-40.el7_2.1.x86_64
> ipa-server-4.2.0-15.el7.centos.3.x86_64
> libipa_hbac-1.13.0-40.el7_2.1.x86_64
> ipa-client-4.2.0-15.el7.centos.3.x86_64
>

Hello,

Several things are not clear to me from your email. Can you please answer the following questions?

Do you have CA installed on other replicas?
Do you have backup of the original server (ipa-backup, or snapshot)?
Which documentation did you follow?
What did you try?

Martin Basti
From pspacek at redhat.com Fri Apr 1 08:12:21 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 1 Apr 2016 10:12:21 +0200
Subject: [Freeipa-users] FreeIPA Deployment Proposal (request for recommendations)
Message-ID: <56FE2D65.1070903@redhat.com>

Hello,

most importantly:
- FreeIPA does not support real multi-tenancy
- FreeIPA is not a general purpose DNS server and does not (and will not) support DNS views

Whether real multi-tenancy is required depends on your use-case and the possibilities your users have. Do users join their custom machines into FreeIPA? If not, and everything is, let's say, hidden behind a web app, it might be possible to hack it in a way which pretends multi-tenancy.

Missing support for DNS views can be worked around with custom scripting or, even better: the FreeIPA team is looking forward to better integration capabilities with external DNS infrastructure. If you are willing to work with us on it, the progress will be faster :-)

Petr^2 Spacek

On 1.4.2016 00:22, Michael S. Moody wrote:
> Hello FreeIPA Devs/Mailing List,
>
> We use FreeIPA to great success in several places, but we want to roll it
> out for us. Thus, we want to ask about best practices for the type of
> deployment we're planning. First, FreeIPA is truly awesome, and the glue
> that holds all these pieces together is really a phenomenal achievement. We
> want to set up our FreeIPA deployment according to best practices.
>
> As it stands today, we want to implement FreeIPA to take over the
> authentication duties and DNS duties of an infrastructure which we are in
> the process of rebuilding from scratch, so we're not worried about
> retroactively making things work on older systems. This is an important
> point for us, basically consider that we're doing everything from scratch,
> and re-basing off of CentOS 7. (Apologies in advance for the wall-of-text).
>
> Who we are:
>
> We are a Managed Services Provider with multiple clients, and manage our
> clients' systems end-to-end. This enables us to have full control over the
> infrastructure.
>
> Topology:
>
> We currently have 3 (where we'll place FreeIPA at least) datacenter
> facilities in the USA, and are bringing a 4th DC online in the EU shortly.
> These datacenters are protected via enterprise-grade hardware firewalls,
> and we have VPNs across the DCs to allow our various infrastructure pieces
> to communicate on internal subnets vs across the public WAN. Additionally,
> we advertise our own IP addresses via BGP. We also have (bind-based) DNS in
> each DC, but primarily for external purposes.
>
> Private:
> US-EAST: 172.29.0.0/19
> US-WEST: 172.29.32.0/19
> US-SOUTH: 172.29.64.0/19
> EU-WEST: 172.29.96.0/19
>
> Public:
> US-EAST: 1.1.1.0/24
> US-WEST: 1.1.2.0/24
> US-SOUTH: 1.1.3.0/24
> EU-WEST: 1.1.4.0/24
>
> Goals:
>
> 1. We want to have centralized authentication for our entire infrastructure.
> 2. We want the authentication to be highly available (FreeIPA replicas)
> 3. We want to have a drastically improved DNS system that handles both
>    external (domain names) and internal (systems).
> 4. We want that DNS system to also be highly available (FreeIPA replicas
>    with bind-ldap as the backend seems to be the best way)
> 5. We want to use our own SSL certificates if at all possible (wildcard
>    certificates, letsencrypt, etc)
> 6. We would like to be multi-tenant with domains/realms/whatever so that
>    CLIENT1 can have their authentication of their systems centralized through
>    our FreeIPA. Similar for CLIENT2, CLIENT3, etc. The clients don't care, so
>    how this is set up is up to us/best practices.
> 7. As part of the multi-tenancy, we don't want all users to be able to see
>    all users.
>    To be more clear, we want to have 1 FreeIPA infrastructure that
>    can use our domain (let's call it GREATMSP.COM), and have systems for
>    CLIENT1 as part of CLIENT1.GREATMSP.COM or whatever the best way is. We
>    also want where if they login to FreeIPA, they'll only see their
>    users/systems.
> 8. If we use GREATMSP.COM as the domain, we of course want to still have
>    all of our normal DNS records (MX, NS, etc, etc). We're perfectly good with
>    (and prefer) using the more robust FreeIPA as nameservers for our root
>    domain name.
> 9. We would like users to be able to self manage (FreeIPA web ui)
> 10. We plan to have at least 2 x FreeIPA servers in each DC, with the more
>    likely scenario being 4 x in each DC.
> 11. We want to use DNSSEC wherever possible. Because security.
> 12. Ideally, can we use the FreeIPA servers as NTP servers?
>
> Questions:
>
> 1. What services/ports can we safely expose to the outside world, and what
>    services/ports NEED to be exposed to the outside world for this to work
>    effectively with systems in multiple DCs?
> 2. As part of the above, should authentication only be done across the VPN?
> 3. Can we safely use our main domain name (GREATMSP.COM) as the domain for
>    FreeIPA? As part of this, we have, say, TICKETING.GREATMSP.COM (a web app
>    which will remain the same), and for systems, we might have
>    SSH01.US-EAST.PRODUCTION.GREATMSP.COM (or perhaps
>    SSH01.DC.US-EAST.PRODUCTION.GREATMSP.COM for the internal, and
>    SSH01.US-EAST.PRODUCTION.GREATMSP.COM for the external).
> 4. Can we use this as a more generalized DNS system for other customer
>    domains as opposed to our current bind system? If so, is it as simple as
>    registering all of the FreeIPA servers (replicas) as NS servers with the
>    registrar?
> 5.
>    Since we want to be effectively multi-tenant, can we make it so that all
>    authentication from the CLIENT1 infrastructure uses external addresses vs
>    us needing to open holes into our FreeIPA infrastructure via VPN? How safe
>    is/can this be?
> 6. We see some notes about CA-Less being somewhat broken. Is this true?
>
> (Things we don't really need/want to do):
>
> 1. Have each Client have their own SSL certs (complete non issue)
>
> Things we don't know we don't know:
>
> 1. Robustness?
> 2. Security?
> 3. Performance?
> 4. Anything else we haven't thought of?
>
> Any help you can provide would be wonderful. We have attached a proposed
> diagram of what we're thinking of trying to accomplish.
>
> Thanks in advance,
>
> Michael
>

-- 
Petr^2 Spacek

From craig.mcniel at pearson.com Fri Apr 1 13:24:44 2016
From: craig.mcniel at pearson.com (McNiel, Craig)
Date: Fri, 1 Apr 2016 08:24:44 -0500
Subject: [Freeipa-users] Install/promote new CA old one corrupted before backups
In-Reply-To: <56FE202C.20004@redhat.com>
References: <56FE202C.20004@redhat.com>

Sadly -

I don't think that CA is installed on other replicas. They were installed following the replica-prepare and replica-install process with nothing else done outside of this process to install CA.

I did not have backups yet when the incident occurred so I only have the replicas created from the original CA/master.

The documentation that I was following was the following:

http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

I rapidly ran into issues with this on the replicas which I suspect is due to them not having CA installed.

Thanks !

Craig

On Fri, Apr 1, 2016 at 2:15 AM, Martin Basti wrote:
>
> On 31.03.2016 16:09, McNiel, Craig wrote:
>
> I was installing a 7 host IPA with ipa01 being the CA and the others being
> replicas of this node.
> This was to be the production installation of IPA
> and the admins/users started using it prior to the installation being
> completed and before I had snapshots/backup created of the servers.
>
> The ipa01 host disk was corrupted so I no longer have a CA, just the other
> 6 nodes. How can I install/promote or otherwise recreate the CA? I have
> looked online for instructions but I run into issues almost immediately
> with the accuracy for the version I'm using in the documentation, as many of
> the files it indicates need updates don't even exist.
>
> Thanks
>
> ipa-python-4.2.0-15.el7.centos.3.x86_64
> ipa-admintools-4.2.0-15.el7.centos.3.x86_64
> ipa-server-dns-4.2.0-15.el7.centos.3.x86_64
> sssd-ipa-1.13.0-40.el7_2.1.x86_64
> ipa-server-4.2.0-15.el7.centos.3.x86_64
> libipa_hbac-1.13.0-40.el7_2.1.x86_64
> ipa-client-4.2.0-15.el7.centos.3.x86_64
>
> Hello,
>
> Several things are not clear to me from your email. Can you please answer
> the following questions?
>
> Do you have CA installed on other replicas?
> Do you have backup of the original server (ipa-backup, or snapshot)?
> Which documentation did you follow?
> What did you try?
>
> Martin Basti
>

-- 
Craig McNiel
Assessment and Instruction
2510 North Dodge Street
Iowa City, Iowa 52240
D: 319-341-6390
C: 319-430-9252
T: 877-627-2222 (Team On-call Support)
Pearson
Always Learning
Learn more at www.pearsonassessments.com

From jeffrey.armstrong at gasoc.com Fri Apr 1 17:14:06 2016
From: jeffrey.armstrong at gasoc.com (Armstrong, Jeffrey)
Date: Fri, 1 Apr 2016 17:14:06 +0000
Subject: [Freeipa-users] using sudo in ipa
Message-ID: <3DAC7A5927B8594195EA704FB41255B0658A1A70@Supernatural2.gafoc.com>

Hi

I would like to know how to configure sudo in the IdM environment. I need to know how to configure sudo access without asking for a password.
Jeffrey Armstrong - Senior ECS Engineer
ECMS - Application Support Team
Office Phone - 770-270-7421
Cell Phone - 404-323-7386

From mrorourke at earthlink.net Fri Apr 1 17:38:58 2016
From: mrorourke at earthlink.net (Michael ORourke)
Date: Fri, 1 Apr 2016 13:38:58 -0400 (GMT-04:00)
Subject: [Freeipa-users] using sudo in ipa
Message-ID: <9951461.1459532338756.JavaMail.wam@elwamui-polski.atl.sa.earthlink.net>

An HTML attachment was scrubbed...

From lists at fahrendorf.de Fri Apr 1 18:53:56 2016
From: lists at fahrendorf.de (Martin (Lists))
Date: Fri, 1 Apr 2016 20:53:56 +0200
Subject: [Freeipa-users] start and stop of ipa commands in systemd
Message-ID: <56FEC3C4.9000801@fahrendorf.de>

Hello

I have a question regarding enabling/disabling separate ipa parts in systemd. Is it necessary or required to have httpd, directory server, named, memcache and all the other ipa services enabled in systemd? Or is it recommended to have only the main ipa service enabled (and all the others disabled)?

Regards
Martin

From jeremy at ifuzioncorp.com Fri Apr 1 19:36:07 2016
From: jeremy at ifuzioncorp.com (Jeremy Utley)
Date: Fri, 1 Apr 2016 14:36:07 -0500
Subject: [Freeipa-users] Closing off some ports for FreeIPA

Hello all on the list.

First off, if this is documented somewhere I'm not aware of, I apologize for the noise. I've spent a couple of hours searching Google without success, so pointers to any documentation I've missed would be greatly appreciated!

We're in the process of setting up a FreeIPA system within our ultra-secure PCI zone. It's currently working well, and we are very happy with it.
However, we know that come our next audit we're going to get hit on a few things, so I would like to ask about blocking off some additional ports (specifically 80, 389, 53). 53 I think will be safe to block off, as all our clients actually use a dedicated caching DNS system with unbound, which has been configured to forward all queries for the zone "ipa.domain.com" to the FreeIPA servers, so we should be able to block 53 from everywhere but the unbound servers without breakage.

However, ports 80 and 389 I'm not so sure about. I know most things that hit port 80 get redirected to 443, and 389 provides STARTTLS functionality, but in theory these ports can provide unencrypted communications, and therefore our auditors will ask that they be closed off. However, in my research so far, I have not been able to find out what the ramifications would be of blocking these ports for the IPA system itself (would it fall back to using SSL on 636? Would API calls fail if port 80 is closed?).

I also know that the ipa-client-install script will check to ensure these ports are open - temporarily opening them for the client setup will not be an issue, if we can close them back down after that. We do not add systems within this zone very often, so this is a minor issue.

Thanks for any advice you can give!

Jeremy

From rcritten at redhat.com Fri Apr 1 19:57:51 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 1 Apr 2016 15:57:51 -0400
Subject: [Freeipa-users] Closing off some ports for FreeIPA
Message-ID: <56FED2BF.4090407@redhat.com>

Jeremy Utley wrote:
> Hello all on the list.
>
> First off, if this is documented somewhere I'm not aware of, I apologize
> for the noise. I've spent a couple of hours searching Google
> without success, so pointers to any documentation I've missed would be
> greatly appreciated!
>
> We're in the process of setting up a FreeIPA system within our
> ultra-secure PCI zone. It's currently working well, and we are very
> happy with it. However, we know that come our next audit, we're going
> to get hit on a few things, so I would like to ask about blocking off
> some additional ports (specifically 80, 389, 53). 53 I think will be
> safe to block off, as all our clients actually use a dedicated caching
> DNS system with unbound, which has been configured to forward all
> queries for the zone "ipa.domain.com" to the
> FreeIPA servers, so we should be able to block 53 from everywhere but
> the unbound servers without breakage.
>
> However, port 80 and 389 I'm not so sure about. I know most things that
> hit port 80 get redirected to 443, and 389 provides STARTTLS
> functionality, but in theory, these ports can provide unencrypted
> communications, and therefore our auditors will ask that they be closed
> off. However, in my research so far, I have not been able to find out
> what the ramifications would be to blocking these ports for the IPA
> system itself (would it fall back to using SSL on 636? Would API calls
> fail if port 80 is closed?).
>
> I also know that the ipa-client-install script will check to ensure
> these ports are open - temporarily opening them for the client setup
> will not be an issue, if we can close it back down after that. We do
> not add systems within this zone very often, so this is a minor issue.
>
> Thanks for any advice you can give!
>
> Jeremy
>

See this thread from earlier this week,
https://www.redhat.com/archives/freeipa-users/2016-March/msg00295.html

rob

From abokovoy at redhat.com Fri Apr 1 20:10:08 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 1 Apr 2016 23:10:08 +0300
Subject: [Freeipa-users] Closing off some ports for FreeIPA
Message-ID: <20160401201008.GV27275@redhat.com>

On Fri, 01 Apr 2016, Jeremy Utley wrote:
>Hello all on the list.
>
>First off, if this is documented somewhere I'm not aware of, I apologize
>for the noise. I've spent a couple of hours searching Google
>without success, so pointers to any documentation I've missed would be
>greatly appreciated!
>
>We're in the process of setting up a FreeIPA system within our ultra-secure
>PCI zone. It's currently working well, and we are very happy with it.
>However, we know that come our next audit, we're going to get hit on a few
>things, so I would like to ask about blocking off some additional ports
>(specifically 80, 389, 53). 53 I think will be safe to block off, as all
>our clients actually use a dedicated caching DNS system with unbound, which
>has been configured to forward all queries for the zone "ipa.domain.com" to
>the FreeIPA servers, so we should be able to block 53 from everywhere but
>the unbound servers without breakage.
>
>However, port 80 and 389 I'm not so sure about. I know most things that
>hit port 80 get redirected to 443, and 389 provides STARTTLS functionality,
>but in theory, these ports can provide unencrypted communications, and
>therefore our auditors will ask that they be closed off. However, in my
>research so far, I have not been able to find out what the ramifications
>would be to blocking these ports for the IPA system itself (would it fall
>back to using SSL on 636? Would API calls fail if port 80 is closed?).

You can always disable anonymous bind for LDAP by raising min ssf above zero. You can read in more detail how to increase the security of 389-ds communications here:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/SecureConnections.html

FreeIPA does not require port 80 to be working for its API calls.

Switching to LDAPS via port 636 is not recommended. The use of LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was never standardized in any formal specification.
This usage has been deprecated along with LDAPv2, which was officially retired in 2003.

-- 
/ Alexander Bokovoy

From jeremy at ifuzioncorp.com Fri Apr 1 20:11:07 2016
From: jeremy at ifuzioncorp.com (Jeremy Utley)
Date: Fri, 1 Apr 2016 15:11:07 -0500
Subject: [Freeipa-users] Closing off some ports for FreeIPA
In-Reply-To: <56FED2BF.4090407@redhat.com>
References: <56FED2BF.4090407@redhat.com>

On Fri, Apr 1, 2016 at 2:57 PM, Rob Crittenden wrote:
> Jeremy Utley wrote:
>
>> Hello all on the list.
>>
>> First off, if this is documented somewhere I'm not aware of, I apologize
>> for the noise. I've spent a couple of hours searching Google
>> without success, so pointers to any documentation I've missed would be
>> greatly appreciated!
>>
>> We're in the process of setting up a FreeIPA system within our
>> ultra-secure PCI zone. It's currently working well, and we are very
>> happy with it. However, we know that come our next audit, we're going
>> to get hit on a few things, so I would like to ask about blocking off
>> some additional ports (specifically 80, 389, 53). 53 I think will be
>> safe to block off, as all our clients actually use a dedicated caching
>> DNS system with unbound, which has been configured to forward all
>> queries for the zone "ipa.domain.com" to the
>> FreeIPA servers, so we should be able to block 53 from everywhere but
>> the unbound servers without breakage.
>>
>> However, port 80 and 389 I'm not so sure about. I know most things that
>> hit port 80 get redirected to 443, and 389 provides STARTTLS
>> functionality, but in theory, these ports can provide unencrypted
>> communications, and therefore our auditors will ask that they be closed
>> off. However, in my research so far, I have not been able to find out
>> what the ramifications would be to blocking these ports for the IPA
>> system itself (would it fall back to using SSL on 636? Would API calls
>> fail if port 80 is closed?).
>>
>> I also know that the ipa-client-install script will check to ensure
>> these ports are open - temporarily opening them for the client setup
>> will not be an issue, if we can close it back down after that. We do
>> not add systems within this zone very often, so this is a minor issue.
>>
>> Thanks for any advice you can give!
>>
>> Jeremy
>>
>
> See this thread from earlier this week,
> https://www.redhat.com/archives/freeipa-users/2016-March/msg00295.html
>
> rob
>

Thank you, Rob! I think that will answer my questions, and hopefully the auditors!

Jeremy

From ftweedal at redhat.com Mon Apr 4 02:16:19 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 4 Apr 2016 12:16:19 +1000
Subject: [Freeipa-users] Install/promote new CA old one corrupted before backups
References: <56FE202C.20004@redhat.com>
Message-ID: <20160404021619.GF18277@dhcp-40-8.bne.redhat.com>

On Fri, Apr 01, 2016 at 08:24:44AM -0500, McNiel, Craig wrote:
> Sadly -
>
> I don't think that CA is installed on other replicas. They were installed
> following the replica-prepare and replica-install process with nothing else
> done outside of this process to install CA.
>
> I did not have backups yet when the incident occurred so I only have the
> replicas created from the original CA/master.
>
> The documentation that I was following was the following:
>
> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
>
> I rapidly ran into issues with this on the replicas which I suspect is due
> to them not having CA installed.
>
Correct; the "promote CA to renewal master" means promoting an existing CA replica to be the default replica for certificate renewal and CRL generation.

Have you kept any of the *replica files* with which the replicas were created?
The replica file is what is produced by the `ipa-replica-prepare' command, and is supplied to `ipa-replica-install' to actually install the replica. From any one of these files you can extract the CA signing certificate and run `ipa-ca-install' on one of the replicas to reinstate the CA.

I have never attempted this but some of the gotchas might be:

- some manual updates in the IPA directory might be necessary to "trick" it into believing it is a hitherto CA-less deployment

- some config changes may be needed to ensure the new CA instance issues certificates starting from an appropriate serial number (how many certs were previously issued by the now-lost CA?)

If you can confirm that you do have a replica file I will spend the time to work out exactly what you need to do.

Cheers,
Fraser

> Thanks !
>
> Craig
>
> On Fri, Apr 1, 2016 at 2:15 AM, Martin Basti wrote:
>
> >
> > On 31.03.2016 16:09, McNiel, Craig wrote:
> >
> > I was installing a 7 host IPA with ipa01 being the CA and the others being
> > replicas of this node. This was to be the production installation of IPA
> > and the admins/users started using it prior to the installation being
> > completed and before I had snapshots/backup created of the servers.
> >
> > The ipa01 host disk was corrupted so I no longer have a CA, just the other
> > 6 nodes. How can I install/promote or otherwise recreate the CA? I have
> > looked online for instructions but I run into issues almost immediately
> > with the accuracy for the version I'm using in the documentation, as many of
> > the files it indicates need updates don't even exist.
> >
> > Thanks
> >
> > ipa-python-4.2.0-15.el7.centos.3.x86_64
> > ipa-admintools-4.2.0-15.el7.centos.3.x86_64
> > ipa-server-dns-4.2.0-15.el7.centos.3.x86_64
> > sssd-ipa-1.13.0-40.el7_2.1.x86_64
> > ipa-server-4.2.0-15.el7.centos.3.x86_64
> > libipa_hbac-1.13.0-40.el7_2.1.x86_64
> > ipa-client-4.2.0-15.el7.centos.3.x86_64
> >
> > Hello,
> >
> > Several things are not clear to me from your email. Can you please answer
> > the following questions?
> >
> > Do you have CA installed on other replicas?
> > Do you have backup of the original server (ipa-backup, or snapshot)?
> > Which documentation did you follow?
> > What did you try?
> >
> > Martin Basti
> >
>
> --
> Craig McNiel
> Assessment and Instruction
> 2510 North Dodge Street
> Iowa City, Iowa 52240
> D: 319-341-6390
> C: 319-430-9252
> T: 877-627-2222 (Team On-call Support)
> Pearson
> Always Learning
> Learn more at www.pearsonassessments.com
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From mrorourke at earthlink.net Mon Apr 4 02:10:41 2016
From: mrorourke at earthlink.net (Michael ORourke)
Date: Sun, 3 Apr 2016 22:10:41 -0400 (EDT)
Subject: [Freeipa-users] FreeIPA Deployment Proposal (request for recommendations)
Message-ID: <10521688.1459735842212.JavaMail.wam@mswamui-andean.atl.sa.earthlink.net>

An HTML attachment was scrubbed...

From mbabinsk at redhat.com Mon Apr 4 07:06:50 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Mon, 4 Apr 2016 09:06:50 +0200
Subject: [Freeipa-users] start and stop of ipa commands in systemd
In-Reply-To: <56FEC3C4.9000801@fahrendorf.de>
References: <56FEC3C4.9000801@fahrendorf.de>
Message-ID: <5702128A.2080302@redhat.com>

On 04/01/2016 08:53 PM, Martin (Lists) wrote:
> Hello
>
> I have a question regarding enabling/disabling separate ipa parts in
> systemd.
> Is it necessary or required to have httpd, directory server,
> named, memcache and all the other ipa services enabled in systemd?
> Or is it recommended to have only the main ipa service enabled (and all
> the others disabled)?
>
> Regards
> Martin
>
Hi Martin,

ipa.service actually calls the `ipactl` command which starts/stops all individual components at once (dirsrv, http, kdc, kpasswd, memcache, pki-tomcat etc.). All of these services (which are listed in `ipactl status`) must be up and running for the IPA server to work correctly in all aspects.

So in this sense 'ipa.service' is just an umbrella that groups all the components of a FreeIPA installation.

-- 
Martin^3 Babinsky

From abokovoy at redhat.com Mon Apr 4 08:01:20 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 4 Apr 2016 11:01:20 +0300
Subject: [Freeipa-users] start and stop of ipa commands in systemd
In-Reply-To: <5702128A.2080302@redhat.com>
References: <56FEC3C4.9000801@fahrendorf.de> <5702128A.2080302@redhat.com>
Message-ID: <20160404080120.GA25690@redhat.com>

On Mon, 04 Apr 2016, Martin Babinsky wrote:
>On 04/01/2016 08:53 PM, Martin (Lists) wrote:
>>Hello
>>
>>I have a question regarding enabling/disabling separate ipa parts in
>>systemd. Is it necessary or required to have httpd, directory server,
>>named, memcache and all the other ipa services enabled in systemd?
>>Or is it recommended to have only the main ipa service enabled (and all
>>the others disabled)?
>>
>>Regards
>>Martin
>>
>Hi Martin,
>
>ipa.service actually calls the `ipactl` command which starts/stops all
>individual components at once (dirsrv, http, kdc, kpasswd, memcache,
>pki-tomcat etc.). All of these services (which are listed in `ipactl
>status`) must be up and running for the IPA server to work correctly in
>all aspects.
>
>So in this sense 'ipa.service' is just an umbrella that groups all the
>components of a FreeIPA installation.
I think Martin's question was more about those services being enabled in systemd by themselves. The answer is 'no', because ipa.service takes care of that based on the state of services we keep in LDAP.

Unfortunately, all init systems to date only care about a single host's status. In the IPA case we have a multinode environment where different services may be activated on the nodes depending on what was enabled. You can have base IPA (dirsrv, KDC, httpd) running on the majority of masters, but then some of them would also be running CAs and potentially they can run Samba services for AD integration. The status of these services is recorded in LDAP because this is what we have as a replicated store that all IPA masters know about. This information is needed for more uses than just the init system on a specific host, though.

-- 
/ Alexander Bokovoy

From jpazdziora at redhat.com Mon Apr 4 08:18:17 2016
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Mon, 4 Apr 2016 10:18:17 +0200
Subject: [Freeipa-users] start and stop of ipa commands in systemd
In-Reply-To: <5702128A.2080302@redhat.com>
References: <56FEC3C4.9000801@fahrendorf.de> <5702128A.2080302@redhat.com>
Message-ID: <20160404081817.GP16196@redhat.com>

On Mon, Apr 04, 2016 at 09:06:50AM +0200, Martin Babinsky wrote:
> On 04/01/2016 08:53 PM, Martin (Lists) wrote:
> >
> >I have a question regarding enabling/disabling separate ipa parts in
> >systemd. Is it necessary or required to have httpd, directory server,
> >named, memcache and all the other ipa services enabled in systemd?
> >Or is it recommended to have only the main ipa service enabled (and all
> >the others disabled)?
>
> ipa.service actually calls the `ipactl` command which starts/stops all
> individual components at once (dirsrv, http, kdc, kpasswd, memcache,
> pki-tomcat etc.). All of these services (which are listed in `ipactl
> status`) must be up and running for the IPA server to work correctly in all
> aspects.
>
> So in this sense 'ipa.service' is just an umbrella that groups all the
> components of a FreeIPA installation.

For production operation, what Martin B. has said is the recommended way.

In the future, a native systemd approach is likely to be used:
https://fedorahosted.org/freeipa/ticket/4552

At the same time, we will likely explore the possibility of running various pieces on different machines (or in different containers). If you are interested in exploring those areas and helping us develop them, we'll be happy to hear about your findings.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From mkosek at redhat.com Mon Apr 4 08:16:22 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 4 Apr 2016 10:16:22 +0200
Subject: [Freeipa-users] using sudo in ipa
In-Reply-To: <3DAC7A5927B8594195EA704FB41255B0658A1A70@Supernatural2.gafoc.com>
References: <3DAC7A5927B8594195EA704FB41255B0658A1A70@Supernatural2.gafoc.com>
Message-ID: <570222D6.606@redhat.com>

On 04/01/2016 07:14 PM, Armstrong, Jeffrey wrote:
> Hi
>
> I would like to know how to configure sudo in the IdM environment. I need to
> know how to configure sudo access without asking for a password.
>
> Jeffrey Armstrong - Senior ECS Engineer
> ECMS - Application Support Team
> Office Phone - 770-270-7421
> Cell Phone - 404-323-7386

Hi,

There is some documentation here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/sudo.html

As for preventing asking for the password, you can use the "!authenticate" sudo option that is set in the FreeIPA sudo rule.

From prasun.gera at gmail.com Mon Apr 4 10:04:34 2016
From: prasun.gera at gmail.com (Prasun Gera)
Date: Mon, 4 Apr 2016 06:04:34 -0400
Subject: [Freeipa-users] Disabling passwd NIS map

I have a master + replica setup on RHEL 7.2 (ipa 4.2).
When this was set up, most of the clients were on NIS, and hence the NIS compatibility and migration mode were enabled. The NIS maps in use right now are passwd, group and autofs. Passwords were set to CRYPT for this to work. I have managed to join all the clients to ipa now. So I would like to disable the passwd maps, or at least make them benign. I would also like to switch back to SSHA for passwords, or whatever else is recommended. However, I don't want to disable the other NIS maps yet. autofs doesn't work well on old clients with sssd, and regularly gives trouble with new clients too. I think there are some uses for the group map too. I think group and autofs aren't major security issues, right? How do I go about achieving this? I have no experience with modifying ldap files directly. If I have to modify files manually, do I have to do it on the master and replica?

From lists at fahrendorf.de Mon Apr 4 11:40:22 2016
From: lists at fahrendorf.de (Martin (Lists))
Date: Mon, 4 Apr 2016 13:40:22 +0200
Subject: [Freeipa-users] start and stop of ipa commands in systemd
In-Reply-To: <5702128A.2080302@redhat.com>
References: <56FEC3C4.9000801@fahrendorf.de> <5702128A.2080302@redhat.com>
Message-ID: <570252A6.4090702@fahrendorf.de>

On 04.04.2016 at 09:06, Martin Babinsky wrote:
> On 04/01/2016 08:53 PM, Martin (Lists) wrote:
>> Hello
>>
>> I have a question regarding enabling/disabling separate ipa parts in
>> systemd. Is it necessary or required to have httpd, directory server,
>> named, memcache and all the other ipa services enabled in systemd?
>> Or is it recommended to have only the main ipa service enabled (and all
>> the others disabled)?
>>
>> Regards
>> Martin
>>
> Hi Martin,
>
> ipa.service actually calls the `ipactl` command which starts/stops all
> individual components at once (dirsrv, http, kdc, kpasswd, memcache,
> pki-tomcat etc.).
All of these services (which are listed in `ipactl > status`) must be up and running for IPA server to work correctly in all > aspects. > > So in this sense 'ipa.service' is just an umbrella that groups all the > components of FreeIPA installation. >

For starting and stopping all necessary parts this is OK. But if I have enabled some of these services directly in systemd (let's say memcached or the LDAP server), does that cause problems during startup or shutdown?

Maybe it is just a coincidence, but I had several warnings (up to thousands) in the past from the LDAP server at a simple restart of the server:

DSRetroclPlugin - delete_changerecord: could not delete change record 553423 (rc: 32): 1 Time(s)

And I have not found any reason for this. Therefore the question: can this be due to a wrong shutdown or startup sequence by systemd?

Last time I ran "ipactl stop" before restarting the server and had no such warnings. As I said, maybe it's just a coincidence.

I run ipa on an up-to-date Fedora 23 server.

Regards Martin

From lkrispen at redhat.com Mon Apr 4 12:02:10 2016 From: lkrispen at redhat.com (Ludwig Krispenz) Date: Mon, 04 Apr 2016 14:02:10 +0200 Subject: [Freeipa-users] start and stop of ipa commands in systemd In-Reply-To: <570252A6.4090702@fahrendorf.de> References: <56FEC3C4.9000801@fahrendorf.de> <5702128A.2080302@redhat.com> <570252A6.4090702@fahrendorf.de> Message-ID: <570257C2.3090301@redhat.com>

On 04/04/2016 01:40 PM, Martin (Lists) wrote: > On 04.04.2016 at 09:06, Martin Babinsky wrote: >> On 04/01/2016 08:53 PM, Martin (Lists) wrote: >>> Hello >>> >>> I have a question regarding enabling/disabling separate ipa parts in >>> systemd. Is it necessary or required to have httpd, directory server, >>> named memcache and all the other ipa services to be enabled in systemd? >>> Or is it recommended to have only the main ipa service enabled (and all >>> the others disabled)?
>>> >>> Regards >>> Martin >>> >> Hi Martin, >> >> ipa.service actually calls `ipactl` command which starts/stops all >> individual components at once (dirsrv, http, kdc, kpasswd, memcache, >> pki-tomcat etc.). All of these services (which are listed in `ipactl >> status`) must be up and running for IPA server to work correctly in all >> aspects. >> >> So in this sense 'ipa.service' is just an umbrella that groups all the >> components of FreeIPA installation. >> > For starting and stopping all necessary parts this is OK. But if I > have enabled some of these services directly in systemd (let's say > memcached or the LDAP server), does that cause problems during startup or > shutdown? > > Maybe it is just a coincidence, but I had several warnings (up to > thousands) in the past from the LDAP server at a simple restart of the > server: > > DSRetroclPlugin - delete_changerecord: could not delete change record > 553423 (rc: 32): 1 Time(s) > > And I have not found any reason for this. Therefore the question: can > this be due to a wrong shutdown or startup sequence by systemd?

The DSRetroclPlugin messages occur when the starting point for trimming the retro changelog was incorrectly set. The messages themselves are harmless, just skipping no longer existing changes. I think a crash or kill at shutdown will increase the probability of running into these scenarios.

> > Last time I ran "ipactl stop" before restarting the server and had no > such warnings. As I said, maybe it's just a coincidence. > > I run ipa on an up-to-date Fedora 23 server.
> > Regards > Martin >

-- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill

From pspacek at redhat.com Tue Apr 5 08:43:14 2016 From: pspacek at redhat.com (Petr Spacek) Date: Tue, 5 Apr 2016 10:43:14 +0200 Subject: [Freeipa-users] DNS operation timed out when installing IPA with forwarders In-Reply-To: <986ED6C5BA6EFD49B00A4CEABE2E8FDA276AD7A2@HICTATRIUEM023.msnet.railb.be> References: <986ED6C5BA6EFD49B00A4CEABE2E8FDA276AC4D5@HICTATRIUEM023.msnet.railb.be> <56C71189.3020303@redhat.com> <986ED6C5BA6EFD49B00A4CEABE2E8FDA276AC589@HICTATRIUEM023.msnet.railb.be> <56C72213.4090802@redhat.com> <56CADD67.8060606@redhat.com> <986ED6C5BA6EFD49B00A4CEABE2E8FDA276AD7A2@HICTATRIUEM023.msnet.railb.be> Message-ID: <57037AA2.2080807@redhat.com>

On 24.2.2016 13:19, Geselle Stijn wrote: > Adding a forward zone like Martin suggested works. > I will definitely read the section you linked to get a better understanding of the differences between both. > > Doing a dig for google.com won't work in our case, because the servers are not internet-facing.

Hi, this effectively means that the servers you specified are not usable as global forwarders, so the check serves its purpose. The problem is that a DNS server in general is not supposed to drop queries. At the very least it should answer with a REFUSED message so the client can see that the query was administratively prohibited. I hope this explains the nature of the check.
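Petr's point above, as an added example written for this page (not code from FreeIPA or from anyone in the thread): a POSIX shell script that reproduces the installer's global-forwarder check offline by classifying what a candidate forwarder returns for the root SOA query. Only a root-zone answer counts as usable; SERVFAIL (Stijn's case) or REFUSED is at least an honest reply, while a dropped query is what the installer reports as a timeout. The dig outputs are constructed samples (the SERVFAIL one follows the shape Stijn posted), the 192.0.2.x addresses are documentation addresses, and the function names are assumptions; only check_forwarder() talks to the network, and it is not called here.

```shell
#!/bin/sh
# Added example: classify what a candidate global forwarder returned for the
# '. SOA' query that ipa-server-install sends. Input is dig output text.
# Prints one of: usable, refused, servfail, timeout, or the lowercased rcode.
classify_forwarder_reply() {
    printf '%s\n' "$1" | awk '
        /connection timed out|no servers could be reached/ { timedout = 1 }
        /->>HEADER<<-/ {
            for (i = 1; i <= NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /ANSWER:/ {
            for (i = 1; i <= NF; i++)
                if ($i == "ANSWER:") { answers = $(i + 1); sub(/,$/, "", answers) }
        }
        END {
            # no header at all means nothing came back: treat it like a timeout
            if (timedout || status == "") print "timeout"
            else if (status == "NOERROR" && answers + 0 > 0) print "usable"
            else if (status == "REFUSED") print "refused"
            else print tolower(status)
        }'
}

# Live version of the installer check with the same 10-second budget
# (assumed wrapper; not executed in this example). $1: forwarder address.
check_forwarder() {
    classify_forwarder_reply "$(dig +time=10 +tries=1 @"$1" . SOA 2>&1)"
}

# Constructed dig outputs. SAMPLE_SERVFAIL mirrors the reply Stijn's Windows
# DNS server gave; the others are what a refusing, a working, and a silently
# dropping forwarder look like.
SAMPLE_SERVFAIL='; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.2 <<>> @192.168.1.1 . SOA
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44900
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_REFUSED='; <<>> DiG 9.9.4 <<>> @192.0.2.1 . SOA
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1001
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

SAMPLE_USABLE='; <<>> DiG 9.9.4 <<>> @192.0.2.53 . SOA
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
.                       86400   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2016040500 1800 900 604800 86400'

SAMPLE_TIMEOUT='; <<>> DiG 9.9.4 <<>> @192.0.2.9 . SOA
;; connection timed out; no servers could be reached'

# Show the verdict for each sample: "@<server> . SOA -> <verdict>".
for s in "$SAMPLE_SERVFAIL" "$SAMPLE_REFUSED" "$SAMPLE_USABLE" "$SAMPLE_TIMEOUT"; do
    printf '%s -> %s\n' \
        "$(printf '%s\n' "$s" | head -n 1 | sed 's/.*<<>> //')" \
        "$(classify_forwarder_reply "$s")"
done
```

A forwarder that comes back as servfail or refused is the case Martin described: use it for the zones it actually serves with `ipa dnsforwardzone-add --forwarder`, not as a global forwarder. A timeout verdict on a server that does answer for its own zones is the query-dropping behaviour Petr calls out.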
Petr^2 Spacek > > Stijn > > -----Original Message----- > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek > Sent: Monday 22 February 2016 11:05 > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] DNS operation timed out when installing IPA with forwarders > > On 19.2.2016 15:09, Martin Basti wrote: >> On 19.02.2016 14:57, Geselle Stijn wrote: >>> That seems to fail: >>> >>> [root at ipa ~]# dig @192.168.1.1 . SOA >>> >>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.2 <<>> @192.168.1.1 . SOA ; (1 >>> server >>> found) ;; global options: +cmd ;; Got answer: >>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44900 ;; flags: >>> qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 >>> >>> ;; OPT PSEUDOSECTION: >>> ; EDNS: version: 0, flags:; udp: 4000 ;; QUESTION SECTION: >>> ;. IN SOA >>> >>> ;; Query time: 11153 msec >>> ;; SERVER: 192.168.1.1#53(192.168.1.1) ;; WHEN: Fri Feb 19 14:42:51 >>> CET 2016 ;; MSG SIZE rcvd: 28 >>> >>> >>> But if I add a new record (e.g. CNAME) to DNS in Windows Server and >>> try to ping to that CNAME, I get resolved correctly. >>> >>> -Stijn >> Hello, >> >> global forwarders, specified by --forwarder option during installation >> or added via ipa dnsconfig-mod, must be able to resolve root zone >> (your forwarder/server 192.168.1.1 is not able to return result for root zone). >> >> You probably need to specify forwardzone, for the particular windows >> domain you use, instead of specify it as global forwarder. >> >> ipa dnsforwardzone-add --forwarder 192.168.1.1 > > Martin could be right, but this depends on your setup. 
> > Please read chapter "Managing DNS Forwarding" in our docs: > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-dns-forwarding.html > > It explains the difference between global and per-zone forwarding (I hope :-) so it will be easier to decide what should be used. > > BTW does the command > $ dig @192.168.1.1 www.google.com. SOA > work? > (Assuming that neither google.com. nor com. are your AD domains :-)) > > Petr^2 Spacek > >>> -----Original Message----- >>> From: freeipa-users-bounces at redhat.com >>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek >>> Sent: Friday 19 February 2016 13:59 >>> To: freeipa-users at redhat.com >>> Subject: Re: [Freeipa-users] DNS operation timed out when installing >>> IPA with forwarders >>> >>> On 19.2.2016 13:50, Geselle Stijn wrote: >>>> Hello fellow FreeIPA users, >>>> >>>> I'm trying to setup FreeIPA in a lab environment (VirtualBox): >>>> >>>> >>>> - ad.example.com (Windows Server 2008 R2) - 192.168.1.1 >>>> >>>> - ipa.example.com (CentOS 7.2) - 192.168.1.2 >>>> Both machines can ping each other, DNS resolving works: >>>> >>>> [root at ipa ~] nslookup ad >>>> Server: 192.168.1.1 >>>> Address: 192.168.1.1#53 >>>> >>>> Name: ad.example.com >>>> Address: 192.168.1.1 >>>> >>>> >>>> I executed: >>>> >>>> yum install -y "*ipa-server*" bind bind-dyndb-ldap >>>> ipa-server-install --domain=example.com --realm=EXAMPLE.COM >>>> --setup-dns >>>> --forwarder=192.168.1.1 >>>> >>>> But the installation wizard fails at: >>>> >>>> Checking DNS forwarders, please wait ... >>>> ipa : ERROR DNS server 192.168.1.1: query '. SOA': The DNS >>>> operation timed out after 10.00124242 seconds >>>> ipa.ipapython.install.cli.install_tool(Server): ERROR DNS server >>>> 192.168.1.1: query '. SOA': The DNS operation timed out after >>>> 10.00124242 seconds >>>> >>>> >>>> Is there some way I can better troubleshoot this? 
Can I increase the >>>> DNS timeout (maybe it's simply slow via VirtualBox). >>> Please try command >>> $ dig @192.168.1.1 . SOA >>> and paste the output here. >>> >>> Also, please run the installer again with option --debug. >>> >>> I will have a look. >>> >>> Thank you. >>> >>> -- >>> Petr^2 Spacek > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project >

-- Petr Spacek @ Red Hat

From aalam at paperlesspost.com Tue Apr 5 15:09:27 2016 From: aalam at paperlesspost.com (Ash Alam) Date: Tue, 5 Apr 2016 11:09:27 -0400 Subject: [Freeipa-users] Freeipa Sudo / sudoers.d / nopasswd In-Reply-To: <2EBB29CB9A8F494FB5253F6AF2E6A1981D6C0893@hoshi.uni.lux> References: <72377F1D-5607-4FC6-A0ED-3841100D8340@redhat.com> <2EBB29CB9A8F494FB5253F6AF2E6A1981D6C0893@hoshi.uni.lux> Message-ID:

I wanted to follow up on this. Since sudo needs to be added to sssd.conf and nsswitch.conf, is it possible to add the options via ipa-client-install? I can do the same with chef but this seems like something that should be done with ipa? Thank You

On Thu, Mar 24, 2016 at 4:51 PM, Christophe TREFOIS < christophe.trefois at uni.lu> wrote: > Hi, > > > > Are you not missing 'sudo' in [sssd] and did you restart the services on > the machine? We found quite a significant cache, which sometimes led to > asking passwords. > > > > > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-ldap-sudo.html > > > > You might even have to delete /var/lib/sss/db/ contents and restart sssd.
> > > > Best, > > > > *From:* freeipa-users-bounces at redhat.com [mailto: > freeipa-users-bounces at redhat.com] *On Behalf Of *Ash Alam > *Sent:* Thursday, 24 March 2016 19:50 > *To:* Jakub Hrozek > *Cc:* freeipa-users at redhat.com > *Subject:* Re: [Freeipa-users] Freeipa Sudo / sudoers.d / nopasswd > > > > Based on (How to troubleshoot Sudo) > > > > - Maybe I misspoke when I said it fails completely. Rather it keeps > asking for the user's password which it does not accept. > > - I do not have sudo in sssd.conf > > - I do not have sudoers: sss defined in nsswitch.conf > > - Per Fedora/Freeipa doc (Defining Sudo), it's not immediately clear if > these need to be defined > > - If this is the case then adding them might resolve my issues. > > - for the special sudo rule(s), is there any way to track it via the gui? > I am trying to keep track of all the configs so it's not a black hole for the > next person. > > > > - This is what it looks like on the web gui > > > > > > - This is what a client's sssd.conf looks like
>
> [domain/xxxxx]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = pp
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = xxxxxx
> chpass_provider = ipa
> ipa_server = _srv_, xxxxx
> ldap_tls_cacert = /etc/ipa/ca.crt
>
> [sssd]
> services = nss, pam, ssh
> config_file_version = 2
> domains = XXXXX
>
> [nss]
> homedir_substring = /home
>
> [pam]
> [sudo]
> [autofs]
> [ssh]
> [pac]
> [ifp]
>
> > On Thu, Mar 24, 2016 at 1:01 PM, Jakub Hrozek wrote: > > > > On 24 Mar 2016, at 17:21, Ash Alam wrote: > > > > Hello > > > > I am looking for some guidance on how to properly do sudo with Freeipa. > I have read up on what I need to do but I can't seem to get it to work > correctly. Now with sudoers.d I can accomplish this fairly quickly.
> > > > Example: > > > > %dev ALL=(ALL) NOPASSWD:/usr/bin/chef-client > > > > What I have configured in Freeipa Sudo Rules: > > > > Sudo Option: !authenticate > > Who: dev (group) > > Access this host: testing (group) > > Run Commands: set of commands that are defined. > > > > Now when I apply this, it still does not work as it asks for a password > for the user and then fails. I am hoping to allow a group to only run > certain commands without requiring a password. > > > > You should first find out why sudo fails completely. We have this guide > that should help you: > https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO > > About asking for passwords -- defining a special sudo rule called > 'defaults' and then adding '!authenticate' should help: > Add a special Sudo rule for default Sudo server configuration: > ipa sudorule-add defaults > > Set a default Sudo option: > ipa sudorule-add-option defaults --sudooption '!authenticate' > >

From abokovoy at redhat.com Tue Apr 5 15:18:05 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 5 Apr 2016 18:18:05 +0300 Subject: [Freeipa-users] Freeipa Sudo / sudoers.d / nopasswd In-Reply-To: References: <72377F1D-5607-4FC6-A0ED-3841100D8340@redhat.com> <2EBB29CB9A8F494FB5253F6AF2E6A1981D6C0893@hoshi.uni.lux> Message-ID: <20160405151805.GC4075@redhat.com>

On Tue, 05 Apr 2016, Ash Alam wrote: >I wanted to follow up on this. Since sudo needs to be added to sssd.conf >and nsswitch.conf. Is it possible to add the options via >ipa-client-install? I can do the same with chef but this seems like >something that should be done with ipa?

$ ipa-client-install --help|grep sudo
    --no-sudo           do not configure SSSD as data source for sudo

By default IPA 4.x configures SSSD for sudo.
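The two threads on sudo above (Martin Kosek's and Jakub Hrozek's answers on the !authenticate option, and the sudo responder missing from Ash's sssd.conf), as an added example written for this page rather than code from FreeIPA or from anyone in the thread: a POSIX shell script that turns a sudoers line like Ash's into the ipa CLI calls for the equivalent rule, and checks an sssd.conf body for the sudo responder. The rule names are assumptions, a non-ALL host field is assumed to name an IPA host group, and the two sssd.conf fragments are constructed (the first mirrors the client config Ash posted). The script only prints commands and never contacts a server.

```shell
#!/bin/sh
# Added example: sudoers line -> FreeIPA sudo-rule commands, plus an
# sssd.conf check for the sudo responder. Nothing here runs 'ipa'.

# $1: sudoers line "who host=(runas) [NOPASSWD:]command"; $2: IPA rule name.
# Prints the ipa commands that build the equivalent rule.
sudoers_to_ipa() {
    line=$1; rule=$2
    who=${line%% *}                 # "%dev" (group) or "alice" (user)
    rest=${line#* }                 # "ALL=(ALL) NOPASSWD:/usr/bin/chef-client"
    hosts=${rest%%=*}               # "ALL", or an IPA host group (assumption)
    rest=${rest#*=}                 # "(ALL) NOPASSWD:/usr/bin/chef-client"
    runas=ALL
    case $rest in
        \(*\)*) runas=${rest#\(}; runas=${runas%%\)*}
                rest=${rest#*\)}; rest=${rest# } ;;
    esac
    nopasswd=0
    case $rest in
        NOPASSWD:*) nopasswd=1; rest=${rest#NOPASSWD:} ;;
    esac
    cmd=$rest

    printf 'ipa sudorule-add %s\n' "$rule"
    case $who in
        %*) printf 'ipa sudorule-add-user %s --groups=%s\n' "$rule" "${who#%}" ;;
        *)  printf 'ipa sudorule-add-user %s --users=%s\n' "$rule" "$who" ;;
    esac
    if [ "$hosts" = ALL ]; then
        printf 'ipa sudorule-mod %s --hostcat=all\n' "$rule"
    else
        printf 'ipa sudorule-add-host %s --hostgroups=%s\n' "$rule" "$hosts"
    fi
    if [ "$runas" = ALL ]; then
        printf 'ipa sudorule-mod %s --runasusercat=all\n' "$rule"
    else
        printf 'ipa sudorule-add-runasuser %s --users=%s\n' "$rule" "$runas"
    fi
    if [ "$cmd" = ALL ]; then
        printf 'ipa sudorule-mod %s --cmdcat=all\n' "$rule"
    else
        printf 'ipa sudocmd-add %s\n' "$cmd"
        printf 'ipa sudorule-add-allow-command %s --sudocmds=%s\n' "$rule" "$cmd"
    fi
    # NOPASSWD maps to the !authenticate option on this rule; without it the
    # client keeps prompting for the user's password, as in the thread.
    if [ "$nopasswd" = 1 ]; then
        printf "ipa sudorule-add-option %s --sudooption '!authenticate'\n" "$rule"
    fi
}

# Does the [sssd] section of an sssd.conf body list the sudo responder?
# $1: file contents. Returns 0 if yes, 1 if not.
sssd_has_sudo_service() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*\[/ { insssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/) }
        insssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            n = split($0, svc, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) if (svc[i] == "sudo") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sssd.conf fragments: the first mirrors the client config in the
# thread (no sudo responder), the second is the corrected form.
SSSD_CONF_NO_SUDO='[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = example

[nss]
homedir_substring = /home'

SSSD_CONF_WITH_SUDO='[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = example'

# Ash's sudoers line, translated (rule name dev_chef is an assumption).
sudoers_to_ipa '%dev ALL=(ALL) NOPASSWD:/usr/bin/chef-client' dev_chef
if sssd_has_sudo_service "$SSSD_CONF_NO_SUDO"; then
    echo 'sudo responder enabled'
else
    echo 'sudo responder missing: add sudo to services in [sssd] and "sudoers: files sss" to nsswitch.conf'
fi
```

The client side still has to ask SSSD for rules: `sudo` in the `[sssd]` services list and `sudoers: files sss` in nsswitch.conf, which a 4.x `ipa-client-install` sets up unless `--no-sudo` is given, as Alexander notes. After changing either rule or client, clear the SSSD cache as Christophe suggests before retesting, or the old rule keeps prompting.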
-- / Alexander Bokovoy

From pvoborni at redhat.com Tue Apr 5 16:37:13 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 5 Apr 2016 18:37:13 +0200 Subject: [Freeipa-users] CentOS 7 COPR repository with ipa 4.3.1 available for testing Message-ID: <5703E9B9.8060008@redhat.com>

Hello everyone, Copr repository @freeipa/freeipa-4-3-centos-7 is available for testing of Freeipa 4.3.1[1] on CentOS 7. https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/ Your feedback is welcome!

Disclaimer: the build was not thoroughly tested and works mainly as a preview. Use at your own risk. Do not use in production. There is no guarantee of update stability of the repository. The repository could be deleted or recreated at any time.

Known issues: Testing replica promotion[2]: CentOS 7.2 doesn't have an updated SELinux policy with the policies[3] required for this build, therefore replica promotion will fail in SELinux enforcing mode.

[1] http://www.freeipa.org/page/Releases/4.3.1 [2] http://www.freeipa.org/page/Releases/4.3.0#New_method_-_domain_level_1 [3] https://bugzilla.redhat.com/show_bug.cgi?id=1289930

-- Petr Vobornik

From jeremy at ifuzioncorp.com Tue Apr 5 22:23:08 2016 From: jeremy at ifuzioncorp.com (Jeremy Utley) Date: Tue, 5 Apr 2016 17:23:08 -0500 Subject: [Freeipa-users] Centos 7 IPA server, Centos 6 Clients Message-ID:

Hello all! Are there any known issues with registering a CentOS 6 client with a CentOS 7 FreeIPA server? I just tried to register my first C6 client (fully updated) with our new FreeIPA infrastructure installed on C7, and I'm getting an NSS error:

args=/usr/sbin/ipa-join -s ds02.domain.com -b dc=ipa,dc=domain,dc=com -d
stdout=
stderr=XML-RPC CALL: [XML-RPC request body; tags stripped by the archive. Visible values: join, hostname.domain.com, nsosversion 2.6.32-573.18.1.el6.x86_64, nshardwareplatform x86_64]
* About to connect() to ds02.domain.com port 443 (#0)
* Trying 192.168.150.2...
* Connected to ds02.domain.com (192.168.150.2) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/ipa/ca.crt
CApath: none
* NSS error -12190
* Closing connection #0
libcurl failed to execute the HTTP POST transaction. SSL connect error

Looking up that NSS error, it seems to indicate an SSL protocol error. Looking at my FreeIPA webserver configuration, I'm allowing TLSv1.0, TLSv1.1, TLSv1.2:

The oddest part is that, from the client, I can use wget to connect to the IPA server, but cannot use curl:

[root at hostname ~]# wget --no-check-certificate https://ds02.domain.com
--2016-04-05 17:42:50-- https://ds02.domain.com/
Resolving ds02.domain.com... 192.168.150.2
Connecting to ds02.domain.com|192.168.150.2|:443... connected.
WARNING: cannot verify ds02.domain.com's certificate, issued by '/O=IPA.DOMAIN.COM/CN=Certificate Authority':
Self-signed certificate encountered.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://ds02.domain.com/ipa/ui [following]

[root at hostname ~]# curl -v -k https://ds02.domain.com/
* About to connect() to ds02.domain.com port 443 (#0)
* Trying 192.168.150.2... connected
* Connected to ds02.domain.com (192.168.150.2) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* NSS error -12190
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error

However, the same curl command, run from another C7 host, works just fine. Something incompatible in the NSS libraries maybe?

Thanks for any help you can provide! Jeremy

From rcritten at redhat.com Tue Apr 5 22:36:19 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 5 Apr 2016 18:36:19 -0400 Subject: [Freeipa-users] Centos 7 IPA server, Centos 6 Clients In-Reply-To: References: Message-ID: <57043DE3.1040305@redhat.com>

Jeremy Utley wrote: > Hello all!
> > Are there any known issues with registering a CentOS 6 client with a > CentOS 7 FreeIPA server? I just tried to register my first C6 client > (fully updated) with our new FreeIPA infrastructure installed on C7, and > I'm getting an NSS error: > > args=/usr/sbin/ipa-join -s ds02.domain.com -b > dc=ipa,dc=domain,dc=com -d > stdout= > stderr=XML-RPC CALL: [XML-RPC request body; tags stripped by the archive. Visible values: join, hostname.domain.com, nsosversion 2.6.32-573.18.1.el6.x86_64, nshardwareplatform x86_64] > > * About to connect() to ds02.domain.com port > 443 (#0) > * Trying 192.168.150.2... * Connected to ds02.domain.com > (192.168.150.2) port 443 (#0) > * Initializing NSS with certpath: sql:/etc/pki/nssdb > * CAfile: /etc/ipa/ca.crt > CApath: none > * NSS error -12190 > * Closing connection #0 > libcurl failed to execute the HTTP POST transaction. SSL connect error > > Looking up that NSS error, it seems to indicate an SSL protocol error. > Looking at my FreeIPA webserver configuration, I'm allowing TLSv1.0, > TLSv1.1, TLSv1.2:

Right, it is SSL_ERROR_PROTOCOL_VERSION_ALERT. Can you show the NSSProtocols from /etc/httpd/conf.d/nss.conf on the server?

> The oddest part is that, from the client, I can use wget to connect to > the IPA server, but cannot use curl: > > [root at hostname ~]# wget --no-check-certificate https://ds02.domain.com > --2016-04-05 17:42:50-- https://ds02.domain.com/ > Resolving ds02.domain.com... 192.168.150.2 > Connecting to ds02.domain.com > |192.168.150.2|:443... connected. > WARNING: cannot verify ds02.domain.com's > certificate, issued by '/O=IPA.DOMAIN.COM/CN=Certificate > Authority': > Self-signed certificate encountered. > HTTP request sent, awaiting response... 301 Moved Permanently > Location: https://ds02.domain.com/ipa/ui [following] > > > [root at hostname ~]# curl -v -k https://ds02.domain.com/ > * About to connect() to ds02.domain.com port > 443 (#0) > * Trying 192.168.150.2...
connected > * Connected to ds02.domain.com (192.168.150.2) > port 443 (#0) > * Initializing NSS with certpath: sql:/etc/pki/nssdb > * warning: ignoring value of ssl.verifyhost > * NSS error -12190 > * Closing connection #0 > * SSL connect error > curl: (35) SSL connect error

They are linked against different crypto providers (OpenSSL and NSS).

> However, the same curl command, run from another C7 host, works just > fine. Something incompatible in the NSS libraries maybe?

It might be helpful to look at the output of:

$ openssl s_client -host ds02.domain.com -port 443

To test all the protocols you can do a test with each: -tls1, -tls1_1 and -tls1_2

rob

From mail at kilian-ries.de Wed Apr 6 08:41:38 2016 From: mail at kilian-ries.de (Kilian Ries) Date: Wed, 6 Apr 2016 08:41:38 +0000 Subject: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted Message-ID:

Hello, I have an existing FreeIPA installation (4.2.0) on CentOS 7.2 and I'm trying to add a replication partner. During the installation I got the following error:

###
Restarting the directory and certificate servers
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
[1/8]: adding sasl mappings to the directory
[2/8]: configuring KDC
[3/8]: creating a keytab for the directory
[4/8]: creating a keytab for the machine
[5/8]: adding the password extension to the directory
[6/8]: enable GSSAPI for replication
[error] RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(Replica): ERROR One of the ldap service principals is missing. Replication agreement cannot be converted.
### The installation Log shows the following: ### 2016-04-06T08:22:34Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/auth02.intern.eu at INTERN.EU) and (krbprincipalname=ldap/auth01.intern.eu at INTERN.EU) 2016-04-06T08:22:34Z DEBUG Unable to find entry for (krbprincipalname=ldap/auth02.intern.eu at INTERN.EU) on auth01.intern.eu:636 2016-04-06T08:22:34Z INFO Setting agreement cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch 2016-04-06T08:22:35Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping tree,cn=config 2016-04-06T08:22:36Z INFO Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 0: end: 0 2016-04-06T08:22:36Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 438, in __convert_to_gssapi_replication r_bindpw=self.dm_password) File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1104, in convert_to_gssapi_replication self.gssapi_update_agreements(self.conn, r_conn) File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 797, in gssapi_update_agreements self.setup_krb_princs_as_replica_binddns(a, b) File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 767, in setup_krb_princs_as_replica_binddns (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100) File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 751, in get_replica_principal_dns raise RuntimeError(error) RuntimeError: One of the ldap 
service principals is missing. Replication agreement cannot be converted. 2016-04-06T08:22:36Z DEBUG [error] RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted. 2016-04-06T08:22:36Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, in run cfgr.run() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 281, in run self.execute() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 303, in execute for nothing in self._executor(): File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner self._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception util.raise_exc_info(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from raise_exc_info(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 524, in _configure executor.next() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner self._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in _handle_exception self.__parent._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception util.raise_exc_info(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", 
line 365, in _handle_exception util.raise_exc_info(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from raise_exc_info(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install for nothing in self._installer(self.parent): File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 879, in main install(self) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 295, in decorated func(installer) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 586, in install krb = install_krb(config, setup_pkinit=not options.no_pkinit) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 93, in install_krb setup_pkinit, pkcs12_info) File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 214, in create_replica self.start_creation(runtime=30) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 438, in __convert_to_gssapi_replication r_bindpw=self.dm_password) File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1104, in convert_to_gssapi_replication self.gssapi_update_agreements(self.conn, r_conn) File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 797, in gssapi_update_agreements self.setup_krb_princs_as_replica_binddns(a, b) File 
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 767, in setup_krb_princs_as_replica_binddns (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100) File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 751, in get_replica_principal_dns raise RuntimeError(error) 2016-04-06T08:22:36Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted. 2016-04-06T08:22:36Z ERROR One of the ldap service principals is missing. Replication agreement cannot be converted. ### Can anybody help me? Thanks Greets Kilian -------------- next part -------------- An HTML attachment was scrubbed... URL: From mkosek at redhat.com Wed Apr 6 10:18:40 2016 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 6 Apr 2016 12:18:40 +0200 Subject: [Freeipa-users] Centos 7 IPA server, Centos 6 Clients In-Reply-To: References: Message-ID: <5704E280.3020502@redhat.com> On 04/06/2016 12:23 AM, Jeremy Utley wrote: > Hello all! > > Is there any known issues with registering a CentOS 6 client with a CentOS 7 > FreeIPA server? I just tried to register my first C6 client (fully updated) > with our new FreeIPA infrastructure installed on C7, and I'm getting an NSS error: > > args=/usr/sbin/ipa-join -s ds02.domain.com -b > dc=ipa,dc=domain,dc=com -d > stdout= > stderr=XML-RPC CALL: > > \r\n > \r\n > join\r\n > \r\n > \r\n > hostname.domain.com \r\n > \r\n > \r\n > nsosversion\r\n > 2.6.32-573.18.1.el6.x86_64\r\n > nshardwareplatform\r\n > x86_64\r\n > \r\n > \r\n > \r\n > > * About to connect() to ds02.domain.com port 443 (#0) > * Trying 192.168.150.2... * Connected to ds02.domain.com > (192.168.150.2) port 443 (#0) > * Initializing NSS with certpath: sql:/etc/pki/nssdb > * CAfile: /etc/ipa/ca.crt > CApath: none > * NSS error -12190 > * Closing connection #0 > libcurl failed to execute the HTTP POST transaction. 
SSL connect error > > Looking up that NSS error, it seems to indicate an SSL protocol error. Looking > at my FreeIPA webserver configuration, I'm allowing TLSv1.0, TLSv1.1, TLSv1.2: > > The oddest part is that, from the client, I can use wget to connect to the IPA > server, but cannot use curl: > > [root at hostname ~]# wget --no-check-certificate https://ds02.domain.com > --2016-04-05 17:42:50-- https://ds02.domain.com/ > Resolving ds02.domain.com... 192.168.150.2 > Connecting to ds02.domain.com |192.168.150.2|:443... > connected. > WARNING: cannot verify ds02.domain.com's certificate, > issued by '/O=IPA.DOMAIN.COM/CN=Certificate > Authority': > Self-signed certificate encountered. > HTTP request sent, awaiting response... 301 Moved Permanently > Location: https://ds02.domain.com/ipa/ui [following] > > > [root at hostname ~]# curl -v -k https://ds02.domain.com/ > * About to connect() to ds02.domain.com port 443 (#0) > * Trying 192.168.150.2... connected > * Connected to ds02.domain.com (192.168.150.2) port 443 > (#0) > * Initializing NSS with certpath: sql:/etc/pki/nssdb > * warning: ignoring value of ssl.verifyhost > * NSS error -12190 > * Closing connection #0 > * SSL connect error > curl: (35) SSL connect error > > However, the same curl command, run from another C7 host, works just fine. > Something incompatible in the NSS libraries maybe? > > Thanks for any help you can provide! > > Jeremy

Any chance it is related to this thread: https://www.redhat.com/archives/freeipa-users/2016-March/msg00305.html and is resolved just with an nss update on the client side?

From prashant at apigee.com Wed Apr 6 10:33:38 2016 From: prashant at apigee.com (Prashant Bapat) Date: Wed, 6 Apr 2016 16:03:38 +0530 Subject: [Freeipa-users] Zombie Replica ! Message-ID:

Hi, We had 4 IPA servers in master-master mode with all of them connected to each other.

IPA1 <----> IPA2 (colo 1)
IPA3 <----> IPA4 (colo 2)

One of the replica servers (IPA2) had to be rebuilt.
So I went ahead and used the commands below.

ipa-replica-manage disconnect IPA2 IPA3
ipa-replica-manage disconnection IPA2 IPA4
ipa-replica-manage del IPA2 (to remove it on IPA1).

And then ran ipa-server-install --uninstall on IPA2.

Created the replica info file using ipa-replica-prepare IPA2.

When I tried to run ipa-replica-install on IPA2, it says

A replication agreement for this host already exists. It needs to be removed.
Run this on the master that generated the info file:
% ipa-replica-manage del ipa2.example.net --force

Now on IPA1, no matter what I do it still has references to IPA2.

So far I have tried the following.

1. ipa-replica-manage del --force IPA2
2. ipa-replica-manage del --force --cleanruv IPA2
3. /usr/sbin/cleanallruv.pl -D "cn=directory manager" -w - -b "dc=example,dc=net" -r 6

Got the rid = 6 by running
ldapsearch -Y GSSAPI -b "dc=example,dc=net" '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))' nsds50ruv

In the directory server logs, I guess it's still trying to connect to IPA2 and failing. Below are some lines.

[06/Apr/2016:10:18:09 +0000] NSMMReplicationPlugin - agmt="cn=meToipa2.example.net" (ipa2:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[06/Apr/2016:10:18:09 +0000] NSMMReplicationPlugin - CleanAllRUV Task (rid 6): Replica not online (agmt="cn=meToipa2.example.net" (ipa2:389))
[06/Apr/2016:10:18:09 +0000] NSMMReplicationPlugin - CleanAllRUV Task (rid 6): Not all replicas online, retrying in 2560 seconds...

Any pointers would be helpful.

Regards. --Prashant

From prashant at apigee.com Wed Apr 6 10:35:08 2016 From: prashant at apigee.com (Prashant Bapat) Date: Wed, 6 Apr 2016 16:05:08 +0530 Subject: [Freeipa-users] Zombie Replica ! In-Reply-To: References: Message-ID:

Oh this is FreeIPA version 4.1.4 on FC21.
On 6 April 2016 at 16:03, Prashant Bapat wrote:
> [...]

From rcritten at redhat.com Wed Apr 6 13:25:05 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 6 Apr 2016 09:25:05 -0400
Subject: [Freeipa-users] Zombie Replica !
In-Reply-To:
References:
Message-ID: <57050E31.6050409@redhat.com>

Prashant Bapat wrote:
> [...]
On ipa1 run:

% ipa-replica-manage list -v `hostname`

This will give the list of actual agreements and their status.

rob

From jeremy at ifuzioncorp.com Wed Apr 6 15:35:28 2016
From: jeremy at ifuzioncorp.com (Jeremy Utley)
Date: Wed, 6 Apr 2016 10:35:28 -0500
Subject: [Freeipa-users] Centos 7 IPA server, Centos 6 Clients
In-Reply-To: <57043DE3.1040305@redhat.com>
References: <57043DE3.1040305@redhat.com>
Message-ID:

Was able to trace down the problem. Since this system is within a PCI zone, I need high security, and followed instructions at https://access.redhat.com/articles/1467293, and disabled TLSv1.0. Evidently, the NSS libraries on C6 do not support TLS versions higher than 1.0, because once I put TLSv1.0 back into the config, it worked again.

Thanks for the help!

Jeremy

On Tue, Apr 5, 2016 at 5:36 PM, Rob Crittenden wrote:
> Jeremy Utley wrote:
>
>> Hello all!
>>
>> Are there any known issues with registering a CentOS 6 client with a
>> CentOS 7 FreeIPA server?
>> I just tried to register my first C6 client (fully updated) with our new
>> FreeIPA infrastructure installed on C7, and I'm getting an NSS error:
>>
>> args=/usr/sbin/ipa-join -s ds02.domain.com -b dc=ipa,dc=domain,dc=com -d
>> stdout=
>> stderr=XML-RPC CALL:
>> (XML request body; its markup was stripped by the list archive)
>> join
>> hostname.domain.com
>> nsosversion
>> 2.6.32-573.18.1.el6.x86_64
>> nshardwareplatform
>> x86_64
>>
>> * About to connect() to ds02.domain.com port 443 (#0)
>> * Trying 192.168.150.2... * Connected to ds02.domain.com (192.168.150.2) port 443 (#0)
>> * Initializing NSS with certpath: sql:/etc/pki/nssdb
>> * CAfile: /etc/ipa/ca.crt
>> CApath: none
>> * NSS error -12190
>> * Closing connection #0
>> libcurl failed to execute the HTTP POST transaction. SSL connect error
>>
>> Looking up that NSS error, it seems to indicate an SSL protocol error.
>> Looking at my FreeIPA webserver configuration, I'm allowing TLSv1.0,
>> TLSv1.1, TLSv1.2:
>
> Right, it is SSL_ERROR_PROTOCOL_VERSION_ALERT. Can you show the
> NSSProtocols from /etc/httpd/conf.d/nss.conf on the server?
>
>> The oddest part is that, from the client, I can use wget to connect to
>> the IPA server, but can not use curl:
>>
>> [root at hostname ~]# wget --no-check-certificate https://ds02.domain.com
>> --2016-04-05 17:42:50-- https://ds02.domain.com/
>> Resolving ds02.domain.com... 192.168.150.2
>> Connecting to ds02.domain.com|192.168.150.2|:443... connected.
>> WARNING: cannot verify ds02.domain.com's certificate, issued by '/O=IPA.DOMAIN.COM/CN=Certificate Authority':
>> Self-signed certificate encountered.
>> HTTP request sent, awaiting response... 301 Moved Permanently
>> Location: https://ds02.domain.com/ipa/ui [following]
>>
>> [root at hostname ~]# curl -v -k https://ds02.domain.com/
>> * About to connect() to ds02.domain.com port 443 (#0)
>> * Trying 192.168.150.2...
>> connected
>> * Connected to ds02.domain.com (192.168.150.2) port 443 (#0)
>> * Initializing NSS with certpath: sql:/etc/pki/nssdb
>> * warning: ignoring value of ssl.verifyhost
>> * NSS error -12190
>> * Closing connection #0
>> * SSL connect error
>> curl: (35) SSL connect error
>
> They are linked against different crypto providers (OpenSSL and NSS)
>
>> However, the same curl command, run from another C7 host, works just
>> fine. Something incompatible in the NSS libraries maybe?
>
> It might be helpful to look at the output of:
>
> $ openssl s_client -host ds02.domain.com -port 443
>
> To test all the protocols you can do a test with each: -tls1, -tls1_1 and
> -tls1_2
>
> rob

From Daryl.Fonseca-Holt at umanitoba.ca Wed Apr 6 15:40:28 2016
From: Daryl.Fonseca-Holt at umanitoba.ca (Daryl Fonseca-Holt)
Date: Wed, 6 Apr 2016 10:40:28 -0500
Subject: [Freeipa-users] nis-keys-format works with ypcat but fails ypmatch when using %collect
Message-ID: <57052DEC.2050800@umanitoba.ca>

An HTML attachment was scrubbed...

From Daryl.Fonseca-Holt at umanitoba.ca Wed Apr 6 15:46:46 2016
From: Daryl.Fonseca-Holt at umanitoba.ca (Daryl Fonseca-Holt)
Date: Wed, 6 Apr 2016 10:46:46 -0500
Subject: [Freeipa-users] nis-keys-format works with ypcat but fails ypmatch when using %collect
In-Reply-To: <57052DEC.2050800@umanitoba.ca>
References: <57052DEC.2050800@umanitoba.ca>
Message-ID: <57052F66.9070607@umanitoba.ca>

An HTML attachment was scrubbed...
From Daryl.Fonseca-Holt at umanitoba.ca Wed Apr 6 15:49:46 2016
From: Daryl.Fonseca-Holt at umanitoba.ca (Daryl Fonseca-Holt)
Date: Wed, 6 Apr 2016 10:49:46 -0500
Subject: [Freeipa-users] nis-keys-format works with ypcat but fails ypmatch when using %collect
In-Reply-To: <57052F66.9070607@umanitoba.ca>
References: <57052DEC.2050800@umanitoba.ca> <57052F66.9070607@umanitoba.ca>
Message-ID: <5705301A.4080308@umanitoba.ca>

An HTML attachment was scrubbed...

From peljasz at yahoo.co.uk Wed Apr 6 16:37:09 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Wed, 6 Apr 2016 17:37:09 +0100
Subject: [Freeipa-users] would you use IPA's web server for some...
Message-ID: <57053B35.4090508@yahoo.co.uk>

... other things?

I'm not thinking here about anything heavy, rather lightweight bits... a blog, a calendar...
What are best practices?
Is it ok to use VirtualHost, IPA won't mind?
Is there a way to migrate from mod_ssl based to IPA's nss and use IPA's cert suite?

many thanks,
L.

From prashant at apigee.com Wed Apr 6 16:47:14 2016
From: prashant at apigee.com (Prashant Bapat)
Date: Wed, 6 Apr 2016 22:17:14 +0530
Subject: [Freeipa-users] Zombie Replica !
In-Reply-To: <57050E31.6050409@redhat.com>
References: <57050E31.6050409@redhat.com>
Message-ID:

# ipa-replica-manage list `hostname`
ipa2.example.net: replica
ipa3.example.net: replica
ipa4.example.net: replica

ipa2.example.net should not be there. How do I remove it?

On 6 April 2016 at 18:55, Rob Crittenden wrote:
> [...]
From john.1209 at yahoo.com Thu Apr 7 04:12:58 2016
From: john.1209 at yahoo.com (John Williams)
Date: Thu, 7 Apr 2016 04:12:58 +0000 (UTC)
Subject: [Freeipa-users] CentOS 7 replica installation failing
References: <897241885.695029.1460002378443.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <897241885.695029.1460002378443.JavaMail.yahoo@mail.yahoo.com>

I've setup an initial FreeIPA instance on a CentOS 7 host. The install went without a hitch. I can login to the GUI with no problems. However, I am not able to install the replica on another CentOS 7 host. I get the following errors:

[root at ipa2 ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders /var/lib/ipa/replica-info-ipa2.nrln.us.gpg --skip-conncheck
WARNING: conflicting time&date synchronization service 'chronyd' will
be disabled in favor of ntpd

Directory Manager (existing master) password:

Existing BIND configuration detected, overwrite? [no]: yes
Using reverse zone(s) 1.168.192.in-addr.arpa.
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/38]: creating directory server user
  [2/38]: creating directory server instance
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configuring replication version plugin
  [7/38]: enabling IPA enrollment plugin
  [8/38]: enabling ldapi
  [9/38]: configuring uniqueness plugin
  [10/38]: configuring uuid plugin
  [11/38]: configuring modrdn plugin
  [12/38]: configuring DNS plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: creating indices
  [16/38]: enabling referential integrity plugin
  [17/38]: configuring ssl for ds instance
  [18/38]: configuring certmap.conf
  [19/38]: configure autobind for root
  [20/38]: configure new location for managed entries
  [21/38]: configure dirsrv ccache
  [22/38]: enable SASL mapping fallback
  [23/38]: restarting directory server
  [24/38]: setting up initial replication
Starting replication, please wait until this has completed.

[ipa1.nrln.us] reports: Update failed! Status: [-1 - LDAP error: Can't contact LDAP server]

  [error] RuntimeError: Failed to start replication
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    Failed to start replication

The error message is misleading. The two hosts sit on the same subnet. All firewalls are off. Selinux is disabled. Here is an nmap port scan from the replica to the master:

[root at ipa2 ~]# nmap ipa1

Starting Nmap 6.40 ( http://nmap.org ) at 2016-04-07 00:12 EDT
Nmap scan report for ipa1 (192.168.1.38)
Host is up (0.000086s latency).
rDNS record for 192.168.1.38: ipa1.nrln.us
Not shown: 990 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
88/tcp   open  kerberos-sec
389/tcp  open  ldap
443/tcp  open  https
464/tcp  open  kpasswd5
636/tcp  open  ldapssl
749/tcp  open  kerberos-adm
8080/tcp open  http-proxy
8443/tcp open  https-alt
MAC Address: 52:54:00:33:34:F0 (QEMU Virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
[root at ipa2 ~]#

Why do I get this message?

TIA!!

From prashant at apigee.com Thu Apr 7 05:23:16 2016
From: prashant at apigee.com (Prashant Bapat)
Date: Thu, 7 Apr 2016 10:53:16 +0530
Subject: [Freeipa-users] Zombie Replica !
In-Reply-To:
References: <57050E31.6050409@redhat.com>
Message-ID:

What I have done now was to add a new server, ipa02 and configured replication again and things are fine.

However on IPA1 the 389 ds error logs have reference to the dead ipa2 replica.
[07/Apr/2016:04:13:11 +0000] NSMMReplicationPlugin - agmt="cn=meToipa2.example.net" (ipa2:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[07/Apr/2016:04:13:11 +0000] NSMMReplicationPlugin - Abort CleanAllRUV Task (rid 6): Failed to connect to replica(agmt="cn=meToipa2.example.net" (ipa2:389)).
[07/Apr/2016:04:13:11 +0000] NSMMReplicationPlugin - Abort CleanAllRUV Task (rid 6): Retrying in 14400 seconds

It will never be able to connect to ipa2 as it's gone permanently. Also the ipa-replica-manage list `hostname` command still shows the ipa2 as replica.

How to remove this permanently ???

Thanks.
--Prashant

On 6 April 2016 at 22:17, Prashant Bapat wrote:
> [...]

From lkrispen at redhat.com Thu Apr 7 07:42:37 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Thu, 07 Apr 2016 09:42:37 +0200
Subject: [Freeipa-users] Zombie Replica !
In-Reply-To:
References: <57050E31.6050409@redhat.com>
Message-ID: <57060F6D.4070809@redhat.com>

On 04/07/2016 07:23 AM, Prashant Bapat wrote:
> What I have done now was to add a new server, ipa02 and configured
> replication again and things are fine.
>
> However on IPA1 the 389 ds error logs have reference to the dead ipa2
> replica.
> [...]
>
> It will never be able to connect to ipa2 as it's gone permanently.
> Also the ipa-replica-manage list `hostname` command still shows the
> ipa2 as replica.
>
> How to remove this permanently ???

I don't know why you did get into this state, ipa-replica-manage del should have removed the agreement. You can do it by directly deleting it in DS:

- get the full dn of the agreement

ldapsearch ..... -D "cn=directory manager" -w .... -b cn=config "cn=meToipa2.example.net" dn

it should return an entry with
dn:

then do a delete

ldapmodify ..... -D "cn=directory manager" -w ....
dn:
changetype: delete

> [...]

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill

From prashant at apigee.com Thu Apr 7 09:25:05 2016
From: prashant at apigee.com (Prashant Bapat)
Date: Thu, 7 Apr 2016 14:55:05 +0530
Subject: [Freeipa-users] Zombie Replica !
In-Reply-To: <57060F6D.4070809@redhat.com>
References: <57050E31.6050409@redhat.com> <57060F6D.4070809@redhat.com>
Message-ID:

Thank you very much! That does it.

On 7 April 2016 at 13:12, Ludwig Krispenz wrote:
> [...]

From pvoborni at redhat.com Thu Apr 7 11:04:20 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 7 Apr 2016 13:04:20 +0200
Subject: [Freeipa-users] would you use IPA's web server for some...
In-Reply-To: <57053B35.4090508@yahoo.co.uk>
References: <57053B35.4090508@yahoo.co.uk>
Message-ID: <57063EB4.7030105@redhat.com>

On 04/06/2016 06:37 PM, lejeczek wrote:
> ... other things?
>
> I'm not thinking here about anything heavy, rather lightweight bits... a
> blog, a calendar...
> What are best practices?
> Is it ok to use VirtualHost, IPA won't mind?
> Is there a way to migrate from mod_ssl based to IPA's nss and use IPA's
> cert suite?
>
> many thanks,
> L.

In general it is not recommended.
IPA assumes that it is the only application on apache and therefore it might introduce server wide apache configuration which could break your app. -- Petr Vobornik From pvoborni at redhat.com Thu Apr 7 11:11:26 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 7 Apr 2016 13:11:26 +0200 Subject: [Freeipa-users] CentOS 7 replica installation failing In-Reply-To: <897241885.695029.1460002378443.JavaMail.yahoo@mail.yahoo.com> References: <897241885.695029.1460002378443.JavaMail.yahoo.ref@mail.yahoo.com> <897241885.695029.1460002378443.JavaMail.yahoo@mail.yahoo.com> Message-ID: <5706405E.3040101@redhat.com> On 04/07/2016 06:12 AM, John Williams wrote: > I've setup an initial FreeIPA instance on a CentOS 7 host. The install went > without a hitch. I can login to the GUI with no problems. However, I am not > able to install the replica on another CentOS 7 host. I get the following errors: > > [root at ipa2 ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders > /var/lib/ipa/replica-info-ipa2.nrln.us.gpg --skip-conncheck It was run with '--skip-conncheck'. Is there a reason? If you remove it, what does it complain about? In general, using --skip-conncheck should be avoided because it may hide errors. You could also check master server /var/log/dirsrv/slapd-your-instance/access and errors logs if there is some connection attempt from the replica visible. And maybe /var/log/ipareplica-install.log contains more info. > WARNING: conflicting time&date synchronization service 'chronyd' will > be disabled in favor of ntpd > > Directory Manager (existing master) password: > > Existing BIND configuration detected, overwrite? [no]: yes > Using reverse zone(s) 1.168.192.in-addr.arpa. > Configuring NTP daemon (ntpd) > [1/4]: stopping ntpd > [2/4]: writing configuration > [3/4]: configuring ntpd to start on boot > [4/4]: starting ntpd > Done configuring NTP daemon (ntpd). > Configuring directory server (dirsrv). 
Estimated time: 1 minute > [1/38]: creating directory server user > [2/38]: creating directory server instance > [3/38]: adding default schema > [4/38]: enabling memberof plugin > [5/38]: enabling winsync plugin > [6/38]: configuring replication version plugin > [7/38]: enabling IPA enrollment plugin > [8/38]: enabling ldapi > [9/38]: configuring uniqueness plugin > [10/38]: configuring uuid plugin > [11/38]: configuring modrdn plugin > [12/38]: configuring DNS plugin > [13/38]: enabling entryUSN plugin > [14/38]: configuring lockout plugin > [15/38]: creating indices > [16/38]: enabling referential integrity plugin > [17/38]: configuring ssl for ds instance > [18/38]: configuring certmap.conf > [19/38]: configure autobind for root > [20/38]: configure new location for managed entries > [21/38]: configure dirsrv ccache > [22/38]: enable SASL mapping fallback > [23/38]: restarting directory server > [24/38]: setting up initial replication > Starting replication, please wait until this has completed. > > [ipa1.nrln.us] reports: Update failed! Status: [-1 - LDAP error: Can't contact > LDAP server] > > [error] RuntimeError: Failed to start replication > Your system may be partly configured. > Run /usr/sbin/ipa-server-install --uninstall to clean up. > > ipa.ipapython.install.cli.install_tool(Replica): ERROR Failed to start > replication > > > The error message is misleading. The two hosts sit on the same subnet. All > firewalls are off. Selinux is disabled. Here is an nmap port scan from the > replica to the master: > > > [root at ipa2 ~]# nmap ipa1 > > Starting Nmap 6.40 ( http://nmap.org ) at 2016-04-07 00:12 EDT > Nmap scan report for ipa1 (192.168.1.38) > Host is up (0.000086s latency). 
> rDNS record for 192.168.1.38: ipa1.nrln.us > Not shown: 990 closed ports > PORT STATE SERVICE > 22/tcp open ssh > 80/tcp open http > 88/tcp open kerberos-sec > 389/tcp open ldap > 443/tcp open https > 464/tcp open kpasswd5 > 636/tcp open ldapssl > 749/tcp open kerberos-adm > 8080/tcp open http-proxy > 8443/tcp open https-alt > MAC Address: 52:54:00:33:34:F0 (QEMU Virtual NIC) > > Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds > [root at ipa2 ~]# > > > Why do I get this message? > > TIA!! > > > -- Petr Vobornik From pvoborni at redhat.com Thu Apr 7 11:23:22 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 7 Apr 2016 13:23:22 +0200 Subject: [Freeipa-users] DNA plugin undo instructions In-Reply-To: References: Message-ID: <5706432A.3000502@redhat.com> On 03/30/2016 09:09 PM, Jeff Goddard wrote: > I followed the same instructions and have the same problem described in this > thread: https://www.redhat.com/archives/freeipa-users/2010-June/msg00024.html > What I don't find is instructions on how to make changes to my existing dna > plugin configuration and how to change the configuration so that dna assigns a > consistent sambaGroupType value. > > I see this: http://www.freeipa.org/page/FreeIPAv2:DNA_plugin_default_configuration > > but it's deprecated so I don't want to keep shooting my feet :) Can anyone point > me in the right direction? > > Server: CentOS 7, FreeIPA: 4.2 > > Thanks, > > Jeff > There is chapter 12 of "Linux Domain Identity, Authentication, and Policy Guide" dedicated to ranges. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Managing-Unique_UID_and_GID_Attributes.html And also the "RANGES" section of `man ipa-replica-manage`?
-- Petr Vobornik From john.1209 at yahoo.com Thu Apr 7 11:24:16 2016 From: john.1209 at yahoo.com (John Williams) Date: Thu, 7 Apr 2016 11:24:16 +0000 (UTC) Subject: [Freeipa-users] CentOS 7 replica installation failing In-Reply-To: <897241885.695029.1460002378443.JavaMail.yahoo@mail.yahoo.com> References: <897241885.695029.1460002378443.JavaMail.yahoo.ref@mail.yahoo.com> <897241885.695029.1460002378443.JavaMail.yahoo@mail.yahoo.com> Message-ID: <1054885820.855765.1460028256790.JavaMail.yahoo@mail.yahoo.com> I've setup an initial FreeIPA instance on a CentOS 7 host. The install went without a hitch. I can login to the GUI with no problems. However, I am not able to install the replica on another CentOS 7 host. I get the following errors:

[root at ipa2 ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders /var/lib/ipa/replica-info-ipa2.nrln.us.gpg --skip-conncheck
WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd

Directory Manager (existing master) password:

Existing BIND configuration detected, overwrite? [no]: yes
Using reverse zone(s) 1.168.192.in-addr.arpa.
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/38]: creating directory server user
  [2/38]: creating directory server instance
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configuring replication version plugin
  [7/38]: enabling IPA enrollment plugin
  [8/38]: enabling ldapi
  [9/38]: configuring uniqueness plugin
  [10/38]: configuring uuid plugin
  [11/38]: configuring modrdn plugin
  [12/38]: configuring DNS plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: creating indices
  [16/38]: enabling referential integrity plugin
  [17/38]: configuring ssl for ds instance
  [18/38]: configuring certmap.conf
  [19/38]: configure autobind for root
  [20/38]: configure new location for managed entries
  [21/38]: configure dirsrv ccache
  [22/38]: enable SASL mapping fallback
  [23/38]: restarting directory server
  [24/38]: setting up initial replication
Starting replication, please wait until this has completed.

[ipa1.nrln.us] reports: Update failed! Status: [-1  - LDAP error: Can't contact LDAP server]

  [error] RuntimeError: Failed to start replication
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    Failed to start replication

The error message is misleading. The two hosts sit on the same subnet. All firewalls are off. Selinux is disabled. Here is an nmap port scan from the replica to the master:

[root at ipa2 ~]# nmap ipa1

Starting Nmap 6.40 ( http://nmap.org ) at 2016-04-07 00:12 EDT
Nmap scan report for ipa1 (192.168.1.38)
Host is up (0.000086s latency).
rDNS record for 192.168.1.38: ipa1.nrln.us
Not shown: 990 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
88/tcp   open  kerberos-sec
389/tcp  open  ldap
443/tcp  open  https
464/tcp  open  kpasswd5
636/tcp  open  ldapssl
749/tcp  open  kerberos-adm
8080/tcp open  http-proxy
8443/tcp open  https-alt
MAC Address: 52:54:00:33:34:F0 (QEMU Virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
[root at ipa2 ~]#

Why do I get this message?

TIA!! -------------- next part -------------- An HTML attachment was scrubbed...
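An added example, not code from this thread or from FreeIPA, for the point the thread turns on. The line `[ipa1.nrln.us] reports: Update failed! Status: [-1 - LDAP error: Can't contact LDAP server]` is the existing master reporting that it cannot open an LDAP connection back to the new replica, so an nmap run from ipa2 towards ipa1 exercises the wrong direction. ipa-replica-conncheck tests both directions: it probes the master from the replica, then runs itself on the master over ssh to probe the replica, and for that second pass the replica binds its own responder on each port (hence the "cannot attach own UDP responder" warning when something else owns a port). The script below does the TCP part of that from whichever side it is run on, binds responders the same way so an already-occupied port shows up as a bind error, and compares what the host's own name resolves to with the address it actually uses toward the peer. All hostnames and addresses in it are placeholders.

```python
"""Two-way port and DNS check for a FreeIPA master/replica pair.

Added example, not code from the thread or from FreeIPA. Mirrors the TCP part
of ipa-replica-conncheck: probe the peer's IPA ports, bind a responder on our
own ports, and check that our name resolves to the address the peer will hit.
Hostnames/addresses used here are illustrative.
"""
import socket
import sys

# TCP ports ipa-replica-conncheck probes (it also probes 88 and 464 over UDP).
IPA_TCP_PORTS = {
    389: "Directory Service: Unsecure port",
    636: "Directory Service: Secure port",
    88: "Kerberos KDC: TCP",
    464: "Kerberos Kpasswd: TCP",
    80: "HTTP Server: Unsecure port",
    443: "HTTP Server: Secure port",
}


def tcp_open(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unreachable, no route ...
        return False


def probe_peer(host, ports=IPA_TCP_PORTS, timeout=2.0):
    """Probe every port once; returns {port: reachable} like the conncheck table."""
    return {port: tcp_open(host, port, timeout) for port in ports}


def failed_ports(results):
    """Sorted list of ports that did not answer, for a 'Port check failed!' line."""
    return sorted(port for port, ok in results.items() if not ok)


def bind_responder(addr, port):
    """Bind a TCP listener on addr:port the way the conncheck attaches a responder.

    Raises OSError (EADDRINUSE) when another process already owns the port, which
    is the 'already bound to an application' case the installer warns about.
    The caller closes the returned socket.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((addr, port))
    srv.listen(5)
    return srv


def resolve(name):
    """Every address `name` resolves to from this host; empty set if it does not resolve."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def source_address_toward(peer_ip):
    """Local address this host would use to reach peer_ip (route lookup only, no packet sent)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect((peer_ip, 53))
        return s.getsockname()[0]
    finally:
        s.close()


def dns_mismatch(resolved, local_addrs):
    """Addresses a peer would connect to that this host does not actually own.

    Non-empty means the peer resolves our name to some other machine (stale A
    record, wrong /etc/hosts line), so every port 'fails' from its side even
    with no firewall in the path.
    """
    return set(resolved) - set(local_addrs)


if __name__ == "__main__":
    # Usage: python conncheck_lite.py <peer-fqdn>   (run once on each side)
    peer = sys.argv[1] if len(sys.argv) > 1 else "ipa1.example.com"   # placeholder
    results = probe_peer(peer)
    print("Check connection to '%s':" % peer)
    for port, ok in results.items():
        print("   %s (%d): %s" % (IPA_TCP_PORTS[port], port, "OK" if ok else "FAILED"))
    if failed_ports(results):
        print("Port check failed! Inaccessible port(s): %s"
              % ", ".join("%d (TCP)" % p for p in failed_ports(results)))
    peer_ips = resolve(peer)
    if peer_ips:
        own_name = socket.getfqdn()
        bad = dns_mismatch(resolve(own_name), {source_address_toward(sorted(peer_ips)[0])})
        if bad:
            print("%s resolves to %s, which is not the address this host uses toward %s"
                  % (own_name, ", ".join(sorted(bad)), peer))
```

Run it on the replica with the master's FQDN, then on the master with the replica's FQDN; the side that reports failures is the side the conncheck's "Check connection from master to remote replica" table describes. It covers TCP only, so the UDP 88/464 checks the real tool does are still needed, and a forward record that points at an address the host does not own is one common way to get "every port FAILED" from one side with no firewall in the path.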
URL: From john.1209 at yahoo.com Thu Apr 7 11:34:26 2016 From: john.1209 at yahoo.com (John Williams) Date: Thu, 7 Apr 2016 11:34:26 +0000 (UTC) Subject: [Freeipa-users] CentOS 7 replica installation failing In-Reply-To: <5706405E.3040101@redhat.com> References: <5706405E.3040101@redhat.com> Message-ID: <2016979772.832552.1460028866687.JavaMail.yahoo@mail.yahoo.com> From: Petr Vobornik To: John Williams ; "Freeipa-users at redhat.com" Sent: Thursday, April 7, 2016 7:11 AM Subject: Re: [Freeipa-users] CentOS 7 replica installation failing On 04/07/2016 06:12 AM, John Williams wrote: > I've setup an initial FreeIPA instance on a CentOS 7 host. The install went > without a hitch. I can login to the GUI with no problems. However, I am not > able to install the replica on another CentOS 7 host. I get the following errors: > > [root at ipa2 ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders > /var/lib/ipa/replica-info-ipa2.nrln.us.gpg --skip-conncheck It was run with '--skip-conncheck'. Is there a reason? If you remove it, what does it complain about? In general, using --skip-conncheck should be avoided because it may hide errors. You could also check master server /var/log/dirsrv/slapd-your-instance/access and errors logs if there is some connection attempt from the replica visible. And maybe /var/log/ipareplica-install.log contains more info.

I ran the skip connections, because when I ran it initially without the skip connections, I got the following messages:

The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application
and ipa-replica-conncheck cannot attach own UDP responder.

Remote master check failed with following error message(s):
Warning: Permanently added 'ipa1.nrln.us,192.168.1.38' (ECDSA) to the list of known hosts.
Could not chdir to home directory /home/admin: No such file or directory
Port check failed! Inaccessible port(s): 389 (TCP), 636 (TCP), 88 (TCP), 464 (TCP), 80 (TCP), 443 (TCP)

ipa.ipapython.install.cli.install_tool(Replica): ERROR    Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck parameter.

There is nothing blocking the connections, and the initial IPA server seems to be working fine. Here are some snippets from the log:

  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 525, in install_check
    options.setup_ca, config.ca_ds_port, options.admin_password)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 91, in replica_conn_check
    "\nIf the check results are not valid it can be skipped with --skip-conncheck parameter.")

2016-04-07T11:30:06Z DEBUG The ipa-replica-install command failed, exception: SystemExit: Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck parameter.
2016-04-07T11:30:06Z ERROR Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck parameter.

Here are some more logs:

[root at ipa2 ~]# tail -30 /var/log/ipareplica-conncheck.log
Could not chdir to home directory /home/admin: No such file or directory
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow at openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 1 clearing O_NONBLOCK
debug1: fd 2 clearing O_NONBLOCK
Transferred: sent 3032, received 2584 bytes, in 0.0 seconds
Bytes per second: sent 131062.5, received 111697.1
debug1: Exit status 0

2016-04-07T11:30:02Z DEBUG Starting external process
2016-04-07T11:30:02Z DEBUG args='/bin/ssh' '-o StrictHostKeychecking=no' '-o UserKnownHostsFile=/tmp/tmpCbCb50' 'admin at ipa1.nrln.us' '/usr/sbin/ipa-replica-conncheck --replica ipa2.nrln.us'
2016-04-07T11:30:05Z DEBUG Process finished, return code=1
2016-04-07T11:30:05Z DEBUG stdout=Check connection from master to remote replica 'ipa2.nrln.us':
   Directory Service: Unsecure port (389): FAILED
   Directory Service: Secure port (636): FAILED
   Kerberos KDC: TCP (88): FAILED
   Kerberos KDC: UDP (88): WARNING
   Kerberos Kpasswd: TCP (464): FAILED
   Kerberos Kpasswd: UDP (464): WARNING
   HTTP Server: Unsecure port (80): FAILED
   HTTP Server: Secure port (443): FAILED
The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application
and ipa-replica-conncheck cannot attach own UDP responder.

2016-04-07T11:30:05Z DEBUG stderr=Warning: Permanently added 'ipa1.nrln.us,192.168.1.38' (ECDSA) to the list of known hosts.
Could not chdir to home directory /home/admin: No such file or directory
Port check failed! Inaccessible port(s): 389 (TCP), 636 (TCP), 88 (TCP), 464 (TCP), 80 (TCP), 443 (TCP)

These two hosts are on the same subnet, no firewall or IPTables running. That's why the error message is confusing.

Any suggestions?

> WARNING: conflicting time&date synchronization service 'chronyd' will > be disabled in favor of ntpd > > Directory Manager (existing master) password: > > Existing BIND configuration detected, overwrite? [no]: yes > Using reverse zone(s) 1.168.192.in-addr.arpa. > Configuring NTP daemon (ntpd) > [1/4]: stopping ntpd > [2/4]: writing configuration > [3/4]: configuring ntpd to start on boot > [4/4]: starting ntpd > Done configuring NTP daemon (ntpd). > Configuring directory server (dirsrv). Estimated time: 1 minute > [1/38]: creating directory server user > [2/38]: creating directory server instance > [3/38]: adding default schema > [4/38]: enabling memberof plugin > [5/38]: enabling winsync plugin > [6/38]: configuring replication version plugin > [7/38]: enabling IPA enrollment plugin > [8/38]: enabling ldapi > [9/38]: configuring uniqueness plugin > [10/38]: configuring uuid plugin > [11/38]: configuring modrdn plugin > [12/38]: configuring DNS plugin > [13/38]: enabling entryUSN plugin > [14/38]: configuring lockout plugin > [15/38]: creating indices > [16/38]: enabling referential integrity plugin > [17/38]: configuring ssl for ds instance > [18/38]: configuring certmap.conf > [19/38]: configure autobind for root > [20/38]: configure new location for managed entries > [21/38]: configure dirsrv ccache > [22/38]: enable SASL mapping fallback > [23/38]: restarting directory server > [24/38]: setting up initial replication > Starting replication, please wait until this has completed. > > [ipa1.nrln.us] reports: Update failed! Status: [-1 - LDAP error: Can't contact > LDAP server] > > [error] RuntimeError: Failed to start replication > Your system may be partly configured. > Run /usr/sbin/ipa-server-install --uninstall to clean up. > > ipa.ipapython.install.cli.install_tool(Replica): ERROR Failed to start > replication > > > The error message is misleading. The two hosts sit on the same subnet. All > firewalls are off. Selinux is disabled. Here is an nmap port scan from the > replica to the master: > > > [root at ipa2 ~]# nmap ipa1 > > Starting Nmap 6.40 ( http://nmap.org ) at 2016-04-07 00:12 EDT > Nmap scan report for ipa1 (192.168.1.38) > Host is up (0.000086s latency). > rDNS record for 192.168.1.38: ipa1.nrln.us > Not shown: 990 closed ports > PORT STATE SERVICE > 22/tcp open ssh > 80/tcp open http > 88/tcp open kerberos-sec > 389/tcp open ldap > 443/tcp open https > 464/tcp open kpasswd5 > 636/tcp open ldapssl > 749/tcp open kerberos-adm > 8080/tcp open http-proxy > 8443/tcp open https-alt > MAC Address: 52:54:00:33:34:F0 (QEMU Virtual NIC) > > Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds > [root at ipa2 ~]# > > > Why do I get this message? > > TIA!! > > > -- Petr Vobornik -------------- next part -------------- An HTML attachment was scrubbed... URL: From pvoborni at redhat.com Thu Apr 7 12:01:08 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 7 Apr 2016 14:01:08 +0200 Subject: [Freeipa-users] CentOS 7 replica installation failing In-Reply-To: <2016979772.832552.1460028866687.JavaMail.yahoo@mail.yahoo.com> References: <5706405E.3040101@redhat.com> <2016979772.832552.1460028866687.JavaMail.yahoo@mail.yahoo.com> Message-ID: <57064C04.3070305@redhat.com> On 04/07/2016 01:34 PM, John Williams wrote: > > > -------------------------------------------------------------------------------- > *From:* Petr Vobornik > *To:* John Williams ; "Freeipa-users at redhat.com" > > *Sent:* Thursday, April 7, 2016 7:11 AM > *Subject:* Re: [Freeipa-users] CentOS 7 replica installation failing > > On 04/07/2016 06:12 AM, John Williams wrote: > > I've setup an initial FreeIPA instance on a CentOS 7 host. The install went > > without a hitch. I can login to the GUI with no problems. However, I am not > > able to install the replica on another CentOS 7 host.
I get the following > errors: > > > > [root at ipa2 ~]# ipa-replica-install --setup-ca --setup-dns > --no-forwarders > > /var/lib/ipa/replica-info-ipa2.nrln.us.gpg --skip-conncheck > > It was run with '--skip-conncheck'. Is there a reason? If you remove it, > what does it complain about? > > In general, using --skip-conncheck should be avoided because it may hide > errors. > > You could also check master server > /var/log/dirsrv/slapd-your-instance/access and errors logs if there is > some connection attempt from the replica visible. > > And maybe /var/log/ipareplica-install.log contains more info. > > I ran the skip connections, because when I ran it initially without the skip > connections, I got the following messages: > > The following UDP ports could not be verified as open: 88, 464 > This can happen if they are already bound to an application > and ipa-replica-conncheck cannot attach own UDP responder. > > Remote master check failed with following error message(s): > Warning: Permanently added 'ipa1.nrln.us,192.168.1.38' (ECDSA) to the list of > known hosts. > Could not chdir to home directory /home/admin: No such file or directory > Port check failed! Inaccessible port(s): 389 (TCP), 636 (TCP), 88 (TCP), 464 > (TCP), 80 (TCP), 443 (TCP) > > ipa.ipapython.install.cli.install_tool(Replica): ERROR Connection check failed! > Please fix your network settings according to error messages above. > If the check results are not valid it can be skipped with --skip-conncheck > parameter. > > There is nothing blocking the connections, and the initial IPA server seems to > be working fine. 
> > Here are some snippets from the log: > > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", > line 525, in install_check > options.setup_ca, config.ca_ds_port, options.admin_password) > File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", > line 91, in replica_conn_check > "\nIf the check results are not valid it can be skipped with > --skip-conncheck parameter.") > > 2016-04-07T11:30:06Z DEBUG The ipa-replica-install command failed, exception: > SystemExit: Connection check failed! > Please fix your network settings according to error messages above. > If the check results are not valid it can be skipped with --skip-conncheck > parameter. > 2016-04-07T11:30:06Z ERROR Connection check failed! > Please fix your network settings according to error messages above. > If the check results are not valid it can be skipped with --skip-conncheck > parameter. > > Here are some more logs: > > [root at ipa2 ~]# tail -30 /var/log/ipareplica-conncheck.log > Could not chdir to home directory /home/admin: No such file or directory > debug1: client_input_channel_req: channel 0 rtype exit-status reply 0 > debug1: client_input_channel_req: channel 0 rtype eow at openssh.com reply 0 > debug1: channel 0: free: client-session, nchannels 1 > debug1: fd 1 clearing O_NONBLOCK > debug1: fd 2 clearing O_NONBLOCK > Transferred: sent 3032, received 2584 bytes, in 0.0 seconds > Bytes per second: sent 131062.5, received 111697.1 > debug1: Exit status 0 > > 2016-04-07T11:30:02Z DEBUG Starting external process > 2016-04-07T11:30:02Z DEBUG args='/bin/ssh' '-o StrictHostKeychecking=no' '-o > UserKnownHostsFile=/tmp/tmpCbCb50' 'admin at ipa1.nrln.us' > '/usr/sbin/ipa-replica-conncheck --replica ipa2.nrln.us' > 2016-04-07T11:30:05Z DEBUG Process finished, return code=1 > 2016-04-07T11:30:05Z DEBUG stdout=Check connection from master to remote replica > 'ipa2.nrln.us': > Directory Service: Unsecure port (389): FAILED > Directory Service: 
Secure port (636): FAILED > Kerberos KDC: TCP (88): FAILED > Kerberos KDC: UDP (88): WARNING > Kerberos Kpasswd: TCP (464): FAILED > Kerberos Kpasswd: UDP (464): WARNING > HTTP Server: Unsecure port (80): FAILED > HTTP Server: Secure port (443): FAILED > The following UDP ports could not be verified as open: 88, 464 > This can happen if they are already bound to an application > and ipa-replica-conncheck cannot attach own UDP responder. > > 2016-04-07T11:30:05Z DEBUG stderr=Warning: Permanently added > 'ipa1.nrln.us,192.168.1.38' (ECDSA) to the list of known hosts. > Could not chdir to home directory /home/admin: No such file or directory > Port check failed! Inaccessible port(s): 389 (TCP), 636 (TCP), 88 (TCP), 464 > (TCP), 80 (TCP), 443 (TCP) > > These two hosts are on the same subnet, no firewall or IPTables running. > That's why the error message is confusing. > > Any suggestions? The error suggests that the master is not able to contact the replica on any port. Is DNS ok? What does `nmap ipa2.nrln.us` return? > > > WARNING: conflicting time&date synchronization service 'chronyd' will > > be disabled in favor of ntpd > > > > Directory Manager (existing master) password: > > > > Existing BIND configuration detected, overwrite? [no]: yes > > Using reverse zone(s) 1.168.192.in-addr.arpa. > > Configuring NTP daemon (ntpd) > > [1/4]: stopping ntpd > > [2/4]: writing configuration > > [3/4]: configuring ntpd to start on boot > > [4/4]: starting ntpd > > Done configuring NTP daemon (ntpd). > > Configuring directory server (dirsrv).
Estimated time: 1 minute > > [1/38]: creating directory server user > > [2/38]: creating directory server instance > > [3/38]: adding default schema > > [4/38]: enabling memberof plugin > > [5/38]: enabling winsync plugin > > [6/38]: configuring replication version plugin > > [7/38]: enabling IPA enrollment plugin > > [8/38]: enabling ldapi > > [9/38]: configuring uniqueness plugin > > [10/38]: configuring uuid plugin > > [11/38]: configuring modrdn plugin > > [12/38]: configuring DNS plugin > > [13/38]: enabling entryUSN plugin > > [14/38]: configuring lockout plugin > > [15/38]: creating indices > > [16/38]: enabling referential integrity plugin > > [17/38]: configuring ssl for ds instance > > [18/38]: configuring certmap.conf > > [19/38]: configure autobind for root > > [20/38]: configure new location for managed entries > > [21/38]: configure dirsrv ccache > > [22/38]: enable SASL mapping fallback > > [23/38]: restarting directory server > > [24/38]: setting up initial replication > > Starting replication, please wait until this has completed. > > > > [ipa1.nrln.us] reports: Update failed! Status: [-1 - LDAP error: Can't contact > > LDAP server] > > > > [error] RuntimeError: Failed to start replication > > Your system may be partly configured. > > Run /usr/sbin/ipa-server-install --uninstall to clean up. > > > > ipa.ipapython.install.cli.install_tool(Replica): ERROR Failed to start > > replication > > > > > > The error message is misleading. The two hosts sit on the same subnet. All > > firewalls are off. Selinux is disabled. Here is an nmap port scan from the > > replica to the master: > > > > > > [root at ipa2 ~]# nmap ipa1 > > > > Starting Nmap 6.40 ( http://nmap.org ) at 2016-04-07 00:12 EDT > > Nmap scan report for ipa1 (192.168.1.38) > > Host is up (0.000086s latency). 
> > rDNS record for 192.168.1.38: ipa1.nrln.us > > Not shown: 990 closed ports > > PORT STATE SERVICE > > 22/tcp open ssh > > 80/tcp open http > > 88/tcp open kerberos-sec > > 389/tcp open ldap > > 443/tcp open https > > 464/tcp open kpasswd5 > > 636/tcp open ldapssl > > 749/tcp open kerberos-adm > > 8080/tcp open http-proxy > > 8443/tcp open https-alt > > MAC Address: 52:54:00:33:34:F0 (QEMU Virtual NIC) > > > > Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds > > [root at ipa2 ~]# > > > > > > Why do I get this message? > > -- Petr Vobornik From pvoborni at redhat.com Thu Apr 7 14:55:40 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 7 Apr 2016 16:55:40 +0200 Subject: [Freeipa-users] 7.x replica install from 6.x master fails In-Reply-To: References: <56FA5C2F.3070200@redhat.com> Message-ID: <570674EC.1060204@redhat.com> Sorry for the late response. It looks like a bug https://bugzilla.redhat.com/show_bug.cgi?id=1291747 But it should be fixed in pki-core-9.0.3-45.el6_7 so I'm not sure. Anyway, java.io.IOException: 2 actually means authentication failure. The authentication problem might be caused by a missing subsystem user (bug #1225589) and there's already a tool to restore it. However, before running the script, please run this command on the master to verify the problem: $ pki-server ca-group-member-find "Subsystem Group" Ideally it should return a user ID "CA--9443" and the description attribute should contain the subsystem certificate in this format ";;;". If that's not the case, please run this tool to restore the subsystem user: $ python /usr/share/pki/scripts/restore-subsystem-user.py Then run this command again to verify the fix: $ pki-server ca-group-member-find "Subsystem Group" If everything works well, please try installing the replica again. Also verify that all certificates in `getcert list` output are not expired. 
On 03/31/2016 09:07 PM, Ott, Dennis wrote: > Petr, > > Original 6.x master installed at: > > ipa-server-2.1.3-9 > > pki-ca-9.0.3-20 > > > At the time the migration was attempted, the 6.x master had been updated to: > > ipa-server-3.0.0-47 > > pki-ca-9.0.3-45 > > > The 7.x replica install has been attempted using a variety of versions. The log excerpts at the beginning of this email were from an installation attempt using: > > ipa-server-4.2.0-15.0.1 > > pki-ca-10.2.5-6 > > > It's a standard CA installation. This line is from /var/log/ipaserverinstall.log showing selfsign as False: > > 2013-09-04T18:41:20Z DEBUG /usr/sbin/ipa-server-install was invoked with options: {'zone_refresh': 0, 'reverse_zone': None, 'realm_name': None, 'create_sshfp': True, 'conf_sshd': False, 'conf_ntp': False, 'subject': None, 'no_forwarders': False, 'persistent_search': True, 'ui_redirect': True, 'domain_name': None, 'idmax': 0, 'hbac_allow': True, 'no_reverse': False, 'dirsrv_pkcs12': None, 'unattended': False, 'selfsign': False, 'trust_sshfp': False, 'external_ca_file': None, 'no_host_dns': False, 'http_pkcs12': None, 'zone_notif': False, 'forwarders': None, 'idstart': 900000000, 'external_ca': False, 'ip_address': None, 'conf_ssh': False, 'serial_autoincrement': True, 'zonemgr': None, 'setup_dns': False, 'host_name': None, 'debug': False, 'external_cert_file': None, 'uninstall': False} > 2013-09-04T18:41:20Z DEBUG missing options might be asked for interactively later > > > -----Original Message----- > From: Petr Vobornik [mailto:pvoborni at redhat.com] > Sent: Tuesday, March 29, 2016 6:43 AM > To: Ott, Dennis; Freeipa-users at redhat.com > Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails > > On 03/24/2016 04:29 PM, Ott, Dennis wrote: >> I am trying to migrate from OS 6.x / IPA 3.0 to OS 7.x / IPA 4.x. >> After working through and solving a few issues, my current efforts >> fail when setting up the replica CA. 
>> >> If I set up a new, pristine master on OS 6.7, I am able to create an >> OS 7.x replica without any problem. However, if I try to create a >> replica from my two year old test lab instance (production will be >> another matter for the future) it fails. The test lab master was >> created a couple of years ago on OS 6.3 / IPA 2.x and has been >> upgraded to the latest versions in the 6.x chain. It is old enough to >> have had all the certificates renewed, but I believe I have worked through all the issues related to that. >> >> Below is what I believe are the useful portions of the pertinent logs. >> I've not been able to find anything online that speaks to the errors I >> am seeing. >> >> Thanks for your help. > > Hello Dennis, > > what are the exact versions of pki-ca and ipa-server on the 6.x master and 7.x replica? > > What kind of CA installation does the old 6.x master install have? Is it a standard installation with CA or does it also use an external CA? > > I assume it is not self-sign (very old unsupported type, which could be converted in 7.x as CA-less). > >> >> /var/log/ipareplica-install.log >> >> 2016-03-23T21:55:11Z DEBUG Configuring certificate server (pki-tomcatd).
>> Estimated time: 3 minutes 30 seconds >> >> 2016-03-23T21:55:11Z DEBUG [1/23]: creating certificate server user >> >> 2016-03-23T21:55:11Z DEBUG group pkiuser exists >> >> 2016-03-23T21:55:11Z DEBUG user pkiuser exists >> >> 2016-03-23T21:55:11Z DEBUG duration: 0 seconds >> >> 2016-03-23T21:55:11Z DEBUG [2/23]: configuring certificate server instance >> >> 2016-03-23T21:55:11Z DEBUG Loading StateFile from >> '/var/lib/ipa/sysrestore/sysrestore.state' >> >> 2016-03-23T21:55:11Z DEBUG Saving StateFile to >> '/var/lib/ipa/sysrestore/sysrestore.state' >> >> 2016-03-23T21:55:11Z DEBUG Contents of pkispawn configuration file (/tmp/tmpGQ59ZC): >> >> [CA] >> >> pki_security_domain_name = IPA >> >> pki_enable_proxy = True >> >> pki_restart_configured_instance = False >> >> pki_backup_keys = True >> >> pki_backup_password = XXXXXXXX >> >> pki_profiles_in_ldap = True >> >> pki_client_database_dir = /tmp/tmp-g0CKZ3 >> >> pki_client_database_password = XXXXXXXX >> >> pki_client_database_purge = False >> >> pki_client_pkcs12_password = XXXXXXXX >> >> pki_admin_name = admin >> >> pki_admin_uid = admin >> >> pki_admin_email = root at localhost >> >> pki_admin_password = XXXXXXXX >> >> pki_admin_nickname = ipa-ca-agent >> >> pki_admin_subject_dn = cn=ipa-ca-agent,O=EXAMPLE.COM >> >> pki_client_admin_cert_p12 = /root/ca-agent.p12 >> >> pki_ds_ldap_port = 389 >> >> pki_ds_password = XXXXXXXX >> >> pki_ds_base_dn = o=ipaca >> >> pki_ds_database = ipaca >> >> pki_subsystem_subject_dn = cn=CA Subsystem,O=EXAMPLE.COM >> >> pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=EXAMPLE.COM >> >> pki_ssl_server_subject_dn = cn=pt-idm-vm01.example.com,O=EXAMPLE.COM >> >> pki_audit_signing_subject_dn = cn=CA Audit,O=EXAMPLE.COM >> >> pki_ca_signing_subject_dn = cn=Certificate Authority,O=EXAMPLE.COM >> >> pki_subsystem_nickname = subsystemCert cert-pki-ca >> >> pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca >> >> pki_ssl_server_nickname = Server-Cert cert-pki-ca >> >> 
pki_audit_signing_nickname = auditSigningCert cert-pki-ca >> >> pki_ca_signing_nickname = caSigningCert cert-pki-ca >> >> pki_ca_signing_key_algorithm = SHA256withRSA >> >> pki_security_domain_hostname = ptipa1.example.com >> >> pki_security_domain_https_port = 443 >> >> pki_security_domain_user = admin >> >> pki_security_domain_password = XXXXXXXX >> >> pki_clone = True >> >> pki_clone_pkcs12_path = /tmp/ca.p12 >> >> pki_clone_pkcs12_password = XXXXXXXX >> >> pki_clone_replication_security = TLS >> >> pki_clone_replication_master_port = 7389 >> >> pki_clone_replication_clone_port = 389 >> >> pki_clone_replicate_schema = False >> >> pki_clone_uri = >> http://cp.mcafee.com/d/k-Kr6zqb3VEVjouhuodCQkkQnCkTTQjqaaqbParza9ISrdG >> Sa_iBosKrKVXMGgog82KA1N1BeTyH93t5m7hOoHH3b8GOxvQd8e89K8CPpISr9PCJhbcmD >> 9rkuYf21_YLxIbve9Ew3di5oMAld41EYmcR8lz2gazW1fpYKqfzqaabyr1I5-Aq83iSbN_ >> VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJ >> USyrh >> >> 2016-03-23T21:55:11Z DEBUG Starting external process >> >> 2016-03-23T21:55:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC' >> >> 2016-03-23T21:56:51Z DEBUG Process finished, return code=1 >> >> 2016-03-23T21:56:51Z DEBUG stdout=Log file: >> /var/log/pki/pki-ca-spawn.20160323175511.log >> >> Loading deployment configuration from /tmp/tmpGQ59ZC. >> >> Installing CA into /var/lib/pki/pki-tomcat. >> >> Storing deployment configuration into >> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg. >> >> Installation failed. >> >> 2016-03-23T21:56:51Z DEBUG >> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: >> InsecureRequestWarning: Unverified HTTPS request is being made. Adding >> certificate verification is strongly advised. 
See: >> http://cp.mcafee.com/d/5fHCNAi6hESyM-qekS7AnC3pJ55d5VBdZZ4SyyCyYOCUOyr >> dCPqJyLQFm7bCXKuYaA6420HF0sgpjJUGOgThlxQsCaWMOOaIEnZ3i3y2ry9ISrdCOsVHk >> iP6UDDO8cZ7ZgCjZ2JGs01PUovI_FfavpKcFBK1NIbve9Ew3di5oMAld41EYmcR8lz2gaz >> W1fpYKqfzqaabyr1I5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0 >> VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh >> >> InsecureRequestWarning) >> >> pkispawn : WARNING ....... unable to validate security domain user/password >> through REST interface. Interface not available >> >> pkispawn : ERROR ....... Exception from Java Configuration Servlet: 500 >> Server Error: Internal Server Error >> >> pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line >> 1, column 0: >> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base. >> PKIException","Code":500,"Message":"Error >> while updating security domain: java.io.IOException: 2"} >> >> 2016-03-23T21:56:51Z CRITICAL Failed to configure CA instance: Command >> ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC'' returned >> non-zero exit status 1 >> >> 2016-03-23T21:56:51Z CRITICAL See the installation logs and the >> following files/directories for more information: >> >> 2016-03-23T21:56:51Z CRITICAL /var/log/pki-ca-install.log >> >> 2016-03-23T21:56:51Z CRITICAL /var/log/pki/pki-tomcat >> >> 2016-03-23T21:56:51Z DEBUG Traceback (most recent call last): >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line >> 418, in start_creation >> >> run_step(full_msg, method) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line >> 408, in run_step >> >> method() >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >> line 620, in __spawn_instance >> >> DogtagInstance.spawn_instance(self, cfg_file) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py" >> , >> line 201, in spawn_instance >> >> self.handle_setup_error(e) >> >> File >> 
"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py" >> , >> line 465, in handle_setup_error >> >> raise RuntimeError("%s configuration failed." % self.subsystem) >> >> RuntimeError: CA configuration failed. >> >> 2016-03-23T21:56:51Z DEBUG [error] RuntimeError: CA configuration failed. >> >> 2016-03-23T21:56:51Z DEBUG File >> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, >> in execute >> >> return_value = self.run() >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", >> line 311, in run >> >> cfgr.run() >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 281, in run >> >> self.execute() >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 303, in execute >> >> for nothing in self._executor(): >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 343, in __runner >> >> self._handle_exception(exc_info) >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 365, in _handle_exception >> >> util.raise_exc_info(exc_info) >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 333, in __runner >> >> step() >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >> line 87, in run_generator_with_yield_from >> >> raise_exc_info(exc_info) >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >> line 65, in run_generator_with_yield_from >> >> value = gen.send(prev_value) >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 524, in _configure >> >> executor.next() >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 343, in __runner >> >> self._handle_exception(exc_info) >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 421, in _handle_exception >> >> self.__parent._handle_exception(exc_info) >> >> File 
"/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 365, in _handle_exception >> >> util.raise_exc_info(exc_info) >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 418, in _handle_exception >> >> super(ComponentBase, self)._handle_exception(exc_info) >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 365, in _handle_exception >> >> util.raise_exc_info(exc_info) >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 333, in __runner >> >> step() >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >> line 87, in run_generator_with_yield_from >> >> raise_exc_info(exc_info) >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >> line 65, in run_generator_with_yield_from >> >> value = gen.send(prev_value) >> >> File >> "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line >> 63, in _install >> >> for nothing in self._installer(self.parent): >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainst >> all.py", >> line 879, in main >> >> install(self) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainst >> all.py", >> line 295, in decorated >> >> func(installer) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainst >> all.py", >> line 584, in install >> >> ca.install(False, config, options) >> >> File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", >> line 106, in install >> >> install_step_0(standalone, replica_config, options) >> >> File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", >> line 130, in >> install_step_0 >> >> ra_p12=getattr(options, 'ra_p12', None)) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >> line 1543, in install_replica_ca >> >> subject_base=config.subject_base) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", 
>> line 486, in configure_instance >> >> self.start_creation(runtime=210) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line >> 418, in start_creation >> >> run_step(full_msg, method) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line >> 408, in run_step >> >> method() >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >> line 620, in __spawn_instance >> >> DogtagInstance.spawn_instance(self, cfg_file) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py" >> , >> line 201, in spawn_instance >> >> self.handle_setup_error(e) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py" >> , >> line 465, in handle_setup_error >> >> raise RuntimeError("%s configuration failed." % self.subsystem) >> >> 2016-03-23T21:56:51Z DEBUG The ipa-replica-install command failed, exception: >> RuntimeError: CA configuration failed. >> >> 2016-03-23T21:56:51Z ERROR CA configuration failed. >> >> /var/log/pki/pki-ca-spawn..log >> >> 2016-03-23 17:55:12 pkispawn : INFO ....... rm -f >> /etc/pki/pki-tomcat/ca/noise >> >> 2016-03-23 17:55:12 pkispawn : INFO ....... rm -f /etc/pki/pki-tomcat/pfile >> >> 2016-03-23 17:55:12 pkispawn : INFO ....... ln -s >> /lib/systemd/system/pki-tomcatd at .service >> /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd at pki-tomcat.se >> rvice >> >> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown -h 17:17 >> /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd at pki-tomcat.se >> rvice >> >> 2016-03-23 17:55:12 pkispawn : INFO ... configuring >> 'pki.server.deployment.scriptlets.configuration' >> >> 2016-03-23 17:55:12 pkispawn : INFO ....... mkdir -p >> /root/.dogtag/pki-tomcat/ca >> >> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 755 >> /root/.dogtag/pki-tomcat/ca >> >> 2016-03-23 17:55:12 pkispawn : DEBUG ........... 
chown 0:0 >> /root/.dogtag/pki-tomcat/ca >> >> 2016-03-23 17:55:12 pkispawn : INFO ....... generating >> '/root/.dogtag/pki-tomcat/ca/password.conf' >> >> 2016-03-23 17:55:12 pkispawn : INFO ....... modifying >> '/root/.dogtag/pki-tomcat/ca/password.conf' >> >> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 660 >> /root/.dogtag/pki-tomcat/ca/password.conf >> >> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 0:0 >> /root/.dogtag/pki-tomcat/ca/password.conf >> >> 2016-03-23 17:55:12 pkispawn : INFO ....... generating >> '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf' >> >> 2016-03-23 17:55:12 pkispawn : INFO ....... modifying >> '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf' >> >> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 660 >> /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf >> >> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 17:17 >> /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf >> >> 2016-03-23 17:55:12 pkispawn : INFO ....... executing 'certutil -N -d >> /tmp/tmp-g0CKZ3 -f /root/.dogtag/pki-tomcat/ca/password.conf' >> >> 2016-03-23 17:55:12 pkispawn : INFO ....... executing 'systemctl >> daemon-reload' >> >> 2016-03-23 17:55:12 pkispawn : INFO ....... executing 'systemctl start >> pki-tomcatd at pki-tomcat.service' >> >> 2016-03-23 17:55:12 pkispawn : DEBUG ........... No connection - server >> may still be down >> >> 2016-03-23 17:55:12 pkispawn : DEBUG ........... No connection - exception >> thrown: ('Connection aborted.', error(111, 'Connection refused')) >> >> 2016-03-23 17:55:13 pkispawn : DEBUG ........... No connection - server >> may still be down >> >> 2016-03-23 17:55:13 pkispawn : DEBUG ........... No connection - exception >> thrown: ('Connection aborted.', error(111, 'Connection refused')) >> >> 2016-03-23 17:55:24 pkispawn : DEBUG ........... > encoding="UTF-8" >> standalone="no"?>0CAr >> unning10.2.5-6.el7 >> >> 2016-03-23 17:55:25 pkispawn : INFO ....... constructing PKI >> configuration data. 
>> >> 2016-03-23 17:55:25 pkispawn : INFO ....... configuring PKI configuration >> data. >> >> 2016-03-23 17:56:51 pkispawn : ERROR ....... Exception from Java >> Configuration Servlet: 500 Server Error: Internal Server Error >> >> 2016-03-23 17:56:51 pkispawn : ERROR ....... ParseError: not well-formed >> (invalid token): line 1, column 0: >> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base. >> PKIException","Code":500,"Message":"Error >> while updating security domain: java.io.IOException: 2"} >> >> 2016-03-23 17:56:51 pkispawn : DEBUG ....... Error Type: ParseError >> >> 2016-03-23 17:56:51 pkispawn : DEBUG ....... Error Message: not >> well-formed (invalid token): line 1, column 0 >> >> 2016-03-23 17:56:51 pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", >> line 597, in main >> >> rv = instance.spawn(deployer) >> >> File >> "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/con >> figuration.py", >> line 116, in spawn >> >> json.dumps(data, cls=pki.encoder.CustomTypeEncoder)) >> >> File >> "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", >> line 3906, in configure_pki_data >> >> root = ET.fromstring(e.response.text) >> >> File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, >> in XML >> >> parser.feed(text) >> >> File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, >> in feed >> >> self._raiseerror(v) >> >> File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, >> in _raiseerror >> >> raise err >> >> /var/log/pki/pki-tomcat/ca/debug >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password >> ok: store in memory cache >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before >> makeConnection errorIfDown is false >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: >> errorIfDown false >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP 
>> connection using basic authentication to host pt-idm-vm01.example.com >> port 389 as cn=Directory Manager >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with >> mininum 3 and maximum 15 connections to host pt-idm-vm01.example.com >> port 389, secure connection, false, authentication type 1 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum >> connections by 3 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available >> connections 3 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of >> connections 3 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In >> LdapBoundConnFactory::getConn() >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: >> true >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is >> connected true >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now 2 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS: >> param=preop.internaldb.manager_ldif >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file >> = /usr/share/pki/server/conf/manager.ldif >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file >> copy to /var/lib/pki/pki-tomcat/ca/conf/manager.ldif >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): LDAP >> Errors in importing /var/lib/pki/pki-tomcat/ca/conf/manager.ldif >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: >> exception in adding entry >> ou=csusers,cn=config:netscape.ldap.LDAPException: error result (68) >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: >> exception in modifying entry o=ipaca:netscape.ldap.LDAPException: >> error result (20) >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: populateVLVIndexes(): >> start >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Creating >> LdapBoundConnFactor(ConfigurationUtils) >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: 
LdapBoundConnFactory: >> init >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: >> LdapBoundConnFactory:doCloning true >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init() >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init >> begins >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: >> prompt is internaldb >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: try >> getting from memory cache >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: got >> password from memory >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: >> password found for prompt. >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password >> ok: store in memory cache >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before >> makeConnection errorIfDown is false >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: >> errorIfDown false >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP >> connection using basic authentication to host pt-idm-vm01.example.com >> port 389 as cn=Directory Manager >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with >> mininum 3 and maximum 15 connections to host pt-idm-vm01.example.com >> port 389, secure connection, false, authentication type 1 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum >> connections by 3 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available >> connections 3 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of >> connections 3 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In >> LdapBoundConnFactory::getConn() >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: >> true >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is >> connected true >> >> 
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now 2 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS: >> param=preop.internaldb.post_ldif >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file >> = /usr/share/pki/ca/conf/vlv.ldif >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file >> copy to /var/lib/pki/pki-tomcat/ca/conf/vlv.ldif >> >> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif file >> = /usr/share/pki/ca/conf/vlvtasks.ldif >> >> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif file >> copy to /var/lib/pki/pki-tomcat/ca/conf/vlvtasks.ldif >> >> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: Checking wait_dn >> cn=index1160589769, cn=index, cn=tasks, cn=config >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: Found data for 'sslserver' >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: >> SystemConfigService:processCerts(): san_server_cert not found for tag >> sslserver >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is >> local >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is >> remote (revised) >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: >> updateConfig() for certTag sslserver >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: updateConfig() done >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: remote CA >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got >> public key >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got >> private key >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: For this >> Cloned CA, always use its Master CA to generate the 'sslserver' >> certificate to avoid any changes which may have been made to the X500Name directory string encoding order. 
>> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: ConfigurationUtils: >> injectSAN=false >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertUtil >> createRemoteCert: content >> requestor_name=CA-pt-idm-vm01.example.com-8443&profileId=caInternalAut >> hServerCert&cert_request_type=pkcs10&cert_request=MIICmzCCAYxxxxxxxxxx >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxrD6JPIBR7AA%3D&xmlOutput=true&s >> essionID=-4495713718673639316 >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil >> createRemoteCert: status=0 >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil createRemoteCert: >> MIIDxTCCAq2gxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxTDuSAWm2v7 >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: ConfigurationUtils: >> handleCertRequest() begins >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: >> tag=sslserver >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: >> privKeyID=29c021f3ccfafb1049bd33ce00e9b4ba35f2c1e7 >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: >> created cert request >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processing 'sslserver' certificate: >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): for cert >> tag 'sslserver' using cert type 'remote' 
>> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): process >> remote...import cert >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: >> nickname=Server-Cert cert-pki-ca >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: cert deleted >> successfully >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): >> certchains length=2 >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): import >> certificate successfully, certTag=sslserver >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processed 'sslserver' certificate. >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === BackupKeyCert >> Panel/SavePKCS12 Panel === >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: backupKeys(): start >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Admin Panel === >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Done Panel === >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Updating existing >> security domain >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: isSDHostDomainMaster(): >> Getting domain.xml from CA... >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: getDomainXML start >> >> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: status=0 >> >> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: >> domainInfo=> standalone="no"?>IPAptipa1. >> example.com443443> cureAgentPort>443> hPort>44380> e>FALSEpki-cadTR >> UE1> PList>0> Count>00> Count>0> PSList>0 >> >> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Cloning a domain master >> >> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase >> updateDomainXML start hostname=ptipa1.example.com port=443 >> >> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: >> failed to update security domain using admin port 443: >> org.xml.sax.SAXParseException; >> lineNumber: 1; columnNumber: 50; White spaces are required between >> publicId and systemId. 
>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: now trying agent port with client auth
>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ptipa1.example.com port=443
>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateDomainXML() nickname=subsystemCert cert-pki-ca
>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML: status=1
>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Error while updating security domain: java.io.IOException: 2
>> [23/Mar/2016:23:44:52][http-bio-8080-exec-1]: according to ccMode, authorization for servlet: caProfileList is LDAP based, not XML {1}, use default authz mgr: {2}.
>>
>> /var/log/pki/pki-tomcat/ca/system
>>
>> 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
>> 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
>>
>> *Dennis M Ott*
>> Infrastructure Administrator
>> Infrastructure and Security Operations
>>
>> *McKesson Corporation
>> McKesson Pharmacy Systems and Automation* www.mckesson.com
>>
> --
> Petr Vobornik
>
-- 
Petr Vobornik

From Dennis.Ott at mckesson.com Thu Apr 7 21:38:49 2016
From: Dennis.Ott at mckesson.com (Ott, Dennis)
Date: Thu, 7 Apr 2016 21:38:49 +0000
Subject: [Freeipa-users] 7.x replica install from 6.x master fails
In-Reply-To: <570674EC.1060204@redhat.com>
References: <56FA5C2F.3070200@redhat.com> <570674EC.1060204@redhat.com>
Message-ID:

It doesn't look like that is my problem.
The output of pki-server ca-group-member-find "Subsystem Group" gives:

  User ID: CA-ptipa1.example.com-9443
  Common Name: CA-ptipa1.example.com-9443
  Surname: CA-ptipa1.example.com-9443
  Type: agentType
  Description: 2;4;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM
  E-mail:

All the certs seem valid:

# getcert list | grep expires
        expires: 2017-07-18 00:55:14 UTC
        expires: 2017-07-18 00:54:14 UTC
        expires: 2017-07-18 00:54:14 UTC
        expires: 2017-07-18 00:54:14 UTC
        expires: 2017-07-18 00:54:14 UTC
        expires: 2017-08-09 00:54:19 UTC
        expires: 2017-08-09 00:54:19 UTC
        expires: 2017-08-09 00:54:21 UTC
#

I was wondering if I might be hitting this:

https://fedorahosted.org/freeipa/ticket/5129
https://fedorahosted.org/pki/ticket/1495

It says it is fixed in pki 10.2.6. 10.2.6 has been released for Fedora (many months ago), but is not yet available for enterprise.

Dennis

-----Original Message-----
From: Petr Vobornik [mailto:pvoborni at redhat.com]
Sent: Thursday, April 07, 2016 10:56 AM
To: Ott, Dennis; Freeipa-users at redhat.com
Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails

Sorry for the late response.

It looks like a bug http://cp.mcafee.com/d/1jWVIe4xAe3zqb3BXInd7b1EVdCQkkQnCkTTQjqaaqbParza9ISrdGSa_iBosKr7eLqaEF-waI47nQ7LQl8m7f2H3ab0Ggvhv5mtKqek4Q4hPEVwSrdCPpesRG9px1IyaiffTE-wjSvbVgDkMaA6Of08iAwsyCqekhP0US5LD4Qg1CF2IoiaCy0Qub6qAaNx85hZ0DI-nd7NJ5CZNPxI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh

But it should be fixed in pki-core-9.0.3-45.el6_7 so I'm not sure.

Anyway, java.io.IOException: 2 actually means authentication failure. The authentication problem might be caused by a missing subsystem user (bug #1225589) and there's already a tool to restore it.
However, before running the script, please run this command on the master to verify the problem:

$ pki-server ca-group-member-find "Subsystem Group"

Ideally it should return a user ID "CA--9443" and the description attribute should contain the subsystem certificate in this format ";;;".

If that's not the case, please run this tool to restore the subsystem user:

$ python /usr/share/pki/scripts/restore-subsystem-user.py

Then run this command again to verify the fix:

$ pki-server ca-group-member-find "Subsystem Group"

If everything works well, please try installing the replica again.

Also verify that all certificates in `getcert list` output are not expired.

On 03/31/2016 09:07 PM, Ott, Dennis wrote:
> Petr,
>
> Original 6.x master installed at:
>
> ipa-server-2.1.3-9
> pki-ca-9.0.3-20
>
> At the time the migration was attempted, the 6.x master had been updated to:
>
> ipa-server-3.0.0-47
> pki-ca-9.0.3-45
>
> The 7.x replica install has been attempted using a variety of versions. The log excerpts at the beginning of this email were from an installation attempt using:
>
> ipa-server-4.2.0-15.0.1
> pki-ca-10.2.5-6
>
> It's a standard CA installation.
> This line is from /var/log/ipaserverinstall.log showing selfsign as False:
>
> 2013-09-04T18:41:20Z DEBUG /usr/sbin/ipa-server-install was invoked
> with options: {'zone_refresh': 0, 'reverse_zone': None, 'realm_name':
> None, 'create_sshfp': True, 'conf_sshd': False, 'conf_ntp': False,
> 'subject': None, 'no_forwarders': False, 'persistent_search': True,
> 'ui_redirect': True, 'domain_name': None, 'idmax': 0, 'hbac_allow':
> True, 'no_reverse': False, 'dirsrv_pkcs12': None, 'unattended': False,
> 'selfsign': False, 'trust_sshfp': False, 'external_ca_file': None,
> 'no_host_dns': False, 'http_pkcs12': None, 'zone_notif': False,
> 'forwarders': None, 'idstart': 900000000, 'external_ca': False,
> 'ip_address': None, 'conf_ssh': False, 'serial_autoincrement': True,
> 'zonemgr': None, 'setup_dns': False, 'host_name': None, 'debug':
> False, 'external_cert_file': None, 'uninstall': False}
> 2013-09-04T18:41:20Z DEBUG missing options might be asked for
> interactively later
>
> -----Original Message-----
> From: Petr Vobornik [mailto:pvoborni at redhat.com]
> Sent: Tuesday, March 29, 2016 6:43 AM
> To: Ott, Dennis; Freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
>
> On 03/24/2016 04:29 PM, Ott, Dennis wrote:
>> I am trying to migrate from OS 6.x / IPA 3.0 to OS 7.x / IPA 4.x.
>> After working through and solving a few issues, my current efforts
>> fail when setting up the replica CA.
>>
>> If I set up a new, pristine master on OS 6.7, I am able to create an
>> OS 7.x replica without any problem. However, if I try to create a
>> replica from my two year old test lab instance (production will be
>> another matter for the future) it fails. The test lab master was
>> created a couple of years ago on OS 6.3 / IPA 2.x and has been
>> upgraded to the latest versions in the 6.x chain. It is old enough to
>> have had all the certificates renewed, but I believe I have worked
>> through all the issues related to that.
>> Below is what I believe are the useful portions of the pertinent logs.
>> I've not been able to find anything online that speaks to the errors
>> I am seeing.
>>
>> Thanks for your help.
>
> Hello Dennis,
>
> what are the exact versions of pki-ca and ipa-server on the 6.x master and 7.x replica?
>
> What kind of CA installation does the old 6.x master install have? Is it a standard installation with CA or does it also use an external CA?
>
> I assume it is not self-sign (very old unsupported type, which could be converted in 7.x as CA-less).
>
>> /var/log/ipareplica-install.log
>>
>> 2016-03-23T21:55:11Z DEBUG Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
>> 2016-03-23T21:55:11Z DEBUG [1/23]: creating certificate server user
>> 2016-03-23T21:55:11Z DEBUG group pkiuser exists
>> 2016-03-23T21:55:11Z DEBUG user pkiuser exists
>> 2016-03-23T21:55:11Z DEBUG duration: 0 seconds
>> 2016-03-23T21:55:11Z DEBUG [2/23]: configuring certificate server instance
>> 2016-03-23T21:55:11Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
>> 2016-03-23T21:55:11Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
>> 2016-03-23T21:55:11Z DEBUG Contents of pkispawn configuration file (/tmp/tmpGQ59ZC):
>>
>> [CA]
>> pki_security_domain_name = IPA
>> pki_enable_proxy = True
>> pki_restart_configured_instance = False
>> pki_backup_keys = True
>> pki_backup_password = XXXXXXXX
>> pki_profiles_in_ldap = True
>> pki_client_database_dir = /tmp/tmp-g0CKZ3
>> pki_client_database_password = XXXXXXXX
>> pki_client_database_purge = False
>> pki_client_pkcs12_password = XXXXXXXX
>> pki_admin_name = admin
>> pki_admin_uid = admin
>> pki_admin_email = root at localhost
>> pki_admin_password = XXXXXXXX
>> pki_admin_nickname = ipa-ca-agent
>> pki_admin_subject_dn = cn=ipa-ca-agent,O=EXAMPLE.COM
>> pki_client_admin_cert_p12 = /root/ca-agent.p12
>> >> pki_ds_ldap_port = 389 >> >> pki_ds_password = XXXXXXXX >> >> pki_ds_base_dn = o=ipaca >> >> pki_ds_database = ipaca >> >> pki_subsystem_subject_dn = cn=CA Subsystem,O=EXAMPLE.COM >> >> pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=EXAMPLE.COM >> >> pki_ssl_server_subject_dn = cn=pt-idm-vm01.example.com,O=EXAMPLE.COM >> >> pki_audit_signing_subject_dn = cn=CA Audit,O=EXAMPLE.COM >> >> pki_ca_signing_subject_dn = cn=Certificate Authority,O=EXAMPLE.COM >> >> pki_subsystem_nickname = subsystemCert cert-pki-ca >> >> pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca >> >> pki_ssl_server_nickname = Server-Cert cert-pki-ca >> >> pki_audit_signing_nickname = auditSigningCert cert-pki-ca >> >> pki_ca_signing_nickname = caSigningCert cert-pki-ca >> >> pki_ca_signing_key_algorithm = SHA256withRSA >> >> pki_security_domain_hostname = ptipa1.example.com >> >> pki_security_domain_https_port = 443 >> >> pki_security_domain_user = admin >> >> pki_security_domain_password = XXXXXXXX >> >> pki_clone = True >> >> pki_clone_pkcs12_path = /tmp/ca.p12 >> >> pki_clone_pkcs12_password = XXXXXXXX >> >> pki_clone_replication_security = TLS >> >> pki_clone_replication_master_port = 7389 >> >> pki_clone_replication_clone_port = 389 >> >> pki_clone_replicate_schema = False >> >> pki_clone_uri = >> http://cp.mcafee.com/d/k-Kr6zqb3VEVjouhuodCQkkQnCkTTQjqaaqbParza9ISrd >> G >> Sa_iBosKrKVXMGgog82KA1N1BeTyH93t5m7hOoHH3b8GOxvQd8e89K8CPpISr9PCJhbcm >> D >> 9rkuYf21_YLxIbve9Ew3di5oMAld41EYmcR8lz2gazW1fpYKqfzqaabyr1I5-Aq83iSbN >> _ >> VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKV >> J >> USyrh >> >> 2016-03-23T21:55:11Z DEBUG Starting external process >> >> 2016-03-23T21:55:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC' >> >> 2016-03-23T21:56:51Z DEBUG Process finished, return code=1 >> >> 2016-03-23T21:56:51Z DEBUG stdout=Log file: >> /var/log/pki/pki-ca-spawn.20160323175511.log >> >> Loading deployment configuration from /tmp/tmpGQ59ZC. 
>> >> Installing CA into /var/lib/pki/pki-tomcat. >> >> Storing deployment configuration into >> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg. >> >> Installation failed. >> >> 2016-03-23T21:56:51Z DEBUG >> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: >> InsecureRequestWarning: Unverified HTTPS request is being made. >> Adding certificate verification is strongly advised. See: >> http://cp.mcafee.com/d/5fHCNAi6hESyM-qekS7AnC3pJ55d5VBdZZ4SyyCyYOCUOy >> r >> dCPqJyLQFm7bCXKuYaA6420HF0sgpjJUGOgThlxQsCaWMOOaIEnZ3i3y2ry9ISrdCOsVH >> k >> iP6UDDO8cZ7ZgCjZ2JGs01PUovI_FfavpKcFBK1NIbve9Ew3di5oMAld41EYmcR8lz2ga >> z >> W1fpYKqfzqaabyr1I5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh >> 0 >> VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh >> >> InsecureRequestWarning) >> >> pkispawn : WARNING ....... unable to validate security domain user/password >> through REST interface. Interface not available >> >> pkispawn : ERROR ....... Exception from Java Configuration Servlet: 500 >> Server Error: Internal Server Error >> >> pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line >> 1, column 0: >> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base. 
>> PKIException","Code":500,"Message":"Error >> while updating security domain: java.io.IOException: 2"} >> >> 2016-03-23T21:56:51Z CRITICAL Failed to configure CA instance: >> Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC'' >> returned non-zero exit status 1 >> >> 2016-03-23T21:56:51Z CRITICAL See the installation logs and the >> following files/directories for more information: >> >> 2016-03-23T21:56:51Z CRITICAL /var/log/pki-ca-install.log >> >> 2016-03-23T21:56:51Z CRITICAL /var/log/pki/pki-tomcat >> >> 2016-03-23T21:56:51Z DEBUG Traceback (most recent call last): >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line >> 418, in start_creation >> >> run_step(full_msg, method) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line >> 408, in run_step >> >> method() >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >> line 620, in __spawn_instance >> >> DogtagInstance.spawn_instance(self, cfg_file) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py" >> , >> line 201, in spawn_instance >> >> self.handle_setup_error(e) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py" >> , >> line 465, in handle_setup_error >> >> raise RuntimeError("%s configuration failed." % self.subsystem) >> >> RuntimeError: CA configuration failed. >> >> 2016-03-23T21:56:51Z DEBUG [error] RuntimeError: CA configuration failed. 
>> >> 2016-03-23T21:56:51Z DEBUG File >> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, >> in execute >> >> return_value = self.run() >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", >> line 311, in run >> >> cfgr.run() >> >> File >> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 281, in run >> >> self.execute() >> >> File >> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 303, in execute >> >> for nothing in self._executor(): >> >> File >> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 343, in __runner >> >> self._handle_exception(exc_info) >> >> File >> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 365, in _handle_exception >> >> util.raise_exc_info(exc_info) >> >> File >> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 333, in __runner >> >> step() >> >> File >> "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >> line 87, in run_generator_with_yield_from >> >> raise_exc_info(exc_info) >> >> File >> "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >> line 65, in run_generator_with_yield_from >> >> value = gen.send(prev_value) >> >> File >> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 524, in _configure >> >> executor.next() >> >> File >> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 343, in __runner >> >> self._handle_exception(exc_info) >> >> File >> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 421, in _handle_exception >> >> self.__parent._handle_exception(exc_info) >> >> File >> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 365, in _handle_exception >> >> util.raise_exc_info(exc_info) >> >> File >> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 418, in _handle_exception >> >> super(ComponentBase, self)._handle_exception(exc_info) >> >> File >> 
"/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 365, in _handle_exception >> >> util.raise_exc_info(exc_info) >> >> File >> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 333, in __runner >> >> step() >> >> File >> "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >> line 87, in run_generator_with_yield_from >> >> raise_exc_info(exc_info) >> >> File >> "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >> line 65, in run_generator_with_yield_from >> >> value = gen.send(prev_value) >> >> File >> "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line >> 63, in _install >> >> for nothing in self._installer(self.parent): >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicains >> t >> all.py", >> line 879, in main >> >> install(self) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicains >> t >> all.py", >> line 295, in decorated >> >> func(installer) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicains >> t >> all.py", >> line 584, in install >> >> ca.install(False, config, options) >> >> File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", >> line 106, in install >> >> install_step_0(standalone, replica_config, options) >> >> File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", >> line 130, in >> install_step_0 >> >> ra_p12=getattr(options, 'ra_p12', None)) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >> line 1543, in install_replica_ca >> >> subject_base=config.subject_base) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >> line 486, in configure_instance >> >> self.start_creation(runtime=210) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line >> 418, in start_creation >> >> run_step(full_msg, method) >> >> File >> 
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line >> 408, in run_step >> >> method() >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >> line 620, in __spawn_instance >> >> DogtagInstance.spawn_instance(self, cfg_file) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py" >> , >> line 201, in spawn_instance >> >> self.handle_setup_error(e) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py" >> , >> line 465, in handle_setup_error >> >> raise RuntimeError("%s configuration failed." % self.subsystem) >> >> 2016-03-23T21:56:51Z DEBUG The ipa-replica-install command failed, exception: >> RuntimeError: CA configuration failed. >> >> 2016-03-23T21:56:51Z ERROR CA configuration failed. >> >> /var/log/pki/pki-ca-spawn..log >> >> 2016-03-23 17:55:12 pkispawn : INFO ....... rm -f >> /etc/pki/pki-tomcat/ca/noise >> >> 2016-03-23 17:55:12 pkispawn : INFO ....... rm -f /etc/pki/pki-tomcat/pfile >> >> 2016-03-23 17:55:12 pkispawn : INFO ....... ln -s >> /lib/systemd/system/pki-tomcatd at .service >> /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd at pki-tomcat.s >> e >> rvice >> >> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown -h 17:17 >> /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd at pki-tomcat.s >> e >> rvice >> >> 2016-03-23 17:55:12 pkispawn : INFO ... configuring >> 'pki.server.deployment.scriptlets.configuration' >> >> 2016-03-23 17:55:12 pkispawn : INFO ....... mkdir -p >> /root/.dogtag/pki-tomcat/ca >> >> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 755 >> /root/.dogtag/pki-tomcat/ca >> >> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 0:0 >> /root/.dogtag/pki-tomcat/ca >> >> 2016-03-23 17:55:12 pkispawn : INFO ....... generating >> '/root/.dogtag/pki-tomcat/ca/password.conf' >> >> 2016-03-23 17:55:12 pkispawn : INFO ....... 
modifying >> '/root/.dogtag/pki-tomcat/ca/password.conf' >> >> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 660 >> /root/.dogtag/pki-tomcat/ca/password.conf >> >> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 0:0 >> /root/.dogtag/pki-tomcat/ca/password.conf >> >> 2016-03-23 17:55:12 pkispawn : INFO ....... generating >> '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf' >> >> 2016-03-23 17:55:12 pkispawn : INFO ....... modifying >> '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf' >> >> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 660 >> /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf >> >> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 17:17 >> /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf >> >> 2016-03-23 17:55:12 pkispawn : INFO ....... executing 'certutil -N -d >> /tmp/tmp-g0CKZ3 -f /root/.dogtag/pki-tomcat/ca/password.conf' >> >> 2016-03-23 17:55:12 pkispawn : INFO ....... executing 'systemctl >> daemon-reload' >> >> 2016-03-23 17:55:12 pkispawn : INFO ....... executing 'systemctl start >> pki-tomcatd at pki-tomcat.service' >> >> 2016-03-23 17:55:12 pkispawn : DEBUG ........... No connection - server >> may still be down >> >> 2016-03-23 17:55:12 pkispawn : DEBUG ........... No connection - exception >> thrown: ('Connection aborted.', error(111, 'Connection refused')) >> >> 2016-03-23 17:55:13 pkispawn : DEBUG ........... No connection - server >> may still be down >> >> 2016-03-23 17:55:13 pkispawn : DEBUG ........... No connection - exception >> thrown: ('Connection aborted.', error(111, 'Connection refused')) >> >> 2016-03-23 17:55:24 pkispawn : DEBUG ........... > encoding="UTF-8" >> standalone="no"?>0CA >> r unning10.2.5-6.el7 >> >> 2016-03-23 17:55:25 pkispawn : INFO ....... constructing PKI >> configuration data. >> >> 2016-03-23 17:55:25 pkispawn : INFO ....... configuring PKI configuration >> data. >> >> 2016-03-23 17:56:51 pkispawn : ERROR ....... 
Exception from Java >> Configuration Servlet: 500 Server Error: Internal Server Error >> >> 2016-03-23 17:56:51 pkispawn : ERROR ....... ParseError: not well-formed >> (invalid token): line 1, column 0: >> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base. >> PKIException","Code":500,"Message":"Error >> while updating security domain: java.io.IOException: 2"} >> >> 2016-03-23 17:56:51 pkispawn : DEBUG ....... Error Type: ParseError >> >> 2016-03-23 17:56:51 pkispawn : DEBUG ....... Error Message: not >> well-formed (invalid token): line 1, column 0 >> >> 2016-03-23 17:56:51 pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", >> line 597, in main >> >> rv = instance.spawn(deployer) >> >> File >> "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/co >> n >> figuration.py", >> line 116, in spawn >> >> json.dumps(data, cls=pki.encoder.CustomTypeEncoder)) >> >> File >> "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py" >> , >> line 3906, in configure_pki_data >> >> root = ET.fromstring(e.response.text) >> >> File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, >> in XML >> >> parser.feed(text) >> >> File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, >> in feed >> >> self._raiseerror(v) >> >> File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, >> in _raiseerror >> >> raise err >> >> /var/log/pki/pki-tomcat/ca/debug >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password >> ok: store in memory cache >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before >> makeConnection errorIfDown is false >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: >> errorIfDown false >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP >> connection using basic authentication to host pt-idm-vm01.example.com >> port 389 as cn=Directory Manager >> >> 
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with >> mininum 3 and maximum 15 connections to host pt-idm-vm01.example.com >> port 389, secure connection, false, authentication type 1 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum >> connections by 3 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available >> connections 3 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of >> connections 3 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In >> LdapBoundConnFactory::getConn() >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: >> true >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is >> connected true >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now >> 2 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS: >> param=preop.internaldb.manager_ldif >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif >> file = /usr/share/pki/server/conf/manager.ldif >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif >> file copy to /var/lib/pki/pki-tomcat/ca/conf/manager.ldif >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): LDAP >> Errors in importing /var/lib/pki/pki-tomcat/ca/conf/manager.ldif >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: >> exception in adding entry >> ou=csusers,cn=config:netscape.ldap.LDAPException: error result (68) >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: >> exception in modifying entry o=ipaca:netscape.ldap.LDAPException: >> error result (20) >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: populateVLVIndexes(): >> start >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Creating >> LdapBoundConnFactor(ConfigurationUtils) >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapBoundConnFactory: >> init >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: >> LdapBoundConnFactory:doCloning true >> 
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init() >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init >> begins >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: >> prompt is internaldb >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: try >> getting from memory cache >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: got >> password from memory >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: >> password found for prompt. >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password >> ok: store in memory cache >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before >> makeConnection errorIfDown is false >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: >> errorIfDown false >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP >> connection using basic authentication to host pt-idm-vm01.example.com >> port 389 as cn=Directory Manager >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with >> mininum 3 and maximum 15 connections to host pt-idm-vm01.example.com >> port 389, secure connection, false, authentication type 1 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum >> connections by 3 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available >> connections 3 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of >> connections 3 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In >> LdapBoundConnFactory::getConn() >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: >> true >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is >> connected true >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now >> 2 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS: >> 
param=preop.internaldb.post_ldif >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif >> file = /usr/share/pki/ca/conf/vlv.ldif >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif >> file copy to /var/lib/pki/pki-tomcat/ca/conf/vlv.ldif >> >> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif >> file = /usr/share/pki/ca/conf/vlvtasks.ldif >> >> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif >> file copy to /var/lib/pki/pki-tomcat/ca/conf/vlvtasks.ldif >> >> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: Checking wait_dn >> cn=index1160589769, cn=index, cn=tasks, cn=config >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: Found data for 'sslserver' >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: >> SystemConfigService:processCerts(): san_server_cert not found for tag >> sslserver >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is >> local >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is >> remote (revised) >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: >> updateConfig() for certTag sslserver >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: updateConfig() done >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: remote CA >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got >> public key >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got >> private key >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: For this >> Cloned CA, always use its Master CA to generate the 'sslserver' >> certificate to avoid any changes which may have been made to the X500Name directory string encoding order. 
>> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: ConfigurationUtils: >> injectSAN=false >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertUtil >> createRemoteCert: content >> requestor_name=CA-pt-idm-vm01.example.com-8443&profileId=caInternalAu >> t >> hServerCert&cert_request_type=pkcs10&cert_request=MIICmzCCAYxxxxxxxxx >> x >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> x >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> x >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> x >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> x >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> x >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxrD6JPIBR7AA%3D&xmlOutput=true& >> s >> essionID=-4495713718673639316 >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil >> createRemoteCert: status=0 >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil createRemoteCert: >> MIIDxTCCAq2gxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> x >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> x >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> x >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> x >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> x >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxTDuSAWm2v7 >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: ConfigurationUtils: >> handleCertRequest() begins >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: >> tag=sslserver >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: >> privKeyID=29c021f3ccfafb1049bd33ce00e9b4ba35f2c1e7 >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: >> created cert request >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processing 'sslserver' certificate: >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): 
for cert >> tag 'sslserver' using cert type 'remote' >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): process >> remote...import cert >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: >> nickname=Server-Cert cert-pki-ca >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: cert >> deleted successfully >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): >> certchains length=2 >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): import >> certificate successfully, certTag=sslserver >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processed 'sslserver' certificate. >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === BackupKeyCert >> Panel/SavePKCS12 Panel === >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: backupKeys(): start >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Admin Panel === >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Done Panel === >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Updating existing >> security domain >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: isSDHostDomainMaster(): >> Getting domain.xml from CA... >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: getDomainXML start >> >> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: status=0 >> >> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: >> domainInfo=> standalone="no"?>IPAptipa1. 
>> example.com443443> e >> cureAgentPort>443> cureAgentPort>t >> hPort>44380> hPort>n >> e>FALSEpki-cadT >> e>R >> UE1> S >> PList>0> PList>m >> Count>00> Count>m >> Count>0< >> Count>T >> PSList>0 >> >> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Cloning a domain master >> >> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase >> updateDomainXML start hostname=ptipa1.example.com port=443 >> >> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: >> failed to update security domain using admin port 443: >> org.xml.sax.SAXParseException; >> lineNumber: 1; columnNumber: 50; White spaces are required between >> publicId and systemId. >> >> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: >> now trying agent port with client auth >> >> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase >> updateDomainXML start hostname=ptipa1.example.com port=443 >> >> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateDomainXML() >> nickname=subsystemCert cert-pki-ca >> >> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML: >> status=1 >> >> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Error while updating >> security >> domain: java.io.IOException: 2 >> >> [23/Mar/2016:23:44:52][http-bio-8080-exec-1]: according to ccMode, >> authorization for servlet: caProfileList is LDAP based, not XML {1}, use default authz mgr: {2}. >> >> /var/log/pki/pki-tomcat/ca/system >> >> 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [3] [3] Cannot >> build CA chain. 
Error java.security.cert.CertificateException:
>> Certificate is not a PKCS
>> #11 certificate
>>
>> 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [13] [3] authz
>> instance DirAclAuthz initialization failed and skipped,
>> error=Property internaldb.ldapconn.port missing value
>>
>> *Dennis M Ott*
>> Infrastructure Administrator
>> Infrastructure and Security Operations
>>
>> *McKesson Corporation
>> McKesson Pharmacy Systems and Automation* www.mckesson.com
>>
>>> --
> Petr Vobornik
>

-- 
Petr Vobornik

From huston at astro.princeton.edu Thu Apr 7 21:57:07 2016
From: huston at astro.princeton.edu (Steve Huston)
Date: Thu, 7 Apr 2016 17:57:07 -0400
Subject: [Freeipa-users] Extending attributes
Message-ID:

Finding very little on the Interwebs about this, I wonder if I'm the only person who's trying to add things to FreeIPA and doing UI and backend plugins!

The back story: I'm coming from an OpenLDAP deployment which I need to update for various reasons and decided to look at options. FreeIPA looks great, and I'm using 4.2.0-15 from the RHEL7 distribution (technically Springdale Linux, our in-house rebuild). Since one of the sticky parts of management of hosts and users for myself and others has been all the LDAP details (which I and one other use ldapmodify for, but some of the admin assistants who create accounts use a custom-made PHP that makes it slightly prettier but harder to maintain), I'm trying to get everything into a pretty interface that anyone can use and means a single window for making these changes. I'm ditching our custom LDAP schema since the attributes can be handled by other included schema elements, though I am adding the Puppet schema which was easily imported and I even wrote the glue to make that work.

One of the things I wanted to add to a host record is the 'owner' field, which should be the owner of a machine - this gets pulled into puppet for some fanciness down the road, as well as used for some accounting information.
What I have currently works, but it's not how I originally wrote it: http://www.astro.princeton.edu/~huston/astrocustom/

The way I wanted it, the javascript part (which worked fine) pushed the name field, with type 'entity_select', other_entity: 'user', other_field: 'uid'. This gave a nice drop-down of all the users, and submitted the UID to the back-end. I quickly realized when I tried to submit a host that it was barfing because LDAP wants a DN, so I looked at how 'manager' is done for users and tried to replicate it. The Python to do that is shown in astrocustom-new.py.html in the above directory. I know that didn't work, but I forget which version of that not working that is - at some point I stopped checking them into version control and bashed on the server until I gave up.

Can someone help me figure out what I'm doing here? :D Part of it I'm sure is my limited Python knowledge, and the fact that I'm applying concepts I learned long ago from programming languages classes to a language I don't really use based on seeing how some parts work and trying to make them work elsewhere.

Alternatively, if there's more than just the FreeIPA33-extending-freeipa.pdf presentation to go on for making plugins (and pvoborni.fedorapeople.org/plugins for UI work) I'd love to have a pointer to it to read more. There are some other UI things I'd tried doing before which failed (such as removing some of the items from the stageuser details page, which the people who will create stageusers won't need to see and shouldn't be messing with) but that's another thread, which might not need to be opened if there's another trove of information on this that I just haven't found yet.

Thanks for reading this far. Cookies are on the way.
-- 
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  | ICBM Address: 40.346344 -74.652242
    345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ 08544   | the galaxies; headed for the heart of Cygnus,
    (267) 793-0852      | headlong into mystery." -Rush, 'Cygnus X-1'

From john.1209 at yahoo.com Fri Apr 8 00:04:35 2016
From: john.1209 at yahoo.com (John Williams)
Date: Fri, 8 Apr 2016 00:04:35 +0000 (UTC)
Subject: [Freeipa-users] CentOS 7 replica installation failing
In-Reply-To: <57064C04.3070305@redhat.com>
References: <57064C04.3070305@redhat.com>
Message-ID: <1264123657.1353358.1460073875453.JavaMail.yahoo@mail.yahoo.com>

From: Petr Vobornik
To: John Williams ; "Freeipa-users at redhat.com"
Sent: Thursday, April 7, 2016 8:01 AM
Subject: Re: [Freeipa-users] CentOS 7 replica installation failing

On 04/07/2016 01:34 PM, John Williams wrote:
>
>
> --------------------------------------------------------------------------------
> *From:* Petr Vobornik
> *To:* John Williams ; "Freeipa-users at redhat.com"
>
> *Sent:* Thursday, April 7, 2016 7:11 AM
> *Subject:* Re: [Freeipa-users] CentOS 7 replica installation failing
>
> On 04/07/2016 06:12 AM, John Williams wrote:
> > I've set up an initial FreeIPA instance on a CentOS 7 host. The install went
> > without a hitch. I can log in to the GUI with no problems. However, I am not
> > able to install the replica on another CentOS 7 host. I get the following
> errors:
> >
> > [root at ipa2 ~]# ipa-replica-install --setup-ca --setup-dns
> --no-forwarders
> > /var/lib/ipa/replica-info-ipa2.nrln.us.gpg --skip-conncheck
>
> It was run with '--skip-conncheck'. Is there a reason? If you remove it,
> what does it complain about?
>
> In general, using --skip-conncheck should be avoided because it may hide
> errors.
>
> You could also check master server
> /var/log/dirsrv/slapd-your-instance/access and errors logs if there is
> some connection attempt from the replica visible.
>
> And maybe /var/log/ipareplica-install.log contains more info.
>
> I ran the skip connections, because when I ran it initially without the skip
> connections, I got the following messages:
>
> The following UDP ports could not be verified as open: 88, 464
> This can happen if they are already bound to an application
> and ipa-replica-conncheck cannot attach own UDP responder.
>
> Remote master check failed with following error message(s):
> Warning: Permanently added 'ipa1.nrln.us,192.168.1.38' (ECDSA) to the list of
> known hosts.
> Could not chdir to home directory /home/admin: No such file or directory
> Port check failed! Inaccessible port(s): 389 (TCP), 636 (TCP), 88 (TCP), 464
> (TCP), 80 (TCP), 443 (TCP)
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    Connection check failed!
> Please fix your network settings according to error messages above.
> If the check results are not valid it can be skipped with --skip-conncheck
> parameter.
>
> There is nothing blocking the connections, and the initial IPA server seems to
> be working fine.
>
> Here are some snippets from the log:
>
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py",
> line 525, in install_check
>       options.setup_ca, config.ca_ds_port, options.admin_password)
>     File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
> line 91, in replica_conn_check
>       "\nIf the check results are not valid it can be skipped with
> --skip-conncheck parameter.")
>
> 2016-04-07T11:30:06Z DEBUG The ipa-replica-install command failed, exception:
> SystemExit: Connection check failed!
> Please fix your network settings according to error messages above.
> If the check results are not valid it can be skipped with --skip-conncheck
> parameter.
> 2016-04-07T11:30:06Z ERROR Connection check failed!
> Please fix your network settings according to error messages above.
> If the check results are not valid it can be skipped with --skip-conncheck
> parameter.
>
> Here are some more logs:
>
> [root at ipa2 ~]# tail -30 /var/log/ipareplica-conncheck.log
> Could not chdir to home directory /home/admin: No such file or directory
> debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
> debug1: client_input_channel_req: channel 0 rtype eow at openssh.com reply 0
> debug1: channel 0: free: client-session, nchannels 1
> debug1: fd 1 clearing O_NONBLOCK
> debug1: fd 2 clearing O_NONBLOCK
> Transferred: sent 3032, received 2584 bytes, in 0.0 seconds
> Bytes per second: sent 131062.5, received 111697.1
> debug1: Exit status 0
>
> 2016-04-07T11:30:02Z DEBUG Starting external process
> 2016-04-07T11:30:02Z DEBUG args='/bin/ssh' '-o StrictHostKeychecking=no' '-o
> UserKnownHostsFile=/tmp/tmpCbCb50' 'admin at ipa1.nrln.us'
> '/usr/sbin/ipa-replica-conncheck --replica ipa2.nrln.us'
> 2016-04-07T11:30:05Z DEBUG Process finished, return code=1
> 2016-04-07T11:30:05Z DEBUG stdout=Check connection from master to remote replica
> 'ipa2.nrln.us':
>    Directory Service: Unsecure port (389): FAILED
>    Directory Service: Secure port (636): FAILED
>    Kerberos KDC: TCP (88): FAILED
>    Kerberos KDC: UDP (88): WARNING
>    Kerberos Kpasswd: TCP (464): FAILED
>    Kerberos Kpasswd: UDP (464): WARNING
>    HTTP Server: Unsecure port (80): FAILED
>    HTTP Server: Secure port (443): FAILED
> The following UDP ports could not be verified as open: 88, 464
> This can happen if they are already bound to an application
> and ipa-replica-conncheck cannot attach own UDP responder.
>
> 2016-04-07T11:30:05Z DEBUG stderr=Warning: Permanently added
> 'ipa1.nrln.us,192.168.1.38' (ECDSA) to the list of known hosts.
> Could not chdir to home directory /home/admin: No such file or directory
> Port check failed!
> Inaccessible port(s): 389 (TCP), 636 (TCP), 88 (TCP), 464
> (TCP), 80 (TCP), 443 (TCP)
>
> These two hosts are on the same subnet, with no firewall or IPTables running.
> That's why the error message is confusing.
>
> Any suggestions?

The error suggests that the master is not able to contact the replica on any port. Is DNS ok? What does `nmap ipa2.nrln.us` return?

OMG. The firewall was on the replica. Thanks so much!!

>
> > WARNING: conflicting time&date synchronization service 'chronyd' will
> > be disabled in favor of ntpd
> >
> > Directory Manager (existing master) password:
> >
> > Existing BIND configuration detected, overwrite? [no]: yes
> > Using reverse zone(s) 1.168.192.in-addr.arpa.
> > Configuring NTP daemon (ntpd)
> >   [1/4]: stopping ntpd
> >   [2/4]: writing configuration
> >   [3/4]: configuring ntpd to start on boot
> >   [4/4]: starting ntpd
> > Done configuring NTP daemon (ntpd).
> > Configuring directory server (dirsrv). Estimated time: 1 minute
> >   [1/38]: creating directory server user
> >   [2/38]: creating directory server instance
> >   [3/38]: adding default schema
> >   [4/38]: enabling memberof plugin
> >   [5/38]: enabling winsync plugin
> >   [6/38]: configuring replication version plugin
> >   [7/38]: enabling IPA enrollment plugin
> >   [8/38]: enabling ldapi
> >   [9/38]: configuring uniqueness plugin
> >   [10/38]: configuring uuid plugin
> >   [11/38]: configuring modrdn plugin
> >   [12/38]: configuring DNS plugin
> >   [13/38]: enabling entryUSN plugin
> >   [14/38]: configuring lockout plugin
> >   [15/38]: creating indices
> >   [16/38]: enabling referential integrity plugin
> >   [17/38]: configuring ssl for ds instance
> >   [18/38]: configuring certmap.conf
> >   [19/38]: configure autobind for root
> >   [20/38]: configure new location for managed entries
> >   [21/38]: configure dirsrv ccache
> >   [22/38]: enable SASL mapping fallback
> >   [23/38]: restarting directory server
> >   [24/38]: setting up initial replication
> > Starting replication, please wait until this has completed.
> >
> > [ipa1.nrln.us] reports: Update failed! Status: [-1 - LDAP error: Can't contact
> > LDAP server]
> >
> >   [error] RuntimeError: Failed to start replication
> > Your system may be partly configured.
> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >
> > ipa.ipapython.install.cli.install_tool(Replica): ERROR    Failed to start
> > replication
> >
> >
> > The error message is misleading. The two hosts sit on the same subnet. All
> > firewalls are off. Selinux is disabled. Here is an nmap port scan from the
> > replica to the master:
> >
> >
> > [root at ipa2 ~]# nmap ipa1
> >
> > Starting Nmap 6.40 ( http://nmap.org ) at 2016-04-07 00:12 EDT
> > Nmap scan report for ipa1 (192.168.1.38)
> > Host is up (0.000086s latency).
> > rDNS record for 192.168.1.38: ipa1.nrln.us
> > Not shown: 990 closed ports
> > PORT     STATE SERVICE
> > 22/tcp   open  ssh
> > 80/tcp   open  http
> > 88/tcp   open  kerberos-sec
> > 389/tcp  open  ldap
> > 443/tcp  open  https
> > 464/tcp  open  kpasswd5
> > 636/tcp  open  ldapssl
> > 749/tcp  open  kerberos-adm
> > 8080/tcp open  http-proxy
> > 8443/tcp open  https-alt
> > MAC Address: 52:54:00:33:34:F0 (QEMU Virtual NIC)
> >
> > Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
> > [root at ipa2 ~]#
> >
> >
> > Why do I get this message?
> >

-- 
Petr Vobornik
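The per-port lines in that conncheck output are easy to misread: the UDP WARNINGs are not failures, only the FAILED entries point at something blocking the replica (here its host firewall). The parser below is an added example, not code from the thread or from FreeIPA; it extracts the blocked ports from output of the shape quoted above, and SAMPLE_OUTPUT is constructed from the lines in the mail.

```python
"""Turn ipa-replica-conncheck output into the ports the master still cannot
reach on the replica.  Added example, not part of the thread or of FreeIPA;
SAMPLE_OUTPUT is constructed from the lines quoted in the mail."""
import re
from typing import List, NamedTuple, Set, Tuple


class PortCheck(NamedTuple):
    service: str   # e.g. "Directory Service"
    proto: str     # "TCP" or "UDP"
    port: int
    status: str    # "OK", "FAILED" or "WARNING"


# Matches result lines such as
#   "   Directory Service: Secure port (636): FAILED"
#   "   Kerberos KDC: UDP (88): WARNING"
# Headers, ssh debug chatter and the summary sentences do not match.
_CHECK_RE = re.compile(
    r"^\s*(?P<service>[^:]+):\s+(?P<desc>[^()]*)\((?P<port>\d+)\):\s+(?P<status>[A-Z]+)\s*$"
)


def parse_conncheck(output: str) -> List[PortCheck]:
    """Parse every per-port result line; everything else is ignored."""
    checks = []
    for line in output.splitlines():
        m = _CHECK_RE.match(line)
        if not m:
            continue
        # Only the Kerberos checks name the transport ("TCP (88)", "UDP (88)");
        # the LDAP and HTTP checks are TCP-only.
        proto = "UDP" if "UDP" in m.group("desc").upper() else "TCP"
        checks.append(PortCheck(m.group("service").strip(), proto,
                                int(m.group("port")), m.group("status")))
    return checks


def blocked_ports(checks: List[PortCheck]) -> Set[Tuple[int, str]]:
    """Ports the master could not reach: only FAILED counts.  A WARNING on a
    UDP port means the checker could not bind its own UDP responder on the
    replica (as the tool's summary line says), not that the port is blocked."""
    return {(c.port, c.proto) for c in checks if c.status == "FAILED"}


def unverified_udp_ports(checks: List[PortCheck]) -> Set[int]:
    """UDP ports the checker could not verify either way."""
    return {c.port for c in checks if c.proto == "UDP" and c.status == "WARNING"}


def summarize(output: str) -> str:
    """One-line verdict suitable for a log line or a ticket."""
    blocked = blocked_ports(parse_conncheck(output))
    if not blocked:
        return "all checked TCP ports reachable"
    listing = ", ".join(f"{p}/{proto.lower()}" for p, proto in sorted(blocked))
    return f"replica unreachable on {listing}; check the replica's host firewall first"


# Constructed from the ipa-replica-conncheck stdout quoted in the thread.
SAMPLE_OUTPUT = """\
Check connection from master to remote replica 'ipa2.nrln.us':
   Directory Service: Unsecure port (389): FAILED
   Directory Service: Secure port (636): FAILED
   Kerberos KDC: TCP (88): FAILED
   Kerberos KDC: UDP (88): WARNING
   Kerberos Kpasswd: TCP (464): FAILED
   Kerberos Kpasswd: UDP (464): WARNING
   HTTP Server: Unsecure port (80): FAILED
   HTTP Server: Secure port (443): FAILED
The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application
and ipa-replica-conncheck cannot attach own UDP responder.
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_OUTPUT))
```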
From mrorourke at earthlink.net Fri Apr 8 02:28:22 2016
From: mrorourke at earthlink.net (Michael ORourke)
Date: Thu, 7 Apr 2016 22:28:22 -0400
Subject: [Freeipa-users] AD Integration change propagation timing
Message-ID: <57071746.6060809@earthlink.net>

I have a question regarding AD Integration with FreeIPA (CentOS 7.1/freeipa 4.2.0) and Windows Server 2008 R2 with a Functional Level forest of 2008 R2. Given a simple scenario of a group in active directory that is mapped to a POSIX group in FreeIPA, if a change is made on the AD side such as adding a user to an AD group, how long should it take on the FreeIPA side before the change would show up? What would the maximum time it could take before the change propagates to a server joined to FreeIPA? What if a user was logged into the server and was waiting on the change (assuming the MS PAC was cached by sssd)? This would be for a simple forest trust with FreeIPA and a medium/small AD environment. Also, assuming that sssd was not restarted and/or the cache flushed.

I'm not looking for exact timing, just some estimates.

Thanks,
Mike

From sbose at redhat.com Fri Apr 8 07:36:11 2016
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 8 Apr 2016 09:36:11 +0200
Subject: [Freeipa-users] AD Integration change propagation timing
In-Reply-To: <57071746.6060809@earthlink.net>
References: <57071746.6060809@earthlink.net>
Message-ID: <20160408073611.GN4768@p.redhat.com>

On Thu, Apr 07, 2016 at 10:28:22PM -0400, Michael ORourke wrote:
> I have a question regarding AD Integration with FreeIPA (CentOS 7.1/freeipa
> 4.2.0) and Windows Server 2008 R2 with a Functional Level forest of 2008 R2.
> Given a simple scenario of a group in active directory that is mapped to a
> POSIX group in FreeIPA, if a change is made on the AD side such as adding a
> user to an AD group, how long should it take on the FreeIPA side before the
> change would show up? What would the maximum time it could take before the
> change propagates to a server joined to FreeIPA? What if a user was logged
> into the server and was waiting on the change (assuming the MS PAC was
> cached by sssd)? This would be for a simple forest trust with FreeIPA and a
> medium/small AD environment. Also, assuming that sssd was not restarted
> and/or the cache flushed.
> I'm not looking for exact timing, just some estimates.

By default SSSD has a cache timeout of 5400s aka 1.5h, see the
entry_cache_timeout and following entries in man sssd.conf for details.
In the worst case on a client you have to add the timeout of the client
and the server.

If the user logs in the group memberships are updated unconditionally.
But this won't affect existing sessions; they will always have the same
group memberships as at login time, i.e. the 'id' command will always
return the same list of group memberships even if 'id username' from a
different session will tell something different. This is a general
UNIX/Linux feature and can be seen with local groups managed in
/etc/groups as well.

Another thing to take care of is the PAC. Since the PAC is part of the
Kerberos ticket it won't change as long as the ticket is valid. E.g. if
you log in from a Windows client to an IPA client with putty using GSSAPI
authentication you get a service ticket for the IPA client which
includes the PAC and is stored on the Windows client. If you then change
the group memberships of the user in AD and make sure the IPA client
sees the new group memberships, e.g. by invalidating the cache on the
client and the server, a fresh login with putty might still show the old
group memberships again, because the PAC in the valid Kerberos ticket is
not refreshed and might force the client to use the group-membership
data from the PAC. In this case you have to call 'klist /purge' on the
Windows client to remove the tickets to get a fresh PAC.

HTH

bye,
Sumit

>
> Thanks,
> Mike
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From jhrozek at redhat.com Fri Apr 8 07:50:11 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 8 Apr 2016 09:50:11 +0200
Subject: [Freeipa-users] AD Integration change propagation timing
In-Reply-To: <20160408073611.GN4768@p.redhat.com>
References: <57071746.6060809@earthlink.net> <20160408073611.GN4768@p.redhat.com>
Message-ID: <20160408075011.GD3161@hendrix.arn.redhat.com>

On Fri, Apr 08, 2016 at 09:36:11AM +0200, Sumit Bose wrote:
> On Thu, Apr 07, 2016 at 10:28:22PM -0400, Michael ORourke wrote:
> > I have a question regarding AD Integration with FreeIPA (CentOS 7.1/freeipa
> > 4.2.0) and Windows Server 2008 R2 with a Functional Level forest of 2008 R2.
> > Given a simple scenario of a group in active directory that is mapped to a
> > POSIX group in FreeIPA, if a change is made on the AD side such as adding a
> > user to an AD group, how long should it take on the FreeIPA side before the
> > change would show up? What would the maximum time it could take before the
> > change propagates to a server joined to FreeIPA? What if a user was logged
> > into the server and was waiting on the change (assuming the MS PAC was
> > cached by sssd)? This would be for a simple forest trust with FreeIPA and a
> > medium/small AD environment. Also, assuming that sssd was not restarted
> > and/or the cache flushed.
> > I'm not looking for exact timing, just some estimates.
>
> By default SSSD has a cache timeout of 5400s aka 1.5h, see the
> entry_cache_timeout and following entries in man sssd.conf for details.
> In the worst case on a client you have to add the timeout of the client
> and the server.

Yes, just please be aware of https://fedorahosted.org/sssd/ticket/2899
which was fixed only recently and we haven't released sssd-1.13.4 yet
upstream.
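Sumit's rule of thumb above (the IPA server's cache lifetime plus the client's, 5400 s each by default), applied to two sssd.conf fragments, as an added Python example that is neither from the thread nor SSSD's own code. The two config fragments and the domain name are constructed; the fallback order (entry_cache_group_timeout, then entry_cache_timeout, then the 5400 s default) is the one documented in sssd.conf(5).

```python
"""Worst-case visibility delay for an AD group change seen through SSSD.

Added example; not from the thread and not SSSD code. It encodes the rule
of thumb from the reply above: SSSD caches entries for entry_cache_timeout
(default 5400 s), and in the worst case the IPA server's cache lifetime and
the client's add up. Group entries use entry_cache_group_timeout when set
and fall back to entry_cache_timeout otherwise (man sssd.conf). Both
sssd.conf fragments below are constructed samples.
"""
import configparser

DEFAULT_ENTRY_CACHE_TIMEOUT = 5400  # SSSD default, seconds (1.5 h)

# Constructed sample: IPA server with the default cache lifetime.
SERVER_CONF = """
[sssd]
domains = ipa.example.test
services = nss, pam

[domain/ipa.example.test]
id_provider = ipa
ipa_server_mode = True
"""

# Constructed sample: client that shortens group lifetime to 10 minutes.
CLIENT_CONF = """
[sssd]
domains = ipa.example.test

[domain/ipa.example.test]
id_provider = ipa
entry_cache_timeout = 3600
entry_cache_group_timeout = 600
"""


def load_sssd_conf(text):
    """Parse sssd.conf text (INI style, '[domain/<name>]' sections)."""
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string(text)
    return conf


def group_cache_timeout(conf, domain):
    """Effective lifetime of a cached group entry for one domain section:
    entry_cache_group_timeout if set, else entry_cache_timeout, else the
    SSSD default."""
    section = f"domain/{domain}"
    if not conf.has_section(section):
        raise KeyError(f"no [{section}] section in sssd.conf")
    base = conf.getint(section, "entry_cache_timeout",
                       fallback=DEFAULT_ENTRY_CACHE_TIMEOUT)
    return conf.getint(section, "entry_cache_group_timeout", fallback=base)


def worst_case_delay(server_conf, client_conf, domain):
    """Seconds after an AD membership change until a client is guaranteed
    to have refetched the group: server lifetime plus client lifetime,
    since the client may refetch just after the server cached the stale
    entry."""
    return (group_cache_timeout(server_conf, domain)
            + group_cache_timeout(client_conf, domain))


def describe(server_conf, client_conf, domain):
    """Human-readable breakdown of the worst case for one domain."""
    server = group_cache_timeout(server_conf, domain)
    client = group_cache_timeout(client_conf, domain)
    total = server + client
    return (f"server cache {server}s + client cache {client}s = "
            f"up to {total}s ({total / 3600:.2f} h) before '{domain}' "
            f"group changes are visible; a PAC inside an already issued "
            f"Kerberos ticket is not refreshed by either cache")


if __name__ == "__main__":
    print(describe(load_sssd_conf(SERVER_CONF),
                   load_sssd_conf(CLIENT_CONF),
                   "ipa.example.test"))
```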
From pvoborni at redhat.com Fri Apr 8 07:50:34 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 8 Apr 2016 09:50:34 +0200
Subject: [Freeipa-users] Extending attributes
In-Reply-To: 
References: 
Message-ID: <570762CA.7080800@redhat.com>

On 04/07/2016 11:57 PM, Steve Huston wrote:
> Finding very little on the Interwebs about this, I wonder if I'm the
> only person who's trying to add things to FreeIPA and doing UI and
> backend plugins!
>
> The back story, I'm coming from an OpenLDAP deployment which I need to
> update for various reasons and decided to look at options. FreeIPA
> looks great, and I'm using 4.2.0-15 from the RHEL7 distribution
> (technically Springdale Linux, our in-house rebuild). Since one of
> the sticky parts of management of hosts and users for myself and
> others has been all the LDAP details (which I and one other use
> ldapmodify for, but some of the admin assistants who create accounts
> use a custom-made PHP that makes it slightly prettier but harder to
> maintain), I'm trying to get everything into a pretty interface that
> anyone can use and means a single window for making these changes.
>
> I'm ditching our custom LDAP schema since the attributes can be
> handled by other included schema elements, though I am adding the
> Puppet schema which was easily imported and I even wrote the glue to
> make that work. One of the things I wanted to add is to a host
> record, the 'owner' field, which should be the owner of a machine -
> this gets pulled into puppet for some fanciness down the road, as well
> as used for some accounting information.
>
> What I have currently works, but it's not how I originally wrote it:
> http://www.astro.princeton.edu/~huston/astrocustom/
>
> The way I wanted it, the javascript part (which worked fine) pushed
> the name field, with type 'entity_select', other_entity: 'user',
> other_field: 'uid'. This gave a nice drop-down of all the users, and
> submitted the UID to the back-end. I quickly realized when I tried to
> submit a host that it was barfing because LDAP wants a DN, so I looked
> at how 'manager' is done for users and tried to replicate it. The
> Python to do that is shown in astrocustom-new.py.html in the above
> directory. I know that didn't work, but I forget which version of
> that not working that is - at some point I stopped checking them into
> version control and bashed on the server until I gave up.
>
> Can someone help me figure out what I'm doing here? :D Part of it
> I'm sure is my limited Python knowledge, and the fact that I'm
> applying concepts I learned long ago from programming languages
> classes to a language I don't really use based on seeing how some
> parts work and trying to make them work elsewhere. Alternatively, if
> there's more than just the FreeIPA33-extending-freeipa.pdf
> presentation to go on for making plugins (and
> pvoborni.fedorapeople.org/plugins for UI work) I'd love to have a
> pointer to it to read more. There's some other UI things I'd tried
> doing before which failed (such as removing some of the items from the
> stageuser details page, which the people who will create stageusers
> won't need to see and shouldn't be messing with) but that's another
> thread, which might not need to be opened if there's another trove of
> information on this that I just haven't found yet.
>
> Thanks for reading this far. Cookies are on the way.
>

I didn't examine it thoroughly. But basically: the IPA management framework
does "cn" -> "dn" conversion in pre_callback (host-add, host-mod). But
then it needs to do the reverse in post_callback (host-add, host-mod,
host-show, maybe also host-find).

Given that the manager field was your example, you can also look at the
"convert_manager" method which does the "dn" -> "cn" conversion, and at how
it is called in post_callback / how the post_callbacks are defined.

Apart from that, I don't see what is wrong. How does it behave?
-- 
Petr Vobornik

From mkosek at redhat.com Fri Apr 8 08:33:32 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 8 Apr 2016 10:33:32 +0200
Subject: [Freeipa-users] Announcing FreeIPA 4.3.1
In-Reply-To: <56F45AC5.3050807@redhat.com>
References: <56F45AC5.3050807@redhat.com>
Message-ID: <57076CDC.60901@redhat.com>

On 03/24/2016 10:23 PM, Petr Vobornik wrote:
> The FreeIPA team would like to announce FreeIPA v4.3.1 bug fixing release!
>
> It can be downloaded from http://www.freeipa.org/page/Downloads. The builds are
> available for Fedora 24 and rawhide. Builds for Fedora 23 are available in the
> official COPR repository.
> Experimental builds for CentOS 7 will be available in the official FreeIPA
> CentOS7 COPR repository shortly after Easter Holidays.
>
> This announcement with links to Trac tickets is available on
> http://www.freeipa.org/page/Releases/4.3.1 .
>
> Fedora 24 update: https://bodhi.fedoraproject.org/updates/freeipa-4.3.1-1.fc24

For the record, I just finished upgrading FreeIPA Public Demo to version 4.3.1.
Besides other improvements noted on the release page, the good news is that the
FreeIPA demo web server now scores "A" in the SSL Labs SSL Server Test (the
cipher update is done automatically after upgrade to 4.3.1).

Martin

From peljasz at yahoo.co.uk Fri Apr 8 09:23:15 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Fri, 8 Apr 2016 10:23:15 +0100
Subject: [Freeipa-users] nsswitch skipped by ipa-server-install ..
Message-ID: <57077883.3070901@yahoo.co.uk>

... which I suppose should not have happened?

hi everybody,
installation went fine, migration too, no errors reported by either process,
and I wonder - how come?

bw.
L.

From pspacek at redhat.com Fri Apr 8 09:32:32 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 8 Apr 2016 11:32:32 +0200
Subject: [Freeipa-users] nsswitch skipped by ipa-server-install ..
In-Reply-To: <57077883.3070901@yahoo.co.uk>
References: <57077883.3070901@yahoo.co.uk>
Message-ID: <57077AB0.9070608@redhat.com>

On 8.4.2016 11:23, lejeczek wrote:
> ... which I suppose should not have happened?
>
> hi everybody,
> installation went fine, migration too, no errors reported by either process
> and I wonder - how come?

Hello,

it is unclear what you did and what the problem is. Please follow
http://www.freeipa.org/page/Troubleshooting#Reporting_bugs
and give us more information.

Have a nice day!

-- 
Petr^2 Spacek

From ftweedal at redhat.com Fri Apr 8 14:27:14 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Sat, 9 Apr 2016 00:27:14 +1000
Subject: [Freeipa-users] Announcing FreeIPA 4.3.1
In-Reply-To: <57076CDC.60901@redhat.com>
References: <56F45AC5.3050807@redhat.com> <57076CDC.60901@redhat.com>
Message-ID: <20160408142714.GW18277@dhcp-40-8.bne.redhat.com>

On Fri, Apr 08, 2016 at 10:33:32AM +0200, Martin Kosek wrote:
> On 03/24/2016 10:23 PM, Petr Vobornik wrote:
> > The FreeIPA team would like to announce FreeIPA v4.3.1 bug fixing release!
> >
> > It can be downloaded from http://www.freeipa.org/page/Downloads. The builds are
> > available for Fedora 24 and rawhide. Builds for Fedora 23 are available in the
> > official COPR repository.
> > Experimental builds for CentOS 7 will be available in the official FreeIPA
> > CentOS7 COPR repository shortly after Easter Holidays.
> >
> > This announcement with links to Trac tickets is available on
> > http://www.freeipa.org/page/Releases/4.3.1 .
> >
> > Fedora 24 update: https://bodhi.fedoraproject.org/updates/freeipa-4.3.1-1.fc24
>
> For the record, I just finished upgrading FreeIPA Public Demo to version 4.3.1.
> Besides other improvements noted on the release page, the good news is that the
> FreeIPA demo web server now scores "A" in the SSL Labs SSL Server Test (the
> cipher update is done automatically after upgrade to 4.3.1).
>
Nice! Kudos to Christian for the cipher suite upgrade.
From john.1209 at yahoo.com Fri Apr 8 14:49:46 2016
From: john.1209 at yahoo.com (John Williams)
Date: Fri, 8 Apr 2016 14:49:46 +0000 (UTC)
Subject: [Freeipa-users] authentication failing
References: <1715538076.1677616.1460126986984.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <1715538076.1677616.1460126986984.JavaMail.yahoo@mail.yahoo.com>

I've got a system that is not authenticating to our freeIPA instance. I get the following messages on the client:

Apr  8 10:14:52 host sssd[be[my.com]]: dereference processing failed : Invalid argument
Apr  8 10:14:52 host sssd[be[my.com]]]: dereference processing failed : Invalid argument
Apr  8 10:14:58 host sssd[be[my.com]]]: dereference processing failed : Invalid argument
Apr  8 10:14:58 host sssd[be[my.com]]]: dereference processing failed : Invalid argument
Apr  8 10:16:17 host sssd[be[my.com]]]: dereference processing failed : Invalid argument
Apr  8 10:16:17 host sssd[be[my.com]]]: dereference processing failed : Invalid argument
[root@host log]# less /var/log/messages

Not sure what other information would be helpful in troubleshooting. But where do we start troubleshooting if more logs are required?

Thanks

From jhrozek at redhat.com Fri Apr 8 14:53:27 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 8 Apr 2016 16:53:27 +0200
Subject: [Freeipa-users] authentication failing
In-Reply-To: <1715538076.1677616.1460126986984.JavaMail.yahoo@mail.yahoo.com>
References: <1715538076.1677616.1460126986984.JavaMail.yahoo.ref@mail.yahoo.com> <1715538076.1677616.1460126986984.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <20160408145327.GA25728@hendrix.arn.redhat.com>

On Fri, Apr 08, 2016 at 02:49:46PM +0000, John Williams wrote:
> I've got a system that is not authenticating to our freeIPA instance. I get the following messages on the client:
> Apr  8 10:14:52 host sssd[be[my.com]]: dereference processing failed : Invalid argument
> Apr  8 10:14:52 host sssd[be[my.com]]]: dereference processing failed : Invalid argument
> Apr  8 10:14:58 host sssd[be[my.com]]]: dereference processing failed : Invalid argument
> Apr  8 10:14:58 host sssd[be[my.com]]]: dereference processing failed : Invalid argument
> Apr  8 10:16:17 host sssd[be[my.com]]]: dereference processing failed : Invalid argument
> Apr  8 10:16:17 host sssd[be[my.com]]]: dereference processing failed : Invalid argument
> [root@host log]# less /var/log/messages
> Not sure what other information would be helpful in troubleshooting. But where do we start troubleshooting if more logs are required?
> Thanks

Start here:
https://fedorahosted.org/sssd/wiki/Troubleshooting

From mrorourke at earthlink.net Fri Apr 8 15:01:43 2016
From: mrorourke at earthlink.net (Michael ORourke)
Date: Fri, 8 Apr 2016 11:01:43 -0400 (EDT)
Subject: [Freeipa-users] AD Integration change propagation timing
Message-ID: <26461467.1460127704459.JavaMail.wam@elwamui-darkeyed.atl.sa.earthlink.net>

-----Original Message-----
>From: Sumit Bose
>Sent: Apr 8, 2016 3:36 AM
>To: freeipa-users at redhat.com
>Subject: Re: [Freeipa-users] AD Integration change propagation timing
>
>On Thu, Apr 07, 2016 at 10:28:22PM -0400, Michael ORourke wrote:
>> I have a question regarding AD Integration with FreeIPA (CentOS 7.1/freeipa
>> 4.2.0) and Windows Server 2008 R2 with a Functional Level forest of 2008 R2.
>> Given a simple scenario of a group in active directory that is mapped to a
>> POSIX group in FreeIPA, if a change is made on the AD side such as adding a
>> user to an AD group, how long should it take on the FreeIPA side before the
>> change would show up? What would the maximum time it could take before the
>> change propagates to a server joined to FreeIPA? What if a user was logged
>> into the server and was waiting on the change (assuming the MS PAC was
>> cached by sssd)? This would be for a simple forest trust with FreeIPA and a
>> medium/small AD environment. Also, assuming that sssd was not restarted
>> and/or the cache flushed.
>> I'm not looking for exact timing, just some estimates.
>
>By default SSSD has a cache timeout of 5400s aka 1.5h, see the
>entry_cache_timeout and following entries in man sssd.conf for details.
>In the worst case on a client you have to add the timeout of the client
>and the server.

Thanks for the response!

Here's another scenario... we would like to leverage HBAC rules for users in AD groups (assigning the rule to a local posix group which maps back to an AD group). So the AD admins would add users to an AD group, which correlates to a particular HBAC rule, which grants user access to the host(s).

Example: AD user tries to login to server joined to IPA, but is denied (missing HBAC group membership), so the user puts in a request to the local AD team which gets approved and that user is added to the appropriate AD group. If the user tries to login to that same server again, it could take up to 1.5h for the cache to expire before the user is allowed to login?
Or is it not cached at the server, because the user was not granted access to the server initially? My assumption is that it would only require the Windows client to refresh their Kerberos tkt to get a new PAC. Which is easy enough to test out.

-Mike

>
>If the user logs in the group memberships are updated unconditionally.
>But this won't affect existing sessions; they will always have the same
>group memberships as at login time, i.e. the 'id' command will always
>return the same list of group memberships even if 'id username' from a
>different session will tell something different. This is a general
>UNIX/Linux feature and can be seen with local groups managed in
>/etc/groups as well.
>
>Another thing to take care of is the PAC. Since the PAC is part of the
>Kerberos ticket it won't change as long as the ticket is valid. E.g. if
>you log in from a Windows client to an IPA client with putty using GSSAPI
>authentication you get a service ticket for the IPA client which
>includes the PAC and is stored on the Windows client. If you then change
>the group memberships of the user in AD and make sure the IPA client
>sees the new group memberships, e.g. by invalidating the cache on the
>client and the server, a fresh login with putty might still show the old
>group memberships again, because the PAC in the valid Kerberos ticket is
>not refreshed and might force the client to use the group-membership
>data from the PAC. In this case you have to call 'klist /purge' on the
>Windows client to remove the tickets to get a fresh PAC.
>
>HTH
>
>bye,
>Sumit
>
>>
>> Thanks,
>> Mike

From huston at astro.princeton.edu Fri Apr 8 15:46:30 2016
From: huston at astro.princeton.edu (Steve Huston)
Date: Fri, 8 Apr 2016 11:46:30 -0400
Subject: [Freeipa-users] Extending attributes
In-Reply-To: <570762CA.7080800@redhat.com>
References: <570762CA.7080800@redhat.com>
Message-ID: 

On Fri, Apr 8, 2016 at 3:50 AM, Petr Vobornik wrote:
> I didn't examine it thoroughly. But basically: IPA management framework
> does "cn" -> "dn" conversion in pre_callback (host-add, host-mod). But
> then it needs to do the reverse on post_callback (host-add, host-mod,
> host-show, maybe also host-find)
> Given that manager field was your example, you can also look at
> "convert_manager" method which does the "dn" -> "cn" conversion. And how
> it is called in post_callback/how are post_callbacks defined.
I figured that was the next step; I did note that if I manually entered the
right data, either via ldapmodify or host-mod with a full dn, it worked fine
but then displayed the entire dn in the UI, so I assumed there was another
bit to make that conversion and just hadn't looked ahead for it.

> Apart from that, I don't see what is wrong. How does it behave?

The file as it is now is here:
http://www.astro.princeton.edu/~huston/astrocustom/astrocustom.1144.py.html
(take off the .html for the source file if you prefer). And the error when
I run 'ipa host-mod syrinx.astro.princeton.edu --owner=huston' is:

[Fri Apr 08 11:32:29.096491 2016] [:error] [pid 5833] ipa: ERROR: non-public: AttributeError: 'module' object has no attribute 'backend'
[Fri Apr 08 11:32:29.096522 2016] [:error] [pid 5833] Traceback (most recent call last):
[Fri Apr 08 11:32:29.096524 2016] [:error] [pid 5833]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 347, in wsgi_execute
[Fri Apr 08 11:32:29.096526 2016] [:error] [pid 5833]     result = self.Command[name](*args, **options)
[Fri Apr 08 11:32:29.096527 2016] [:error] [pid 5833]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 442, in __call__
[Fri Apr 08 11:32:29.096529 2016] [:error] [pid 5833]     ret = self.run(*args, **options)
[Fri Apr 08 11:32:29.096530 2016] [:error] [pid 5833]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 759, in run
[Fri Apr 08 11:32:29.096532 2016] [:error] [pid 5833]     return self.execute(*args, **options)
[Fri Apr 08 11:32:29.096533 2016] [:error] [pid 5833]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1468, in execute
[Fri Apr 08 11:32:29.096535 2016] [:error] [pid 5833]     *keys, **options)
[Fri Apr 08 11:32:29.096536 2016] [:error] [pid 5833]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/astrocustom.py", line 80, in hostmod_precallback
[Fri Apr 08 11:32:29.096538 2016] [:error] [pid 5833]     entry_attrs['owner'] = self.obj.normalize_owner(entry_attrs['owner'], self.obj.container_dn)
[Fri Apr 08 11:32:29.096539 2016] [:error] [pid 5833]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/astrocustom.py", line 35, in normalize_owner
[Fri Apr 08 11:32:29.096541 2016] [:error] [pid 5833]     entry_attrs = self.backend.find_entry_by_attr(
[Fri Apr 08 11:32:29.096542 2016] [:error] [pid 5833] AttributeError: 'module' object has no attribute 'backend'
[Fri Apr 08 11:32:29.096861 2016] [:error] [pid 5833] ipa: INFO: [jsonserver_session] admin@ASTRO.PRINCETON.EDU: host_mod(u'syrinx.astro.princeton.edu', random=False, owner=u'huston', rights=False, updatedns=False, all=False, raw=False, version=u'2.156', no_members=False): AttributeError

To test the new parts, I then did an ldapmodify to set the owner attribute,
and 'ipa host-show syrinx --all' gave this error:

[Fri Apr 08 11:41:38.050569 2016] [:error] [pid 5832] ipa: ERROR: non-public: AttributeError: 'module' object has no attribute 'get_primary_key_from_dn'
[Fri Apr 08 11:41:38.050588 2016] [:error] [pid 5832] Traceback (most recent call last):
[Fri Apr 08 11:41:38.050591 2016] [:error] [pid 5832]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 347, in wsgi_execute
[Fri Apr 08 11:41:38.050593 2016] [:error] [pid 5832]     result = self.Command[name](*args, **options)
[Fri Apr 08 11:41:38.050594 2016] [:error] [pid 5832]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 442, in __call__
[Fri Apr 08 11:41:38.050596 2016] [:error] [pid 5832]     ret = self.run(*args, **options)
[Fri Apr 08 11:41:38.050597 2016] [:error] [pid 5832]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 759, in run
[Fri Apr 08 11:41:38.050599 2016] [:error] [pid 5832]     return self.execute(*args, **options)
[Fri Apr 08 11:41:38.050601 2016] [:error] [pid 5832]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1380, in execute
[Fri Apr 08 11:41:38.050602 2016] [:error] [pid 5832]     self, ldap, entry_attrs.dn, entry_attrs, *keys, **options)
[Fri Apr 08 11:41:38.050604 2016] [:error] [pid 5832]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/astrocustom.py", line 98, in hostshow_postcallback
[Fri Apr 08 11:41:38.050605 2016] [:error] [pid 5832]     self.obj.convert_owner(entry_attrs, **options)
[Fri Apr 08 11:41:38.050607 2016] [:error] [pid 5832]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/astrocustom.py", line 55, in convert_owner
[Fri Apr 08 11:41:38.050608 2016] [:error] [pid 5832]     entry_attrs['owner'][m] = self.get_primary_key_from_dn(entry_attrs['owner'][m])
[Fri Apr 08 11:41:38.050610 2016] [:error] [pid 5832] AttributeError: 'module' object has no attribute 'get_primary_key_from_dn'
[Fri Apr 08 11:41:38.050757 2016] [:error] [pid 5832] ipa: INFO: [jsonserver_session] admin@ASTRO.PRINCETON.EDU: host_show(u'syrinx', rights=False, all=True, raw=False, version=u'2.156', no_members=False): AttributeError

-- 
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |    ICBM Address: 40.346344   -74.652242
    345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
    (267) 793-0852      | headlong into mystery." -Rush, 'Cygnus X-1'

From peljasz at yahoo.co.uk Fri Apr 8 16:37:45 2016
From: peljasz at yahoo.co.uk (Pawel Eljasz)
Date: Fri, 8 Apr 2016 16:37:45 +0000 (UTC)
Subject: [Freeipa-users] certutil - how to delete an orphan key..
References: <670225692.2837947.1460133465683.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <670225692.2837947.1460133465683.JavaMail.yahoo@mail.yahoo.com>

.. would anybody know?
I realize this might be not the ideal place for such a question, sorry.
thanks
L
From mrorourke at earthlink.net Fri Apr 8 17:45:50 2016
From: mrorourke at earthlink.net (Michael ORourke)
Date: Fri, 8 Apr 2016 13:45:50 -0400 (GMT-04:00)
Subject: [Freeipa-users] AD Integration change propagation timing
Message-ID: <33301322.1460137551448.JavaMail.wam@elwamui-darkeyed.atl.sa.earthlink.net>

-----Original Message-----
>From: Michael ORourke
>Sent: Apr 8, 2016 11:01 AM
>To: Sumit Bose , freeipa-users at redhat.com
>Subject: Re: [Freeipa-users] AD Integration change propagation timing
>
>-----Original Message-----
>>From: Sumit Bose
>>Sent: Apr 8, 2016 3:36 AM
>>To: freeipa-users at redhat.com
>>Subject: Re: [Freeipa-users] AD Integration change propagation timing
>>
>>On Thu, Apr 07, 2016 at 10:28:22PM -0400, Michael ORourke wrote:
>>> I have a question regarding AD Integration with FreeIPA (CentOS 7.1/freeipa
>>> 4.2.0) and Windows Server 2008 R2 with a Functional Level forest of 2008 R2.
>>> Given a simple scenario of a group in active directory that is mapped to a
>>> POSIX group in FreeIPA, if a change is made on the AD side such as adding a
>>> user to an AD group, how long should it take on the FreeIPA side before the
>>> change would show up? What would the maximum time it could take before the
>>> change propagates to a server joined to FreeIPA? What if a user was logged
>>> into the server and was waiting on the change (assuming the MS PAC was
>>> cached by sssd)? This would be for a simple forest trust with FreeIPA and a
>>> medium/small AD environment. Also, assuming that sssd was not restarted
>>> and/or the cache flushed.
>>> I'm not looking for exact timing, just some estimates.
>>
>>By default SSSD has a cache timeout of 5400s aka 1.5h, see the
>>entry_cache_timeout and following entries in man sssd.conf for details.
>>In the worst case on a client you have to add the timeout of the client
>>and the server.
>
>Thanks for the response!
>
>Here's another scenario... we would like to leverage HBAC rules for users in AD groups (assigning the rule to a local posix group which maps back to an AD group). So the AD admins would add users to an AD group, which correlates to a particular HBAC rule, which grants user access to the host(s).
>
>Example: AD user tries to login to server joined to IPA, but is denied (missing HBAC group membership), so the user puts in a request to the local AD team which gets approved and that user is added to the appropriate AD group. If the user tries to login to that same server again, it could take up to 1.5h for the cache to expire before the user is allowed to login?
>Or is it not cached at the server, because the user was not granted access to the server initially? My assumption is that it would only require the Windows client to refresh their Kerberos tkt to get a new PAC. Which is easy enough to test out.
>
>-Mike
>

*UPDATE*
I tried testing the scenario above by first clearing the Kerberos tkt on the client, but access was denied. Then I cleared the cache on the target linux server, sss_cache -E, restarted SSSD, and access was denied. Then I cleared cache on the IPA server, and restarted SSSD, access granted! So I suspect clearing the target server's cache had no impact, but haven't proved that yet.

-Mike

>>
>>If the user logs in the group memberships are updated unconditionally.
>>But this won't affect existing sessions; they will always have the same
>>group memberships as at login time, i.e. the 'id' command will always
>>return the same list of group memberships even if 'id username' from a
>>different session will tell something different. This is a general
>>UNIX/Linux feature and can be seen with local groups managed in
>>/etc/groups as well.
>>
>>Another thing to take care of is the PAC. Since the PAC is part of the
>>Kerberos ticket it won't change as long as the ticket is valid. E.g. if
>>you log in from a Windows client to an IPA client with putty using GSSAPI
>>authentication you get a service ticket for the IPA client which
>>includes the PAC and is stored on the Windows client. If you then change
>>the group memberships of the user in AD and make sure the IPA client
>>sees the new group memberships, e.g. by invalidating the cache on the
>>client and the server, a fresh login with putty might still show the old
>>group memberships again, because the PAC in the valid Kerberos ticket is
>>not refreshed and might force the client to use the group-membership
>>data from the PAC. In this case you have to call 'klist /purge' on the
>>Windows client to remove the tickets to get a fresh PAC.
>>
>>HTH
>>
>>bye,
>>Sumit
>>
>>>
>>> Thanks,
>>> Mike

From rcritten at redhat.com Fri Apr 8 19:39:49 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 8 Apr 2016 15:39:49 -0400
Subject: [Freeipa-users] certutil - how to delete an orphan key..
In-Reply-To: <670225692.2837947.1460133465683.JavaMail.yahoo@mail.yahoo.com>
References: <670225692.2837947.1460133465683.JavaMail.yahoo.ref@mail.yahoo.com> <670225692.2837947.1460133465683.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <57080905.1010806@redhat.com>

Pawel Eljasz wrote:
> .. would anybody know?
> I realize this might be not the ideal place for such a question, sorry.
> thanks
> L
>
>

I don't know that there is a way using a tool to delete a key from an NSS
database. Why do you want to? It won't hurt anything.
rob

From huston at astro.princeton.edu Fri Apr 8 19:51:28 2016
From: huston at astro.princeton.edu (Steve Huston)
Date: Fri, 8 Apr 2016 15:51:28 -0400
Subject: [Freeipa-users] Extending attributes
In-Reply-To:
References: <570762CA.7080800@redhat.com>
Message-ID:

And after a bit more hacking around, I seem to have hit on the answer. For one thing, the way I wrote it wouldn't work because the dn_container would have been wrong anyway (previously it worked because users are in the same container as other users, but in this case it would fail since the object's container is that of a host). Some of the values here are hard coded now, which is probably not good practice, but as this is my plugin for my environment I'm going to give myself a break on it. I still need to write an error handler in the case of a user account being deleted and a host "owned" by that user still exists, so that one doesn't have to go to LDAP to deal with the entry, but compared to the amount of iterations this took, that should be easy :D

For those interested:
http://www.astro.princeton.edu/~huston/astrocustom/astrocustom.1546.py.html

-- 
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |  ICBM Address: 40.346344 -74.652242
    345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
    (267) 793-0852      | headlong into mystery."  -Rush, 'Cygnus X-1'

From ftweedal at redhat.com Sat Apr 9 00:18:38 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Sat, 9 Apr 2016 10:18:38 +1000
Subject: [Freeipa-users] certutil - how to delete an orphan key..
In-Reply-To: <57080905.1010806@redhat.com>
References: <670225692.2837947.1460133465683.JavaMail.yahoo.ref@mail.yahoo.com> <670225692.2837947.1460133465683.JavaMail.yahoo@mail.yahoo.com> <57080905.1010806@redhat.com>
Message-ID: <20160409001838.GZ18277@dhcp-40-8.bne.redhat.com>

On Fri, Apr 08, 2016 at 03:39:49PM -0400, Rob Crittenden wrote:
> Pawel Eljasz wrote:
> > .. would anybody know?
> > I realize this might be not the ideal place for such a question, sorry.
> > thanks
> > L
> >
> >
>
> I don't know that there is a way using a tool to delete a key from an NSS
> database. Why do you want to? It won't hurt anything.
>
> rob
>
According to man page, to list contents of key database:

    certutil ... -K

and to delete a particular key:

    certutil ... -F -n $KEY_ID

Cheers,
Fraser

From rcritten at redhat.com Sat Apr 9 02:10:22 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 8 Apr 2016 22:10:22 -0400
Subject: [Freeipa-users] certutil - how to delete an orphan key..
In-Reply-To: <20160409001838.GZ18277@dhcp-40-8.bne.redhat.com>
References: <670225692.2837947.1460133465683.JavaMail.yahoo.ref@mail.yahoo.com> <670225692.2837947.1460133465683.JavaMail.yahoo@mail.yahoo.com> <57080905.1010806@redhat.com> <20160409001838.GZ18277@dhcp-40-8.bne.redhat.com>
Message-ID: <5708648E.4040201@redhat.com>

Fraser Tweedale wrote:
> On Fri, Apr 08, 2016 at 03:39:49PM -0400, Rob Crittenden wrote:
>> Pawel Eljasz wrote:
>>> .. would anybody know?
>>> I realize this might be not the ideal place for such a question, sorry.
>>> thanks
>>> L
>>>
>>>
>>
>> I don't know that there is a way using a tool to delete a key from an NSS
>> database. Why do you want to? It won't hurt anything.
>>
>> rob
>>
> According to man page, to list contents of key database:
>
>     certutil ... -K
>
> and to delete a particular key:
>
>     certutil ... -F -n $KEY_ID

Can't believe I missed that, nice catch.
rob

From peljasz at yahoo.co.uk Sat Apr 9 12:50:42 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Sat, 9 Apr 2016 13:50:42 +0100
Subject: [Freeipa-users] certutil - how to delete an orphan key..
In-Reply-To: <20160409001838.GZ18277@dhcp-40-8.bne.redhat.com>
References: <670225692.2837947.1460133465683.JavaMail.yahoo.ref@mail.yahoo.com> <670225692.2837947.1460133465683.JavaMail.yahoo@mail.yahoo.com> <57080905.1010806@redhat.com> <20160409001838.GZ18277@dhcp-40-8.bne.redhat.com>
Message-ID: <5708FAA2.2060404@yahoo.co.uk>

On 09/04/16 01:18, Fraser Tweedale wrote:
> On Fri, Apr 08, 2016 at 03:39:49PM -0400, Rob Crittenden wrote:
>> Pawel Eljasz wrote:
>>> .. would anybody know?
>>> I realize this might be not the ideal place for such a question, sorry.
>>> thanks
>>> L
>>>
>>>
>> I don't know that there is a way using a tool to delete a key from an NSS
>> database. Why do you want to? It won't hurt anything.
>>
>> rob
>>
> According to man page, to list contents of key database:
>
>     certutil ... -K
>
> and to delete a particular key:
>
>     certutil ... -F -n $KEY_ID
well... https://bugzilla.redhat.com/show_bug.cgi?id=1144186
>
> Cheers,
> Fraser
>

From remco at crunchrapps.com Mon Apr 11 10:02:08 2016
From: remco at crunchrapps.com (Remco Kranenburg)
Date: Mon, 11 Apr 2016 12:02:08 +0200
Subject: [Freeipa-users] Adding FreeIPA to an existing infrastructure
Message-ID: <1460368928.12466.0@smtp.office365.com>

Hi all,

At our company, we manage several Ubuntu web servers with SSH, and we use ansible scripts to automate some tasks. The web servers are hosted by a VPS hosting provider. Until now, we have always managed the user accounts manually for each server, but this is becoming increasingly cumbersome as we grow. To centralize our identity management, I've been looking into FreeIPA, but having no prior experience with this, I am overwhelmed by complexity.

So the first question: is FreeIPA too complex for what we are trying to accomplish?
Should we be looking at a different solution? I do like some of the advanced things we can supposedly do with FreeIPA: single identity for everything (SSH on our servers, our Bitbucket accounts, our Jenkins CI server), but those are currently not hard requirements.

Some technical questions:

We currently manage our TLS certificate manually with a wildcard that we install on each server every year, but we will soon be moving to the automated system provided by Letsencrypt. Does this mean we can disable the Certificate Authority system provided by FreeIPA, or is the CA also required for other things?

We currently manage our DNS entries through the web interface of our hosting provider. When we introduce a new server, we simply clone a special clean 'image' server, change the hostname and add an A and AAAA record to our ISP's DNS settings. How does this interact with the FreeIPA DNS system? Should we disable it, or does it provide advantages?

-- 
Remco

From christophe.trefois at uni.lu Mon Apr 11 11:33:31 2016
From: christophe.trefois at uni.lu (Christophe TREFOIS)
Date: Mon, 11 Apr 2016 11:33:31 +0000
Subject: [Freeipa-users] Adding FreeIPA to an existing infrastructure
In-Reply-To: <1460368928.12466.0@smtp.office365.com>
References: <1460368928.12466.0@smtp.office365.com>
Message-ID: <117018ED-D3BF-4111-ABA6-7108142525BB@uni.lu>

Hi Remco,

I'm not an expert, but I will try to answer to the best of my knowledge.

> On 11 Apr 2016, at 12:02, Remco Kranenburg wrote:
>
> Hi all,
>
> At our company, we manage several Ubuntu web servers with SSH, and we use ansible scripts to automate some tasks. The web servers are hosted by a VPS hosting provider. Until now, we have always managed the user accounts manually for each server, but this is becoming increasingly cumbersome as we grow. To centralize our identity management, I've been looking into FreeIPA, but having no prior experience with this, I am overwhelmed by complexity.
>
> So the first question: is FreeIPA too complex for what we are trying to accomplish? Should we be looking at a different solution? I do like some of the advanced things we can supposedly do with FreeIPA: single identity for everything (SSH on our servers, our Bitbucket accounts, our Jenkins CI server), but those are currently not hard requirements.

I would say it's not too complex. Once it's installed, you can slowly dig in and it's not so complex to use. The architecture is quite complex, but using it is quite straightforward I think.

Setup at least 3 replicas so you have failover and redundancy, and then you're good to go. We use FreeIPA to manage SSH accounts on the VMs and sudo rules as well. This can be done via PAM.
We also integrate all our services with FreeIPA so that we can manage accounts centrally.

In fact, we setup now the FreeIPA integration automatically via Foreman provisioning. It is quite magical.

>
> Some technical questions:
>
> We currently manage our TLS certificate manually with a wildcard that we install on each server every year, but we will soon be moving to the automated system provided by Letsencrypt. Does this mean we can disable the Certificate Authority system provided by FreeIPA, or is the CA also required for other things?

I'm not sure here but I thought the CA was meant for VMs to establish trust with FreeIPA, so I think it should stay on.

>
> We currently manage our DNS entries through the web interface of our hosting provider. When we introduce a new server, we simply clone a special clean 'image' server, change the hostname and add an A and AAAA record to our ISP's DNS settings. How does this interact with the FreeIPA DNS system? Should we disable it, or does it provide advantages?
>
> --
> Remco
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From mbasti at redhat.com Mon Apr 11 13:02:07 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 11 Apr 2016 15:02:07 +0200
Subject: [Freeipa-users] Adding FreeIPA to an existing infrastructure
In-Reply-To: <117018ED-D3BF-4111-ABA6-7108142525BB@uni.lu>
References: <1460368928.12466.0@smtp.office365.com> <117018ED-D3BF-4111-ABA6-7108142525BB@uni.lu>
Message-ID: <570BA04F.7060709@redhat.com>

On 11.04.2016 13:33, Christophe TREFOIS wrote:
> Hi Remco,
>
> I'm not an expert, but I will try to answer to the best of my knowledge.
>
>
>> On 11 Apr 2016, at 12:02, Remco Kranenburg wrote:
>>
>> Hi all,
>>
>> At our company, we manage several Ubuntu web servers with SSH, and we use ansible scripts to automate some tasks. The web servers are hosted by a VPS hosting provider. Until now, we have always managed the user accounts manually for each server, but this is becoming increasingly cumbersome as we grow. To centralize our identity management, I've been looking into FreeIPA, but having no prior experience with this, I am overwhelmed by complexity.
>>
>> So the first question: is FreeIPA too complex for what we are trying to accomplish? Should we be looking at a different solution? I do like some of the advanced things we can supposedly do with FreeIPA: single identity for everything (SSH on our servers, our Bitbucket accounts, our Jenkins CI server), but those are currently not hard requirements.
> I would say it's not too complex. Once it's installed, you can slowly dig in and it's not so complex to use. The architecture is quite complex, but using it is quite straightforward I think.
>
> Setup at least 3 replicas so you have failover and redundancy, and then you're good to go. We use FreeIPA to manage SSH accounts on the VMs and sudo rules as well.
> This can be done via PAM.
> We also integrate all our services with FreeIPA so that we can manage accounts centrally.
>
> In fact, we setup now the FreeIPA integration automatically via Foreman provisioning. It is quite magical.
>
>> Some technical questions:
>>
>> We currently manage our TLS certificate manually with a wildcard that we install on each server every year, but we will soon be moving to the automated system provided by Letsencrypt. Does this mean we can disable the Certificate Authority system provided by FreeIPA, or is the CA also required for other things?
> I'm not sure here but I thought the CA was meant for VMs to establish trust with FreeIPA, so I think it should stay on.

CA is not a mandatory part; CA-less installation is supported, but you have to provide certificates for http and directory server then. There are plans for integration with letsencrypt in future, but I don't know more details.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-examples.html#install-ca-less

>
>> We currently manage our DNS entries through the web interface of our hosting provider. When we introduce a new server, we simply clone a special clean 'image' server, change the hostname and add an A and AAAA record to our ISP's DNS settings. How does this interact with the FreeIPA DNS system? Should we disable it, or does it provide advantages?

IPA DNS is not a mandatory part of IdM. IPA install generates a list of records that should be added to the zone. Advantages are that IPA manages its own zone, puts the correct records there after installation and it has a very nice webUI for DNS management; integration with SSSD allows dynamically updating A/AAAA/PTR records of IPA hosts, but if you are fine with your external DNS you don't need to install IPA DNS.
(I'm not sure how the networks of your provider work, if there is NAT and views, etc.; IPA DNS does not support views and has issues with NAT)

Martin

>>
>> --
>> Remco
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>

From anthonyclarka2 at gmail.com Mon Apr 11 15:43:17 2016
From: anthonyclarka2 at gmail.com (Anthony Clark)
Date: Mon, 11 Apr 2016 11:43:17 -0400
Subject: [Freeipa-users] change CA subject or "friendly name"?
Message-ID:

Hello All,

I'm in the process of deploying FreeIPA 4 in a development environment. One of my testers has imported the ca.pem file into Windows, and indicates that it displays as:

Issued to: Certificate Authority
Issued by: Certificate Authority
Friendly Name:

This will unfortunately cause confusion among certain end users, so I was wondering if there's a way to change those attributes? Ideally without reinstalling everything, but thankfully we're still early in the process so it's OK if I do blow everything away.

Do I need to generate a new CA outside of FreeIPA and then use ipa-cacert-manage to "renew" the base CA?

Thanks,

Anthony Clark
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From Dennis.Ott at mckesson.com Mon Apr 11 16:27:23 2016
From: Dennis.Ott at mckesson.com (Ott, Dennis)
Date: Mon, 11 Apr 2016 16:27:23 +0000
Subject: [Freeipa-users] 7.x replica install from 6.x master fails
In-Reply-To:
References: <56FA5C2F.3070200@redhat.com> <570674EC.1060204@redhat.com>
Message-ID:

As a test, I attempted to do a replica install on a Fedora 23 machine. It fails with the same error.
Dennis

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ott, Dennis
Sent: Thursday, April 07, 2016 5:39 PM
To: Petr Vobornik; Freeipa-users at redhat.com
Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails

It doesn't look like that is my problem.

The output of pki-server ca-group-member-find "Subsystem Group" gives:

  User ID: CA-ptipa1.example.com-9443
  Common Name: CA-ptipa1.example.com-9443
  Surname: CA-ptipa1.example.com-9443
  Type: agentType
  Description: 2;4;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM
  E-mail:

All the certs seem valid:

# getcert list | grep expires
        expires: 2017-07-18 00:55:14 UTC
        expires: 2017-07-18 00:54:14 UTC
        expires: 2017-07-18 00:54:14 UTC
        expires: 2017-07-18 00:54:14 UTC
        expires: 2017-07-18 00:54:14 UTC
        expires: 2017-08-09 00:54:19 UTC
        expires: 2017-08-09 00:54:19 UTC
        expires: 2017-08-09 00:54:21 UTC
#

I was wondering if I might be hitting this:

http://cp.mcafee.com/d/1jWVIi6x8SyMVuXzX0VMSrhhjhupjvvhdEEFELcFKcECPpISHoHZalxOVIsWqehMGDpMQsyGeWOPtfhktZy0GM-xEGYCXslsttJtVNxeSICPpISr9PCJhbctZ2It9RFfQe00UX7_AJKjBoHYYvhjd79IQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoalIl-BaMVsQv6QmhPPzNI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh

http://cp.mcafee.com/d/5fHCNEg3zqb3BXKfI3D3pJ55d5VBdZZ4SyyCyYOCUOyrdCPqJyLQFm7bCNPFEV72GtD3hOaEXHbdQZ5hTS82H3W6yHOrJNlNRSRTD64XqOrdCPpIDeqR4INTQaNQDmA_gU03yNmmjBoHYYhod7bVIQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoalIl-BaMVsQv6QmhPPzNI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh

It says it is fixed in pki 10.2.6. 10.2.6 has been released for Fedora (many months ago), but is not yet available for enterprise.
Dennis

-----Original Message-----
From: Petr Vobornik [mailto:pvoborni at redhat.com]
Sent: Thursday, April 07, 2016 10:56 AM
To: Ott, Dennis; Freeipa-users at redhat.com
Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails

Sorry for the late response.

It looks like a bug
http://cp.mcafee.com/d/1jWVIe4xAe3zqb3BXInd7b1EVdCQkkQnCkTTQjqaaqbParza9ISrdGSa_iBosKr7eLqaEF-waI47nQ7LQl8m7f2H3ab0Ggvhv5mtKqek4Q4hPEVwSrdCPpesRG9px1IyaiffTE-wjSvbVgDkMaA6Of08iAwsyCqekhP0US5LD4Qg1CF2IoiaCy0Qub6qAaNx85hZ0DI-nd7NJ5CZNPxI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh

But it should be fixed in pki-core-9.0.3-45.el6_7 so I'm not sure.

Anyway, java.io.IOException: 2 actually means authentication failure.

The authentication problem might be caused by a missing subsystem user (bug #1225589) and there's already a tool to restore it. However, before running the script, please run this command on the master to verify the problem:

$ pki-server ca-group-member-find "Subsystem Group"

Ideally it should return a user ID "CA--9443" and the description attribute should contain the subsystem certificate in this format ";;;".

If that's not the case, please run this tool to restore the subsystem user:

$ python /usr/share/pki/scripts/restore-subsystem-user.py

Then run this command again to verify the fix:

$ pki-server ca-group-member-find "Subsystem Group"

If everything works well, please try installing the replica again.

Also verify that all certificates in `getcert list` output are not expired.

On 03/31/2016 09:07 PM, Ott, Dennis wrote:
> Petr,
>
> Original 6.x master installed at:
>
> ipa-server-2.1.3-9
>
> pki-ca-9.0.3-20
>
>
> At the time the migration was attempted, the 6.x master had been updated to:
>
> ipa-server-3.0.0-47
>
> pki-ca-9.0.3-45
>
>
> The 7.x replica install has been attempted using a variety of versions.
> The log excerpts at the beginning of this email were from an installation attempt using:
>
> ipa-server-4.2.0-15.0.1
>
> pki-ca-10.2.5-6
>
>
> It's a standard CA installation. This line is from /var/log/ipaserverinstall.log showing selfsign as False:
>
> 2013-09-04T18:41:20Z DEBUG /usr/sbin/ipa-server-install was invoked with options: {'zone_refresh': 0, 'reverse_zone': None, 'realm_name': None, 'create_sshfp': True, 'conf_sshd': False, 'conf_ntp': False, 'subject': None, 'no_forwarders': False, 'persistent_search': True, 'ui_redirect': True, 'domain_name': None, 'idmax': 0, 'hbac_allow': True, 'no_reverse': False, 'dirsrv_pkcs12': None, 'unattended': False, 'selfsign': False, 'trust_sshfp': False, 'external_ca_file': None, 'no_host_dns': False, 'http_pkcs12': None, 'zone_notif': False, 'forwarders': None, 'idstart': 900000000, 'external_ca': False, 'ip_address': None, 'conf_ssh': False, 'serial_autoincrement': True, 'zonemgr': None, 'setup_dns': False, 'host_name': None, 'debug': False, 'external_cert_file': None, 'uninstall': False}
> 2013-09-04T18:41:20Z DEBUG missing options might be asked for interactively later
>
>
> -----Original Message-----
> From: Petr Vobornik [mailto:pvoborni at redhat.com]
> Sent: Tuesday, March 29, 2016 6:43 AM
> To: Ott, Dennis; Freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
>
> On 03/24/2016 04:29 PM, Ott, Dennis wrote:
>> I am trying to migrate from OS 6.x / IPA 3.0 to OS 7.x / IPA 4.x.
>> After working through and solving a few issues, my current efforts
>> fail when setting up the replica CA.
>>
>> If I set up a new, pristine master on OS 6.7, I am able to create an
>> OS 7.x replica without any problem. However, if I try to create a
>> replica from my two year old test lab instance (production will be
>> another matter for the future) it fails.
>> The test lab master was created a couple of years ago on OS 6.3 / IPA 2.x and has been
>> upgraded to the latest versions in the 6.x chain. It is old enough to
>> have had all the certificates renewed, but I believe I have worked through all the issues related to that.
>>
>> Below is what I believe are the useful portions of the pertinent logs.
>> I've not been able to find anything online that speaks to the errors
>> I am seeing
>>
>> Thanks for your help.
>
> Hello Dennis,
>
> what are the exact versions of pki-ca and ipa-server on the 6.x master and 7.x replica?
>
> What kind of CA installation does the old 6.x master install have? Is standard installation with CA or does it also use external CA?
>
> I assume it is not self-sign (very old unsupported type, which could be converted in 7.x as CA-less).
>
>>
>> /var/log/ipareplica-install.log
>>
>> 2016-03-23T21:55:11Z DEBUG Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
>> 2016-03-23T21:55:11Z DEBUG [1/23]: creating certificate server user
>> 2016-03-23T21:55:11Z DEBUG group pkiuser exists
>> 2016-03-23T21:55:11Z DEBUG user pkiuser exists
>> 2016-03-23T21:55:11Z DEBUG duration: 0 seconds
>> 2016-03-23T21:55:11Z DEBUG [2/23]: configuring certificate server instance
>> 2016-03-23T21:55:11Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
>> 2016-03-23T21:55:11Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
>> 2016-03-23T21:55:11Z DEBUG Contents of pkispawn configuration file (/tmp/tmpGQ59ZC):
>> [CA]
>> pki_security_domain_name = IPA
>> pki_enable_proxy = True
>> pki_restart_configured_instance = False
>> pki_backup_keys = True
>> pki_backup_password = XXXXXXXX
>> pki_profiles_in_ldap = True
>> pki_client_database_dir = /tmp/tmp-g0CKZ3
>> pki_client_database_password = XXXXXXXX
>> pki_client_database_purge = False
>> pki_client_pkcs12_password = XXXXXXXX
>> pki_admin_name = admin
>> pki_admin_uid = admin
>> pki_admin_email = root at localhost
>> pki_admin_password = XXXXXXXX
>> pki_admin_nickname = ipa-ca-agent
>> pki_admin_subject_dn = cn=ipa-ca-agent,O=EXAMPLE.COM
>> pki_client_admin_cert_p12 = /root/ca-agent.p12
>> pki_ds_ldap_port = 389
>> pki_ds_password = XXXXXXXX
>> pki_ds_base_dn = o=ipaca
>> pki_ds_database = ipaca
>> pki_subsystem_subject_dn = cn=CA Subsystem,O=EXAMPLE.COM
>> pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=EXAMPLE.COM
>> pki_ssl_server_subject_dn = cn=pt-idm-vm01.example.com,O=EXAMPLE.COM
>> pki_audit_signing_subject_dn = cn=CA Audit,O=EXAMPLE.COM
>> pki_ca_signing_subject_dn = cn=Certificate Authority,O=EXAMPLE.COM
>> pki_subsystem_nickname = subsystemCert cert-pki-ca
>> pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
>> pki_ssl_server_nickname = Server-Cert cert-pki-ca
>> pki_audit_signing_nickname = auditSigningCert cert-pki-ca
>> pki_ca_signing_nickname = caSigningCert cert-pki-ca
>> pki_ca_signing_key_algorithm = SHA256withRSA
>> pki_security_domain_hostname = ptipa1.example.com
>> pki_security_domain_https_port = 443
>> pki_security_domain_user = admin
>> pki_security_domain_password = XXXXXXXX
>> pki_clone = True
>> pki_clone_pkcs12_path = /tmp/ca.p12
>> pki_clone_pkcs12_password = XXXXXXXX
>> pki_clone_replication_security = TLS
>> pki_clone_replication_master_port = 7389
>> pki_clone_replication_clone_port = 389
>> pki_clone_replicate_schema = False
>> pki_clone_uri = http://cp.mcafee.com/d/k-Kr6zqb3VEVjouhuodCQkkQnCkTTQjqaaqbParza9ISrdGSa_iBosKrKVXMGgog82KA1N1BeTyH93t5m7hOoHH3b8GOxvQd8e89K8CPpISr9PCJhbcmD9rkuYf21_YLxIbve9Ew3di5oMAld41EYmcR8lz2gazW1fpYKqfzqaabyr1I5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
>>
>> 2016-03-23T21:55:11Z DEBUG Starting external process
>> 2016-03-23T21:55:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC'
>> 2016-03-23T21:56:51Z DEBUG Process finished, return code=1
>> 2016-03-23T21:56:51Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160323175511.log
>> Loading deployment configuration from /tmp/tmpGQ59ZC.
>> Installing CA into /var/lib/pki/pki-tomcat.
>> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>> Installation failed.
>>
>> 2016-03-23T21:56:51Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: http://cp.mcafee.com/d/5fHCNAi6hESyM-qekS7AnC3pJ55d5VBdZZ4SyyCyYOCUOyrdCPqJyLQFm7bCXKuYaA6420HF0sgpjJUGOgThlxQsCaWMOOaIEnZ3i3y2ry9ISrdCOsVHkiP6UDDO8cZ7ZgCjZ2JGs01PUovI_FfavpKcFBK1NIbve9Ew3di5oMAld41EYmcR8lz2gazW1fpYKqfzqaabyr1I5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
>>   InsecureRequestWarning)
>> pkispawn    : WARNING  ....... unable to validate security domain user/password through REST interface. Interface not available
>> pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
>> pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error while updating security domain: java.io.IOException: 2"}
>>
>> 2016-03-23T21:56:51Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC'' returned non-zero exit status 1
>> 2016-03-23T21:56:51Z CRITICAL See the installation logs and the following files/directories for more information:
>> 2016-03-23T21:56:51Z CRITICAL   /var/log/pki-ca-install.log
>> 2016-03-23T21:56:51Z CRITICAL   /var/log/pki/pki-tomcat
>> 2016-03-23T21:56:51Z DEBUG Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
>>     method()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance
>>     DogtagInstance.spawn_instance(self, cfg_file)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
>>     self.handle_setup_error(e)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
>>     raise RuntimeError("%s configuration failed." % self.subsystem)
>> RuntimeError: CA configuration failed.
>>
>> 2016-03-23T21:56:51Z DEBUG   [error] RuntimeError: CA configuration failed.
>> 2016-03-23T21:56:51Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>     return_value = self.run()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, in run
>>     cfgr.run()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 281, in run
>>     self.execute()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 303, in execute
>>     for nothing in self._executor():
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
>>     self._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
>>     util.raise_exc_info(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
>>     step()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
>>     raise_exc_info(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
>>     value = gen.send(prev_value)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 524, in _configure
>>     executor.next()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
>>     self._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in _handle_exception
>>     self.__parent._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
>>     util.raise_exc_info(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in _handle_exception
>>     super(ComponentBase, self)._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
>>     util.raise_exc_info(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
>>     step()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
>>     raise_exc_info(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
>>     value = gen.send(prev_value)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
>>     for nothing in self._installer(self.parent):
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 879, in main
>>     install(self)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 295, in decorated
>>     func(installer)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 584, in install
>>     ca.install(False, config, options)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 106, in install
>>     install_step_0(standalone, replica_config, options)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 130, in install_step_0
>>     ra_p12=getattr(options, 'ra_p12', None))
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1543, in install_replica_ca
>>     subject_base=config.subject_base)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 486, in configure_instance
>>     self.start_creation(runtime=210)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
>>     method()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance
>>     DogtagInstance.spawn_instance(self, cfg_file)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
>>     self.handle_setup_error(e)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
>>     raise RuntimeError("%s configuration failed." % self.subsystem)
>>
>> 2016-03-23T21:56:51Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: CA configuration failed.
>> 2016-03-23T21:56:51Z ERROR CA configuration failed.
>>
>> /var/log/pki/pki-ca-spawn..log
>>
>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... rm -f /etc/pki/pki-tomcat/ca/noise
>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... rm -f /etc/pki/pki-tomcat/pfile
>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... ln -s /lib/systemd/system/pki-tomcatd@.service /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service
>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown -h 17:17 /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service
>> 2016-03-23 17:55:12 pkispawn    : INFO     ... configuring 'pki.server.deployment.scriptlets.configuration'
>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... mkdir -p /root/.dogtag/pki-tomcat/ca
>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chmod 755 /root/.dogtag/pki-tomcat/ca
>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown 0:0 /root/.dogtag/pki-tomcat/ca
>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... generating '/root/.dogtag/pki-tomcat/ca/password.conf'
>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... modifying '/root/.dogtag/pki-tomcat/ca/password.conf'
>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chmod 660 /root/.dogtag/pki-tomcat/ca/password.conf
>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown 0:0 /root/.dogtag/pki-tomcat/ca/password.conf
>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... generating '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... modifying '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chmod 660 /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown 17:17 /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... executing 'certutil -N -d /tmp/tmp-g0CKZ3 -f /root/.dogtag/pki-tomcat/ca/password.conf'
>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... executing 'systemctl daemon-reload'
>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... executing 'systemctl start pki-tomcatd@pki-tomcat.service'
>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... No connection - server may still be down
>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
>> 2016-03-23 17:55:13 pkispawn    : DEBUG    ........... No connection - server may still be down
>> 2016-03-23 17:55:13 pkispawn    : DEBUG    ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
>> 2016-03-23 17:55:24 pkispawn    : DEBUG    ........... > encoding="UTF-8" standalone="no"?>0CA running10.2.5-6.el7
>> 2016-03-23 17:55:25 pkispawn    : INFO     ....... constructing PKI configuration data.
>> 2016-03-23 17:55:25 pkispawn    : INFO     ....... configuring PKI configuration data.
>> 2016-03-23 17:56:51 pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
>> 2016-03-23 17:56:51 pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error while updating security domain: java.io.IOException: 2"}
>> 2016-03-23 17:56:51 pkispawn    : DEBUG    ....... Error Type: ParseError
>> 2016-03-23 17:56:51 pkispawn    : DEBUG    ....... Error Message: not well-formed (invalid token): line 1, column 0
>> 2016-03-23 17:56:51 pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 597, in main
>>     rv = instance.spawn(deployer)
>>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 116, in spawn
>>     json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
>>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3906, in configure_pki_data
>>     root = ET.fromstring(e.response.text)
>>   File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
>>     parser.feed(text)
>>   File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
>>     self._raiseerror(v)
>>   File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror
>>     raise err
>>
>> /var/log/pki/pki-tomcat/ca/debug
>>
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password ok: store in memory cache
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: errorIfDown false
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP connection using basic authentication to host pt-idm-vm01.example.com port 389 as cn=Directory Manager
>>
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with >> mininum 3 and maximum 15 connections to host pt-idm-vm01.example.com >> port 389, secure connection, false, authentication type 1 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum >> connections by 3 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available >> connections 3 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of >> connections 3 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In >> LdapBoundConnFactory::getConn() >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: >> true >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is >> connected true >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now >> 2 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS: >> param=preop.internaldb.manager_ldif >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif >> file = /usr/share/pki/server/conf/manager.ldif >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif >> file copy to /var/lib/pki/pki-tomcat/ca/conf/manager.ldif >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): LDAP >> Errors in importing /var/lib/pki/pki-tomcat/ca/conf/manager.ldif >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: >> exception in adding entry >> ou=csusers,cn=config:netscape.ldap.LDAPException: error result (68) >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: >> exception in modifying entry o=ipaca:netscape.ldap.LDAPException: >> error result (20) >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: populateVLVIndexes(): >> start >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Creating >> LdapBoundConnFactor(ConfigurationUtils) >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapBoundConnFactory: >> init >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: >> LdapBoundConnFactory:doCloning true >> 
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init() >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init >> begins >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: >> prompt is internaldb >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: try >> getting from memory cache >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: got >> password from memory >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: >> password found for prompt. >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password >> ok: store in memory cache >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before >> makeConnection errorIfDown is false >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: >> errorIfDown false >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP >> connection using basic authentication to host pt-idm-vm01.example.com >> port 389 as cn=Directory Manager >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with >> mininum 3 and maximum 15 connections to host pt-idm-vm01.example.com >> port 389, secure connection, false, authentication type 1 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum >> connections by 3 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available >> connections 3 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of >> connections 3 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In >> LdapBoundConnFactory::getConn() >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: >> true >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is >> connected true >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now >> 2 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS: >> 
param=preop.internaldb.post_ldif >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif >> file = /usr/share/pki/ca/conf/vlv.ldif >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif >> file copy to /var/lib/pki/pki-tomcat/ca/conf/vlv.ldif >> >> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif >> file = /usr/share/pki/ca/conf/vlvtasks.ldif >> >> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif >> file copy to /var/lib/pki/pki-tomcat/ca/conf/vlvtasks.ldif >> >> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: Checking wait_dn >> cn=index1160589769, cn=index, cn=tasks, cn=config >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: Found data for 'sslserver' >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: >> SystemConfigService:processCerts(): san_server_cert not found for tag >> sslserver >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is >> local >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is >> remote (revised) >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: >> updateConfig() for certTag sslserver >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: updateConfig() done >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: remote CA >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got >> public key >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got >> private key >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: For this >> Cloned CA, always use its Master CA to generate the 'sslserver' >> certificate to avoid any changes which may have been made to the X500Name directory string encoding order. 
>> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: ConfigurationUtils: >> injectSAN=false >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertUtil >> createRemoteCert: content >> requestor_name=CA-pt-idm-vm01.example.com-8443&profileId=caInternalAu >> t >> hServerCert&cert_request_type=pkcs10&cert_request=MIICmzCCAYxxxxxxxxx >> x >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> x >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> x >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> x >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> x >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> x >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxrD6JPIBR7AA%3D&xmlOutput=true& >> s >> essionID=-4495713718673639316 >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil >> createRemoteCert: status=0 >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil createRemoteCert: >> MIIDxTCCAq2gxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> x >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> x >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> x >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> x >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> x >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxTDuSAWm2v7 >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: ConfigurationUtils: >> handleCertRequest() begins >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: >> tag=sslserver >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: >> privKeyID=29c021f3ccfafb1049bd33ce00e9b4ba35f2c1e7 >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: >> created cert request >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processing 'sslserver' certificate: >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): 
for cert >> tag 'sslserver' using cert type 'remote' >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): process >> remote...import cert >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: >> nickname=Server-Cert cert-pki-ca >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: cert >> deleted successfully >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): >> certchains length=2 >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): import >> certificate successfully, certTag=sslserver >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processed 'sslserver' certificate. >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === BackupKeyCert >> Panel/SavePKCS12 Panel === >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: backupKeys(): start >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Admin Panel === >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Done Panel === >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Updating existing >> security domain >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: isSDHostDomainMaster(): >> Getting domain.xml from CA... >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: getDomainXML start >> >> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: status=0 >> >> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: >> domainInfo=> standalone="no"?>IPAptipa1. 
>> example.com443443> e >> cureAgentPort>443> cureAgentPort>t >> hPort>44380> hPort>n >> e>FALSEpki-cadT >> e>R >> UE1> S >> PList>0> PList>m >> Count>00> Count>m >> Count>0< >> Count>T >> PSList>0 >> >> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Cloning a domain master >> >> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase >> updateDomainXML start hostname=ptipa1.example.com port=443 >> >> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: >> failed to update security domain using admin port 443: >> org.xml.sax.SAXParseException; >> lineNumber: 1; columnNumber: 50; White spaces are required between >> publicId and systemId. >> >> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: >> now trying agent port with client auth >> >> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase >> updateDomainXML start hostname=ptipa1.example.com port=443 >> >> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateDomainXML() >> nickname=subsystemCert cert-pki-ca >> >> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML: >> status=1 >> >> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Error while updating >> security >> domain: java.io.IOException: 2 >> >> [23/Mar/2016:23:44:52][http-bio-8080-exec-1]: according to ccMode, >> authorization for servlet: caProfileList is LDAP based, not XML {1}, use default authz mgr: {2}. >> >> /var/log/pki/pki-tomcat/ca/system >> >> 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [3] [3] Cannot >> build CA chain. 
Error java.security.cert.CertificateException: >> Certificate is not a PKCS >> #11 certificate >> >> 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [13] [3] authz >> instance DirAclAuthz initialization failed and skipped, >> error=Property internaldb.ldapconn.port missing value >> >> *Dennis M Ott* >> Infrastructure Administrator >> Infrastructure and Security Operations >> >> *McKesson Corporation >> McKesson Pharmacy Systems and Automation* www.mckesson.com >> >>> -- > Petr Vobornik
-- Petr Vobornik

From zwolfinger at myemma.com Mon Apr 11 17:01:29 2016 From: zwolfinger at myemma.com (Zak Wolfinger) Date: Mon, 11 Apr 2016 12:01:29 -0500 Subject: [Freeipa-users] Migration from 3.0 to 4.3.1 questions Message-ID:

We are running FreeIPA 3.0 (Dogtag 9) on CentOS and want to migrate to the latest version.

I understand that FreeIPA 3.1 introduced Dogtag 10 and there is no "upgrade", but it can be accomplished as a "migration".

However, we are not currently using the CA, so that may simplify things.

Can I just do this?
1. Create a new replica VM running 4.3.1
2. Make sure it syncs up with the 3.0 primary and test
3. Promote the new replica to primary
4. Remove all the old 3.0 replicas
5. Build new 4.3.1 replicas
6. ??
7. Profit

What do you experienced people think? What am I missing?
Cheers,
Zak Wolfinger
Infrastructure Engineer | Emma
zak.wolfinger at myemma.com
800.595.4401 or 615.292.5888 x197
615.292.0777 (fax)
Emma helps organizations everywhere communicate & market in style. Visit us online at www.myemma.com
--

From mbasti at redhat.com Mon Apr 11 17:09:08 2016 From: mbasti at redhat.com (Martin Basti) Date: Mon, 11 Apr 2016 19:09:08 +0200 Subject: [Freeipa-users] Migration from 3.0 to 4.3.1 questions In-Reply-To: References: Message-ID: <570BDA34.9040600@redhat.com>

On 11.04.2016 19:01, Zak Wolfinger wrote:
> We are running FreeIPA 3.0 (Dogtag 9) on CentOS and want to migrate to the latest version.
>
> I understand that FreeIPA 3.1 introduced Dogtag 10 and there is no "upgrade", but it can be accomplished as a "migration".
>
> However, we are not currently using the CA, so that may simplify things.
>
> Can I just do this?
> 1. Create a new replica VM running 4.3.1
> 2. Make sure it syncs up with the 3.0 primary and test
> 3. Promote the new replica to primary
> 4. Remove all the old 3.0 replicas
> 5. Build new 4.3.1 replicas
> 6. ??
> 7. Profit
>
> What do you experienced people think? What am I missing?
>

This may help: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#upgrading

The migration from RHEL 6 to RHEL 7 is covered there; it should work.

Martin

> Cheers,
> *Zak Wolfinger*
> Infrastructure Engineer | Emma
> zak.wolfinger at myemma.com
> 800.595.4401 or 615.292.5888 x197
> 615.292.0777 (fax)
> Emma helps organizations everywhere communicate & market in style.
> Visit us online at www.myemma.com

From zwolfinger at myemma.com Mon Apr 11 19:47:25 2016 From: zwolfinger at myemma.com (Zak Wolfinger) Date: Mon, 11 Apr 2016 14:47:25 -0500 Subject: [Freeipa-users] Migration from 3.0 to 4.3.1 questions In-Reply-To: <570BDA34.9040600@redhat.com> References: <570BDA34.9040600@redhat.com> Message-ID: <5648015E-D0AD-44A8-B9B5-B2E805A47544@myemma.com>

> On Apr 11, 2016, at 12:09 PM, Martin Basti wrote:
>
> On 11.04.2016 19:01, Zak Wolfinger wrote:
>> We are running FreeIPA 3.0 (Dogtag 9) on CentOS and want to migrate to the latest version.
>>
>> I understand that FreeIPA 3.1 introduced Dogtag 10 and there is no "upgrade", but it can be accomplished as a "migration".
>>
>> However, we are not currently using the CA, so that may simplify things.
>>
>> Can I just do this?
>> 1. Create a new replica VM running 4.3.1
>> 2. Make sure it syncs up with the 3.0 primary and test
>> 3. Promote the new replica to primary
>> 4. Remove all the old 3.0 replicas
>> 5. Build new 4.3.1 replicas
>> 6. ??
>> 7. Profit
>>
>> What do you experienced people think? What am I missing?
>>
> This may help: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#upgrading
>
> The migration from RHEL 6 to RHEL 7 is covered there; it should work.
> Martin

Since we are running FreeIPA on CentOS instead of IdM on RHEL, I'm not sure how this warning applies to our configuration:

WARNING: If any of the instances in your IdM deployment are using Red Hat Enterprise Linux 6.5 or earlier, upgrade them to Red Hat Enterprise Linux 6.6 before upgrading a Red Hat Enterprise Linux 7.0 IdM server to the 7.1 version or before connecting a Red Hat Enterprise Linux 7.1 IdM replica.

Anything to be concerned about here?

Thanks!
--
From rcritten at redhat.com Mon Apr 11 20:39:58 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 11 Apr 2016 16:39:58 -0400 Subject: [Freeipa-users] Migration from 3.0 to 4.3.1 questions In-Reply-To: <5648015E-D0AD-44A8-B9B5-B2E805A47544@myemma.com> References: <570BDA34.9040600@redhat.com> <5648015E-D0AD-44A8-B9B5-B2E805A47544@myemma.com> Message-ID: <570C0B9E.5070802@redhat.com>

Zak Wolfinger wrote:
>> On Apr 11, 2016, at 12:09 PM, Martin Basti wrote:
>>
>> On 11.04.2016 19:01, Zak Wolfinger wrote:
>>> We are running FreeIPA 3.0 (Dogtag 9) on CentOS and want to migrate to the latest version.
>>>
>>> I understand that FreeIPA 3.1 introduced Dogtag 10 and there is no "upgrade", but it can be accomplished as a "migration".
>>>
>>> However, we are not currently using the CA, so that may simplify things.
>>>
>>> Can I just do this?
>>> 1. Create a new replica VM running 4.3.1
>>> 2. Make sure it syncs up with the 3.0 primary and test
>>> 3. Promote the new replica to primary
>>> 4. Remove all the old 3.0 replicas
>>> 5. Build new 4.3.1 replicas
>>> 6. ??
>>> 7. Profit
>>>
>>> What do you experienced people think? What am I missing?
>>>
>> This may help: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#upgrading
>>
>> The migration from RHEL 6 to RHEL 7 is covered there; it should work.
>> Martin
>
> Since we are running FreeIPA on CentOS instead of IdM on RHEL, I'm not sure how this warning applies to our configuration:
>
> WARNING: If any of the instances in your IdM deployment are using Red Hat Enterprise Linux 6.5 or earlier, upgrade them to Red Hat Enterprise Linux 6.6 before upgrading a Red Hat Enterprise Linux 7.0 IdM server to the 7.1 version or before connecting a Red Hat Enterprise Linux 7.1 IdM replica.
>
> Anything to be concerned about here?

One reason is https://bugzilla.redhat.com/show_bug.cgi?id=1083878

You need 3.0.0-38 or higher.

rob

From ftweedal at redhat.com Mon Apr 11 23:08:32 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 12 Apr 2016 09:08:32 +1000 Subject: [Freeipa-users] change CA subject or "friendly name"? In-Reply-To: References: Message-ID: <20160411230832.GC18277@dhcp-40-8.bne.redhat.com>

On Mon, Apr 11, 2016 at 11:43:17AM -0400, Anthony Clark wrote:
> Hello All,
>
> I'm in the process of deploying FreeIPA 4 in a development environment. One of my testers has imported the ca.pem file into Windows, and indicates that it displays as:
>
> Issued to: Certificate Authority
> Issued by: Certificate Authority
> Friendly Name:
>
> This will unfortunately cause confusion among certain end users, so I was wondering if there's a way to change those attributes?
>
> Ideally without reinstalling everything, but thankfully we're still early in the process so it's OK if we do blow everything away.
>
> Do I need to generate a new CA outside of FreeIPA and then use ipa-cacert-manage to "renew" the base CA?
>
> Thanks,
>
> Anthony Clark

Hi Anthony,

After a brief investigation it appears that ``Friendly Name'' is a property that can be set in a Windows certificate store, and is not part of, or derived from, the certificate itself.

Here are a couple of TechNet articles that might help:
- https://technet.microsoft.com/en-us/library/cc740218%28v=ws.10%29.aspx
- https://blogs.technet.microsoft.com/pki/2008/12/12/defining-the-friendly-name-certificate-property/

Cheers,
Fraser

From rakesh.rajasekharan at gmail.com Tue Apr 12 09:26:43 2016 From: rakesh.rajasekharan at gmail.com (Rakesh Rajasekharan) Date: Tue, 12 Apr 2016 14:56:43 +0530 Subject: [Freeipa-users] freeipa restore backup on a new server Message-ID:

Hi,

I am running ipa-server version 4.2 on AWS, and testing the freeipa backup and restore.

The restoration works fine if it's on the same host, wherein I uninstall freeipa and then install it back and then do a full restore.

However, if it's a new machine with a different IP, the restoration fails.

I am running the restoration from an ansible playbook. Here's the output that I get:

Preparing restore from /tmp/ipa/ipa-full-2016-04-12 on test-ipa-master-int.xyz.com
Performing FULL restore from FULL backup
Each master will individually need to be re-initialized or re-created from this one. The replication agreements on masters running IPA 3.1 or earlier will need to be manually re-enabled. See the man page for details.
Disabling all replication.
Stopping IPA services
Systemwide CA database updated.
Restoring files
Systemwide CA database updated.
Restoring from userRoot in xyz-COM
Restoring from ipaca in xyz-COM
Starting IPA services
Command ''ipactl' 'start'' returned non-zero exit status 1
stdout: Configuring certmonger to stop tracking system certificates for CA

Is there a limitation that the IP needs to be the same for a restore to happen, or am I missing something?

Thanks,
Rakesh
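Rakesh is restoring onto a host with a different address. If that server also hosts IPA's DNS, the restored userRoot data carries the zone with A records for the master (and the ipa-ca alias) that still point at the old address. The following is an added check, not FreeIPA's own code: it scans an LDIF export of that data and reports the records that disagree with the new machine's address; the hostnames, addresses and LDIF below are constructed samples.

```python
"""Find A records in a restored IPA directory that still carry the old
master address.

Added example, not FreeIPA's own code.  It reads an LDIF export of the
directory data (IPA keeps its DNS zones under cn=dns in the userRoot
backend that the restore above reloads) and compares the A records for
the master host, and for the ipa-ca alias in its zone, with the address
the new machine actually has.  All values below are constructed samples.
"""
import ipaddress

MASTER_FQDN = "test-ipa-master-int.xyz.com"  # host named in the restore output
NEW_IP = "10.0.2.25"                          # constructed: the new machine's address

# Constructed LDIF in the shape of IPA's DNS tree; 10.0.1.10 stands for the
# address of the original (lost) master.
SAMPLE_LDIF = """\
dn: idnsname=xyz.com.,cn=dns,dc=xyz,dc=com
objectClass: idnszone
objectClass: idnsrecord
idnsName: xyz.com.
idnsSOAmName: test-ipa-master-int.xyz.com.
nSRecord: test-ipa-master-int.xyz.com.

dn: idnsname=test-ipa-master-int,idnsname=xyz.com.,cn=dns,dc=xyz,dc=com
objectClass: idnsrecord
idnsName: test-ipa-master-int
aRecord: 10.0.1.10

dn: idnsname=ipa-ca,idnsname=xyz.com.,cn=dns,dc=xyz,dc=com
objectClass: idnsrecord
idnsName: ipa-ca
aRecord: 10.0.1.10

dn: idnsname=fileserver,idnsname=xyz.com.,cn=dns,dc=xyz,dc=com
objectClass: idnsrecord
idnsName: fileserver
aRecord: 10.0.1.42
"""


def parse_ldif(text):
    """Minimal LDIF reader returning one {attribute: [values]} dict per entry.

    Attribute names are lower-cased.  Folded lines (a leading space continues
    the previous value) are joined; base64 values ("attr:: ...") are skipped
    because the DNS attributes examined here are plain strings.
    """
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        attr, sep, value = raw.partition(":")
        if not sep or raw.startswith("#") or value.startswith(":"):
            last_attr = None
            continue
        key = attr.strip().lower()
        current.setdefault(key, []).append(value.strip())
        last_attr = key
    if current:
        entries.append(current)
    return entries


def record_fqdn(entry):
    """Build a record's FQDN from its idnsName and the zone named in its DN."""
    name = entry["idnsname"][0]
    names = [p.split("=", 1)[1] for p in entry["dn"][0].split(",")
             if p.lower().startswith("idnsname=")]
    # names[0] is the record's own name, names[1] (if present) its zone
    if name.endswith(".") or len(names) < 2:
        return name.rstrip(".")
    return f"{name}.{names[1]}".rstrip(".")


def stale_a_records(ldif_text, master_fqdn, new_ip):
    """Return [(fqdn, address)] for A records of the master, or of the ipa-ca
    alias in the master's zone, whose address differs from new_ip."""
    zone = master_fqdn.split(".", 1)[1]
    wanted = {master_fqdn.lower(), f"ipa-ca.{zone}".lower()}
    expected = ipaddress.ip_address(new_ip)
    stale = []
    for entry in parse_ldif(ldif_text):
        if "arecord" not in entry or "idnsname" not in entry:
            continue
        fqdn = record_fqdn(entry).lower()
        if fqdn in wanted:
            for addr in entry["arecord"]:
                if ipaddress.ip_address(addr) != expected:
                    stale.append((fqdn, addr))
    return stale


if __name__ == "__main__":
    for fqdn, addr in stale_a_records(SAMPLE_LDIF, MASTER_FQDN, NEW_IP):
        print(f"{fqdn} still resolves to {addr}, expected {NEW_IP}")
```

On a live server the same comparison can be made against the output of ipa dnsrecord-find for the zone.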
From remco at crunchrapps.com Tue Apr 12 10:14:53 2016 From: remco at crunchrapps.com (Remco Kranenburg) Date: Tue, 12 Apr 2016 12:14:53 +0200 Subject: [Freeipa-users] Adding FreeIPA to an existing infrastructure In-Reply-To: <570BA04F.7060709@redhat.com> References: <1460368928.12466.0@smtp.office365.com> <117018ED-D3BF-4111-ABA6-7108142525BB@uni.lu> <570BA04F.7060709@redhat.com> Message-ID: <1460456093.12466.1@smtp.office365.com>

Thanks for all the pointers. I'm tentatively moving forward with a CA-less and DNS-less IPA server, with Letsencrypt certificates. I think this is also the setup that is used by the demo at . Is there some documentation about this setup?

I'm trying to install a Letsencrypt certificate into FreeIPA, but when I run the installation:

ipa-server-install --http-cert-file cert.pem --http-cert-file privkey.pem --dirsrv-cert-file cert.pem --dirsrv-cert-file privkey.pem

It asks for my "Apache Server private key unlock password", even though the key from Letsencrypt is not encrypted with a passphrase. When I give a bogus password, it gives me another error:

ipa.ipapython.install.cli.install_tool(Server): ERROR The full certificate chain is not present in cert.pem, privkey.pem

Letsencrypt provides me with a few files: cert.pem, chain.pem, fullchain.pem, privkey.pem. Even when I also add chain.pem and fullchain.pem, it gives me the same error.

--
Remco

From dkupka at redhat.com Tue Apr 12 11:15:02 2016 From: dkupka at redhat.com (David Kupka) Date: Tue, 12 Apr 2016 13:15:02 +0200 Subject: [Freeipa-users] freeipa restore backup on a new server In-Reply-To: References: Message-ID: <570CD8B6.7020504@redhat.com>

On 12/04/16 11:26, Rakesh Rajasekharan wrote:
> Hi,
>
> I am running ipa-server version 4.2 on AWS, and testing the freeipa backup and restore.
>
> The restoration works fine if it's on the same host, wherein I uninstall freeipa and then install it back and then do a full restore.
>
> However, if it's a new machine with a different IP, the restoration fails.
>
> I am running the restoration from an ansible playbook. Here's the output that I get:
>
> Preparing restore from /tmp/ipa/ipa-full-2016-04-12 on test-ipa-master-int.xyz.com
> Performing FULL restore from FULL backup
> Each master will individually need to be re-initialized or re-created from this one. The replication agreements on masters running IPA 3.1 or earlier will need to be manually re-enabled. See the man page for details.
> Disabling all replication.
> Stopping IPA services
> Systemwide CA database updated.
> Restoring files
> Systemwide CA database updated.
> Restoring from userRoot in xyz-COM
> Restoring from ipaca in xyz-COM
> Starting IPA services
> Command ''ipactl' 'start'' returned non-zero exit status 1
> stdout: Configuring certmonger to stop tracking system certificates for CA
>
> Is there a limitation that the IP needs to be the same for a restore to happen, or am I missing something?
>
> Thanks,
> Rakesh

Hello Rakesh,

it's not possible to determine what happened from the information that you have sent. Could you please find the service that failed to start and send its logs?

I believe that all services in FreeIPA depend on host names and resolve the IP address from DNS when needed. But if the DNS server is part of the FreeIPA server you're trying to restore, it is holding old records with old IP addresses. Maybe this is the cause, but it's just a wild guess.

--
David Kupka

From bahanw042014 at gmail.com Tue Apr 12 11:51:00 2016 From: bahanw042014 at gmail.com (bahan w) Date: Tue, 12 Apr 2016 13:51:00 +0200 Subject: [Freeipa-users] How to set passwords which never expire ? Message-ID:

Hello!

I am using FreeIPA 3.0 and I would like, for specific accounts, to set passwords that never expire.

I tried to set a pwpolicy for this with the option maxage set to 0, but it did not help and the maxage was 0 (password already expired).
Is there a way, with this IPA version, to set passwords that never expire?

BR.
Bahan

From dbischof at hrz.uni-kassel.de Tue Apr 12 12:10:31 2016 From: dbischof at hrz.uni-kassel.de (dbischof at hrz.uni-kassel.de) Date: Tue, 12 Apr 2016 14:10:31 +0200 (CEST) Subject: [Freeipa-users] How to set passwords which never expire ? In-Reply-To: References: Message-ID:

Hi,

On Tue, 12 Apr 2016, bahan w wrote:
> I am using FreeIPA 3.0 and I would like, for specific accounts, to set passwords that never expire.
>
> I tried to set a pwpolicy for this with the option maxage set to 0, but it did not help and the maxage was 0 (password already expired).
>
> Is there a way, with this IPA version, to set passwords that never expire?

it is possible to create a password policy (tab "Policy" in the web interface) for a user group of your choice and change the password max lifetime to (e.g.) 3650 days = 10 years. That's not exactly "never expiring", but it does the trick for me (I use it for LDAP bind users).

Mit freundlichen Gruessen/With best regards,

--Daniel.

From andreas.calminder at nordnet.se Tue Apr 12 12:41:45 2016 From: andreas.calminder at nordnet.se (Andreas Calminder) Date: Tue, 12 Apr 2016 14:41:45 +0200 Subject: [Freeipa-users] Winsync agreement password sync failing for specific user on the IPA side Message-ID: <570CED09.2090202@nordnet.se>

Hello,

I've got a pretty strange problem with FreeIPA 4.2.0-15.el7 running on a rhel 7.2 and am wondering if anyone can shed some light on it. I've set up a winsync agreement and it seems to be working fine, stuff gets synced from the AD to IPA. I've also got the PassSync application installed on all windows domain controllers and it's behaving a bit unexpectedly. It would seem that password changes initiated on the windows side do not work for my user, however a change for another user passes just fine.
From the passsync.log from the same Windows DC:

User:
04/08/16 16:29:12: Attempting to sync password for user1
04/08/16 16:29:12: Searching for (ntuserdomainid=user1)
04/08/16 16:29:12: Password modified for remote entry: uid=user1,cn=users,cn=accounts,dc=linux,dc=se
04/08/16 16:29:12: Removing password change from list

Me:
04/08/16 16:31:45: Searching for (ntuserdomainid=me)
04/08/16 16:31:45: Ldap error in ModifyPassword
50: Insufficient access
04/08/16 16:31:45: Modify password failed for remote entry: uid=me,cn=users,cn=accounts,dc=linux,dc=se
04/08/16 16:31:45: Deferring password change for me
04/08/16 16:31:45: Backing off for 2000ms

Are there different permissions per user, or does the passsync user on the IPA side need to update its permissions (the user me is an IPA administrator)?

I'm currently running an older ipa version 3.0.0-37.el6 against the same DCs, same passsync user and password, where this works. It also works fine in my test environment (4.2.0). Am I missing something obvious or am I doing something wrong?

Best regards,
Andreas

From bentech4you at gmail.com Tue Apr 12 12:59:46 2016 From: bentech4you at gmail.com (Ben .T.George) Date: Tue, 12 Apr 2016 15:59:46 +0300 Subject: [Freeipa-users] From where can i get repo details for FreeIPA 4.3.1 version Message-ID:

Hi List,

From where can I get repo details for the FreeIPA 4.3.1 version? The link provided on the website is broken: https://www.freeipa.org/page/Releases/4.3.1

Please, someone give me the right package details.

Regards,
Ben
From andreas.calminder at nordnet.se Tue Apr 12 13:04:24 2016
From: andreas.calminder at nordnet.se (Andreas Calminder)
Date: Tue, 12 Apr 2016 15:04:24 +0200
Subject: [Freeipa-users] Winsync agreement password sync failing for specific user on the IPA side
In-Reply-To: <570CED09.2090202@nordnet.se>
References: <570CED09.2090202@nordnet.se>
Message-ID: <570CF258.4050005@nordnet.se>

Sorry for the noise, I did some backtracking in the mailing list archives and found a conversation from December 2015 regarding the same issue with a nice bugzilla attached, https://bugzilla.redhat.com/show_bug.cgi?id=1287092. I'll try to work around the issue with group nesting.

/andreas

On 04/12/2016 02:41 PM, Andreas Calminder wrote:
> Hello,
> I've got a pretty strange problem with FreeIPA 4.2.0-15.el7 running on
> a RHEL 7.2 and wondering if anyone can shed some light on it. I've
> set up a winsync agreement and it seems to be working fine, stuff gets
> synced from the AD to IPA. I've also got the PassSync application
> installed on all Windows domain controllers and it's behaving a bit
> unexpectedly. It would seem that password changes initiated on the
> Windows side do not work for my user, however a change for another
> user passes just fine.
>
> From the passsync.log from the same Windows DC:
>
> User:
> 04/08/16 16:29:12: Attempting to sync password for user1
> 04/08/16 16:29:12: Searching for (ntuserdomainid=user1)
> 04/08/16 16:29:12: Password modified for remote entry:
> uid=user1,cn=users,cn=accounts,dc=linux,dc=se
> 04/08/16 16:29:12: Removing password change from list
>
> Me:
> 04/08/16 16:31:45: Searching for (ntuserdomainid=me)
> 04/08/16 16:31:45: Ldap error in ModifyPassword
> 50: Insufficient access
> 04/08/16 16:31:45: Modify password failed for remote entry:
> uid=me,cn=users,cn=accounts,dc=linux,dc=se
> 04/08/16 16:31:45: Deferring password change for me
> 04/08/16 16:31:45: Backing off for 2000ms
>
> Are there different permissions per user or does the passsync user on
> the IPA side need to update its permissions (the user me is an IPA
> administrator)?
>
> I'm currently running an older IPA version 3.0.0-37.el6 against the
> same DCs, same passsync user and password where this works. It also
> works fine in my test environment (4.2.0). Am I missing something
> obvious or am I doing something wrong?
>
> Best regards,
> Andreas

From boris at datarobot.com Tue Apr 12 12:02:40 2016
From: boris at datarobot.com (Boris Cheperis)
Date: Tue, 12 Apr 2016 15:02:40 +0300
Subject: [Freeipa-users] FreeIPA & FreeRadius LDAP auth issue
Message-ID:

Hi,

I've started using FreeIPA and got fascinated with its capabilities, but recently I tried to configure FreeRadius integration for WiFi authentication and ran into some issues.
I've configured LDAP integration and when I run a test everything seems fine:

----
radtest dmitry.fedorov fedor 127.0.0.1 100 testing123
Sending Access-Request Id 93 from 0.0.0.0:54153 to 127.0.0.1:1812
    User-Name = 'dmitry.fedorov'
    User-Password = 'fedor'
    NAS-IP-Address = 10.0.0.12
    NAS-Port = 100
    Message-Authenticator = 0x00
Received Access-Accept Id 93 from 127.0.0.1:1812 to 127.0.0.1:54153 length 20
-----

But when I try to do a real-world test and run authentication on a WiFi device I get this:

---
(10) ERROR: eap : Failed continuing EAP PEAP (25) session. EAP sub-module failed
(10) eap : Failed in EAP select
(10) [eap] = invalid
(10) } # authenticate = invalid
(10) Failed to authenticate the user
(10) Using Post-Auth-Type Reject
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10) Post-Auth-Type REJECT {
(10) attr_filter.access_reject : EXPAND %{User-Name}
(10) attr_filter.access_reject : --> dmitry.fedorov
(10) attr_filter.access_reject : Matched entry DEFAULT at line 11
(10) [attr_filter.access_reject] = updated
(10) eap : Reply already contained an EAP-Message, not inserting EAP-Failure
(10) [eap] = noop
(10) remove_reply_message_if_eap remove_reply_message_if_eap {
(10) if (&reply:EAP-Message && &reply:Reply-Message)
(10) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(10) else else {
(10) [noop] = noop
(10) } # else else = noop
(10) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(10) } # Post-Auth-Type REJECT = updated
(10) Delaying response for 1 seconds
Waking up in 0.1 seconds.
Waking up in 0.6 seconds.
(10) Sending delayed response
(10) Sending Access-Reject packet to host 10.0.0.139 port 62980, id=23, length=0
(10) EAP-Message = 0x040a0004
(10) Message-Authenticator = 0x00000000000000000000000000000000
Sending Access-Reject Id 23 from 10.0.0.12:1812 to 10.0.0.139:62980
EAP-Message = 0x040a0004
Message-Authenticator = 0x0000000000000000000000000000000
---

Before this I see a couple of other errors in the debug output:

---
WARNING: mschap : No Cleartext-Password configured. Cannot create LM-Password
(9) WARNING: mschap : No Cleartext-Password configured. Cannot create NT-Password
(9) mschap : Creating challenge hash with username: dmitry.fedorov
(9) mschap : Client is using MS-CHAPv2
(9) ERROR: mschap : FAILED: No NT/LM-Password. Cannot perform authentication
(9) ERROR: mschap : MS-CHAP2-Response is incorrect
(9) [mschap] = reject
(9) } # Auth-Type MS-CHAP = reject
---

and

---
ldap : Processing user attributes
(2) WARNING: ldap : No "known good" password added. Ensure the admin user has permission to read the password attribute
(2) WARNING: ldap : PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (4)
(2) [ldap] = ok
(2) if ((ok || updated) && User-Password)
(2) if ((ok || updated) && User-Password) -> FALSE
(2) [expiration] = noop
(2) [logintime] = noop
(2) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
(2) WARNING: pap : Authentication will fail unless a "known good" password is available
(2) [pap] = noop
---

At first I thought the problem was in the "known good" password, but if it was, most likely the 'radtest' string would not work. And if I change the base_dn to a wrong one, the test fails at once. From my point of view it proves that FreeRADIUS is able to get to LDAP, but there is some other error present. Maybe I'm wrong.

Please help to understand what is wrong with my setup.

Regards,
Boris

From mbasti at redhat.com Tue Apr 12 13:09:18 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 12 Apr 2016 15:09:18 +0200
Subject: [Freeipa-users] From where can i get repo details for FreeIPA 4.3.1 version
In-Reply-To:
References:
Message-ID: <570CF37E.7000700@redhat.com>

On 12.04.2016 14:59, Ben .T.George wrote:
> Hi List,
>
> From where can I get repo details for FreeIPA 4.3.1 version?
> The link provided in the website is broken.
> https://www.freeipa.org/page/Releases/4.3.1
>
> Please someone give me the right package details.
>
> Regards,
> Ben

Hello,

thank you for the report, I fixed the page.

CentOS repos: https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/

Martin

From bentech4you at gmail.com Tue Apr 12 13:19:56 2016
From: bentech4you at gmail.com (Ben .T.George)
Date: Tue, 12 Apr 2016 16:19:56 +0300
Subject: [Freeipa-users] From where can i get repo details for FreeIPA 4.3.1 version
In-Reply-To: <570CF37E.7000700@redhat.com>
References: <570CF37E.7000700@redhat.com>
Message-ID:

Hi

Wow. Thanks for your fast response.

Regards
Ben

On 12 Apr 2016 16:09, "Martin Basti" wrote:
> On 12.04.2016 14:59, Ben .T.George wrote:
> Hi List,
>
> From where can I get repo details for FreeIPA 4.3.1 version? The link
> provided in the website is broken.
> https://www.freeipa.org/page/Releases/4.3.1
>
> Please someone give me the right package details.
>
> Regards,
> Ben
>
> Hello,
>
> thank you for the report, I fixed the page.
>
> CentOS repos:
> https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/
>
> Martin

From rakesh.rajasekharan at gmail.com Tue Apr 12 14:57:57 2016
From: rakesh.rajasekharan at gmail.com (Rakesh Rajasekharan)
Date: Tue, 12 Apr 2016 20:27:57 +0530
Subject: [Freeipa-users] freeipa restore backup on a new server
In-Reply-To: <570CD8B6.7020504@redhat.com>
References: <570CD8B6.7020504@redhat.com>
Message-ID:

Hello David,

I figured that out. I am adding the IP address in the /etc/hosts file for reverse DNS, this is because I am not using FreeIPA as a DNS. So, while restoring it still had the earlier entry. I just corrected it and things worked fine...

Thanks...

On Tue, Apr 12, 2016 at 4:45 PM, David Kupka wrote:
> On 12/04/16 11:26, Rakesh Rajasekharan wrote:
>
>> Hi,
>>
>> I am running ipa-server version 4.2 on AWS, and testing the freeipa backup
>> and restore.
>>
>> The restoration works fine if it's on the same host, wherein I uninstall
>> freeipa and then install it back and then do a full restore.
>>
>> However, if it's a new machine with a different IP, the restoration fails.
>>
>> I am running the restoration from an ansible playbook.. here's the output
>> that I get
>>
>> Preparing restore from /tmp/ipa/ipa-full-2016-04-12 on
>> test-ipa-master-int.xyz.com
>> Performing FULL restore from FULL backup
>> Each master will individually need to be re-initialized or
>> re-created from this one. The replication agreements on
>> masters running IPA 3.1 or earlier will need to be manually
>> re-enabled. See the man page for details.
>> Disabling all replication.
>> Stopping IPA services
>> Systemwide CA database updated.
>> Restoring files
>> Systemwide CA database updated.
>> Restoring from userRoot in xyz-COM
>> Restoring from ipaca in xyz-COM
>> Starting IPA services
>> Command ''ipactl' 'start'' returned non-zero exit status 1
>> stdout: Configuring certmonger to stop tracking system certificates for CA
>>
>> Is there a limitation that the IP needs to be the same for a restore to
>> happen or am I missing something.
>>
>> Thanks,
>> Rakesh
>>
> Hello Rakesh,
> it's not possible to determine what happened from the information that you
> have sent. Could you please find the service that failed to start and send
> its logs?
>
> I believe that all services in FreeIPA depend on host names and resolve
> the IP address from DNS when needed.
> But if the DNS server is part of the FreeIPA server you're trying to restore, it is
> holding old records with old IP addresses. Maybe this is the cause but it's
> just a wild guess.
>
> --
> David Kupka
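As an added example for Boris's FreeRADIUS question above (not code from the thread, FreeRADIUS or FreeIPA), the Python below shows why the PAP radtest succeeds while the PEAP/MS-CHAPv2 attempt is rejected with "No NT/LM-Password": MS-CHAPv2 is verified against the NT hash (MD4 of the UTF-16LE password), so the RADIUS server must be able to read a stored hash, which FreeIPA keeps in the ipaNTHash attribute. The bundled MD4 is there because hashlib's md4 is absent on many modern OpenSSL builds; the LDAP entries are constructed, and the known-answer values in the comments come from RFC 1320 and RFC 2759.

```python
"""Why the PAP radtest succeeds while PEAP/MS-CHAPv2 is rejected with
'No NT/LM-Password'.

Added example; not code from the thread, FreeRADIUS or FreeIPA.  With PAP,
rlm_ldap can simply bind to the directory as the user with the cleartext
password, so no password attribute has to be readable.  MS-CHAPv2 never
transmits the password: the client answers a challenge with DES keyed from
its NT hash, so the RADIUS server must already hold that hash.  FreeIPA
stores it in the ipaNTHash attribute, which only appears after the NT hash
feature is enabled and the user changes their password, and the RADIUS bind
account needs an ACI granting read access to it.
"""
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is missing on many OpenSSL 3 builds."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    # (boolean function, message word order, per-step rotations, additive constant)
    rounds = (
        (f, tuple(range(16)), (3, 7, 11, 19), 0x00000000),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", bytes(msg[off:off + 64]))
        s = list(state)
        for func, order, shifts, const in rounds:
            for i, k in enumerate(order):
                s[0] = _rotl((s[0] + func(s[1], s[2], s[3]) + x[k] + const) & MASK32, shifts[i % 4])
                s = [s[3], s[0], s[1], s[2]]  # rotate registers: the next step updates what was d
        state = [(v + w) & MASK32 for v, w in zip(state, s)]
    return struct.pack("<4I", *state)  # md4(b"abc") -> a448017aaf21d8525fc10ae87aa6729d


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 over the UTF-16LE password; this is what ipaNTHash holds.
    nt_hash("password") -> 8846f7eaee8fb117ad06bdd830b7586c"""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash, the value behind the debug line
    'mschap : Creating challenge hash with username: ...'.  The NT-Response is
    then three DES encryptions of this 8-byte value under keys cut from the
    NT hash, which is why rlm_mschap gives up when no NT hash is readable.
    RFC 2759 9.2 vectors (PeerChallenge 2140..7c7e, AuthenticatorChallenge
    5b5d..2628, user "User") give d02e4386bce91226."""
    sha = hashlib.sha1()
    sha.update(peer_challenge)
    sha.update(authenticator_challenge)
    sha.update(username.encode("ascii"))  # user part only, no realm or domain
    return sha.digest()[:8]


def auth_methods_available(ldap_entry: dict) -> dict:
    """Which FreeRADIUS paths work for an entry as the RADIUS bind account sees it.
    PAP: bind as the user, always possible.  MS-CHAPv2: needs a readable NT hash,
    otherwise expect 'No NT/LM-Password. Cannot perform authentication'."""
    return {"pap_via_bind": True, "mschapv2": bool(ldap_entry.get("ipaNTHash"))}


if __name__ == "__main__":
    # Constructed LDAP entries, not real directory data.
    before = {"uid": "dmitry.fedorov"}                         # no NT hash stored or readable
    after = dict(before, ipaNTHash=nt_hash("correct horse"))   # hashes enabled + password changed
    print("radtest (PAP) / PEAP-MSCHAPv2 before:", auth_methods_available(before))
    print("radtest (PAP) / PEAP-MSCHAPv2 after: ", auth_methods_available(after))
```

Because the NT hash is password-equivalent for MS-CHAPv2, the ACI that lets the RADIUS bind account read ipaNTHash should be scoped to that one account rather than to a general read-all permission.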
From zwolfinger at myemma.com Tue Apr 12 15:00:49 2016
From: zwolfinger at myemma.com (Zak Wolfinger)
Date: Tue, 12 Apr 2016 10:00:49 -0500
Subject: [Freeipa-users] Change replica hostname and IP address?
Message-ID: <3C236636-6125-4509-8BBA-0DF5AE175EA6@myemma.com>

We need to do some juggling of servers while we migrate to the latest version. Is it possible to change the hostname and IP addresses of the replicas? Or would I be better off just spinning up new ones?

Cheers,

Zak Wolfinger
Infrastructure Engineer | Emma
zak.wolfinger at myemma.com
800.595.4401 or 615.292.5888 x197
615.292.0777 (fax)

Emma helps organizations everywhere communicate & market in style.
Visit us online at www.myemma.com

From david at kreitschmann.de Tue Apr 12 16:33:01 2016
From: david at kreitschmann.de (David Kreitschmann)
Date: Tue, 12 Apr 2016 18:33:01 +0200
Subject: [Freeipa-users] FreeIPA & FreeRadius LDAP auth issue
In-Reply-To:
References:
Message-ID:

Hi,

you are trying to do different things in both cases. radtest does plain text authentication to LDAP while your real world example connects as another user and tries to compare the MSCHAPv2 hash.

For MSCHAPv2 to work you need:
- mschapv2 hashes in LDAP (samba schema or activate AD trust feature)
- your users will probably need to change their password to create the hash
- read access to those fields for freeradius (create ACI)

You can use eapol_test from wpa_supplicant to check if it works, use this config:

    network={
        ssid="example"
        key_mgmt=WPA-EAP
        eap=PEAP
        identity="user@freeipa.local"
        anonymous_identity="anonymous"
        password="asdfasdf"
        phase2="autheap=MSCHAPV2"
    }

Regards,
David

> On 12.04.2016 at 14:02, Boris Cheperis wrote:
>
> Hi,
>
> I've started using FreeIPA and got fascinated with its capabilities, but recently I tried to configure FreeRadius integration
> for WiFi authentication and ran into some issues.
>
> I've configured LDAP integration and when I run a test everything seems fine:
>
> ----
> radtest dmitry.fedorov fedor 127.0.0.1 100 testing123
> Sending Access-Request Id 93 from 0.0.0.0:54153 to 127.0.0.1:1812
>     User-Name = 'dmitry.fedorov'
>     User-Password = 'fedor'
>     NAS-IP-Address = 10.0.0.12
>     NAS-Port = 100
>     Message-Authenticator = 0x00
> Received Access-Accept Id 93 from 127.0.0.1:1812 to 127.0.0.1:54153 length 20
> -----
>
> But when I try to do a real-world test and run authentication on a WiFi device I get this:
>
> ---
> (10) ERROR: eap : Failed continuing EAP PEAP (25) session. EAP sub-module failed
> (10) eap : Failed in EAP select
> (10) [eap] = invalid
> (10) } # authenticate = invalid
> (10) Failed to authenticate the user
> (10) Using Post-Auth-Type Reject
> (10) # Executing group from file /etc/raddb/sites-enabled/default
> (10) Post-Auth-Type REJECT {
> (10) attr_filter.access_reject : EXPAND %{User-Name}
> (10) attr_filter.access_reject : --> dmitry.fedorov
> (10) attr_filter.access_reject : Matched entry DEFAULT at line 11
> (10) [attr_filter.access_reject] = updated
> (10) eap : Reply already contained an EAP-Message, not inserting EAP-Failure
> (10) [eap] = noop
> (10) remove_reply_message_if_eap remove_reply_message_if_eap {
> (10) if (&reply:EAP-Message && &reply:Reply-Message)
> (10) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (10) else else {
> (10) [noop] = noop
> (10) } # else else = noop
> (10) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
> (10) } # Post-Auth-Type REJECT = updated
> (10) Delaying response for 1 seconds
> Waking up in 0.1 seconds.
> Waking up in 0.6 seconds.
> (10) Sending delayed response
> (10) Sending Access-Reject packet to host 10.0.0.139 port 62980, id=23, length=0
> (10) EAP-Message = 0x040a0004
> (10) Message-Authenticator = 0x00000000000000000000000000000000
> Sending Access-Reject Id 23 from 10.0.0.12:1812 to 10.0.0.139:62980
> EAP-Message = 0x040a0004
> Message-Authenticator = 0x0000000000000000000000000000000
> ---
>
> Before this I see a couple of other errors in the debug output:
> ---
> WARNING: mschap : No Cleartext-Password configured. Cannot create LM-Password
> (9) WARNING: mschap : No Cleartext-Password configured. Cannot create NT-Password
> (9) mschap : Creating challenge hash with username: dmitry.fedorov
> (9) mschap : Client is using MS-CHAPv2
> (9) ERROR: mschap : FAILED: No NT/LM-Password. Cannot perform authentication
> (9) ERROR: mschap : MS-CHAP2-Response is incorrect
> (9) [mschap] = reject
> (9) } # Auth-Type MS-CHAP = reject
> ---
>
> and
>
> ---
> ldap : Processing user attributes
> (2) WARNING: ldap : No "known good" password added. Ensure the admin user has permission to read the password attribute
> (2) WARNING: ldap : PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
> rlm_ldap (ldap): Released connection (4)
> (2) [ldap] = ok
> (2) if ((ok || updated) && User-Password)
> (2) if ((ok || updated) && User-Password) -> FALSE
> (2) [expiration] = noop
> (2) [logintime] = noop
> (2) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
> (2) WARNING: pap : Authentication will fail unless a "known good" password is available
> (2) [pap] = noop
> ---
>
> At first I thought the problem was in the "known good" password, but if it was, most likely the 'radtest' string would not work.
> And if I change the base_dn to a wrong one, the test fails at once. From my point of view it proves that FreeRADIUS is able to get to LDAP, but there is some other error present.
> Maybe I'm wrong.
>
> Please help to understand what is wrong with my setup.
>
> Regards,
> Boris
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From nagemnna at gmail.com Tue Apr 12 16:47:05 2016
From: nagemnna at gmail.com (Megan .)
Date: Tue, 12 Apr 2016 12:47:05 -0400
Subject: [Freeipa-users] local system user with ldap group
Message-ID:

Good Afternoon,

Quick question I hope. I have a group on my IPA server and I would like to add a local system user to the LDAP group. I added the group into /etc/group on the system and it still doesn't show the user as a member of the group. Is this even possible?
sssd-1.12.4-47.el6_7.7.x86_64
ipa-client-3.0.0-47.el6.centos.1.x86_64
ipa-server-3.0.0-47.el6.centos.1.x86_64
CentOS 6.7

Thanks!

From bentech4you at gmail.com Tue Apr 12 18:18:21 2016
From: bentech4you at gmail.com (Ben .T.George)
Date: Tue, 12 Apr 2016 21:18:21 +0300
Subject: [Freeipa-users] Good IPA implementation guide
Message-ID:

Hi List,

anyone please send me some reference to an IPA server installation with active directory integration guide.

I would like to install the latest IPA version in RHEL 7.

Thanks & Regards,
Ben

From jbaird at follett.com Tue Apr 12 18:30:09 2016
From: jbaird at follett.com (Baird, Josh)
Date: Tue, 12 Apr 2016 18:30:09 +0000
Subject: [Freeipa-users] Good IPA implementation guide
In-Reply-To:
References:
Message-ID:

You can refer to the "Identity Management" section in the RHEL documentation:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/

Josh

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ben .T.George
Sent: Tuesday, April 12, 2016 2:18 PM
To: freeipa-users
Subject: [Freeipa-users] Good IPA implementation guide

Hi List,

anyone please send me some reference to an IPA server installation with active directory integration guide.

I would like to install the latest IPA version in RHEL 7.

Thanks & Regards,
Ben

From bentech4you at gmail.com Tue Apr 12 18:50:06 2016
From: bentech4you at gmail.com (Ben .T.George)
Date: Tue, 12 Apr 2016 21:50:06 +0300
Subject: [Freeipa-users] Good IPA implementation guide
In-Reply-To:
References:
Message-ID:

Hi

Thanks. I have installed IPA server with "ipa-server-install". kinit admin is working for me.

Now I need to start integrating with active directory.

Thanks & Regards,
Ben

On Tue, Apr 12, 2016 at 9:30 PM, Baird, Josh wrote:
> You can refer to the "Identity Management" section in the RHEL
> documentation:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/
>
> Josh
>
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ben .T.George
> Sent: Tuesday, April 12, 2016 2:18 PM
> To: freeipa-users
> Subject: [Freeipa-users] Good IPA implementation guide
>
> Hi List,
>
> anyone please send me some reference to an IPA server installation with
> active directory integration guide.
>
> I would like to install the latest IPA version in RHEL 7.
>
> Thanks & Regards,
>
> Ben

From prasun.gera at gmail.com Wed Apr 13 04:30:56 2016
From: prasun.gera at gmail.com (Prasun Gera)
Date: Wed, 13 Apr 2016 00:30:56 -0400
Subject: [Freeipa-users] deleting duplicate groups with groupdel
Message-ID:

My main ipa server used to be an NIS server. After migrating everything into ipa, there is no need for the users and groups to exist in /etc/passwd and /etc/group. Leaving them around would cause duplicate entries, passwords falling out of sync and other issues on the server. So the right approach is to delete all the local users and groups, and let ipa handle everything. I was able to delete all the local users from /etc/passwd. However, groupdel won't let me delete the local groups. It complains that xyz user's primary group is abc and hence you can't delete it. The user itself is not a part of /etc/passwd anymore. This is a bug as far as I can tell. groupdel should check these constraints only for local users and local groups. It shouldn't mix ipa users and ipa groups with them.

Environment: RHEL 7.2, idm 4.x
From jhrozek at redhat.com Wed Apr 13 07:24:36 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 13 Apr 2016 09:24:36 +0200
Subject: [Freeipa-users] local system user with ldap group
In-Reply-To:
References:
Message-ID: <20160413072436.GR15447@hendrix.redhat.com>

On Tue, Apr 12, 2016 at 12:47:05PM -0400, Megan . wrote:
> Good Afternoon,
>
> Quick question I hope. I have a group on my IPA server and I would
> like to add a local system user to the LDAP group. I added the group
> into /etc/group on the system and it still doesn't show the user as a
> member of the group. Is this even possible?
>
> sssd-1.12.4-47.el6_7.7.x86_64
> ipa-client-3.0.0-47.el6.centos.1.x86_64
> ipa-server-3.0.0-47.el6.centos.1.x86_64

Only with a recent enough libc:
https://sourceware.org/glibc/wiki/Proposals/GroupMerging

From jhrozek at redhat.com Wed Apr 13 07:28:25 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 13 Apr 2016 09:28:25 +0200
Subject: [Freeipa-users] deleting duplicate groups with groupdel
In-Reply-To:
References:
Message-ID: <20160413072825.GS15447@hendrix.redhat.com>

On Wed, Apr 13, 2016 at 12:30:56AM -0400, Prasun Gera wrote:
> My main ipa server used to be an NIS server. After migrating everything
> into ipa, there is no need for the users and groups to exist in /etc/passwd
> and /etc/group. Leaving them around would cause duplicate entries,
> passwords falling out of sync and other issues on the server. So the right
> approach is to delete all the local users and groups, and let ipa handle
> everything. I was able to delete all the local users from /etc/passwd.
> However, groupdel won't let me delete the local groups. It complains that
> xyz user's primary group is abc and hence you can't delete it. The user
> itself is not a part of /etc/passwd anymore. This is a bug as far as I can
> tell. groupdel should check these constraints only for local users and
> local groups. It shouldn't mix ipa users and ipa groups with them.
>
> Environment: RHEL 7.2, idm 4.x

Looking at the groupdel code, they just loop through all users with getpwent and report a primary group if any of the enumerated users matched the gid trying to be removed.

So I would only expect this to happen if enumerate=true is set in sssd.conf, otherwise it should not be possible to reach those users with getpwent (if you removed them from passwd already). As a quick check, you can see if "getent passwd" without a user argument shows those users.

From marat.vyshegorodtsev at gmail.com Wed Apr 13 07:47:24 2016
From: marat.vyshegorodtsev at gmail.com (Marat Vyshegorodtsev)
Date: Wed, 13 Apr 2016 16:47:24 +0900
Subject: [Freeipa-users] Recovering from data-only backup doesn't recover Kerberos keys properly
In-Reply-To: <20160227093206.GA21983@mail.corp.redhat.com>
References: <56CDA23D.7050801@redhat.com> <56CDB907.20707@redhat.com> <20160227093206.GA21983@mail.corp.redhat.com>
Message-ID:

I don't know why, but half of my hosts refused to talk to IPA over kerberos, even after I have re-enrolled them and put new keytabs. I ended up dropping sssd-ipa for sssd-ldap and it is working like a charm (over LDAPS though).

Frankly, debugging and working with Kerberos has been a nightmare... Now I have only ports 22, 443, and 636 open, it gives a bit more confidence in the stability of the whole set up.

Marat

On Sat, Feb 27, 2016 at 6:32 PM, Lukas Slebodnik wrote:
> On (24/02/16 14:28), Marat Vyshegorodtsev wrote:
>>> Are you just toying with this or did something go horribly wrong and
>>> you're trying to restore a production environment?
>>
>> This. :-(
>>
>> I have actually rebuilt the environment from scratch, then wrote a
>> perl script that just recreated all users from the ldif using ipa
>> user-add and reset password for everyone.
>>
>> After the fresh install the following command was used for each user:
>> ipa user-add --first='John' --last='Doe' --uid=1603600001
>> --gid=1603600001 --email='john.doe@contoso.com' --sshpubkey='ssh-rsa ' --random john.doe
>>
>> I had to force uids/gids, so that users don't lose access to their home folders.
>>
>> I have regenerated keytabs on all client hosts, but now there is some
>> weird behavior demonstrated by sssd: users intermittently fail to
>> login. This is a log from a client machine (Amazon Linux 2015.09):
>>
>> (Wed Feb 24 22:08:49 2016) [sssd[ssh]] [accept_fd_handler] (0x0400): Client connected!
>> (Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0].
>> (Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0].
>> (Wed Feb 24 22:08:49 2016) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Requested domain []
>> (Wed Feb 24 22:08:49 2016) [sssd[ssh]] [ssh_cmd_parse_request] (0x0400): Parsing name [marat.vyshegorodtsev][]
>> (Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): name 'marat.vyshegorodtsev' matched without domain, user is marat.vyshegorodtsev
>> (Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_ssh_cmd_get_user_pubkeys] (0x0400): Requesting SSH user public keys for [marat.vyshegorodtsev] from []
>> (Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_dp_issue_request] (0x0400): Issuing request for [0x40b2d0:1:marat.vyshegorodtsev@contoso.com]
>> (Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_dp_get_account_msg] (0x0400): Creating request for [contoso.com][1][1][name=marat.vyshegorodtsev]
>> (Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sbus_add_timeout] (0x2000): 0xb99c10
>> (Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_dp_internal_get_send] (0x0400): Entering request [0x40b2d0:1:marat.vyshegorodtsev@contoso.com]
>> (Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sbus_remove_timeout] (0x2000): 0xb99c10
>> (Wed Feb 24 22:08:49 2016) [sssd[ssh]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 1 errno: 11 error message: Offline
> sssd works in offline mode.
> You can find the reason/more details in different log files
> (sssd_$domain.log).
>
> You installed the server from scratch so it might be a certificate issue
> (just a wild guess).
>
> LS

From vivshrivastava at gmail.com Wed Apr 13 01:56:51 2016
From: vivshrivastava at gmail.com (Vivek Shrivastava)
Date: Tue, 12 Apr 2016 18:56:51 -0700
Subject: [Freeipa-users] Unable to setup FreeIPA and MIT kerberos cross domain trust
Message-ID:

Hi,

I am trying to set up cross domain trust between FreeIPA and MIT Kerberos. I have already created krbtgt in both FreeIPA and MIT Kerberos. I can successfully get Kerberos tickets from both domains. However when I try to access Hadoop using the FreeIPA domain then I get this error in the trace log. Wondering what is missing?

Service ticket not found in the subject
>>> Realm doInitialParse: cRealm=[TEST.COM], sRealm=[TEST2.COM]
>>> Realm parseCapaths: no cfg entry
>>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/TEST2.COM@TEST.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23 1 3.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=test2company.com. UDP:88, timeout=30000, number of retries =3, #bytes=701
>>> KDCCommunication: kdc=test2company.com. UDP:88, timeout=30000,Attempt =1, #bytes=701
>>> KrbKdcReq send: #bytes read=637
>>> KdcAccessibility: remove test2company.com.:88
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> Credentials acquireServiceCreds: global OK-AS-DELEGATE turned off at krbtgt/TEST2.COM@TEST.COM
>>> Credentials acquireServiceCreds: got tgt
>>> Credentials acquireServiceCreds: got right tgt
>>> Credentials acquireServiceCreds: obtaining service creds for nn/testcompany.com@TEST2.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23 1 3.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbKdcReq send: kdc=testcompany.com UDP:88, timeout=30000, number of retries =3, #bytes=662
>>> KDCCommunication: kdc=testcompany.com UDP:88, timeout=30000,Attempt =1, #bytes=662
>>> KrbKdcReq send: #bytes read=150
>>> KdcAccessibility: remove testcompany.com
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
cTime is Sun Jun 01 13:55:49 EDT 1975 170877349000
sTime is Sat Apr 09 15:01:16 EDT 2016 1460228476000
suSec is 693381
error code is 31
error Message is Integrity check on decrypted field failed
realm is TEST2.COM
sname is nn/testcompany.com
msgType is 30

From prasun.gera at gmail.com Wed Apr 13 08:32:08 2016
From: prasun.gera at gmail.com (Prasun Gera)
Date: Wed, 13 Apr 2016 04:32:08 -0400
Subject: [Freeipa-users] deleting duplicate groups with groupdel
In-Reply-To: <20160413072825.GS15447@hendrix.redhat.com>
References: <20160413072825.GS15447@hendrix.redhat.com>
Message-ID:

Yes, getent passwd shows the users, and sssd.conf didn't have enumerate=true. As it turns out, this happens because ypbind was running on the server, which binds to ipa's fake nis server on the same machine. Once I stopped ypbind, I was able to delete those groups. This was an interesting case.

On Wed, Apr 13, 2016 at 3:28 AM, Jakub Hrozek wrote:
> On Wed, Apr 13, 2016 at 12:30:56AM -0400, Prasun Gera wrote:
> > My main ipa server used to be an NIS server. After migrating everything
> > into ipa, there is no need for the users and groups to exist in /etc/passwd
> > and /etc/group. Leaving them around would cause duplicate entries,
> > passwords falling out of sync and other issues on the server. So the right
> > approach is to delete all the local users and groups, and let ipa handle
> > everything. I was able to delete all the local users from /etc/passwd.
> > However, groupdel won't let me delete the local groups. It complains that
> > xyz user's primary group is abc and hence you can't delete it. The user
> > itself is not a part of /etc/passwd anymore. This is a bug as far as I can
> > tell. groupdel should check these constraints only for local users and
> > local groups. It shouldn't mix ipa users and ipa groups with them.
> >
> > Environment: RHEL 7.2, idm 4.x
>
> Looking at the groupdel code, they just loop through all users with
> getpwent and report a primary group if any of the enumerated users
> matched the gid trying to be removed.
>
> So I would only expect this to happen if enumerate=true is set in
> sssd.conf, otherwise it should not be possible to reach those users with
> getpwent (if you removed them from passwd already). As a quick check,
> you can see if "getent passwd" without a user argument shows those
> users.
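As an added example for the groupdel thread (not code from the thread, shadow-utils, sssd or FreeIPA), the Python below reproduces the check Jakub describes and separates users that exist in /etc/passwd from users that are only reachable through other NSS sources, which is what made groupdel refuse here. The sample passwd contents and the IPA users in the merged view are constructed; pwd.getpwall() is the same getpwent() enumeration that "getent passwd" prints, so the same functions can be run against a live host.

```python
"""Reproduce the groupdel primary-group check and tell local from NSS-only users.

Added example; not code from shadow-utils, sssd or FreeIPA.  groupdel refuses
to delete a group when any user returned by getpwent() has that gid as primary
group.  getpwent() walks every source in nsswitch.conf, so when sssd enumerates
or when ypbind is bound to IPA's compat NIS server, IPA users appear in the
enumeration and block deletion of a local group that nothing in /etc/passwd
references any more.
"""
import pwd
from typing import Dict, List, Tuple

PasswdView = Dict[str, Tuple[int, int]]  # user name -> (uid, primary gid)


def parse_passwd(text: str) -> PasswdView:
    """Parse passwd(5) lines into a name -> (uid, gid) map, skipping blanks and comments."""
    users: PasswdView = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"malformed passwd line: {line!r}")
        users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users


def nss_view() -> PasswdView:
    """Every user reachable through getpwent(): files plus sssd/NIS/LDAP, as nsswitch.conf lists them."""
    return {p.pw_name: (p.pw_uid, p.pw_gid) for p in pwd.getpwall()}


def primary_members(gid: int, view: PasswdView) -> List[str]:
    """The check groupdel performs: users whose primary group is gid."""
    return sorted(name for name, (_uid, g) in view.items() if g == gid)


def explain_groupdel(gid: int, local: PasswdView, merged: PasswdView) -> dict:
    """Classify who would make groupdel refuse: users still present in /etc/passwd
    (a real reason to refuse) versus users visible only through other NSS sources."""
    all_members = primary_members(gid, merged)
    return {
        "blocked": bool(all_members),
        "local_members": primary_members(gid, local),
        "remote_members": [name for name in all_members if name not in local],
    }


def remote_only_users(local: PasswdView, merged: PasswdView) -> List[str]:
    """Users 'getent passwd' shows that /etc/passwd does not: the symptom from the thread."""
    return sorted(set(merged) - set(local))


# Constructed sample data (not from the thread): /etc/passwd after the migrated NIS
# users were deleted, and the merged NSS view while ypbind still enumerates their
# IPA copies, which keep the old primary gid 1000.
SAMPLE_LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
"""
SAMPLE_MERGED_VIEW: PasswdView = {
    **parse_passwd(SAMPLE_LOCAL_PASSWD),
    "alice": (1001, 1000),
    "bob": (1002, 1000),
    "carol": (1003, 1001),
}

if __name__ == "__main__":
    local = parse_passwd(SAMPLE_LOCAL_PASSWD)
    print("groupdel 1000 on constructed data:", explain_groupdel(1000, local, SAMPLE_MERGED_VIEW))
    # On a real host, compare /etc/passwd against the live enumeration instead:
    with open("/etc/passwd") as fh:
        live_local = parse_passwd(fh.read())
    print("users visible only via NSS:", remote_only_users(live_local, nss_view())[:10])
```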
From sbose at redhat.com Wed Apr 13 08:42:42 2016
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 13 Apr 2016 10:42:42 +0200
Subject: [Freeipa-users] Unable to setup FreeIPA and MIT kerberos cross domain trust
Message-ID: <20160413084241.GB21707@p.redhat.com>

On Tue, Apr 12, 2016 at 06:56:51PM -0700, Vivek Shrivastava wrote:
> Hi,
>
> I am trying to setup cross domain trust between FreeIPA and MIT Kerberos. I
> have already created krbtgt in the both FreeIPA and MIT Kerberos. I can
> successfully get Kerberos ticket from the both domains. However when I try

Which kind of tickets did you try, only TGTs or service tickets as well? Have you tried

kinit user at TEST.COM
kvno server/host.test2.com at TEST.COM

i.e. to get a service ticket from TEST2.COM for a user from TEST.COM?

I'm asking because the error below "error Message is Integrity check on decrypted field failed" looks a bit like the shared key in the cross-realm TGTs (krbtgt/TEST2.COM at TEST.COM and krbtgt/TEST.COM at TEST2.COM) are not the same.

HTH

bye,
Sumit

> to access Hadoop using the FreeIPA domain then I get this error in trace
> log. Wondering what is missing?
>
> Service ticket not found in the subject
> >>> Realm doInitialParse: cRealm=[TEST.COM], sRealm=[TEST2.COM]
> >>> Realm parseCapaths: no cfg entry
> >>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/TEST2.COM at TEST.COM
> Using builtin default etypes for default_tgs_enctypes
> default etypes for default_tgs_enctypes: 18 17 16 23 1 3.
> >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
> >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
> getKDCFromDNS using UDP
> >>> KrbKdcReq send: kdc=test2company.com. UDP:88, timeout=30000, number of retries =3, #bytes=701
> >>> KDCCommunication: kdc=test2company.com. UDP:88, timeout=30000,Attempt =1, #bytes=701
> >>> KrbKdcReq send: #bytes read=637
> >>> KdcAccessibility: remove test2company.com.:88
> >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
> >>> Credentials acquireServiceCreds: global OK-AS-DELEGATE turned off at krbtgt/TEST2.COM at TEST.COM
> >>> Credentials acquireServiceCreds: got tgt
> >>> Credentials acquireServiceCreds: got right tgt
> >>> Credentials acquireServiceCreds: obtaining service creds for nn/testcompany.com at TEST2.COM
> Using builtin default etypes for default_tgs_enctypes
> default etypes for default_tgs_enctypes: 18 17 16 23 1 3.
> >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
> >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
> >>> KrbKdcReq send: kdc=testcompany.com UDP:88, timeout=30000, number of retries =3, #bytes=662
> >>> KDCCommunication: kdc=testcompany.com UDP:88, timeout=30000,Attempt =1, #bytes=662
> >>> KrbKdcReq send: #bytes read=150
> >>> KdcAccessibility: remove testcompany.com
> >>> KDCRep: init() encoding tag is 126 req type is 13
> >>>KRBError:
> cTime is Sun Jun 01 13:55:49 EDT 1975 170877349000
> sTime is Sat Apr 09 15:01:16 EDT 2016 1460228476000
> suSec is 693381
> error code is 31
> error Message is Integrity check on decrypted field failed
> realm is TEST2.COM
> sname is nn/testcompany.com
> msgType is 30

From bentech4you at gmail.com Wed Apr 13 08:59:11 2016
From: bentech4you at gmail.com (Ben .T.George)
Date: Wed, 13 Apr 2016 11:59:11 +0300
Subject: [Freeipa-users] error while adding conditional forwarder for AD domain

Hi List,

getting below error while adding conditional forwarder for AD domain on IPA

[root at ipa ~]# ipa dnsforwardzone-add ad.example.com
--forwarder=192.168.37.131 --forward-policy=only
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: ERROR: DNS check for domain ad.example.com. failed: All nameservers failed to answer the query ad.example.com. IN SOA: Server 127.0.0.1 UDP port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered SERVFAIL.

how to fix this issue.

Operating system : CentOs 7.2
IPA VERSION: 4.3.1, API_VERSION: 2.164

Thanks & Regards
Ben

From mail at kilian-ries.de Wed Apr 13 09:25:49 2016
From: mail at kilian-ries.de (Kilian Ries)
Date: Wed, 13 Apr 2016 09:25:49 +0000
Subject: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted

Does nobody have an idea what's the problem here?

Thanks
Kilian

________________________________
From: freeipa-users-bounces at redhat.com on behalf of Kilian Ries
Sent: Wednesday, 6 April 2016 10:41
To: freeipa-users at redhat.com
Subject: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted

Hello,

I have an existing FreeIPA installation (4.2.0) on CentOS 7.2 and I'm trying to add a replication partner.

During the installation I got the following error:

###
Restarting the directory and certificate servers
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/8]: adding sasl mappings to the directory
  [2/8]: configuring KDC
  [3/8]: creating a keytab for the directory
  [4/8]: creating a keytab for the machine
  [5/8]: adding the password extension to the directory
  [6/8]: enable GSSAPI for replication
  [error] RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(Replica): ERROR One of the ldap service principals is missing. Replication agreement cannot be converted.
###

The installation log shows the following:

###
2016-04-06T08:22:34Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/auth02.intern.eu at INTERN.EU) and (krbprincipalname=ldap/auth01.intern.eu at INTERN.EU)
2016-04-06T08:22:34Z DEBUG Unable to find entry for (krbprincipalname=ldap/auth02.intern.eu at INTERN.EU) on auth01.intern.eu:636
2016-04-06T08:22:34Z INFO Setting agreement cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
2016-04-06T08:22:35Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping tree,cn=config
2016-04-06T08:22:36Z INFO Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 0: end: 0
2016-04-06T08:22:36Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 438, in __convert_to_gssapi_replication
    r_bindpw=self.dm_password)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1104, in convert_to_gssapi_replication
    self.gssapi_update_agreements(self.conn, r_conn)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 797, in gssapi_update_agreements
    self.setup_krb_princs_as_replica_binddns(a, b)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 767, in setup_krb_princs_as_replica_binddns
    (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 751, in get_replica_principal_dns
    raise RuntimeError(error)
RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted.

2016-04-06T08:22:36Z DEBUG [error] RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted.
2016-04-06T08:22:36Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 281, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 303, in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 524, in _configure
    executor.next()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 879, in main
    install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 295, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 586, in install
    krb = install_krb(config, setup_pkinit=not options.no_pkinit)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 93, in install_krb
    setup_pkinit, pkcs12_info)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 214, in create_replica
    self.start_creation(runtime=30)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 438, in __convert_to_gssapi_replication
    r_bindpw=self.dm_password)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1104, in convert_to_gssapi_replication
    self.gssapi_update_agreements(self.conn, r_conn)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 797, in gssapi_update_agreements
    self.setup_krb_princs_as_replica_binddns(a, b)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 767, in setup_krb_princs_as_replica_binddns
    (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 751, in get_replica_principal_dns
    raise RuntimeError(error)

2016-04-06T08:22:36Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted.
2016-04-06T08:22:36Z ERROR One of the ldap service principals is missing. Replication agreement cannot be converted.
###

Can anybody help me?

Thanks
Greets
Kilian

From pvoborni at redhat.com Wed Apr 13 09:27:02 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 13 Apr 2016 11:27:02 +0200
Subject: [Freeipa-users] Change replica hostname and IP address?
In-Reply-To: <3C236636-6125-4509-8BBA-0DF5AE175EA6@myemma.com>
References: <3C236636-6125-4509-8BBA-0DF5AE175EA6@myemma.com>
Message-ID: <570E10E6.9080206@redhat.com>

On 04/12/2016 05:00 PM, Zak Wolfinger wrote:
> We need to do some juggling of servers while we migrate to the latest version.
>
> Is it possible to change the hostname and IP addresses of the replicas? Or
> would I be better off just spinning up new ones?

Usually it is easier to spin up a new one assuming that clients are configured to use DNS discovery (i.e. are not configured just against the to-be-removed replica).

Changing IP is possible - one has to make sure that all DNS records are changed. But changing hostname is not supported - it would require many manual interventions in IPA internals.

>
> Cheers,
> Zak Wolfinger
>
> Infrastructure Engineer | Emma
> zak.wolfinger at myemma.com
> 800.595.4401 or 615.292.5888 x197
> 615.292.0777 (fax)
>
> Emma helps organizations everywhere communicate & market in style.
> Visit us online at www.myemma.com

--
Petr Vobornik

From dev at mdfive.dz Wed Apr 13 09:30:39 2016
From: dev at mdfive.dz (dev at mdfive.dz)
Date: Wed, 13 Apr 2016 11:30:39 +0200
Subject: [Freeipa-users] Restrict WebUI access
Message-ID: <4fad83b5d36a1008a335d24013d7e796@mdfive.dz>

Hi,

I want to restrict FreeIPA WebUI access to limited users only. How can I proceed?

Thanks in advance,
Regards
--
Omar AKHAM

From mbasti at redhat.com Wed Apr 13 10:56:54 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 13 Apr 2016 12:56:54 +0200
Subject: [Freeipa-users] error while adding conditional forwarder for AD domain
Message-ID: <570E25F6.3060407@redhat.com>

On 13.04.2016 10:59, Ben .T.George wrote:
> Hi List,
>
> getting below error while adding conditional forwarder for AD domain
> on IPA
>
> [root at ipa ~]# ipa dnsforwardzone-add ad.example.com
> --forwarder=192.168.37.131 --forward-policy=only
> Server will check DNS forwarder(s).
> This may take some time, please wait ...
> ipa: ERROR: DNS check for domain ad.example.com. failed: All nameservers failed to answer the
> query ad.example.com. IN SOA: Server 127.0.0.1
> UDP port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP
> port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP
> port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP
> port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP
> port 53 anwered SERVFAIL.
>
> how to fix this issue.
>
> Operating system : CentOs 7.2
> IPA VERSION: 4.3.1, API_VERSION: 2.164
>
> Thanks & Regards
> Ben

Hello,

that timeout error is suspicious, are all IPA DNS working?

can you try

dig @youripaserveraddress ad.example.com SOA

and post the result?

Martin

From pvoborni at redhat.com Wed Apr 13 11:04:01 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 13 Apr 2016 13:04:01 +0200
Subject: [Freeipa-users] Restrict WebUI access
In-Reply-To: <4fad83b5d36a1008a335d24013d7e796@mdfive.dz>
References: <4fad83b5d36a1008a335d24013d7e796@mdfive.dz>
Message-ID: <570E27A1.7050700@redhat.com>

On 04/13/2016 11:30 AM, dev at mdfive.dz wrote:
> Hi,
>
> I want to restrict FreeIPA WebUI access to limited users only. How can
> I proceed?
>
> Thanks in advance,
> Regards
> --
> Omar AKHAM

What do you mean by restrict access to Web UI?

Prevent certain group of users to log in? This is not possible to configure atm. It is possible to develop a Web UI plugin that does it but it is not straightforward. Either way it won't prevent users from using FreeIPA API or CLI to get the information if it is not restricted via RBAC.

Limit what user can see/search for? This is possible to configure via Role-based access control (RBAC)[1].

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-roles.html

--
Petr Vobornik

From pspacek at redhat.com Wed Apr 13 11:20:59 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 13 Apr 2016 13:20:59 +0200
Subject: [Freeipa-users] Good IPA implementation guide
Message-ID: <570E2B9B.6010102@redhat.com>

On 12.4.2016 20:50, Ben .T.George wrote:
> Hi
>
> Thanks.
>
> I have installed IPA server with "ipa-server-install". kinit admin is
> working for me.
>
> now i need to start integrating with active directory.

This is covered in
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pt02.html

Petr^2 Spacek

>
> Thanks & Regards,
> Ben
>
> On Tue, Apr 12, 2016 at 9:30 PM, Baird, Josh wrote:
>
>> You can refer to the "Identity Management" section in the RHEL
>> documentation:
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/
>>
>> Josh
>>
>> From: freeipa-users-bounces at redhat.com [mailto:
>> freeipa-users-bounces at redhat.com] On Behalf Of Ben .T.George
>> Sent: Tuesday, April 12, 2016 2:18 PM
>> To: freeipa-users
>> Subject: [Freeipa-users] Good IPA implementation guide
>>
>> Hi List,
>>
>> anyone please send me some reference to IPA server installation with
>> active directory integration guide.
>>
>> I would like to install latest IPA version in RHEL 7.
>>
>> Thanks & Regards,
>>
>> Ben
>>

--
Petr^2 Spacek

From rcritten at redhat.com Wed Apr 13 14:18:55 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 Apr 2016 10:18:55 -0400
Subject: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted
Message-ID: <570E554F.7050109@redhat.com>

Kilian Ries wrote:
> Does nobody have an idea what's the problem here?
TL;DR you are best off deleting this failed replica install and trying again.

Initial replication is done over TLS. When replication is completed both sides of the agreement are converted to using GSSAPI and both ldap principals are needed to do this. Given that replication just completed both principals should be available but rarely one is not (hence the vague-ish error message).

In this case the new ldap principal for the new replica wasn't found on the remote master so things blew up.

There is no continuing the installation after this type of failure so you'll need to remove the failed install as a master on auth01 (ipa-replica-manage del auth02...) and then run ipa-server-install --uninstall on auth02 and try again.

rob

>
> Thanks
>
> Kilian
>
> ------------------------------------------------------------------------
> From: freeipa-users-bounces at redhat.com on behalf of Kilian Ries
> Sent: Wednesday, 6 April 2016 10:41
> To: freeipa-users at redhat.com
> Subject: [Freeipa-users] Error setting up Replication: ldap service
> principals is missing. Replication agreement cannot be converted
>
> Hello,
>
> I have an existing FreeIPA installation (4.2.0) on CentOS 7.2 and I'm
> trying to add a replication partner.
>
> During the installation I got the following error:
>
> ###
> Restarting the directory and certificate servers
> Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
>   [1/8]: adding sasl mappings to the directory
>   [2/8]: configuring KDC
>   [3/8]: creating a keytab for the directory
>   [4/8]: creating a keytab for the machine
>   [5/8]: adding the password extension to the directory
>   [6/8]: enable GSSAPI for replication
>   [error] RuntimeError: One of the ldap service principals is missing.
> Replication agreement cannot be converted.
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> ipa.ipapython.install.cli.install_tool(Replica): ERROR One of the
> ldap service principals is missing. Replication agreement cannot be
> converted.
> ###
>
> Can anybody help me?
>
> Thanks
>
> Greets
>
> Kilian

From florent.bello at ville-kourou.fr Wed Apr 13 15:44:21 2016
From: florent.bello at ville-kourou.fr (Bello Florent)
Date: Wed, 13 Apr 2016 12:44:21 -0300
Subject: [Freeipa-users] ipalib documentation

Hi,

I try to create a dhcp server using freeipa ldap backend. I found this guide https://github.com/encukou/freeipa/blob/master/doc/guide/guide.org [1] and I added the schema from http://www.freeipa.org/page/DHCP_Integration_Design [2]. But when I create a LdapObject "dhcp", I have a python error "KeyError: 'dhcp'" when I restart the ipa service or when I use some "ipa" command.
Where i can find other documentation about ipalib and how to create other LdapObject which is not already exists in freeipa ? Cordialement, Florent BELLO Service Informatique informatique at ville-kourou.fr 0594 22 31 22 Mairie de Kourou Links: ------ [1] https://github.com/encukou/freeipa/blob/master/doc/guide/guide.org, [2] http://www.freeipa.org/page/DHCP_Integration_Design -------------- next part -------------- An HTML attachment was scrubbed... URL: From brian.mathis+freeipa at betteradmin.com Wed Apr 13 20:12:09 2016 From: brian.mathis+freeipa at betteradmin.com (Brian Mathis) Date: Wed, 13 Apr 2016 16:12:09 -0400 Subject: [Freeipa-users] Restrict WebUI access In-Reply-To: <4fad83b5d36a1008a335d24013d7e796@mdfive.dz> References: <4fad83b5d36a1008a335d24013d7e796@mdfive.dz> Message-ID: A simple way would be to edit the apache configuration and add a basic http authentication popup. Its ugly but if you only need to restrict it to admins, it might be good enough. ~ Brian Mathis @orev On Wed, Apr 13, 2016 at 5:30 AM, wrote: > Hi, > > I want to restrict FreeIP WebUI access to a limited users only. How can I > proceed. > > Thanks in advance, > Regards > -- > Omar AKHAM > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Thu Apr 14 07:38:05 2016 From: mbasti at redhat.com (Martin Basti) Date: Thu, 14 Apr 2016 09:38:05 +0200 Subject: [Freeipa-users] ipalib documentation In-Reply-To: References: Message-ID: <570F48DD.7050802@redhat.com> On 13.04.2016 17:44, Bello Florent wrote: > > Hi, > > I try to create a dhcp server using freeipa ldap backend. I found this > guide > https://github.com/encukou/freeipa/blob/master/doc/guide/guide.org, > and i added schema http://www.freeipa.org/page/DHCP_Integration_Design. 
> > But when i create a LdapObject "dhcp", i have an python error > "KeyError: 'dhcp'" when i restart ipa service or when i use some > command "ipa". > > Where i can find other documentation about ipalib and how to create > other LdapObject which is not already exists in freeipa ? > > Cordialement, > > Florent BELLO > Service Informatique > informatique at ville-kourou.fr > 0594 22 31 22 > Mairie de Kourou > > > Hello, this page contains developer docs: http://www.freeipa.org/page/Documentation#Developer_Documentation Especially this may help: https://abbra.fedorapeople.org/guide.html Anyway, with patch and exact traceback we will be able to help you more likely Martin -------------- next part -------------- An HTML attachment was scrubbed... URL: From dev at mdfive.dz Thu Apr 14 08:22:43 2016 From: dev at mdfive.dz (dev at mdfive.dz) Date: Thu, 14 Apr 2016 10:22:43 +0200 Subject: [Freeipa-users] Restrict WebUI access In-Reply-To: <570E27A1.7050700@redhat.com> References: <4fad83b5d36a1008a335d24013d7e796@mdfive.dz> <570E27A1.7050700@redhat.com> Message-ID: <25b95553471fdb2fe2ef00b232027b09@mdfive.dz> Hi, Yes, I want to restrict simple authenticated users on the WebUI from seeying the list of all users. Is it configurable with the role based access control? Best regards. On 2016-04-13 13:04, Petr Vobornik wrote: > On 04/13/2016 11:30 AM, dev at mdfive.dz wrote: >> Hi, >> >> I want to restrict FreeIP WebUI access to a limited users only. How >> can >> I proceed. >> >> Thanks in advance, >> Regards >> -- >> Omar AKHAM >> > > What do you mean by restrict access to Web UI? > > Prevent certain group of users to log in? This is not possible to > configure atm. It is possible to develop a Web UI plugin that does it > but it is not straightforward. Either-way it won't prevent users from > using FreeIPA API or CLI to get the information if it is not restricted > via RBAC. > > Limit what user can see/search for? 
This is possible to configure via > Role-based access control (RBAC)[1]. > > > [1] > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-roles.html

From dev at mdfive.dz Thu Apr 14 11:57:52 2016 From: dev at mdfive.dz (dev at mdfive.dz) Date: Thu, 14 Apr 2016 13:57:52 +0200 Subject: [Freeipa-users] Restrict WebUI access In-Reply-To: <25b95553471fdb2fe2ef00b232027b09@mdfive.dz> References: <4fad83b5d36a1008a335d24013d7e796@mdfive.dz> <570E27A1.7050700@redhat.com> <25b95553471fdb2fe2ef00b232027b09@mdfive.dz> Message-ID: <3d2c8840a2aa61de22835ece3f11edd0@mdfive.dz> Hi, By default, a simple user who authenticates on the WebUI has access to his profile info page and can list all users and access their info (read only). I want to limit a simple user to his profile info page only (where he can change his own password) and disable access to the users list and their info. Best regards. On 2016-04-14 10:22, dev at mdfive.dz wrote: > Hi, > > Yes, I want to restrict simple authenticated users on the WebUI from > seeing the list of all users. > > Is it configurable with the role based access control? > > Best regards. > > On 2016-04-13 13:04, Petr Vobornik wrote: >> On 04/13/2016 11:30 AM, dev at mdfive.dz wrote: >>> Hi, >>> >>> I want to restrict FreeIPA WebUI access to limited users only. How >>> can >>> I proceed. >>> >>> Thanks in advance, >>> Regards >>> -- >>> Omar AKHAM >>> >> >> What do you mean by restrict access to Web UI? >> >> Prevent a certain group of users from logging in? This is not possible to >> configure atm. It is possible to develop a Web UI plugin that does it >> but it is not straightforward. Either way it won't prevent users from >> using FreeIPA API or CLI to get the information if it is not >> restricted >> via RBAC. >> >> Limit what user can see/search for? This is possible to configure via >> Role-based access control (RBAC)[1].
>> >> >> [1] >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-roles.html

From stephen.berg.ctr at nrlssc.navy.mil Thu Apr 14 12:28:43 2016 From: stephen.berg.ctr at nrlssc.navy.mil (Stephen Berg (Contractor)) Date: Thu, 14 Apr 2016 07:28:43 -0500 Subject: [Freeipa-users] Getting client status Message-ID: <20GhfZvOiq9a8RnUnqfvHL4kOCCRvtnjoD59onaGHyqre6o_xurOlA@cipher.nrlssc.navy.mil> I'm looking for a command line method to get current status on a client without having a ticket or authenticating to the IPA domain. Back in the NIS days from a client you could run "ypwhich" and be able to know if that system were bound to the NIS and which server it had bound to. So far I can't find a way to do a similar function in FreeIPA. I'd like to do this from a cron job on each client once a day. We're running a mix of SciLinux 6.7 and 7.2. The servers are all on 7.2 running ipa VERSION: 4.2.0, API_VERSION: 2.156. -- Stephen Berg Systems Administrator NRL Code: 7320 Office: 228-688-5738 stephen.berg.ctr at nrlssc.navy.mil

From pvoborni at redhat.com Thu Apr 14 12:39:09 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 14 Apr 2016 14:39:09 +0200 Subject: [Freeipa-users] Restrict WebUI access In-Reply-To: <3d2c8840a2aa61de22835ece3f11edd0@mdfive.dz> References: <4fad83b5d36a1008a335d24013d7e796@mdfive.dz> <570E27A1.7050700@redhat.com> <25b95553471fdb2fe2ef00b232027b09@mdfive.dz> <3d2c8840a2aa61de22835ece3f11edd0@mdfive.dz> Message-ID: <570F8F6D.5020606@redhat.com> On 04/14/2016 01:57 PM, dev at mdfive.dz wrote: > Hi, > > By default, a simple user who authenticates on the WebUI has access to his > profile info page and can list all users and access their info (read > only). > > I want to limit a simple user to his profile info page only (where he > can change his own password) and disable access to the users list and their > info.
Check RBAC in the previous mail, otherwise it is security by obscurity. E.g. it is possible to use the following UI plugin (created for demonstration purposes): https://pvoborni.fedorapeople.org/plugins/simpleuser/simpleuser.js The plugin limits capabilities of the self-service page, basically by replacing it, disabling breadcrumb navigation and removing menu items. Installation (on each IPA server):

# cd /usr/share/ipa/ui/js/plugins/
# mkdir simpleuser
# cd simpleuser/
# wget https://pvoborni.fedorapeople.org/plugins/simpleuser/simpleuser.js

then access Web UI... But anybody can change the URL and view information of a certain user. Other possibility is to run the attached script locally (example usable only on server, but can be easily changed) to run ipa user-find by communicating with the FreeIPA API. > > Best regards. > > On 2016-04-14 10:22, dev at mdfive.dz wrote: >> Hi, >> >> Yes, I want to restrict simple authenticated users on the WebUI from >> seeing the list of all users. >> >> Is it configurable with the role based access control? >> >> Best regards. >> >> On 2016-04-13 13:04, Petr Vobornik wrote: >>> On 04/13/2016 11:30 AM, dev at mdfive.dz wrote: >>>> Hi, >>>> >>>> I want to restrict FreeIPA WebUI access to limited users only. How can >>>> I proceed. >>>> >>>> Thanks in advance, >>>> Regards >>>> -- >>>> Omar AKHAM >>>> >>> >>> What do you mean by restrict access to Web UI? >>> >>> Prevent a certain group of users from logging in? This is not possible to >>> configure atm. It is possible to develop a Web UI plugin that does it >>> but it is not straightforward. Either way it won't prevent users from >>> using FreeIPA API or CLI to get the information if it is not restricted >>> via RBAC. >>> >>> Limit what user can see/search for? This is possible to configure via >>> Role-based access control (RBAC)[1].
>>> >>> >>> [1] >>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-roles.html >>> > -- Petr Vobornik -------------- next part --------------

#!/bin/bash
# Runs ipa user-find through the JSON-RPC API with the same password
# login and session cookie the Web UI uses; any user who can log in to
# the Web UI can do this unless RBAC restricts what they may read.
set -euo pipefail

IPA_HOST=$(hostname)
COOKIE=$(mktemp)   # session cookie jar; mktemp instead of a fixed /tmp name
REQ=$(mktemp)      # JSON-RPC request body
trap 'rm -f "$COOKIE" "$REQ"' EXIT

# Prompt instead of hardcoding the password in the script.
read -rsp 'Password for admin: ' IPA_PASS; echo

# pkey_only=true returns just the uid of every user; sizelimit 0 = no limit.
echo '{"method":"user_find","params":[[],{"sizelimit":0,"pkey_only":true}]}' > "$REQ"

# Password login: on success the server stores an ipa_session cookie in the jar.
curl --cacert /etc/ipa/ca.crt -c "$COOKIE" \
     --data-urlencode "user=admin" --data-urlencode "password=$IPA_PASS" \
     "https://$IPA_HOST/ipa/session/login_password"

# The JSON endpoint rejects requests without a Referer from the IPA origin.
curl -H "Content-Type:application/json" \
     -H "Referer: https://$IPA_HOST/ipa/xml" \
     -H "Accept:application/json" \
     -H "Accept-Language:en" \
     --cacert /etc/ipa/ca.crt \
     -d @"$REQ" \
     -X POST \
     -b "$COOKIE" -c "$COOKIE" \
     "https://$IPA_HOST/ipa/session/json"

From mbasti at redhat.com Thu Apr 14 12:44:34 2016 From: mbasti at redhat.com (Martin Basti) Date: Thu, 14 Apr 2016 14:44:34 +0200 Subject: [Freeipa-users] Getting client status In-Reply-To: <20GhfZvOiq9a8RnUnqfvHL4kOCCRvtnjoD59onaGHyqre6o_xurOlA@cipher.nrlssc.navy.mil> References: <20GhfZvOiq9a8RnUnqfvHL4kOCCRvtnjoD59onaGHyqre6o_xurOlA@cipher.nrlssc.navy.mil> Message-ID: <570F90B2.9070806@redhat.com> On 14.04.2016 14:28, Stephen Berg (Contractor) wrote: > I'm looking for a command line method to get current status on a > client without having a ticket or authenticating to the IPA domain. > > Back in the NIS days from a client you could run "ypwhich" and be able > to know if that system were bound to the NIS and which server it had > bound to. So far I can't find a way to do a similar function in FreeIPA. > > I'd like to do this from a cron job on each client once a day. > > We're running a mix of SciLinux 6.7 and 7.2. The servers are all on > 7.2 running ipa VERSION: 4.2.0, API_VERSION: 2.156. > Hello, sorry but it is not clear to me what kind of status you would like to get on a client. IPA client (SSSD) uses dynamic detection of IPA servers (unless you configured it manually).
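The question above asks for a ypwhich-like check that needs no ticket, and the reply notes that SSSD locates servers dynamically. Two world-readable files on an enrolled client cover both halves: /etc/ipa/default.conf, which ipa-client-install writes with the server, realm and domain the client enrolled against, and /var/lib/sss/pubconf/kdcinfo.REALM, which SSSD writes with the address of the KDC it last located. The script below is an added example written for this page, not code from any message in the thread or from the FreeIPA or SSSD projects; it assumes the kdcinfo file holds one address per line, and the sample default.conf and kdcinfo contents embedded in it are constructed so that it runs stand-alone. Run it with no arguments on a real client (from cron, if you like), or with two arguments (path to a default.conf, path to a pubconf directory) to point it at copies.

```python
#!/usr/bin/env python3
"""Report an IPA client's enrolment state without a Kerberos ticket.

Added example for this thread, not FreeIPA or SSSD project code.  It reads
only world-readable files:
  /etc/ipa/default.conf               written by ipa-client-install
  /var/lib/sss/pubconf/kdcinfo.REALM  written by SSSD; assumed to hold one
                                      KDC address per line
"""
import configparser
import os
import sys
import tempfile


def read_ipa_conf(path="/etc/ipa/default.conf"):
    """Return the [global] section of default.conf as a dict ({} if unreadable)."""
    parser = configparser.ConfigParser()
    if not parser.read(path):          # read() returns the list of files parsed
        return {}
    if not parser.has_section("global"):
        return {}
    return dict(parser["global"])


def read_kdcinfo(realm, pubconf_dir="/var/lib/sss/pubconf"):
    """Return the KDC addresses SSSD recorded for realm ([] if no file)."""
    path = os.path.join(pubconf_dir, "kdcinfo." + realm)
    try:
        with open(path, encoding="utf-8") as fh:
            return [line.strip() for line in fh if line.strip()]
    except OSError:
        return []


def client_status(conf_path="/etc/ipa/default.conf",
                  pubconf_dir="/var/lib/sss/pubconf"):
    """Summarise enrolment: a realm in default.conf means the client is enrolled."""
    conf = read_ipa_conf(conf_path)
    status = {
        "enrolled": bool(conf.get("realm")),
        "server": conf.get("server"),   # server ipa-client-install enrolled against
        "realm": conf.get("realm"),
        "domain": conf.get("domain"),
        "kdcs": [],                     # KDC(s) SSSD last located, if recorded
    }
    if status["enrolled"]:
        status["kdcs"] = read_kdcinfo(status["realm"], pubconf_dir)
    return status


# Constructed sample data so the script runs without an enrolled client.
SAMPLE_CONF = """[global]
basedn = dc=example,dc=test
realm = EXAMPLE.TEST
domain = example.test
server = ipa01.example.test
host = client1.example.test
xmlrpc_uri = https://ipa01.example.test/ipa/xml
enable_ra = True
"""
SAMPLE_KDCINFO = "192.0.2.10:88\n192.0.2.11:88\n"   # assumed kdcinfo layout


def write_sample(directory):
    """Write the sample files under directory; return (conf_path, pubconf_dir)."""
    conf_path = os.path.join(directory, "default.conf")
    pubconf_dir = os.path.join(directory, "pubconf")
    os.makedirs(pubconf_dir, exist_ok=True)
    with open(conf_path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_CONF)
    with open(os.path.join(pubconf_dir, "kdcinfo.EXAMPLE.TEST"), "w",
              encoding="utf-8") as fh:
        fh.write(SAMPLE_KDCINFO)
    return conf_path, pubconf_dir


def demo():
    """Run client_status against the constructed sample in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        conf_path, pubconf_dir = write_sample(tmp)
        return client_status(conf_path, pubconf_dir)


def format_status(status):
    """One line suitable for a cron job's mail or a log."""
    if not status["enrolled"]:
        return "not enrolled: no realm in default.conf"
    kdcs = ", ".join(status["kdcs"]) or "(none recorded by SSSD)"
    return "realm %s  server %s  last KDC %s" % (
        status["realm"], status["server"], kdcs)


if __name__ == "__main__":
    if len(sys.argv) == 3:                       # default.conf pubconf_dir
        st = client_status(sys.argv[1], sys.argv[2])
    elif len(sys.argv) == 1:
        st = client_status()                     # real client paths
    else:
        sys.exit("usage: %s [default.conf pubconf_dir]" % sys.argv[0])
    print(format_status(st))
    sys.exit(0 if st["enrolled"] else 1)
```

The exit status (0 enrolled, 1 not) lets cron or a monitoring agent alert on a client that has lost its configuration, and nothing here contacts a server or needs credentials, which is the property the original question asked for.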
Martin

From natxo.asenjo at gmail.com Thu Apr 14 12:53:15 2016 From: natxo.asenjo at gmail.com (Natxo Asenjo) Date: Thu, 14 Apr 2016 14:53:15 +0200 Subject: [Freeipa-users] Getting client status In-Reply-To: <20GhfZvOiq9a8RnUnqfvHL4kOCCRvtnjoD59onaGHyqre6o_xurOlA@cipher.nrlssc.navy.mil> References: <20GhfZvOiq9a8RnUnqfvHL4kOCCRvtnjoD59onaGHyqre6o_xurOlA@cipher.nrlssc.navy.mil> Message-ID: On Thu, Apr 14, 2016 at 2:28 PM, Stephen Berg (Contractor) < stephen.berg.ctr at nrlssc.navy.mil> wrote: > I'm looking for a command line method to get current status on a client > without having a ticket or authenticating to the IPA domain. > > Back in the NIS days from a client you could run "ypwhich" and be able to > know if that system were bound to the NIS and which server it had bound > to. So far I can't find a way to do a similar function in FreeIPA. > > I'd like to do this from a cron job on each client once a day. > interesting. In a fast review in some domain joined hosts you could get the info in /var/lib/sss/pubconf/kdcinfo.YOUR.REALM, there you see the ip address of the kdc last contacted by the host before renewing its secure channel, I guess. The file is world readable, so you should not need any special privileges to read it. Otherwise you would have to enable some logging in sssd (out of the box it logs hardly anything) and parse the logs in /var/log/sssd/* HTH -- Greetings, natxo

From mail at kilian-ries.de Thu Apr 14 14:19:07 2016 From: mail at kilian-ries.de (Kilian Ries) Date: Thu, 14 Apr 2016 14:19:07 +0000 Subject: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted In-Reply-To: <570E554F.7050109@redhat.com> References: , <570E554F.7050109@redhat.com> Message-ID: Hello Rob, thanks for your explanations. I followed your hints and did a complete uninstall and started over with a fresh installation.
I ended up with exactly the same error as the first time... I did the following steps:

auth01$ ipa-replica-manage del auth02
auth02$ ipa-server-install --uninstall
auth01$ ipa-replica-prepare --ip-address 192.168.210.181 auth02.intern.eu
auth02$ ipa-replica-install --setup-dns --setup-ca --forwarder 192.168.210.40 /root/replica-info-auth02.intern.eu.gpg

Are there other logfiles I can check for more specific errors? Greets Kilian ________________________________________ From: Rob Crittenden Sent: Wednesday, 13 April 2016 16:18 To: Kilian Ries; freeipa-users at redhat.com Subject: Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted Kilian Ries wrote: > Does nobody have an idea what's the problem here? TL;DR you are best off deleting this failed replica install and trying again. Initial replication is done over TLS. When replication is completed both sides of the agreement are converted to using GSSAPI and both ldap principals are needed to do this. Given that replication just completed both principals should be available but rarely one is not (hence the vague-ish error message). In this case the new ldap principal for the new replica wasn't found on the remote master so things blew up. There is no continuing the installation after this type of failure so you'll need to remove the failed install as a master on auth01 (ipa-replica-manage del auth02...) and then run ipa-server-install --uninstall on auth02 and try again. rob > > > Thanks > > Kilian > > > > ------------------------------------------------------------------------ > *From:* freeipa-users-bounces at redhat.com > on behalf of Kilian Ries > > *Sent:* Wednesday, 6 April 2016 10:41 > *To:* freeipa-users at redhat.com > *Subject:* [Freeipa-users] Error setting up Replication: ldap service > principals is missing.
Replication agreement cannot be converted > > Hello, > > > I have an existing FreeIPA installation (4.2.0) on CentOS 7.2 and I'm > trying to add a replication partner. > > > During the installation I got the following error: > > > ### > > Restarting the directory and certificate servers > > Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds > > [1/8]: adding sasl mappings to the directory > > [2/8]: configuring KDC > > [3/8]: creating a keytab for the directory > > [4/8]: creating a keytab for the machine > > [5/8]: adding the password extension to the directory > > [6/8]: enable GSSAPI for replication > > [error] RuntimeError: One of the ldap service principals is missing. > Replication agreement cannot be converted. > > Your system may be partly configured. > > Run /usr/sbin/ipa-server-install --uninstall to clean up. > > > ipa.ipapython.install.cli.install_tool(Replica): ERROR One of the > ldap service principals is missing. Replication agreement cannot be > converted. > > ### > > > > The installation Log shows the following: > > > > ### > > 2016-04-06T08:22:34Z INFO Getting ldap service principals for > conversion: (krbprincipalname=ldap/auth02.intern.eu at INTERN.EU) and > (krbprincipalname=ldap/auth01.intern.eu at INTERN.EU) > > 2016-04-06T08:22:34Z DEBUG Unable to find entry for > (krbprincipalname=ldap/auth02.intern.eu at INTERN.EU) on auth01.intern.eu:636 > > 2016-04-06T08:22:34Z INFO Setting agreement > cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping > tree,cn=config schedule to 2358-2359 0 to force synch > > 2016-04-06T08:22:35Z INFO Deleting schedule 2358-2359 0 from agreement > cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping > tree,cn=config > > 2016-04-06T08:22:36Z INFO Replication Update in progress: FALSE: status: > 0 Replica acquired successfully: Incremental update succeeded: start: 0: > end: 0 > > 2016-04-06T08:22:36Z DEBUG Traceback (most recent call
last): > > File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", > line 418, in start_creation > > run_step(full_msg, method) > > File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", > line 408, in run_step > > method() > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", > line 438, in __convert_to_gssapi_replication > > r_bindpw=self.dm_password) > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", > line 1104, in convert_to_gssapi_replication > > self.gssapi_update_agreements(self.conn, r_conn) > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", > line 797, in gssapi_update_agreements > > self.setup_krb_princs_as_replica_binddns(a, b) > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", > line 767, in setup_krb_princs_as_replica_binddns > > (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100) > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", > line 751, in get_replica_principal_dns > > raise RuntimeError(error) > > RuntimeError: One of the ldap service principals is missing. Replication > agreement cannot be converted. > > > 2016-04-06T08:22:36Z DEBUG [error] RuntimeError: One of the ldap > service principals is missing. Replication agreement cannot be converted. 
> > 2016-04-06T08:22:36Z DEBUG File > "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in > execute > > return_value = self.run() > > File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", > line 311, in run > > cfgr.run() > > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 281, in run > > self.execute() > > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 303, in execute > > for nothing in self._executor(): > > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 343, in __runner > > self._handle_exception(exc_info) > > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 365, in _handle_exception > > util.raise_exc_info(exc_info) > > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 333, in __runner > > step() > > File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", > line 87, in run_generator_with_yield_from > > raise_exc_info(exc_info) > > File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", > line 65, in run_generator_with_yield_from > > value = gen.send(prev_value) > > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 524, in _configure > > executor.next() > > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 343, in __runner > > self._handle_exception(exc_info) > > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 421, in _handle_exception > > self.__parent._handle_exception(exc_info) > > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 365, in _handle_exception > > util.raise_exc_info(exc_info) > > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 418, in _handle_exception > > super(ComponentBase, self)._handle_exception(exc_info) > > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 365, in _handle_exception > > util.raise_exc_info(exc_info) 
> > File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > line 333, in __runner > > step() > > File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", > line 87, in run_generator_with_yield_from > > raise_exc_info(exc_info) > > File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", > line 65, in run_generator_with_yield_from > > value = gen.send(prev_value) > > File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", > line 63, in _install > > for nothing in self._installer(self.parent): > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", > line 879, in main > > install(self) > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", > line 295, in decorated > > func(installer) > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", > line 586, in install > > krb = install_krb(config, setup_pkinit=not options.no_pkinit) > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", > line 93, in install_krb > > setup_pkinit, pkcs12_info) > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", > line 214, in create_replica > > self.start_creation(runtime=30) > > File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", > line 418, in start_creation > > run_step(full_msg, method) > > File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", > line 408, in run_step > > method() > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", > line 438, in __convert_to_gssapi_replication > > r_bindpw=self.dm_password) > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", > line 1104, in convert_to_gssapi_replication > > self.gssapi_update_agreements(self.conn, r_conn) > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", > line 797, in gssapi_update_agreements > > 
self.setup_krb_princs_as_replica_binddns(a, b) > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", > line 767, in setup_krb_princs_as_replica_binddns > > (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100) > > File > "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", > line 751, in get_replica_principal_dns > > raise RuntimeError(error) > > > 2016-04-06T08:22:36Z DEBUG The ipa-replica-install command failed, > exception: RuntimeError: One of the ldap service principals is missing. > Replication agreement cannot be converted. > > 2016-04-06T08:22:36Z ERROR One of the ldap service principals is > missing. Replication agreement cannot be converted. > > ### > > > > Can anybody help me? > > > Thanks > > Greets > > Kilian > > >

From lkrispen at redhat.com Thu Apr 14 14:46:46 2016 From: lkrispen at redhat.com (Ludwig Krispenz) Date: Thu, 14 Apr 2016 16:46:46 +0200 Subject: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted In-Reply-To: References: , <570E554F.7050109@redhat.com> Message-ID: <570FAD56.5000604@redhat.com> On 04/14/2016 04:19 PM, Kilian Ries wrote: > Hello Rob, > > thanks for your explanations. I followed your hints and did a complete uninstall and started over with a fresh installation. I ended up with exactly the same error as the first time... > > I did the following steps: > > > auth01$ ipa-replica-manage del auth02 > > auth02$ ipa-server-install --uninstall > > auth01$ ipa-replica-prepare --ip-address 192.168.210.181 auth02.intern.eu > > auth02$ ipa-replica-install --setup-dns --setup-ca --forwarder 192.168.210.40 /root/replica-info-auth02.intern.eu.gpg > > > Are there other logfiles I can check for more specific errors?

you should have a look at the DS error logs in /var/log/dirsrv on both instances

> > Greets > Kilian > > ________________________________________ > From: Rob Crittenden > Sent: Wednesday, 13 April 2016 16:18 > To: Kilian Ries; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted > > Kilian Ries wrote: >> Does nobody have an idea what's the problem here? > TL;DR you are best off deleting this failed replica install and trying > again. > > Initial replication is done over TLS. When replication is completed both > sides of the agreement are converted to using GSSAPI and both ldap > principals are needed to do this. Given that replication just completed > both principals should be available but rarely one is not (hence the > vague-ish error message). > > In this case the new ldap principal for the new replica wasn't found on > the remote master so things blew up. > > There is no continuing the installation after this type of failure so > you'll need to remove the failed install as a master on auth01 > (ipa-replica-manage del auth02...) and then run ipa-server-install > --uninstall on auth02 and try again. > > rob > >> >> Thanks >> >> Kilian >> >> >> >> ------------------------------------------------------------------------ >> *From:* freeipa-users-bounces at redhat.com >> on behalf of Kilian Ries >> >> *Sent:* Wednesday, 6 April 2016 10:41 >> *To:* freeipa-users at redhat.com >> *Subject:* [Freeipa-users] Error setting up Replication: ldap service >> principals is missing. Replication agreement cannot be converted >> >> Hello, >> >> >> I have an existing FreeIPA installation (4.2.0) on CentOS 7.2 and I'm >> trying to add a replication partner. >> >> >> During the installation I got the following error: >> >> >> ### >> >> Restarting the directory and certificate servers >> >> Configuring Kerberos KDC (krb5kdc).
Estimated time: 30 seconds >> >> [1/8]: adding sasl mappings to the directory >> >> [2/8]: configuring KDC >> >> [3/8]: creating a keytab for the directory >> >> [4/8]: creating a keytab for the machine >> >> [5/8]: adding the password extension to the directory >> >> [6/8]: enable GSSAPI for replication >> >> [error] RuntimeError: One of the ldap service principals is missing. >> Replication agreement cannot be converted. >> >> Your system may be partly configured. >> >> Run /usr/sbin/ipa-server-install --uninstall to clean up. >> >> >> ipa.ipapython.install.cli.install_tool(Replica): ERROR One of the >> ldap service principals is missing. Replication agreement cannot be >> converted. >> >> ### >> >> >> >> The installation Log shows the following: >> >> >> >> ### >> >> 2016-04-06T08:22:34Z INFO Getting ldap service principals for >> conversion: (krbprincipalname=ldap/auth02.intern.eu at INTERN.EU) and >> (krbprincipalname=ldap/auth01.intern.eu at INTERN.EU) >> >> 2016-04-06T08:22:34Z DEBUG Unable to find entry for >> (krbprincipalname=ldap/auth02.intern.eu at INTERN.EU) on auth01.intern.eu:636 >> >> 2016-04-06T08:22:34Z INFO Setting agreement >> cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping >> tree,cn=config schedule to 2358-2359 0 to force synch >> >> 2016-04-06T08:22:35Z INFO Deleting schedule 2358-2359 0 from agreement >> cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping >> tree,cn=config >> >> 2016-04-06T08:22:36Z INFO Replication Update in progress: FALSE: status: >> 0 Replica acquired successfully: Incremental update succeeded: start: 0: >> end: 0 >> >> 2016-04-06T08:22:36Z DEBUG Traceback (most recent call last): >> >> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >> line 418, in start_creation >> >> run_step(full_msg, method) >> >> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >> line 408, in run_step >> >> method() >> >> File >> 
"/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", >> line 438, in __convert_to_gssapi_replication >> >> r_bindpw=self.dm_password) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >> line 1104, in convert_to_gssapi_replication >> >> self.gssapi_update_agreements(self.conn, r_conn) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >> line 797, in gssapi_update_agreements >> >> self.setup_krb_princs_as_replica_binddns(a, b) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >> line 767, in setup_krb_princs_as_replica_binddns >> >> (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >> line 751, in get_replica_principal_dns >> >> raise RuntimeError(error) >> >> RuntimeError: One of the ldap service principals is missing. Replication >> agreement cannot be converted. >> >> >> 2016-04-06T08:22:36Z DEBUG [error] RuntimeError: One of the ldap >> service principals is missing. Replication agreement cannot be converted. 
>> >> 2016-04-06T08:22:36Z DEBUG File >> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in >> execute >> >> return_value = self.run() >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", >> line 311, in run >> >> cfgr.run() >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 281, in run >> >> self.execute() >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 303, in execute >> >> for nothing in self._executor(): >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 343, in __runner >> >> self._handle_exception(exc_info) >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 365, in _handle_exception >> >> util.raise_exc_info(exc_info) >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 333, in __runner >> >> step() >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >> line 87, in run_generator_with_yield_from >> >> raise_exc_info(exc_info) >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >> line 65, in run_generator_with_yield_from >> >> value = gen.send(prev_value) >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 524, in _configure >> >> executor.next() >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 343, in __runner >> >> self._handle_exception(exc_info) >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 421, in _handle_exception >> >> self.__parent._handle_exception(exc_info) >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 365, in _handle_exception >> >> util.raise_exc_info(exc_info) >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 418, in _handle_exception >> >> super(ComponentBase, self)._handle_exception(exc_info) >> >> File 
"/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 365, in _handle_exception >> >> util.raise_exc_info(exc_info) >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 333, in __runner >> >> step() >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >> line 87, in run_generator_with_yield_from >> >> raise_exc_info(exc_info) >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >> line 65, in run_generator_with_yield_from >> >> value = gen.send(prev_value) >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", >> line 63, in _install >> >> for nothing in self._installer(self.parent): >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", >> line 879, in main >> >> install(self) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", >> line 295, in decorated >> >> func(installer) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", >> line 586, in install >> >> krb = install_krb(config, setup_pkinit=not options.no_pkinit) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", >> line 93, in install_krb >> >> setup_pkinit, pkcs12_info) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", >> line 214, in create_replica >> >> self.start_creation(runtime=30) >> >> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >> line 418, in start_creation >> >> run_step(full_msg, method) >> >> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >> line 408, in run_step >> >> method() >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", >> line 438, in __convert_to_gssapi_replication >> >> r_bindpw=self.dm_password) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >> line 1104, in 
convert_to_gssapi_replication >> >> self.gssapi_update_agreements(self.conn, r_conn) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >> line 797, in gssapi_update_agreements >> >> self.setup_krb_princs_as_replica_binddns(a, b) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >> line 767, in setup_krb_princs_as_replica_binddns >> >> (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >> line 751, in get_replica_principal_dns >> >> raise RuntimeError(error) >> >> >> 2016-04-06T08:22:36Z DEBUG The ipa-replica-install command failed, >> exception: RuntimeError: One of the ldap service principals is missing. >> Replication agreement cannot be converted. >> >> 2016-04-06T08:22:36Z ERROR One of the ldap service principals is >> missing. Replication agreement cannot be converted. >> >> ### >> >> >> >> Can anybody help me? >> >> >> Thanks >> >> Greets >> >> Kilian >> >> >> -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill

From jhrozek at redhat.com Thu Apr 14 15:17:08 2016 From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 14 Apr 2016 17:17:08 +0200 Subject: [Freeipa-users] Announcing SSSD 1.13.4 Message-ID: <20160414151708.GW15447@hendrix.redhat.com>

== SSSD 1.13.4 ==

The SSSD team is proud to announce the release of version 1.13.4 of the System Security Services Daemon. As always, the source is available from https://fedorahosted.org/sssd RPM packages will be made available for Fedora shortly.
== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==

* The IPA sudo provider was reimplemented. The new version reads the data from IPA's LDAP tree (as opposed to the compat tree populated by the slapi-nis plugin that was used previously). The benefit is that deployments which don't require the compat tree for other purposes, such as support for non-SSSD clients, can disable those autogenerated LDAP trees to conserve the resources that slapi-nis otherwise requires. There should be no visible changes to the end user.
* SSSD now has the ability to renew the machine credentials (keytabs) when the ad provider is used. Please note that a recent version of the adcli (0.8 or newer) package is required for this feature to work.
* The automatic ID mapping feature was improved so that the administrator is no longer required to manually set the range size in case a RID in the AD domain is larger than the default range size.
* A potential infinite loop in the NFS ID mapping plugin that was resulting in excessive memory usage was fixed.
* Clients that are pinned to a particular AD site using the ad_site option no longer communicate with DCs outside that site during service discovery.
* The IPA identity provider is now able to resolve external (typically coming from a trusted AD forest) group members during get-group-information requests. Please note that resolving external group memberships for AD users during the initgroup requests used to work even prior to this update. This feature is mostly useful for cases where an IPA client is using the compat tree to resolve AD trust users.
* The IPA ID views feature now works correctly even for deployments without a trust relationship.
Previously, the subdomains IPA provider failed to read the views data if no master domain record was created on the IPA server during trust establishment. * A race condition in the client libraries between the SSSD closing the socket as idle and the client application using the socket was fixed. This bug manifested with a Broken Pipe error message on the client. * SSSD is now able to resolve users with the same usernames in different OUs of an AD domain. * The smartcard authentication now works properly with gnome-screensaver. == Packaging Changes == * The krb5.include.d directory is now owned by the sssd user and packaged in the krb5-common subpackage. == Documentation Changes == * A new option ldap_idmap_helper_table_size was added. This option can help tune allocation of new ID mapping slices for AD domains with high RID values. Most deployments can use the default value of this option. * Several PAM services were added to the lists that are used to map Windows logon services to Linux PAM services. The newly added PAM services include login managers (lightdm, lxdm, sddm and xdm) as well as the cockpit service. * The AD machine credentials renewal task can be fine-tuned using the ad_machine_account_password_renewal_opts option to change the initial delay and period of the credentials renewal task. In addition, the new ad_maximum_machine_account_password_age option allows the administrator to select how old the machine credential must be before trying to renew it. * The administrator can use the new option pam_account_locked_message to set a custom informational message when the account logging in is locked.
== Tickets Fixed == https://fedorahosted.org/sssd/ticket/1041 [RFE] Support Automatic Renewing of Kerberos Host Keytabs https://fedorahosted.org/sssd/ticket/1108 [RFE] SUDO: Support the IPA schema https://fedorahosted.org/sssd/ticket/2188 automatically assign new slices for any AD domain https://fedorahosted.org/sssd/ticket/2522 [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid https://fedorahosted.org/sssd/ticket/2626 Retry EPIPE from clients https://fedorahosted.org/sssd/ticket/2764 the colondb intreface has no unit tests https://fedorahosted.org/sssd/ticket/2765 ad_site parameter does not work https://fedorahosted.org/sssd/ticket/2785 incompatibility between sparkleshare and sss_ssh_knownhostsproxy due to setlocale() https://fedorahosted.org/sssd/ticket/2791 sssd dereference processing failed : Input/output error https://fedorahosted.org/sssd/ticket/2829 collapse_srv_lookups frees fo_server structure that is returned by fail over API https://fedorahosted.org/sssd/ticket/2839 Allow SSSD to notify user of denial due to AD account lockout https://fedorahosted.org/sssd/ticket/2849 cache_req: don't search override values in LDAP when using LOCAL view https://fedorahosted.org/sssd/ticket/2865 sssd_nss memory usage keeps growing on sssd-1.12.4-47.el6.x86_64 (RHEL6.7) when trying to retrieve non-existing netgroups https://fedorahosted.org/sssd/ticket/2881 MAN: Clarify that subdomains always use service discovery https://fedorahosted.org/sssd/ticket/2888 SRV lookups with id_provider=proxy and auth_provider=krb5 https://fedorahosted.org/sssd/ticket/2899 [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected. 
https://fedorahosted.org/sssd/ticket/2902 Review and update wiki pages for 1.13.4 https://fedorahosted.org/sssd/ticket/2904 sssd_be AD segfaults on missing A record https://fedorahosted.org/sssd/ticket/2906 Cannot retrieve users after upgrade from 1.12 to 1.13 https://fedorahosted.org/sssd/ticket/2909 extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members https://fedorahosted.org/sssd/ticket/2910 sssd mixup nested group from AD trusted domains https://fedorahosted.org/sssd/ticket/2912 refresh_expired_interval stops sss_cache from working https://fedorahosted.org/sssd/ticket/2917 Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore https://fedorahosted.org/sssd/ticket/2922 ID mapping - bug in computing max id for slice range https://fedorahosted.org/sssd/ticket/2925 Add gnome-screensaver to the list of PAM services considered for Smartcard authentication https://fedorahosted.org/sssd/ticket/2931 Warn if user cannot read krb5.conf https://fedorahosted.org/sssd/ticket/2934 After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user https://fedorahosted.org/sssd/ticket/2937 sss_obfuscate: SyntaxError: Missing parentheses in call to 'print' https://fedorahosted.org/sssd/ticket/2938 Cannot start sssd after switching to non-root https://fedorahosted.org/sssd/ticket/2959 The delete operation of the memberof plugin allocates memory on NULL context https://fedorahosted.org/sssd/ticket/2960 IPA view: view name not stored properly with default FreeIPA installation https://fedorahosted.org/sssd/ticket/2961 Initgroups in AD provider might fail if user is stored in a non-default ou https://fedorahosted.org/sssd/ticket/2962 GPO: Access denied in non-root mode https://fedorahosted.org/sssd/ticket/2964 GPO: Access denied after blocking connection to AD. 
https://fedorahosted.org/sssd/ticket/2969 sudorule not working with ipa sudo_provider on older freeipa https://fedorahosted.org/sssd/ticket/2970 sudo smart refresh does not work correctly on openldap https://fedorahosted.org/sssd/ticket/2971 SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo https://fedorahosted.org/sssd/ticket/2972 IPA sudo: support the externalUser attribute https://fedorahosted.org/sssd/ticket/2980 sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000] == Detailed Changelog == Dan Lavu (1): * PAM: Fix man for pam_account_{expired,locked}_message David Disseldorp (1): * build: detect endianness at configure time Jakub Hrozek (17): * Upgrading the version for the 1.13.4 release * SDAP: Make it possible to silence errors from dereference * Add a new option ldap_group_external_member * IPA: Add interface to call into IPA provider from LDAP provider * LDAP: Use the IPA provider interface to resolve external group members * FO: Don't free rc-allocated structure * tests: Reduce failover code duplication * FO: Use refcount to keep track of servers returned to callers * FO: Use tevent_req_defer_callback() when notifying callers * memberof: Don't allocate on a NULL context * tests: Add a unit test for the external groups resolution * MAN: Remove duplicate description of the pam_account_locked_message option * AD: Recognize Windows Server 2016 * memberof: Fix a memory leak when removing ghost users * memberof: Don't allocate on NULL when deleting memberUids * tests: Check NULL context in sysdb-tests when removing group members * Updating translations for the 1.13.4 release Lukas Slebodnik (33): * SPEC: Change package ownership of %{pubconfpath}/krb5.include.d * CONFIGURE: Replace obsoleted macro AC_PROG_LIBTOOL * TESTS: Fix race condition in python test * PYTHON: sss_obfuscate should work with python3 * PYTHON: Fix pep8 errors in sss_obfuscate * UTIL: 
Backport error code ERR_ACCOUNT_LOCKED * sss_idmap-tests: Fix segmentation fault * krb5_child: Warn if user cannot read krb5.conf * Fix typos reported by lintian * UTIL: Use prefix for debug function * UTIL: Provide varargs version of debug_fn * UTIL: Use sss_vdebug_fn for callbacks * Revert "DEBUG: Preventing chown_debug_file if journald on" * DEBUG: Ignore ENOENT for change owner of log files * TOOLS: Fix minor memory leak in sss_colondb_writeline * CI: Use yum-deprecated instead of dnf * FAIL_OVER: Fix warning value computed is not used * UTIL: Fix indentation in dlinklist.h * UTIL: Fix warning misleading-indentation * CLIENT: Reduce code duplication * CLIENT: Retry request after EPIPE * UTIL: Move debug part from util.h -> new debug.h * UTIL: Allow to append new line in sss_vdebug_fn * AUTOMAKE: Force usage of parallel test harness * CI: Use make check instead of make-check-wrap * test_ipa_subdom_server: Workaround for slow krb5 + SELinux * SPEC: Run extra unit tests with epel * GPO: Soften umask in gpo_child * GPO_CHILD: Create directories in gpo_cache with right permissions * GPO: Process GPOS in offline mode if ldap search failed * IPA: Check RDN in ipa_add_ad_memberships_get_next * dp_ptask: Fix memory leak in synchronous ptask * test_be_ptask: Check leaks in tests Michal Židek (6): * NSS: do not skip cache check for netgroups * util: Continue if setlocale fails * server_setup: Log failed attempt to set locale * tests: Run intgcheck without libsemanage * tests: Regression test with wrong LC_ALL * GPO: log specific ini parse error messages Pavel Březina (37): * AD SRV: prefer site-local DCs in LDAP ping * SDAP: do not fail if refs are found but not processed * SDAP: Add request that iterates over all search bases * SDAP: rename sdap_get_id_specific_filter * SDAP: support empty filters in sdap_combine_filters() * SUDO: use sdap_search_bases instead custom sb iterator * SUDO: make sudo sysdb interface more reusable * SUDO: move code shared between ldap and ipa
to separate module * SUDO: allow to disable ptask * SUDO: fail on failed request that cannot be retry * IPA: add ipa_get_rdn and ipa_check_rdn * SDAP: use ipa_get_rdn() in nested groups * IPA SUDO: choose between IPA and LDAP schema * IPA SUDO: Add ipasudorule mapping * IPA SUDO: Add ipasudocmdgrp mapping * IPA SUDO: Add ipasudocmd mapping * IPA SUDO: Implement sudo handler * IPA SUDO: Implement full refresh * IPA SUDO: Implement rules refresh * IPA SUDO: Remember USN * SDAP: Add sdap_or_filters * IPA SUDO: Implement smart refresh * SUDO: sdap_sudo_set_usn() do not steal usn * SUDO: remove full_refresh_in_progress * SUDO: assume zero if usn is unknown * SUDO: allow disabling full refresh * SUDO: remember usn as number instead of string * SUDO: simplify usn filter * IPA SUDO: Add support for ipaSudoRunAsExt* attributes * sdap_connect_send: fail if uri or sockaddr is NULL * cache_req: simplify cache_req_cache_check() * cache_req: do not lookup views if possible * remove user certificate if not found on the server * IPA SUDO: download externalUser attribute * IPA SUDO: fix typo * IPA SUDO: support old ipasudocmd rdn * SUDO: be able to parse modifyTimestamp correctly Pavel Reichl (11): * sudo: remove unused param name in sdap_sudo_get_usn() * sudo: remove unused param. 
in ldap_get_sudo_options * IDMAP: Fix computing max id for slice range * IDMAP: New structure for domain range params * IDMAP: Add support for automatic adding of ranges * IDMAP: Fix minor memory leak * IDMAP: Man change for ldap_idmap_range_size option * NSS: Fix memory leak netgroup * IDMAP: Add test to validate off by one bug * SDAP: Add return code ERR_ACCOUNT_LOCKED * PAM: Pass account lockout status and display message Petr Cech (6): * KRB5: Adding DNS SRV lookup for krb5 provider * TOOLS: Fix memory leak after getline() failed * TOOLS: Add comments on functions in colondb * TEST_TOOLS_COLONDB: Add tests for sss_colondb_* * REFACTOR: umask(077) --> umask(SSS_DFL_X_UMASK) * REFACTOR: umask(0177) --> umask(SSS_DFL_UMASK) Stephen Gallagher (2): * GPO: Add Cockpit to the Remote Interactive defaults * GPO: Add other display managers to interactive logon Sumit Bose (20): * nfs idmap: fix infinite loop * Use right domain for user lookups * sdap_save_grpmem: determine domain by SID if possible * ipa_s2n_save_objects(): use configured user and group timeout * ldap: remove originalMeberOf if there is no memberOf * UTIL: allow to skip default options for child processes * DP_TASK: add be_ptask_get_timeout() * AD: add task to renew the machine account password if needed * FO: add fo_get_active_server() * FO: add be_fo_get_active_server_name() * AD: try to use current server in the renewal task * p11: add gnome-screensaver to list of allowed services * IPA: lookup idview name even if there is no master domain record * IPA: invalidate override data if original view is missing * sdap: improve filtering of multiple results in GC lookups * pam_sss: reorder pam_message array * sss_override: do not generate DN, search object * tools: read additional data of the master domain * sss_override: only add domain if name is not fully qualified * intg: local override for user with mixed case name From Tina.Caton at state.nm.us Thu Apr 14 17:59:56 2016 From: Tina.Caton at state.nm.us 
(Caton, Tina, CYFD) Date: Thu, 14 Apr 2016 17:59:56 +0000 Subject: [Freeipa-users] How To: Create Admin Account with all Permissions but the ability to Delete? Message-ID: As a policy we disable accounts, never delete accounts. We wish to create an Administrator account with Account Creation, Change and Disable Permissions - No Deletion Permissions. Is that possible? How would one do it? Thank you. Regards, Tina Caton From jeff.hallyburton at bloomip.com Fri Apr 15 01:53:23 2016 From: jeff.hallyburton at bloomip.com (Jeff Hallyburton) Date: Thu, 14 Apr 2016 21:53:23 -0400 Subject: [Freeipa-users] Servers intermittently losing connection to IPA Message-ID: We're seeing the following issue with our jump servers in a client environment: One (sometimes both) jump servers will fall back to local logins at regular intervals. This seems to happen for a brief period every 10 - 15 minutes. Once IPA access is restored the only indication of a problem in the logs is: Apr 14 18:09:25 jump01 [sssd[krb5_child[24814]]]: Generic error (see e-text) Apr 14 18:09:25 jump01 [sssd[krb5_child[24814]]]: Generic error (see e-text) (Fri Apr 8 01:06:25 2016) [sssd[be[example.com]]] [krb5_auth_store_creds] (0x0010): unsupported PAM command [249]. (Fri Apr 8 01:06:25 2016) [sssd[be[example.com]]] [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work. This doesn't shed much light on what's going on. Do you have any suggestions for troubleshooting? Jeff Hallyburton Strategic Systems Engineer Bloomip Inc. Web: http://www.bloomip.com Engineering Support: support at bloomip.com Billing Support: billing at bloomip.com Customer Support Portal: https://my.bloomip.com
From dkupka at redhat.com Fri Apr 15 06:30:51 2016 From: dkupka at redhat.com (David Kupka) Date: Fri, 15 Apr 2016 08:30:51 +0200 Subject: [Freeipa-users] How To: Create Admin Account with all Permissions but the ability to Delete? In-Reply-To: References: Message-ID: <57108A9B.90908@redhat.com> On 14/04/16 19:59, Caton, Tina, CYFD wrote: > As a policy we disable accounts, never delete accounts. > > We wish to create an Administrator account with Account Creation, Change and > Disable Permissions - No Deletion Permissions. Is that possible? How would one > do it? Thank you. > > Regards, > Tina Caton > > > Hello Tina, this can be done. FreeIPA uses RBAC (role based access control). On the lowest level there are individual permissions ($ ipa permission-find) which are just 389-ds ACIs (access control instructions). Then there are privileges ($ ipa privilege-find) that hold some set of permissions. Another layer consists of roles ($ ipa role-find) that can hold multiple privileges. Users and groups can be assigned a role ($ ipa role-add-member [--user ] [--group ]). What you need to do is to create a privilege (e.g. "Never delete user administrator") similar to "User Administrator", with the only difference being that it won't have the "System: Remove Users" permission, and then create a role very similar to "User Administrator" with the privilege "User Administrator" replaced with "Never delete user administrator". Then you can give this role to any user or group (don't forget to remove the original "User Administrator" role). Alternatively, if you're sure that no admin user in your deployment will ever need to delete a user, you can simply remove the "System: Remove Users" permission from the "User Administrator" privilege ($ ipa privilege-remove-permission "User Administrators" --permissions "System: Remove Users").
HTH, -- David Kupka From sbose at redhat.com Fri Apr 15 07:14:41 2016 From: sbose at redhat.com (Sumit Bose) Date: Fri, 15 Apr 2016 09:14:41 +0200 Subject: [Freeipa-users] Servers intermittently losing connection to IPA In-Reply-To: References: Message-ID: <20160415071441.GD16887@p.redhat.com> On Thu, Apr 14, 2016 at 09:53:23PM -0400, Jeff Hallyburton wrote: > We're seeing the following issue with our jump servers in a client > environment: > > One (sometimes both) jump servers will fall back to local logins at regular > intervals. This seems to happen for a brief period every 10 - 15 minutes. > Once IPA access is restored the only indication of a problem in the logs is: > > Apr 14 18:09:25 jump01 [sssd[krb5_child[24814]]]: Generic error (see > e-text) > Apr 14 18:09:25 jump01 [sssd[krb5_child[24814]]]: Generic error (see > e-text) > > (Fri Apr 8 01:06:25 2016) [sssd[be[example.com]]] [krb5_auth_store_creds] > (0x0010): unsupported PAM command [249]. > (Fri Apr 8 01:06:25 2016) [sssd[be[example.com]]] [krb5_auth_store_creds] > (0x0010): password not available, offline auth may not work. At least the messages from krb5_auth_store_creds() are unrelated. I will write a patch to silence these messages. I would expect that SSSD switches to offline mode for some reason. If you run SSSD with debug_level 8 or higher in the [domain/...] section you should see messages like 'Going offline!' which indicate the switching into the offline mode. The log lines before should help to identify the reason. HTH bye, Sumit > > > This doesn't shed much light on what's going on. Do you have any > suggestions for troubleshooting? > > Jeff Hallyburton > Strategic Systems Engineer > Bloomip Inc.
> Web: http://www.bloomip.com > > Engineering Support: support at bloomip.com > Billing Support: billing at bloomip.com > Customer Support Portal: https://my.bloomip.com > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project From mail at kilian-ries.de Fri Apr 15 08:14:32 2016 From: mail at kilian-ries.de (Kilian Ries) Date: Fri, 15 Apr 2016 08:14:32 +0000 Subject: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted In-Reply-To: <570FAD56.5000604@redhat.com> References: , <570E554F.7050109@redhat.com> , <570FAD56.5000604@redhat.com> Message-ID: Hi, on auth01 I see the following error just before installation fails: [14/Apr/2016:15:57:09 +0200] - database index operation failed BAD 1031, err=9999 Unknown error 9999 [14/Apr/2016:15:57:09 +0200] - add: attempt to index 625 failed; rc=9999 [14/Apr/2016:15:57:09 +0200] - str2entry_fast: entry has no dn [14/Apr/2016:15:57:09 +0200] id2entry - str2entry returned NULL for id 252, string="" [14/Apr/2016:15:57:09 +0200] - dn2entry_ext: the dn "krbprincipalname=ldap/auth02.intern.eu at INTERN.EU,cn=services,cn=accounts,dc=intern,dc=eu" was in the entryrdn index, but it did not exist in id2entry of instance userRoot. [14/Apr/2016:15:57:09 +0200] entryrdn-index - _entryrdn_insert_key: Same DN (dn: krbprincipalname=ldap/auth02.intern.eu at INTERN.EU,cn=services,cn=accounts,dc=intern,dc=eu) is already in the entryrdn file with different ID 252. Expected ID is 625.
[14/Apr/2016:15:57:09 +0200] - database index operation failed BAD 1031, err=9999 Unknown error 9999 [14/Apr/2016:15:57:09 +0200] - add: attempt to index 625 failed; rc=9999 [14/Apr/2016:15:57:19 +0200] - str2entry_fast: entry has no dn [14/Apr/2016:15:57:19 +0200] id2entry - str2entry returned NULL for id 252, string="" [14/Apr/2016:15:57:21 +0200] - str2entry_fast: entry has no dn [14/Apr/2016:16:02:01 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://auth02.intern.eu:389/o%3Dipaca) failed. Greets Kilian ________________________________________ From: freeipa-users-bounces at redhat.com on behalf of Ludwig Krispenz Sent: Thursday, 14 April 2016 16:46 To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted On 04/14/2016 04:19 PM, Kilian Ries wrote: > Hello Rob, > > thanks for your explanations. I followed your hints and did a complete uninstall and started over with a fresh installation. I ended up with exactly the same error as the first time... > > I did the following steps: > > > auth01$ ipa-replica-manage del auth02 > > auth02$ ipa-server-install --uninstall > > auth01$ ipa-replica-prepare --ip-address 192.168.210.181 auth02.intern.eu > > auth02$ ipa-replica-install --setup-dns --setup-ca --forwarder 192.168.210.40 /root/replica-info-auth02.intern.eu.gpg > > > Are there other logfiles I can check for more specific errors? You should have a look at the DS error logs in /var/log/dirsrv on both instances > > Greets > Kilian > > ________________________________________ > From: Rob Crittenden > Sent: Wednesday, 13 April 2016 16:18 > To: Kilian Ries; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted > > Kilian Ries wrote: >> Does nobody have an idea what's the problem here?
> TL;DR you are best off deleting this failed replica install and trying > again. > > Initial replication is done over TLS. When replication is completed both > sides of the agreement are converted to using GSSAPI and both ldap > principals are needed to do this. Given that replication just completed > both principals should be available but rarely one is not (hence the > vague-ish error message). > > In this case the new ldap principal for the new replica wasn't found on > the remote master so things blew up. > > There is no continuing the installation after this type of failure so > you'll need to remove the failed install as a master on auth01 > (ipa-replica-manage del auth02...) and then run ipa-server-install > --uninstall on auth02 and try again. > > rob > >> >> Thanks >> >> Kilian >> >> >> >> ------------------------------------------------------------------------ >> *From:* freeipa-users-bounces at redhat.com >> on behalf of Kilian Ries >> >> *Sent:* Wednesday, 6 April 2016 10:41 >> *To:* freeipa-users at redhat.com >> *Subject:* [Freeipa-users] Error setting up Replication: ldap service >> principals is missing. Replication agreement cannot be converted >> >> Hello, >> >> >> I have an existing FreeIPA installation (4.2.0) on CentOS 7.2 and I'm >> trying to add a replication partner. >> >> >> During the installation I got the following error: >> >> >> ### >> >> Restarting the directory and certificate servers >> >> Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds >> >> [1/8]: adding sasl mappings to the directory >> >> [2/8]: configuring KDC >> >> [3/8]: creating a keytab for the directory >> >> [4/8]: creating a keytab for the machine >> >> [5/8]: adding the password extension to the directory >> >> [6/8]: enable GSSAPI for replication >> >> [error] RuntimeError: One of the ldap service principals is missing. >> Replication agreement cannot be converted. >> >> Your system may be partly configured.
>> >> Run /usr/sbin/ipa-server-install --uninstall to clean up. >> >> >> ipa.ipapython.install.cli.install_tool(Replica): ERROR One of the >> ldap service principals is missing. Replication agreement cannot be >> converted. >> >> ### >> >> >> >> The installation Log shows the following: >> >> >> >> ### >> >> 2016-04-06T08:22:34Z INFO Getting ldap service principals for >> conversion: (krbprincipalname=ldap/auth02.intern.eu at INTERN.EU) and >> (krbprincipalname=ldap/auth01.intern.eu at INTERN.EU) >> >> 2016-04-06T08:22:34Z DEBUG Unable to find entry for >> (krbprincipalname=ldap/auth02.intern.eu at INTERN.EU) on auth01.intern.eu:636 >> >> 2016-04-06T08:22:34Z INFO Setting agreement >> cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping >> tree,cn=config schedule to 2358-2359 0 to force synch >> >> 2016-04-06T08:22:35Z INFO Deleting schedule 2358-2359 0 from agreement >> cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping >> tree,cn=config >> >> 2016-04-06T08:22:36Z INFO Replication Update in progress: FALSE: status: >> 0 Replica acquired successfully: Incremental update succeeded: start: 0: >> end: 0 >> >> 2016-04-06T08:22:36Z DEBUG Traceback (most recent call last): >> >> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >> line 418, in start_creation >> >> run_step(full_msg, method) >> >> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >> line 408, in run_step >> >> method() >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", >> line 438, in __convert_to_gssapi_replication >> >> r_bindpw=self.dm_password) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >> line 1104, in convert_to_gssapi_replication >> >> self.gssapi_update_agreements(self.conn, r_conn) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >> line 797, in gssapi_update_agreements >> >> 
self.setup_krb_princs_as_replica_binddns(a, b) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >> line 767, in setup_krb_princs_as_replica_binddns >> >> (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >> line 751, in get_replica_principal_dns >> >> raise RuntimeError(error) >> >> RuntimeError: One of the ldap service principals is missing. Replication >> agreement cannot be converted. >> >> >> 2016-04-06T08:22:36Z DEBUG [error] RuntimeError: One of the ldap >> service principals is missing. Replication agreement cannot be converted. >> >> 2016-04-06T08:22:36Z DEBUG File >> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in >> execute >> >> return_value = self.run() >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", >> line 311, in run >> >> cfgr.run() >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 281, in run >> >> self.execute() >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 303, in execute >> >> for nothing in self._executor(): >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 343, in __runner >> >> self._handle_exception(exc_info) >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 365, in _handle_exception >> >> util.raise_exc_info(exc_info) >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 333, in __runner >> >> step() >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >> line 87, in run_generator_with_yield_from >> >> raise_exc_info(exc_info) >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >> line 65, in run_generator_with_yield_from >> >> value = gen.send(prev_value) >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 524, in _configure >> >> 
executor.next() >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 343, in __runner >> >> self._handle_exception(exc_info) >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 421, in _handle_exception >> >> self.__parent._handle_exception(exc_info) >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 365, in _handle_exception >> >> util.raise_exc_info(exc_info) >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 418, in _handle_exception >> >> super(ComponentBase, self)._handle_exception(exc_info) >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 365, in _handle_exception >> >> util.raise_exc_info(exc_info) >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 333, in __runner >> >> step() >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >> line 87, in run_generator_with_yield_from >> >> raise_exc_info(exc_info) >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >> line 65, in run_generator_with_yield_from >> >> value = gen.send(prev_value) >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", >> line 63, in _install >> >> for nothing in self._installer(self.parent): >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", >> line 879, in main >> >> install(self) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", >> line 295, in decorated >> >> func(installer) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", >> line 586, in install >> >> krb = install_krb(config, setup_pkinit=not options.no_pkinit) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", >> line 93, in install_krb >> >> setup_pkinit, pkcs12_info) >> >> File >> 
"/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", >> line 214, in create_replica >> >> self.start_creation(runtime=30) >> >> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >> line 418, in start_creation >> >> run_step(full_msg, method) >> >> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >> line 408, in run_step >> >> method() >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", >> line 438, in __convert_to_gssapi_replication >> >> r_bindpw=self.dm_password) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >> line 1104, in convert_to_gssapi_replication >> >> self.gssapi_update_agreements(self.conn, r_conn) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >> line 797, in gssapi_update_agreements >> >> self.setup_krb_princs_as_replica_binddns(a, b) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >> line 767, in setup_krb_princs_as_replica_binddns >> >> (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >> line 751, in get_replica_principal_dns >> >> raise RuntimeError(error) >> >> >> 2016-04-06T08:22:36Z DEBUG The ipa-replica-install command failed, >> exception: RuntimeError: One of the ldap service principals is missing. >> Replication agreement cannot be converted. >> >> 2016-04-06T08:22:36Z ERROR One of the ldap service principals is >> missing. Replication agreement cannot be converted. >> >> ### >> >> >> >> Can anybody help me? 
>> >> >> Thanks >> >> Greets >> >> Kilian >> >> >> From harald.dunkel at aixigo.de Fri Apr 15 09:42:38 2016 From: harald.dunkel at aixigo.de (Harald Dunkel) Date: Fri, 15 Apr 2016 11:42:38 +0200 Subject: [Freeipa-users] ipa -v ping lies about the cert database Message-ID: Hi folks, If I run "kinit admin; ipa -v ping" as a regular user, then I get ipa: INFO: trying https://ipa2.example.com/ipa/json ipa: INFO: Connection to https://ipa2.example.com/ipa/json failed with (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format. ipa: INFO: trying https://ipa1.example.com/ipa/json ipa: INFO: Connection to https://ipa1.example.com/ipa/json failed with (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format. ipa: ERROR: cannot connect to 'any of the configured servers': https://ipa2.example.com/ipa/json, https://ipa1.example.com/ipa/json Using root there is no problem. Obviously this is a Unix access problem, not an old database. I would like to avoid running maintenance scripts as root, if possible. The error message doesn't include any path information, so I wonder how I can fix the access problem without opening the system too wide? Every helpful hint is highly appreciated Harri From lkrispen at redhat.com Fri Apr 15 10:31:00 2016 From: lkrispen at redhat.com (Ludwig Krispenz) Date: Fri, 15 Apr 2016 12:31:00 +0200 Subject: [Freeipa-users] Error setting up Replication: ldap service principals is missing.
Replication agreement cannot be converted
In-Reply-To: References: , <570E554F.7050109@redhat.com> , <570FAD56.5000604@redhat.com>
Message-ID: <5710C2E4.5050507@redhat.com>

On 04/15/2016 10:14 AM, Kilian Ries wrote:
> Hi,
>
> on auth01 I see the following error just before installation fails:
>
> [14/Apr/2016:15:57:09 +0200] - database index operation failed BAD 1031, err=9999 Unknown error 9999
> [14/Apr/2016:15:57:09 +0200] - add: attempt to index 625 failed; rc=9999
> [14/Apr/2016:15:57:09 +0200] - str2entry_fast: entry has no dn
> [14/Apr/2016:15:57:09 +0200] id2entry - str2entry returned NULL for id 252, string=""
> [14/Apr/2016:15:57:09 +0200] - dn2entry_ext: the dn "krbprincipalname=ldap/auth02.intern.eu at INTERN.EU,cn=services,cn=accounts,dc=intern,dc=eu" was in the entryrdn index, but it did not exist in id2entry of instance userRoot.
> [14/Apr/2016:15:57:09 +0200] entryrdn-index - _entryrdn_insert_key: Same DN (dn: krbprincipalname=ldap/auth02.intern.eu at INTERN.EU,cn=services,cn=accounts,dc=intern,dc=eu) is already in the entryrdn file with different ID 252. Expected ID is 625.
> [14/Apr/2016:15:57:09 +0200] - database index operation failed BAD 1031, err=9999 Unknown error 9999
> [14/Apr/2016:15:57:09 +0200] - add: attempt to index 625 failed; rc=9999
> [14/Apr/2016:15:57:19 +0200] - str2entry_fast: entry has no dn
> [14/Apr/2016:15:57:19 +0200] id2entry - str2entry returned NULL for id 252, string=""
> [14/Apr/2016:15:57:21 +0200] - str2entry_fast: entry has no dn

this looks like a database/index corruption. There are traces for the ldap principal for auth02 in the database, but the index and the database are inconsistent.
you can try to reindex the database and see if this helps:

db2index.pl -D ... -w .. -Z -t entryrdn   # only this index
or
db2index.pl -D ... -w .. -Z               # full reindex

>
> [14/Apr/2016:16:02:01 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://auth02.intern.eu:389/o%3Dipaca) failed.
>
> Greets
> Kilian
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com on behalf of Ludwig Krispenz
> Sent: Thursday, 14 April 2016 16:46
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted
>
> On 04/14/2016 04:19 PM, Kilian Ries wrote:
>> Hello Rob,
>>
>> thanks for your explanations. I followed your hints and did a complete uninstall and started over with a fresh installation. I ended up with exactly the same error as the first time...
>>
>> I did the following steps:
>>
>> auth01$ ipa-replica-manage del auth02
>>
>> auth02$ ipa-server-install --uninstall
>>
>> auth01$ ipa-replica-prepare --ip-address 192.168.210.181 auth02.intern.eu
>>
>> auth02$ ipa-replica-install --setup-dns --setup-ca --forwarder 192.168.210.40 /root/replica-info-auth02.intern.eu.gpg
>>
>> Are there other logfiles I can check for more specific errors?
> you should have a look at the DS error logs in /var/log/dirsrv on both
> instances
>> Greets
>> Kilian
>>
>> ________________________________________
>> From: Rob Crittenden
>> Sent: Wednesday, 13 April 2016 16:18
>> To: Kilian Ries; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted
>>
>> Kilian Ries wrote:
>>> Does nobody have an idea what's the problem here?
>> TL;DR you are best off deleting this failed replica install and trying
>> again.
>>
>> Initial replication is done over TLS. When replication is completed both
>> sides of the agreement are converted to using GSSAPI and both ldap
>> principals are needed to do this. Given that replication just completed
>> both principals should be available but rarely one is not (hence the
>> vague-ish error message).
>>
>> In this case the new ldap principal for the new replica wasn't found on
>> the remote master so things blew up.
>>
>> There is no continuing the installation after this type of failure so
>> you'll need to remove the failed install as a master on auth01
>> (ipa-replica-manage del auth02...) and then run ipa-server-install
>> --uninstall on auth02 and try again.
>>
>> rob
>>
>>> Thanks
>>>
>>> Kilian
>>>
>>> ------------------------------------------------------------------------
>>> *From:* freeipa-users-bounces at redhat.com
>>> on behalf of Kilian Ries
>>> *Sent:* Wednesday, 6 April 2016 10:41
>>> *To:* freeipa-users at redhat.com
>>> *Subject:* [Freeipa-users] Error setting up Replication: ldap service
>>> principals is missing. Replication agreement cannot be converted
>>>
>>> Hello,
>>>
>>> I have an existing FreeIPA installation (4.2.0) on CentOS 7.2 and I'm
>>> trying to add a replication partner.
>>>
>>> During the installation I got the following error:
>>>
>>> ###
>>> Restarting the directory and certificate servers
>>> Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
>>> [1/8]: adding sasl mappings to the directory
>>> [2/8]: configuring KDC
>>> [3/8]: creating a keytab for the directory
>>> [4/8]: creating a keytab for the machine
>>> [5/8]: adding the password extension to the directory
>>> [6/8]: enable GSSAPI for replication
>>> [error] RuntimeError: One of the ldap service principals is missing.
>>> Replication agreement cannot be converted.
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>
>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR One of the
>>> ldap service principals is missing. Replication agreement cannot be
>>> converted.
>>> ###
>>>
>>> The installation log shows the following:
>>>
>>> ###
>>> 2016-04-06T08:22:34Z INFO Getting ldap service principals for
>>> conversion: (krbprincipalname=ldap/auth02.intern.eu at INTERN.EU) and
>>> (krbprincipalname=ldap/auth01.intern.eu at INTERN.EU)
>>>
>>> 2016-04-06T08:22:34Z DEBUG Unable to find entry for
>>> (krbprincipalname=ldap/auth02.intern.eu at INTERN.EU) on auth01.intern.eu:636
>>>
>>> 2016-04-06T08:22:34Z INFO Setting agreement
>>> cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping
>>> tree,cn=config schedule to 2358-2359 0 to force synch
>>>
>>> 2016-04-06T08:22:35Z INFO Deleting schedule 2358-2359 0 from agreement
>>> cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping
>>> tree,cn=config
>>>
>>> 2016-04-06T08:22:36Z INFO Replication Update in progress: FALSE: status:
>>> 0 Replica acquired successfully: Incremental update succeeded: start: 0:
>>> end: 0
>>>
>>> 2016-04-06T08:22:36Z DEBUG Traceback (most recent call last):
>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
>>> run_step(full_msg, method)
>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
>>> method()
>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 438, in __convert_to_gssapi_replication
>>> r_bindpw=self.dm_password)
>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1104, in convert_to_gssapi_replication
>>> self.gssapi_update_agreements(self.conn, r_conn)
>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 797, in gssapi_update_agreements
>>> self.setup_krb_princs_as_replica_binddns(a, b)
>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 767, in
setup_krb_princs_as_replica_binddns
>>> (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100)
>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 751, in get_replica_principal_dns
>>> raise RuntimeError(error)
>>> RuntimeError: One of the ldap service principals is missing. Replication
>>> agreement cannot be converted.
>>>
>>> 2016-04-06T08:22:36Z DEBUG [error] RuntimeError: One of the ldap
>>> service principals is missing. Replication agreement cannot be converted.
>>>
>>> 2016-04-06T08:22:36Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>> return_value = self.run()
>>> File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, in run
>>> cfgr.run()
>>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 281, in run
>>> self.execute()
>>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 303, in execute
>>> for nothing in self._executor():
>>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
>>> self._handle_exception(exc_info)
>>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
>>> util.raise_exc_info(exc_info)
>>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
>>> step()
>>> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
>>> raise_exc_info(exc_info)
>>> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
>>> value = gen.send(prev_value)
>>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 524, in _configure
>>> executor.next()
>>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>>> line 343, in __runner
>>> self._handle_exception(exc_info)
>>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in _handle_exception
>>> self.__parent._handle_exception(exc_info)
>>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
>>> util.raise_exc_info(exc_info)
>>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in _handle_exception
>>> super(ComponentBase, self)._handle_exception(exc_info)
>>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
>>> util.raise_exc_info(exc_info)
>>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
>>> step()
>>> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
>>> raise_exc_info(exc_info)
>>> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
>>> value = gen.send(prev_value)
>>> File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
>>> for nothing in self._installer(self.parent):
>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 879, in main
>>> install(self)
>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 295, in decorated
>>> func(installer)
>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 586, in install
>>> krb = install_krb(config, setup_pkinit=not options.no_pkinit)
>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 93, in install_krb
>>> setup_pkinit, pkcs12_info)
>>> File
"/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 214, in create_replica
>>> self.start_creation(runtime=30)
>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
>>> run_step(full_msg, method)
>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
>>> method()
>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 438, in __convert_to_gssapi_replication
>>> r_bindpw=self.dm_password)
>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1104, in convert_to_gssapi_replication
>>> self.gssapi_update_agreements(self.conn, r_conn)
>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 797, in gssapi_update_agreements
>>> self.setup_krb_princs_as_replica_binddns(a, b)
>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 767, in setup_krb_princs_as_replica_binddns
>>> (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100)
>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 751, in get_replica_principal_dns
>>> raise RuntimeError(error)
>>>
>>> 2016-04-06T08:22:36Z DEBUG The ipa-replica-install command failed,
>>> exception: RuntimeError: One of the ldap service principals is missing.
>>> Replication agreement cannot be converted.
>>>
>>> 2016-04-06T08:22:36Z ERROR One of the ldap service principals is
>>> missing. Replication agreement cannot be converted.
>>>
>>> ###
>>>
>>> Can anybody help me?
>>>
>>> Thanks
>>>
>>> Greets
>>>
>>> Kilian
>>>

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill

From harald.dunkel at aixigo.de Fri Apr 15 11:31:23 2016
From: harald.dunkel at aixigo.de (Harald Dunkel)
Date: Fri, 15 Apr 2016 13:31:23 +0200
Subject: [Freeipa-users] howto ldapsearch for disabled/enabled users?
Message-ID:

Hi folks,

I have no luck with the ipa cli, so I wonder if it is possible to ldapsearch for disabled or enabled users? A command line like

ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=com uid=somebody

doesn't show :-(.

Every helpful hint is highly welcome
Harri

From dkupka at redhat.com Fri Apr 15 12:15:28 2016
From: dkupka at redhat.com (David Kupka)
Date: Fri, 15 Apr 2016 14:15:28 +0200
Subject: [Freeipa-users] ipa -v ping lies about the cert database
In-Reply-To: References: Message-ID: <5710DB60.7070508@redhat.com>

On 15/04/16 11:42, Harald Dunkel wrote:
> Hi folks,
>
> If I run "kinit admin; ipa -v ping" as a regular user, then I get
>
> ipa: INFO: trying https://ipa2.example.com/ipa/json
> ipa: INFO: Connection to https://ipa2.example.com/ipa/json failed with (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.
> ipa: INFO: trying https://ipa1.example.com/ipa/json
> ipa: INFO: Connection to https://ipa1.example.com/ipa/json failed with (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.
> ipa: ERROR: cannot connect to 'any of the configured servers': https://ipa2.example.com/ipa/json, https://ipa1.example.com/ipa/json
>
> Using root there is no problem. Obviously this is a Unix
> access problem, not an old database.
>
> I would like to avoid running maintenance scripts as root,
> if possible. The error message doesn't include any path
> information, so I wonder how I can fix the access problem
> without opening the system too wide?
>
> Every helpful hint is highly appreciated
> Harri
>

Hello Harri,

the FreeIPA certificate database is stored in /etc/ipa/nssdb, by default the permissions are set to:

$ ls -dl /etc/ipa/nssdb/
drwxr-xr-x. 2 root root 73 Apr 15 14:00 /etc/ipa/nssdb/

$ ls -l /etc/ipa/nssdb/
total 80
-rw-r--r--. 1 root root 65536 Apr 15 14:00 cert8.db
-rw-r--r--. 1 root root 16384 Apr 15 14:00 key3.db
-rw-------. 1 root root    40 Apr 15 14:00 pwdfile.txt
-rw-r--r--. 1 root root 16384 Apr 15 14:00 secmod.db

Please check the permission on your system. If it's different and you (or system admin) haven't changed it please file a ticket (https://fedorahosted.org/freeipa/newticket).

--
David Kupka

From dkupka at redhat.com Fri Apr 15 13:11:55 2016
From: dkupka at redhat.com (David Kupka)
Date: Fri, 15 Apr 2016 15:11:55 +0200
Subject: [Freeipa-users] howto ldapsearch for disabled/enabled users?
In-Reply-To: References: Message-ID: <5710E89B.6030109@redhat.com>

On 15/04/16 13:31, Harald Dunkel wrote:
> Hi folks,
>
> I have no luck with the ipa cli, so I wonder if it is
> possible to ldapsearch for disabled or enabled users?
> A command line like
>
> ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=com uid=somebody
>
> doesn't show :-(.
>
> Every helpful hint is highly welcome
> Harri
>

Hello Harri,

the attribute you're looking for is 'nsaccountlock'. This command should give you uids of all disabled users:

$ ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=test "(nsaccountlock=TRUE)" uid

--
David Kupka

From harald.dunkel at aixigo.de Fri Apr 15 13:16:04 2016
From: harald.dunkel at aixigo.de (Harald Dunkel)
Date: Fri, 15 Apr 2016 15:16:04 +0200
Subject: [Freeipa-users] ipa -v ping lies about the cert database
In-Reply-To: <5710DB60.7070508@redhat.com>
References: <5710DB60.7070508@redhat.com>
Message-ID:

Hi David,

> Hello Harri,
>
> the FreeIPA certificate database is stored in /etc/ipa/nssdb, by default the permissions are set to:
>
> $ ls -dl /etc/ipa/nssdb/
> drwxr-xr-x. 2 root root 73 Apr 15 14:00 /etc/ipa/nssdb/
>
> $ ls -l /etc/ipa/nssdb/
> total 80
> -rw-r--r--. 1 root root 65536 Apr 15 14:00 cert8.db
> -rw-r--r--. 1 root root 16384 Apr 15 14:00 key3.db
> -rw-------. 1 root root    40 Apr 15 14:00 pwdfile.txt
> -rw-r--r--. 1 root root 16384 Apr 15 14:00 secmod.db
>
> Please check the permission on your system. If it's different and you (or system admin) haven't changed it please file a ticket (https://fedorahosted.org/freeipa/newticket).
>

Sorry, I should have mentioned that the client runs Debian with freeipa 4.0.5.

# ls -al /etc/ipa/
total 24
drwxr-xr-x   2 root root  4096 Dec 29 08:32 .
drwxr-xr-x 190 root root 12288 Apr 15 12:44 ..
-rw-r--r--   1 root root  1792 Dec 29 08:32 ca.crt
-rw-r--r--   1 root root   194 Dec 29 08:32 default.conf

No nssdb. AFAICS only the ipa servers in my lan have a directory /etc/ipa/nssdb (CentOS 7). On the clients I can see a cert8.db in /etc/pki/nssdb. Looking at the time stamp it seems to be related to freeipa.

# ls -al /etc/pki/nssdb/
total 76
drwxr-xr-x 2 root root  4096 Dec 29 08:32 .
drwxr-xr-x 3 root root  4096 Dec 28 16:09 ..
-rw------- 1 root root 65536 Dec 29 08:32 cert8.db
-rw------- 1 root root 16384 Dec 29 08:32 key3.db
-rw------- 1 root root 16384 Dec 29 08:32 secmod.db

No pwdfile.txt. I would guess the key database has been created with --empty-password.

Does this look familiar, or is this misconfigured and weird? Sorry for asking stupid questions, but the setup in my lan is all I have. I have never had a chance to see another freeipa installation. Hope you don't mind?

Regards
Harri

From natxo.asenjo at gmail.com Fri Apr 15 13:18:25 2016
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Fri, 15 Apr 2016 15:18:25 +0200
Subject: [Freeipa-users] howto ldapsearch for disabled/enabled users?
In-Reply-To: References: Message-ID:

hi Harald,

On Fri, Apr 15, 2016 at 1:31 PM, Harald Dunkel wrote:
> Hi folks,
>
> I have no luck with the ipa cli, so I wonder if it is
> possible to ldapsearch for disabled or enabled users?
> A command line like
>
> ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=com
> uid=somebody
>
> doesn't show :-(.

I just tested using the public demo1.freeipa.org instance and it works using the 'hidden' nsaccountlock attribute:

$ ldapsearch -LLL -Y GSSAPI -h ipa.demo1.freeipa.org -b cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org "(nsaccountlock=TRUE)" uid
SASL/GSSAPI authentication started
SASL username: helpdesk at DEMO1.FREEIPA.ORG
SASL SSF: 56
SASL data security layer installed.
dn: uid=test,cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org
uid: test

dn: uid=bladibla,cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org
uid: bladibla

I found out about the nsaccountlock in https://www.mail-archive.com/search?l=freeipa-devel at redhat.com&q=subject:%22Re\%3A+\[Freeipa\-devel\]+User+status%22&o=newest&f=1
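An added example, not part of the thread or of FreeIPA itself, that ties David Kupka's and Natxo Asenjo's answers above together in POSIX shell: derive the users container DN from a DNS domain, build the filter for either account state, assemble the read-only query, and parse the LDIF that `ldapsearch -LLL` prints. The sample LDIF is constructed to match the shape of Natxo's demo1.freeipa.org output; all function names are mine; the "enabled" filter rests on an assumption the thread does not spell out, namely that a freshly created user carries no nsaccountlock attribute at all (and a re-enabled one carries FALSE), so "enabled" must be written as the negation of TRUE rather than as nsaccountlock=FALSE.

```shell
#!/bin/sh
# Added example (not from the thread): ldapsearch inputs for enabled/disabled
# FreeIPA users, plus a parser for the LDIF that comes back.

# Turn a DNS domain into the users container DN used with ldapsearch -b.
users_base() {
    printf 'cn=users,cn=accounts'
    # trailing newline matters: "read" would otherwise drop the last label
    printf '%s\n' "$1" | tr '.' '\n' | while read -r label; do
        printf ',dc=%s' "$label"
    done
    echo
}

# LDAP filter for the requested account state.
# Assumption: enabled users may lack nsaccountlock entirely, hence the negation.
ipa_user_filter() {
    case $1 in
        disabled) echo '(nsaccountlock=TRUE)' ;;
        enabled)  echo '(!(nsaccountlock=TRUE))' ;;
        *) echo "usage: ipa_user_filter enabled|disabled" >&2; return 2 ;;
    esac
}

# Assemble the full read-only query as a string (printed, not executed, so the
# example runs offline; GSSAPI bind needs a kinit first, as in the thread).
ipa_user_search_cmd() {
    state=$1; domain=$2
    printf 'ldapsearch -LLL -Y GSSAPI -b %s "%s" uid nsaccountlock\n' \
        "$(users_base "$domain")" "$(ipa_user_filter "$state")"
}

# Extract uid values from -LLL LDIF on stdin, one per line.
uids_from_ldif() {
    awk '$1 == "uid:" { print $2 }'
}

# Constructed sample, shaped like Natxo's demo1.freeipa.org result (with the
# nsaccountlock attribute requested as well).
SAMPLE_LDIF='dn: uid=test,cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org
uid: test
nsaccountlock: TRUE

dn: uid=bladibla,cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org
uid: bladibla
nsaccountlock: TRUE'

# Number of uids in an LDIF string (a return value rather than just output).
count_uids() {
    printf '%s\n' "$1" | uids_from_ldif | wc -l | tr -d ' '
}

# Stand-alone demo.
echo "disabled users query: $(ipa_user_search_cmd disabled demo1.freeipa.org)"
echo "enabled users query:  $(ipa_user_search_cmd enabled demo1.freeipa.org)"
echo "uids in sample:"
printf '%s\n' "$SAMPLE_LDIF" | uids_from_ldif
```

Requesting `nsaccountlock` alongside `uid` in the attribute list makes it obvious in the output which entries carry the attribute and which do not, which is what trips people up when they try `nsaccountlock=FALSE` for enabled accounts.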
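Returning to Harald's SEC_ERROR_LEGACY_DATABASE thread above, here is an added example (not from the thread and not FreeIPA's own code) that checks an NSS database directory the way a non-root `ipa -v ping` experiences it: it compares the file modes against the default listing David Kupka posted, and reports the database flavour from the file names present. It follows the thread's working theory that an unreadable cert8.db/key3.db surfaces as that misleading error; the function names and the two throwaway directories built in `demo` (one with the server's 0644 files, one with the Debian client's 0600 files) are mine.

```shell
#!/bin/sh
# Added example (not from the thread): classify an NSS db directory and flag
# files a regular user cannot open. Uses only ls/cut so it works on any Unix.

# Ten-character mode string (e.g. -rw-r--r--) of a path.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Database flavour from the files present: "dbm" (cert8.db/key3.db, the
# legacy format NSS opens by default), "sql" (cert9.db/key4.db) or "none".
nssdb_format() {
    dir=$1
    if [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ]; then
        echo dbm
    elif [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ]; then
        echo sql
    else
        echo none
    fi
}

# Check that the shared db files are readable by "other", as in the default
# listing in the thread (pwdfile.txt deliberately stays 0600: only root needs
# the db password). Prints one line per file; returns 0 when every shared
# file is world-readable, 1 otherwise.
nssdb_check() {
    dir=$1
    rc=0
    for f in cert8.db key3.db secmod.db; do
        if [ ! -e "$dir/$f" ]; then
            echo "MISSING  $dir/$f"
            rc=1
            continue
        fi
        m=$(mode_of "$dir/$f")
        # character 8 of the mode string is the "other" read bit
        if [ "$(printf '%s' "$m" | cut -c8)" = r ]; then
            echo "ok       $m $dir/$f"
        else
            echo "NOREAD   $m $dir/$f  (non-root users cannot open this file)"
            rc=1
        fi
    done
    return $rc
}

# Constructed demo: two throwaway directories mirroring the two listings in
# the thread (server default 0644 versus the Debian client's 0600).
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/server" "$tmp/client"
    for f in cert8.db key3.db secmod.db; do
        : > "$tmp/server/$f"; chmod 644 "$tmp/server/$f"
        : > "$tmp/client/$f"; chmod 600 "$tmp/client/$f"
    done
    : > "$tmp/server/pwdfile.txt"; chmod 600 "$tmp/server/pwdfile.txt"
    echo "== server ($(nssdb_format "$tmp/server") db, expected: ok)"
    nssdb_check "$tmp/server" || true
    echo "== client ($(nssdb_format "$tmp/client") db, expected: NOREAD)"
    nssdb_check "$tmp/client" || true
    rm -rf "$tmp"
}

demo
```

Run it against the real directory with `nssdb_check /etc/pki/nssdb` (or `/etc/ipa/nssdb` on a server); a NOREAD line points at the file to open up with `chmod o+r`, which is narrower than running the maintenance script as root.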
From Dennis.Ott at mckesson.com Fri Apr 15 13:51:40 2016
From: Dennis.Ott at mckesson.com (Ott, Dennis)
Date: Fri, 15 Apr 2016 13:51:40 +0000
Subject: [Freeipa-users] 7.x replica install from 6.x master fails
In-Reply-To: References: <56FA5C2F.3070200@redhat.com> <570674EC.1060204@redhat.com>
Message-ID:

Looks like we're out of ideas. I'll proceed with Plan B.

-----Original Message-----
From: Ott, Dennis
Sent: Monday, April 11, 2016 12:27 PM
To: Ott, Dennis; Petr Vobornik; Freeipa-users at redhat.com
Subject: RE: [Freeipa-users] 7.x replica install from 6.x master fails

As a test, I attempted to do a replica install on a Fedora 23 machine. It fails with the same error.

Dennis

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ott, Dennis
Sent: Thursday, April 07, 2016 5:39 PM
To: Petr Vobornik; Freeipa-users at redhat.com
Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails

It doesn't look like that is my problem.
The output of pki-server ca-group-member-find "Subsystem Group" gives:

User ID: CA-ptipa1.example.com-9443
Common Name: CA-ptipa1.example.com-9443
Surname: CA-ptipa1.example.com-9443
Type: agentType
Description: 2;4;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM
E-mail:

All the certs seem valid:

# getcert list | grep expires
expires: 2017-07-18 00:55:14 UTC
expires: 2017-07-18 00:54:14 UTC
expires: 2017-07-18 00:54:14 UTC
expires: 2017-07-18 00:54:14 UTC
expires: 2017-07-18 00:54:14 UTC
expires: 2017-08-09 00:54:19 UTC
expires: 2017-08-09 00:54:19 UTC
expires: 2017-08-09 00:54:21 UTC
#

I was wondering if I might be hitting this:
http://cp.mcafee.com/d/1jWVIi6x8SyMVuXzX0VMSrhhjhupjvvhdEEFELcFKcECPpISHoHZalxOVIsWqehMGDpMQsyGeWOPtfhktZy0GM-xEGYCXslsttJtVNxeSICPpISr9PCJhbctZ2It9RFfQe00UX7_AJKjBoHYYvhjd79IQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoalIl-BaMVsQv6QmhPPzNI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
http://cp.mcafee.com/d/5fHCNEg3zqb3BXKfI3D3pJ55d5VBdZZ4SyyCyYOCUOyrdCPqJyLQFm7bCNPFEV72GtD3hOaEXHbdQZ5hTS82H3W6yHOrJNlNRSRTD64XqOrdCPpIDeqR4INTQaNQDmA_gU03yNmmjBoHYYhod7bVIQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoalIl-BaMVsQv6QmhPPzNI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh

It says it is fixed in pki 10.2.6. 10.2.6 has been released for Fedora (many months ago), but is not yet available for enterprise.

Dennis

-----Original Message-----
From: Petr Vobornik [mailto:pvoborni at redhat.com]
Sent: Thursday, April 07, 2016 10:56 AM
To: Ott, Dennis; Freeipa-users at redhat.com
Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails

Sorry for the late response.
It looks like a bug http://cp.mcafee.com/d/1jWVIe4xAe3zqb3BXInd7b1EVdCQkkQnCkTTQjqaaqbParza9ISrdGSa_iBosKr7eLqaEF-waI47nQ7LQl8m7f2H3ab0Ggvhv5mtKqek4Q4hPEVwSrdCPpesRG9px1IyaiffTE-wjSvbVgDkMaA6Of08iAwsyCqekhP0US5LD4Qg1CF2IoiaCy0Qub6qAaNx85hZ0DI-nd7NJ5CZNPxI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh

But it should be fixed in pki-core-9.0.3-45.el6_7 so I'm not sure.

Anyway, java.io.IOException: 2 actually means authentication failure.

The authentication problem might be caused by a missing subsystem user (bug #1225589) and there's already a tool to restore it. However, before running the script, please run this command on the master to verify the problem:

$ pki-server ca-group-member-find "Subsystem Group"

Ideally it should return a user ID "CA--9443" and the description attribute should contain the subsystem certificate in this format ";;;". If that's not the case, please run this tool to restore the subsystem user:

$ python /usr/share/pki/scripts/restore-subsystem-user.py

Then run this command again to verify the fix:

$ pki-server ca-group-member-find "Subsystem Group"

If everything works well, please try installing the replica again. Also verify that all certificates in `getcert list` output are not expired.

On 03/31/2016 09:07 PM, Ott, Dennis wrote:
> Petr,
>
> Original 6.x master installed at:
>
> ipa-server-2.1.3-9
> pki-ca-9.0.3-20
>
> At the time the migration was attempted, the 6.x master had been updated to:
>
> ipa-server-3.0.0-47
> pki-ca-9.0.3-45
>
> The 7.x replica install has been attempted using a variety of versions. The log excerpts at the beginning of this email were from an installation attempt using:
>
> ipa-server-4.2.0-15.0.1
> pki-ca-10.2.5-6
>
> It's a standard CA installation.
This line is from /var/log/ipaserverinstall.log showing selfsign as False:
>
> 2013-09-04T18:41:20Z DEBUG /usr/sbin/ipa-server-install was invoked with options: {'zone_refresh': 0, 'reverse_zone': None, 'realm_name': None, 'create_sshfp': True, 'conf_sshd': False, 'conf_ntp': False, 'subject': None, 'no_forwarders': False, 'persistent_search': True, 'ui_redirect': True, 'domain_name': None, 'idmax': 0, 'hbac_allow': True, 'no_reverse': False, 'dirsrv_pkcs12': None, 'unattended': False, 'selfsign': False, 'trust_sshfp': False, 'external_ca_file': None, 'no_host_dns': False, 'http_pkcs12': None, 'zone_notif': False, 'forwarders': None, 'idstart': 900000000, 'external_ca': False, 'ip_address': None, 'conf_ssh': False, 'serial_autoincrement': True, 'zonemgr': None, 'setup_dns': False, 'host_name': None, 'debug': False, 'external_cert_file': None, 'uninstall': False}
> 2013-09-04T18:41:20Z DEBUG missing options might be asked for interactively later
>
> -----Original Message-----
> From: Petr Vobornik [mailto:pvoborni at redhat.com]
> Sent: Tuesday, March 29, 2016 6:43 AM
> To: Ott, Dennis; Freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
>
> On 03/24/2016 04:29 PM, Ott, Dennis wrote:
>> I am trying to migrate from OS 6.x / IPA 3.0 to OS 7.x / IPA 4.x.
>> After working through and solving a few issues, my current efforts
>> fail when setting up the replica CA.
>>
>> If I set up a new, pristine master on OS 6.7, I am able to create an
>> OS 7.x replica without any problem. However, if I try to create a
>> replica from my two year old test lab instance (production will be
>> another matter for the future) it fails. The test lab master was
>> created a couple of years ago on OS 6.3 / IPA 2.x and has been
>> upgraded to the latest versions in the 6.x chain. It is old enough to
>> have had all the certificates renewed, but I believe I have worked through all the issues related to that.
>>
>> Below is what I believe are the useful portions of the pertinent logs.
>> I've not been able to find anything online that speaks to the errors
>> I am seeing
>>
>> Thanks for your help.
>
> Hello Dennis,
>
> what are the exact versions of pki-ca and ipa-server on the 6.x master and 7.x replica?
>
> What kind of CA installation does the old 6.x master install have? Is it a standard installation with CA or does it also use an external CA?
>
> I assume it is not self-sign (very old unsupported type, which could be converted in 7.x as CA-less).
>
>>
>> /var/log/ipareplica-install.log
>>
>> 2016-03-23T21:55:11Z DEBUG Configuring certificate server (pki-tomcatd).
>> Estimated time: 3 minutes 30 seconds
>> 2016-03-23T21:55:11Z DEBUG [1/23]: creating certificate server user
>> 2016-03-23T21:55:11Z DEBUG group pkiuser exists
>> 2016-03-23T21:55:11Z DEBUG user pkiuser exists
>> 2016-03-23T21:55:11Z DEBUG duration: 0 seconds
>> 2016-03-23T21:55:11Z DEBUG [2/23]: configuring certificate server instance
>> 2016-03-23T21:55:11Z DEBUG Loading StateFile from
>> '/var/lib/ipa/sysrestore/sysrestore.state'
>> 2016-03-23T21:55:11Z DEBUG Saving StateFile to
>> '/var/lib/ipa/sysrestore/sysrestore.state'
>> 2016-03-23T21:55:11Z DEBUG Contents of pkispawn configuration file (/tmp/tmpGQ59ZC):
>>
>> [CA]
>> pki_security_domain_name = IPA
>> pki_enable_proxy = True
>> pki_restart_configured_instance = False
>> pki_backup_keys = True
>> pki_backup_password = XXXXXXXX
>> pki_profiles_in_ldap = True
>> pki_client_database_dir = /tmp/tmp-g0CKZ3
>> pki_client_database_password = XXXXXXXX
>> pki_client_database_purge = False
>> pki_client_pkcs12_password = XXXXXXXX
>> pki_admin_name = admin
>> pki_admin_uid = admin
>> pki_admin_email = root at localhost
>> pki_admin_password = XXXXXXXX
>> pki_admin_nickname = ipa-ca-agent
>> pki_admin_subject_dn = cn=ipa-ca-agent,O=EXAMPLE.COM
>> pki_client_admin_cert_p12 = /root/ca-agent.p12
>> pki_ds_ldap_port = 389
>> pki_ds_password = XXXXXXXX
>> pki_ds_base_dn = o=ipaca
>> pki_ds_database = ipaca
>> pki_subsystem_subject_dn = cn=CA Subsystem,O=EXAMPLE.COM
>> pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=EXAMPLE.COM
>> pki_ssl_server_subject_dn = cn=pt-idm-vm01.example.com,O=EXAMPLE.COM
>> pki_audit_signing_subject_dn = cn=CA Audit,O=EXAMPLE.COM
>> pki_ca_signing_subject_dn = cn=Certificate Authority,O=EXAMPLE.COM
>> pki_subsystem_nickname = subsystemCert cert-pki-ca
>> pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
>> pki_ssl_server_nickname = Server-Cert cert-pki-ca
>> pki_audit_signing_nickname = auditSigningCert cert-pki-ca
>> pki_ca_signing_nickname = caSigningCert cert-pki-ca
>> pki_ca_signing_key_algorithm = SHA256withRSA
>> pki_security_domain_hostname = ptipa1.example.com
>> pki_security_domain_https_port = 443
>> pki_security_domain_user = admin
>> pki_security_domain_password = XXXXXXXX
>> pki_clone = True
>> pki_clone_pkcs12_path = /tmp/ca.p12
>> pki_clone_pkcs12_password = XXXXXXXX
>> pki_clone_replication_security = TLS
>> pki_clone_replication_master_port = 7389
>> pki_clone_replication_clone_port = 389
>> pki_clone_replicate_schema = False
>> pki_clone_uri =
>> http://cp.mcafee.com/d/k-Kr6zqb3VEVjouhuodCQkkQnCkTTQjqaaqbParza9ISrd
>> G
>> Sa_iBosKrKVXMGgog82KA1N1BeTyH93t5m7hOoHH3b8GOxvQd8e89K8CPpISr9PCJhbcm
>> D
>> 9rkuYf21_YLxIbve9Ew3di5oMAld41EYmcR8lz2gazW1fpYKqfzqaabyr1I5-Aq83iSbN
>> _
>> VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKV
>> J
>> USyrh
>>
>> 2016-03-23T21:55:11Z DEBUG Starting external process
>> 2016-03-23T21:55:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC'
>> 2016-03-23T21:56:51Z DEBUG Process finished, return code=1
>> 2016-03-23T21:56:51Z DEBUG stdout=Log file:
>> /var/log/pki/pki-ca-spawn.20160323175511.log
>>
>> Loading deployment configuration from /tmp/tmpGQ59ZC.
>> Installing CA into /var/lib/pki/pki-tomcat.
>>
>> Storing deployment configuration into
>> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>>
>> Installation failed.
>>
>> 2016-03-23T21:56:51Z DEBUG
>> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
>> InsecureRequestWarning: Unverified HTTPS request is being made.
>> Adding certificate verification is strongly advised. See:
>> http://cp.mcafee.com/d/5fHCNAi6hESyM-qekS7AnC3pJ55d5VBdZZ4SyyCyYOCUOy
>> r
>> dCPqJyLQFm7bCXKuYaA6420HF0sgpjJUGOgThlxQsCaWMOOaIEnZ3i3y2ry9ISrdCOsVH
>> k
>> iP6UDDO8cZ7ZgCjZ2JGs01PUovI_FfavpKcFBK1NIbve9Ew3di5oMAld41EYmcR8lz2ga
>> z
>> W1fpYKqfzqaabyr1I5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh
>> 0
>> VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
>>
>> InsecureRequestWarning)
>>
>> pkispawn : WARNING ....... unable to validate security domain user/password
>> through REST interface. Interface not available
>>
>> pkispawn : ERROR ....... Exception from Java Configuration Servlet: 500
>> Server Error: Internal Server Error
>>
>> pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line
>> 1, column 0:
>> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.
>> PKIException","Code":500,"Message":"Error >> while updating security domain: java.io.IOException: 2"} >> >> 2016-03-23T21:56:51Z CRITICAL Failed to configure CA instance: >> Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC'' >> returned non-zero exit status 1 >> >> 2016-03-23T21:56:51Z CRITICAL See the installation logs and the >> following files/directories for more information: >> >> 2016-03-23T21:56:51Z CRITICAL /var/log/pki-ca-install.log >> >> 2016-03-23T21:56:51Z CRITICAL /var/log/pki/pki-tomcat >> >> 2016-03-23T21:56:51Z DEBUG Traceback (most recent call last): >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line >> 418, in start_creation >> >> run_step(full_msg, method) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line >> 408, in run_step >> >> method() >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >> line 620, in __spawn_instance >> >> DogtagInstance.spawn_instance(self, cfg_file) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py" >> , >> line 201, in spawn_instance >> >> self.handle_setup_error(e) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py" >> , >> line 465, in handle_setup_error >> >> raise RuntimeError("%s configuration failed." % self.subsystem) >> >> RuntimeError: CA configuration failed. >> >> 2016-03-23T21:56:51Z DEBUG [error] RuntimeError: CA configuration failed. 
>> >> 2016-03-23T21:56:51Z DEBUG File >> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, >> in execute >> >> return_value = self.run() >> >> File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", >> line 311, in run >> >> cfgr.run() >> >> File >> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 281, in run >> >> self.execute() >> >> File >> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 303, in execute >> >> for nothing in self._executor(): >> >> File >> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 343, in __runner >> >> self._handle_exception(exc_info) >> >> File >> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 365, in _handle_exception >> >> util.raise_exc_info(exc_info) >> >> File >> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 333, in __runner >> >> step() >> >> File >> "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >> line 87, in run_generator_with_yield_from >> >> raise_exc_info(exc_info) >> >> File >> "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >> line 65, in run_generator_with_yield_from >> >> value = gen.send(prev_value) >> >> File >> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 524, in _configure >> >> executor.next() >> >> File >> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 343, in __runner >> >> self._handle_exception(exc_info) >> >> File >> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 421, in _handle_exception >> >> self.__parent._handle_exception(exc_info) >> >> File >> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 365, in _handle_exception >> >> util.raise_exc_info(exc_info) >> >> File >> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 418, in _handle_exception >> >> super(ComponentBase, self)._handle_exception(exc_info) >> >> File >> 
"/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 365, in _handle_exception >> >> util.raise_exc_info(exc_info) >> >> File >> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >> line 333, in __runner >> >> step() >> >> File >> "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >> line 87, in run_generator_with_yield_from >> >> raise_exc_info(exc_info) >> >> File >> "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >> line 65, in run_generator_with_yield_from >> >> value = gen.send(prev_value) >> >> File >> "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line >> 63, in _install >> >> for nothing in self._installer(self.parent): >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicains >> t >> all.py", >> line 879, in main >> >> install(self) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicains >> t >> all.py", >> line 295, in decorated >> >> func(installer) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicains >> t >> all.py", >> line 584, in install >> >> ca.install(False, config, options) >> >> File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", >> line 106, in install >> >> install_step_0(standalone, replica_config, options) >> >> File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", >> line 130, in >> install_step_0 >> >> ra_p12=getattr(options, 'ra_p12', None)) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >> line 1543, in install_replica_ca >> >> subject_base=config.subject_base) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >> line 486, in configure_instance >> >> self.start_creation(runtime=210) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line >> 418, in start_creation >> >> run_step(full_msg, method) >> >> File >> 
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line >> 408, in run_step >> >> method() >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >> line 620, in __spawn_instance >> >> DogtagInstance.spawn_instance(self, cfg_file) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py" >> , >> line 201, in spawn_instance >> >> self.handle_setup_error(e) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py" >> , >> line 465, in handle_setup_error >> >> raise RuntimeError("%s configuration failed." % self.subsystem) >> >> 2016-03-23T21:56:51Z DEBUG The ipa-replica-install command failed, exception: >> RuntimeError: CA configuration failed. >> >> 2016-03-23T21:56:51Z ERROR CA configuration failed. >> >> /var/log/pki/pki-ca-spawn..log >> >> 2016-03-23 17:55:12 pkispawn : INFO ....... rm -f >> /etc/pki/pki-tomcat/ca/noise >> >> 2016-03-23 17:55:12 pkispawn : INFO ....... rm -f /etc/pki/pki-tomcat/pfile >> >> 2016-03-23 17:55:12 pkispawn : INFO ....... ln -s >> /lib/systemd/system/pki-tomcatd at .service >> /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd at pki-tomcat.s >> e >> rvice >> >> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown -h 17:17 >> /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd at pki-tomcat.s >> e >> rvice >> >> 2016-03-23 17:55:12 pkispawn : INFO ... configuring >> 'pki.server.deployment.scriptlets.configuration' >> >> 2016-03-23 17:55:12 pkispawn : INFO ....... mkdir -p >> /root/.dogtag/pki-tomcat/ca >> >> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 755 >> /root/.dogtag/pki-tomcat/ca >> >> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 0:0 >> /root/.dogtag/pki-tomcat/ca >> >> 2016-03-23 17:55:12 pkispawn : INFO ....... generating >> '/root/.dogtag/pki-tomcat/ca/password.conf' >> >> 2016-03-23 17:55:12 pkispawn : INFO ....... 
modifying >> '/root/.dogtag/pki-tomcat/ca/password.conf' >> >> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 660 >> /root/.dogtag/pki-tomcat/ca/password.conf >> >> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 0:0 >> /root/.dogtag/pki-tomcat/ca/password.conf >> >> 2016-03-23 17:55:12 pkispawn : INFO ....... generating >> '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf' >> >> 2016-03-23 17:55:12 pkispawn : INFO ....... modifying >> '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf' >> >> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 660 >> /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf >> >> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 17:17 >> /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf >> >> 2016-03-23 17:55:12 pkispawn : INFO ....... executing 'certutil -N -d >> /tmp/tmp-g0CKZ3 -f /root/.dogtag/pki-tomcat/ca/password.conf' >> >> 2016-03-23 17:55:12 pkispawn : INFO ....... executing 'systemctl >> daemon-reload' >> >> 2016-03-23 17:55:12 pkispawn : INFO ....... executing 'systemctl start >> pki-tomcatd at pki-tomcat.service' >> >> 2016-03-23 17:55:12 pkispawn : DEBUG ........... No connection - server >> may still be down >> >> 2016-03-23 17:55:12 pkispawn : DEBUG ........... No connection - exception >> thrown: ('Connection aborted.', error(111, 'Connection refused')) >> >> 2016-03-23 17:55:13 pkispawn : DEBUG ........... No connection - server >> may still be down >> >> 2016-03-23 17:55:13 pkispawn : DEBUG ........... No connection - exception >> thrown: ('Connection aborted.', error(111, 'Connection refused')) >> >> 2016-03-23 17:55:24 pkispawn : DEBUG ........... > encoding="UTF-8" >> standalone="no"?>0CA >> r unning10.2.5-6.el7 >> >> 2016-03-23 17:55:25 pkispawn : INFO ....... constructing PKI >> configuration data. >> >> 2016-03-23 17:55:25 pkispawn : INFO ....... configuring PKI configuration >> data. >> >> 2016-03-23 17:56:51 pkispawn : ERROR ....... 
Exception from Java >> Configuration Servlet: 500 Server Error: Internal Server Error >> >> 2016-03-23 17:56:51 pkispawn : ERROR ....... ParseError: not well-formed >> (invalid token): line 1, column 0: >> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base. >> PKIException","Code":500,"Message":"Error >> while updating security domain: java.io.IOException: 2"} >> >> 2016-03-23 17:56:51 pkispawn : DEBUG ....... Error Type: ParseError >> >> 2016-03-23 17:56:51 pkispawn : DEBUG ....... Error Message: not >> well-formed (invalid token): line 1, column 0 >> >> 2016-03-23 17:56:51 pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", >> line 597, in main >> >> rv = instance.spawn(deployer) >> >> File >> "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/co >> n >> figuration.py", >> line 116, in spawn >> >> json.dumps(data, cls=pki.encoder.CustomTypeEncoder)) >> >> File >> "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py" >> , >> line 3906, in configure_pki_data >> >> root = ET.fromstring(e.response.text) >> >> File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, >> in XML >> >> parser.feed(text) >> >> File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, >> in feed >> >> self._raiseerror(v) >> >> File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, >> in _raiseerror >> >> raise err >> >> /var/log/pki/pki-tomcat/ca/debug >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password >> ok: store in memory cache >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before >> makeConnection errorIfDown is false >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: >> errorIfDown false >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP >> connection using basic authentication to host pt-idm-vm01.example.com >> port 389 as cn=Directory Manager >> >> 
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with >> mininum 3 and maximum 15 connections to host pt-idm-vm01.example.com >> port 389, secure connection, false, authentication type 1 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum >> connections by 3 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available >> connections 3 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of >> connections 3 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In >> LdapBoundConnFactory::getConn() >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: >> true >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is >> connected true >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now >> 2 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS: >> param=preop.internaldb.manager_ldif >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif >> file = /usr/share/pki/server/conf/manager.ldif >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif >> file copy to /var/lib/pki/pki-tomcat/ca/conf/manager.ldif >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): LDAP >> Errors in importing /var/lib/pki/pki-tomcat/ca/conf/manager.ldif >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: >> exception in adding entry >> ou=csusers,cn=config:netscape.ldap.LDAPException: error result (68) >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: >> exception in modifying entry o=ipaca:netscape.ldap.LDAPException: >> error result (20) >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: populateVLVIndexes(): >> start >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Creating >> LdapBoundConnFactor(ConfigurationUtils) >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapBoundConnFactory: >> init >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: >> LdapBoundConnFactory:doCloning true >> 
>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init() >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init >> begins >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: >> prompt is internaldb >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: try >> getting from memory cache >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: got >> password from memory >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: >> password found for prompt. >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password >> ok: store in memory cache >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before >> makeConnection errorIfDown is false >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: >> errorIfDown false >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP >> connection using basic authentication to host pt-idm-vm01.example.com >> port 389 as cn=Directory Manager >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with >> mininum 3 and maximum 15 connections to host pt-idm-vm01.example.com >> port 389, secure connection, false, authentication type 1 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum >> connections by 3 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available >> connections 3 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of >> connections 3 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In >> LdapBoundConnFactory::getConn() >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: >> true >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is >> connected true >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now >> 2 >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS: >> 
param=preop.internaldb.post_ldif >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif >> file = /usr/share/pki/ca/conf/vlv.ldif >> >> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif >> file copy to /var/lib/pki/pki-tomcat/ca/conf/vlv.ldif >> >> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif >> file = /usr/share/pki/ca/conf/vlvtasks.ldif >> >> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif >> file copy to /var/lib/pki/pki-tomcat/ca/conf/vlvtasks.ldif >> >> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: Checking wait_dn >> cn=index1160589769, cn=index, cn=tasks, cn=config >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: Found data for 'sslserver' >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: >> SystemConfigService:processCerts(): san_server_cert not found for tag >> sslserver >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is >> local >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is >> remote (revised) >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: >> updateConfig() for certTag sslserver >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: updateConfig() done >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: remote CA >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got >> public key >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got >> private key >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: For this >> Cloned CA, always use its Master CA to generate the 'sslserver' >> certificate to avoid any changes which may have been made to the X500Name directory string encoding order. 
>> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: ConfigurationUtils: >> injectSAN=false >> >> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertUtil >> createRemoteCert: content >> requestor_name=CA-pt-idm-vm01.example.com-8443&profileId=caInternalAu >> t >> hServerCert&cert_request_type=pkcs10&cert_request=MIICmzCCAYxxxxxxxxx >> x >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> x >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> x >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> x >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> x >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> x >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxrD6JPIBR7AA%3D&xmlOutput=true& >> s >> essionID=-4495713718673639316 >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil >> createRemoteCert: status=0 >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil createRemoteCert: >> MIIDxTCCAq2gxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> x >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> x >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> x >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> x >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> x >> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxTDuSAWm2v7 >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: ConfigurationUtils: >> handleCertRequest() begins >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: >> tag=sslserver >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: >> privKeyID=29c021f3ccfafb1049bd33ce00e9b4ba35f2c1e7 >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: >> created cert request >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processing 'sslserver' certificate: >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): 
for cert >> tag 'sslserver' using cert type 'remote' >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): process >> remote...import cert >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: >> nickname=Server-Cert cert-pki-ca >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: cert >> deleted successfully >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): >> certchains length=2 >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): import >> certificate successfully, certTag=sslserver >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processed 'sslserver' certificate. >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === BackupKeyCert >> Panel/SavePKCS12 Panel === >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: backupKeys(): start >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Admin Panel === >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Done Panel === >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Updating existing >> security domain >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: isSDHostDomainMaster(): >> Getting domain.xml from CA... >> >> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: getDomainXML start >> >> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: status=0 >> >> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: >> domainInfo=> standalone="no"?>IPAptipa1. 
>> example.com443443> e >> cureAgentPort>443> cureAgentPort>t >> hPort>44380> hPort>n >> e>FALSEpki-cadT >> e>R >> UE1> S >> PList>0> PList>m >> Count>00> Count>m >> Count>0< >> Count>T >> PSList>0 >> >> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Cloning a domain master >> >> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase >> updateDomainXML start hostname=ptipa1.example.com port=443 >> >> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: >> failed to update security domain using admin port 443: >> org.xml.sax.SAXParseException; >> lineNumber: 1; columnNumber: 50; White spaces are required between >> publicId and systemId. >> >> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: >> now trying agent port with client auth >> >> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase >> updateDomainXML start hostname=ptipa1.example.com port=443 >> >> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateDomainXML() >> nickname=subsystemCert cert-pki-ca >> >> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML: >> status=1 >> >> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Error while updating >> security >> domain: java.io.IOException: 2 >> >> [23/Mar/2016:23:44:52][http-bio-8080-exec-1]: according to ccMode, >> authorization for servlet: caProfileList is LDAP based, not XML {1}, use default authz mgr: {2}. >> >> /var/log/pki/pki-tomcat/ca/system >> >> 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [3] [3] Cannot >> build CA chain. 
Error java.security.cert.CertificateException:
>> Certificate is not a PKCS
>> #11 certificate
>>
>> 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [13] [3] authz
>> instance DirAclAuthz initialization failed and skipped,
>> error=Property internaldb.ldapconn.port missing value
>>
>> *Dennis M Ott*
>> Infrastructure Administrator
>> Infrastructure and Security Operations
>>
>> *McKesson Corporation
>> McKesson Pharmacy Systems and Automation* www.mckesson.com
>>
>>> -- > Petr Vobornik > -- Petr Vobornik

--
Manage your subscription for the Freeipa-users mailing list:
http://cp.mcafee.com/d/5fHCMUe6gUSyMVuXzX0VMSrhhjhupjvvhdEEFELcFKcECPpISHoHZalxOVIsWqehMGDpMQsyGeWOPtfhktZy0GM-xEGYCXslsttJtVNxeSICPpISr9PCJhbcat7Q2uPVv1dnoovaAVgtHzIv-iSBSWv6xIQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoalIl-BaMVsQv6QmhPPzNI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
Go to http://cp.mcafee.com/d/FZsSd3gArhosLtNZwsUrdEEFELcFLLECQkkQnCkT6kjpISrlIl-BaMVsSetd78UljIUqehl7tppKDEGe-N0lovgQlujtKaKeKSKYUMDrmjpISrdw0To_YBJU03xIQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoalIl-BaMVsQv6QmhPPzNI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh for more info on the project

From harald.dunkel at aixigo.de Fri Apr 15 14:06:01 2016
From: harald.dunkel at aixigo.de (Harald Dunkel)
Date: Fri, 15 Apr 2016 16:06:01 +0200
Subject: [Freeipa-users] howto ldapsearch for disabled/enabled users?
In-Reply-To: <5710E89B.6030109@redhat.com>
References: <5710E89B.6030109@redhat.com>
Message-ID: <7bfc4375-120b-4c29-532e-646069ed38c2@aixigo.de>

Hi David,

On 04/15/16 15:11, David Kupka wrote:
>
> Hello Harri,
>
> the attribute you're looking for is 'nsaccountlock'. This command should give you uids of all disabled users:
>
> $ ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=test "(nsaccountlock=TRUE)" uid
>

That's exactly what I was looking for. For the record: Searching for "nsaccountlock=FALSE" did not work.
I had to use

ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=test '(!(nsaccountlock=TRUE))' uid

instead.

Thanx very much for your help
Harri

From pvoborni at redhat.com Fri Apr 15 14:06:27 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 15 Apr 2016 16:06:27 +0200
Subject: [Freeipa-users] 7.x replica install from 6.x master fails
In-Reply-To:
References: <56FA5C2F.3070200@redhat.com> <570674EC.1060204@redhat.com>
Message-ID: <5710F563.1050507@redhat.com>

On 04/15/2016 03:51 PM, Ott, Dennis wrote:
> Looks like we're out of ideas.
>
> I'll proceed with Plan B.
>

A possibility is also to check if the serial number of

certutil -d /etc/pki/pki-tomcat/alias -L -n 'subsystemCert cert-pki-ca'

matches the serial number of the cert below (4) and if uid=CA-$HOST-8443,ou=people,o=ipaca actually has the same cert in its userCertificate attribute. Or maybe do the same with the other PKI users in ou=people,o=ipaca.

> -----Original Message-----
> From: Ott, Dennis
> Sent: Monday, April 11, 2016 12:27 PM
> To: Ott, Dennis; Petr Vobornik; Freeipa-users at redhat.com
> Subject: RE: [Freeipa-users] 7.x replica install from 6.x master fails
>
> As a test, I attempted to do a replica install on a Fedora 23 machine. It fails with the same error.
>
> Dennis
>
>
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ott, Dennis
> Sent: Thursday, April 07, 2016 5:39 PM
> To: Petr Vobornik; Freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
>
> It doesn't look like that is my problem.
The output of pki-server ca-group-member-find "Subsystem Group" gives:
>
>
> User ID: CA-ptipa1.example.com-9443
> Common Name: CA-ptipa1.example.com-9443
> Surname: CA-ptipa1.example.com-9443
> Type: agentType
> Description: 2;4;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM
> E-mail:
>
> All the certs seem valid:
>
> # getcert list | grep expires
> expires: 2017-07-18 00:55:14 UTC
> expires: 2017-07-18 00:54:14 UTC
> expires: 2017-07-18 00:54:14 UTC
> expires: 2017-07-18 00:54:14 UTC
> expires: 2017-07-18 00:54:14 UTC
> expires: 2017-08-09 00:54:19 UTC
> expires: 2017-08-09 00:54:19 UTC
> expires: 2017-08-09 00:54:21 UTC
> #
>
> I was wondering if I might be hitting this:
>
> http://cp.mcafee.com/d/1jWVIi6x8SyMVuXzX0VMSrhhjhupjvvhdEEFELcFKcECPpISHoHZalxOVIsWqehMGDpMQsyGeWOPtfhktZy0GM-xEGYCXslsttJtVNxeSICPpISr9PCJhbctZ2It9RFfQe00UX7_AJKjBoHYYvhjd79IQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoalIl-BaMVsQv6QmhPPzNI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
> http://cp.mcafee.com/d/5fHCNEg3zqb3BXKfI3D3pJ55d5VBdZZ4SyyCyYOCUOyrdCPqJyLQFm7bCNPFEV72GtD3hOaEXHbdQZ5hTS82H3W6yHOrJNlNRSRTD64XqOrdCPpIDeqR4INTQaNQDmA_gU03yNmmjBoHYYhod7bVIQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoalIl-BaMVsQv6QmhPPzNI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
>
> It says it is fixed in pki 10.2.6. 10.2.6 has been released for Fedora (many months ago), but is not yet available for enterprise.
>
> Dennis
>
>
>
>
> -----Original Message-----
> From: Petr Vobornik [mailto:pvoborni at redhat.com]
> Sent: Thursday, April 07, 2016 10:56 AM
> To: Ott, Dennis; Freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
>
> Sorry for the late response.
>
> It looks like a bug http://cp.mcafee.com/d/1jWVIe4xAe3zqb3BXInd7b1EVdCQkkQnCkTTQjqaaqbParza9ISrdGSa_iBosKr7eLqaEF-waI47nQ7LQl8m7f2H3ab0Ggvhv5mtKqek4Q4hPEVwSrdCPpesRG9px1IyaiffTE-wjSvbVgDkMaA6Of08iAwsyCqekhP0US5LD4Qg1CF2IoiaCy0Qub6qAaNx85hZ0DI-nd7NJ5CZNPxI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
> But it should be fixed in pki-core-9.0.3-45.el6_7 so I'm not sure.
>
> Anyway,
> java.io.IOException: 2 actually means authentication failure.
>
> The authentication problem might be caused by a missing subsystem user (bug #1225589) and there's already a tool to restore it. However, before running the script, please run this command on the master to verify the
> problem:
>
> $ pki-server ca-group-member-find "Subsystem Group"
>
> Ideally it should return a user ID "CA--9443" and the description attribute should contain the subsystem certificate in this format ";;;".
>
> If that's not the case, please run this tool to restore the subsystem user:
>
> $ python /usr/share/pki/scripts/restore-subsystem-user.py
>
> Then run this command again to verify the fix:
>
> $ pki-server ca-group-member-find "Subsystem Group"
>
> If everything works well, please try installing the replica again.
>
> Also verify that all certificates in `getcert list` output are not expired.
>
>
> On 03/31/2016 09:07 PM, Ott, Dennis wrote:
>> Petr,
>>
>> Original 6.x master installed at:
>>
>> ipa-server-2.1.3-9
>>
>> pki-ca-9.0.3-20
>>
>>
>> At the time the migration was attempted, the 6.x master had been updated to:
>>
>> ipa-server-3.0.0-47
>>
>> pki-ca-9.0.3-45
>>
>>
>> The 7.x replica install has been attempted using a variety of versions. The log excerpts at the beginning of this email were from an installation attempt using:
>>
>> ipa-server-4.2.0-15.0.1
>>
>> pki-ca-10.2.5-6
>>
>>
>> It's a standard CA installation.
This line is from /var/log/ipaserver-install.log showing selfsign as False:
>>
>> 2013-09-04T18:41:20Z DEBUG /usr/sbin/ipa-server-install was invoked
>> with options: {'zone_refresh': 0, 'reverse_zone': None, 'realm_name':
>> None, 'create_sshfp': True, 'conf_sshd': False, 'conf_ntp': False,
>> 'subject': None, 'no_forwarders': False, 'persistent_search': True,
>> 'ui_redirect': True, 'domain_name': None, 'idmax': 0, 'hbac_allow':
>> True, 'no_reverse': False, 'dirsrv_pkcs12': None, 'unattended': False,
>> 'selfsign': False, 'trust_sshfp': False, 'external_ca_file': None,
>> 'no_host_dns': False, 'http_pkcs12': None, 'zone_notif': False,
>> 'forwarders': None, 'idstart': 900000000, 'external_ca': False,
>> 'ip_address': None, 'conf_ssh': False, 'serial_autoincrement': True,
>> 'zonemgr': None, 'setup_dns': False, 'host_name': None, 'debug':
>> False, 'external_cert_file': None, 'uninstall': False}
>> 2013-09-04T18:41:20Z DEBUG missing options might be asked for
>> interactively later
>>
>>
>> -----Original Message-----
>> From: Petr Vobornik [mailto:pvoborni at redhat.com]
>> Sent: Tuesday, March 29, 2016 6:43 AM
>> To: Ott, Dennis; Freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
>>
>> On 03/24/2016 04:29 PM, Ott, Dennis wrote:
>>> I am trying to migrate from OS 6.x / IPA 3.0 to OS 7.x / IPA 4.x.
>>> After working through and solving a few issues, my current efforts
>>> fail when setting up the replica CA.
>>>
>>> If I set up a new, pristine master on OS 6.7, I am able to create an
>>> OS 7.x replica without any problem. However, if I try to create a
>>> replica from my two year old test lab instance (production will be
>>> another matter for the future) it fails. The test lab master was
>>> created a couple of years ago on OS 6.3 / IPA 2.x and has been
>>> upgraded to the latest versions in the 6.x chain.
It is old enough to
>>> have had all the certificates renewed, but I believe I have worked through all the issues related to that.
>>>
>>> Below is what I believe are the useful portions of the pertinent logs.
>>> I've not been able to find anything online that speaks to the errors
>>> I am seeing
>>>
>>> Thanks for your help.
>>
>> Hello Dennis,
>>
>> what are the exact versions of pki-ca and ipa-server on the 6.x master and 7.x replica?
>>
>> What kind of CA installation does the old 6.x master install have? Is it a standard installation with a CA, or does it also use an external CA?
>>
>> I assume it is not self-sign (a very old unsupported type, which could be converted in 7.x to CA-less).
>>
>>>
>>> /var/log/ipareplica-install.log
>>>
>>> 2016-03-23T21:55:11Z DEBUG Configuring certificate server (pki-tomcatd).
>>> Estimated time: 3 minutes 30 seconds
>>>
>>> 2016-03-23T21:55:11Z DEBUG [1/23]: creating certificate server user
>>>
>>> 2016-03-23T21:55:11Z DEBUG group pkiuser exists
>>>
>>> 2016-03-23T21:55:11Z DEBUG user pkiuser exists
>>>
>>> 2016-03-23T21:55:11Z DEBUG duration: 0 seconds
>>>
>>> 2016-03-23T21:55:11Z DEBUG [2/23]: configuring certificate server instance
>>>
>>> 2016-03-23T21:55:11Z DEBUG Loading StateFile from
>>> '/var/lib/ipa/sysrestore/sysrestore.state'
>>>
>>> 2016-03-23T21:55:11Z DEBUG Saving StateFile to
>>> '/var/lib/ipa/sysrestore/sysrestore.state'
>>>
>>> 2016-03-23T21:55:11Z DEBUG Contents of pkispawn configuration file (/tmp/tmpGQ59ZC):
>>>
>>> [CA]
>>>
>>> pki_security_domain_name = IPA
>>>
>>> pki_enable_proxy = True
>>>
>>> pki_restart_configured_instance = False
>>>
>>> pki_backup_keys = True
>>>
>>> pki_backup_password = XXXXXXXX
>>>
>>> pki_profiles_in_ldap = True
>>>
>>> pki_client_database_dir = /tmp/tmp-g0CKZ3
>>>
>>> pki_client_database_password = XXXXXXXX
>>>
>>> pki_client_database_purge = False
>>>
>>> pki_client_pkcs12_password = XXXXXXXX
>>>
>>> pki_admin_name = admin
>>>
>>> pki_admin_uid = admin
>>>
>>> pki_admin_email = root at
localhost >>> >>> pki_admin_password = XXXXXXXX >>> >>> pki_admin_nickname = ipa-ca-agent >>> >>> pki_admin_subject_dn = cn=ipa-ca-agent,O=EXAMPLE.COM >>> >>> pki_client_admin_cert_p12 = /root/ca-agent.p12 >>> >>> pki_ds_ldap_port = 389 >>> >>> pki_ds_password = XXXXXXXX >>> >>> pki_ds_base_dn = o=ipaca >>> >>> pki_ds_database = ipaca >>> >>> pki_subsystem_subject_dn = cn=CA Subsystem,O=EXAMPLE.COM >>> >>> pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=EXAMPLE.COM >>> >>> pki_ssl_server_subject_dn = cn=pt-idm-vm01.example.com,O=EXAMPLE.COM >>> >>> pki_audit_signing_subject_dn = cn=CA Audit,O=EXAMPLE.COM >>> >>> pki_ca_signing_subject_dn = cn=Certificate Authority,O=EXAMPLE.COM >>> >>> pki_subsystem_nickname = subsystemCert cert-pki-ca >>> >>> pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca >>> >>> pki_ssl_server_nickname = Server-Cert cert-pki-ca >>> >>> pki_audit_signing_nickname = auditSigningCert cert-pki-ca >>> >>> pki_ca_signing_nickname = caSigningCert cert-pki-ca >>> >>> pki_ca_signing_key_algorithm = SHA256withRSA >>> >>> pki_security_domain_hostname = ptipa1.example.com >>> >>> pki_security_domain_https_port = 443 >>> >>> pki_security_domain_user = admin >>> >>> pki_security_domain_password = XXXXXXXX >>> >>> pki_clone = True >>> >>> pki_clone_pkcs12_path = /tmp/ca.p12 >>> >>> pki_clone_pkcs12_password = XXXXXXXX >>> >>> pki_clone_replication_security = TLS >>> >>> pki_clone_replication_master_port = 7389 >>> >>> pki_clone_replication_clone_port = 389 >>> >>> pki_clone_replicate_schema = False >>> >>> pki_clone_uri = >>> http://cp.mcafee.com/d/k-Kr6zqb3VEVjouhuodCQkkQnCkTTQjqaaqbParza9ISrd >>> G >>> Sa_iBosKrKVXMGgog82KA1N1BeTyH93t5m7hOoHH3b8GOxvQd8e89K8CPpISr9PCJhbcm >>> D >>> 9rkuYf21_YLxIbve9Ew3di5oMAld41EYmcR8lz2gazW1fpYKqfzqaabyr1I5-Aq83iSbN >>> _ >>> VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKV >>> J >>> USyrh >>> >>> 2016-03-23T21:55:11Z DEBUG Starting external process >>> >>> 2016-03-23T21:55:11Z DEBUG 
args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC' >>> >>> 2016-03-23T21:56:51Z DEBUG Process finished, return code=1 >>> >>> 2016-03-23T21:56:51Z DEBUG stdout=Log file: >>> /var/log/pki/pki-ca-spawn.20160323175511.log >>> >>> Loading deployment configuration from /tmp/tmpGQ59ZC. >>> >>> Installing CA into /var/lib/pki/pki-tomcat. >>> >>> Storing deployment configuration into >>> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg. >>> >>> Installation failed. >>> >>> 2016-03-23T21:56:51Z DEBUG >>> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: >>> InsecureRequestWarning: Unverified HTTPS request is being made. >>> Adding certificate verification is strongly advised. See: >>> http://cp.mcafee.com/d/5fHCNAi6hESyM-qekS7AnC3pJ55d5VBdZZ4SyyCyYOCUOy >>> r >>> dCPqJyLQFm7bCXKuYaA6420HF0sgpjJUGOgThlxQsCaWMOOaIEnZ3i3y2ry9ISrdCOsVH >>> k >>> iP6UDDO8cZ7ZgCjZ2JGs01PUovI_FfavpKcFBK1NIbve9Ew3di5oMAld41EYmcR8lz2ga >>> z >>> W1fpYKqfzqaabyr1I5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh >>> 0 >>> VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh >>> >>> InsecureRequestWarning) >>> >>> pkispawn : WARNING ....... unable to validate security domain user/password >>> through REST interface. Interface not available >>> >>> pkispawn : ERROR ....... Exception from Java Configuration Servlet: 500 >>> Server Error: Internal Server Error >>> >>> pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line >>> 1, column 0: >>> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base. 
>>> PKIException","Code":500,"Message":"Error >>> while updating security domain: java.io.IOException: 2"} >>> >>> 2016-03-23T21:56:51Z CRITICAL Failed to configure CA instance: >>> Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC'' >>> returned non-zero exit status 1 >>> >>> 2016-03-23T21:56:51Z CRITICAL See the installation logs and the >>> following files/directories for more information: >>> >>> 2016-03-23T21:56:51Z CRITICAL /var/log/pki-ca-install.log >>> >>> 2016-03-23T21:56:51Z CRITICAL /var/log/pki/pki-tomcat >>> >>> 2016-03-23T21:56:51Z DEBUG Traceback (most recent call last): >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line >>> 418, in start_creation >>> >>> run_step(full_msg, method) >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line >>> 408, in run_step >>> >>> method() >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >>> line 620, in __spawn_instance >>> >>> DogtagInstance.spawn_instance(self, cfg_file) >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py" >>> , >>> line 201, in spawn_instance >>> >>> self.handle_setup_error(e) >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py" >>> , >>> line 465, in handle_setup_error >>> >>> raise RuntimeError("%s configuration failed." % self.subsystem) >>> >>> RuntimeError: CA configuration failed. >>> >>> 2016-03-23T21:56:51Z DEBUG [error] RuntimeError: CA configuration failed. 
>>> >>> 2016-03-23T21:56:51Z DEBUG File >>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, >>> in execute >>> >>> return_value = self.run() >>> >>> File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", >>> line 311, in run >>> >>> cfgr.run() >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 281, in run >>> >>> self.execute() >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 303, in execute >>> >>> for nothing in self._executor(): >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 343, in __runner >>> >>> self._handle_exception(exc_info) >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 365, in _handle_exception >>> >>> util.raise_exc_info(exc_info) >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 333, in __runner >>> >>> step() >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >>> line 87, in run_generator_with_yield_from >>> >>> raise_exc_info(exc_info) >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >>> line 65, in run_generator_with_yield_from >>> >>> value = gen.send(prev_value) >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 524, in _configure >>> >>> executor.next() >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 343, in __runner >>> >>> self._handle_exception(exc_info) >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 421, in _handle_exception >>> >>> self.__parent._handle_exception(exc_info) >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 365, in _handle_exception >>> >>> util.raise_exc_info(exc_info) >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 418, in _handle_exception >>> >>> 
super(ComponentBase, self)._handle_exception(exc_info) >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 365, in _handle_exception >>> >>> util.raise_exc_info(exc_info) >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 333, in __runner >>> >>> step() >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >>> line 87, in run_generator_with_yield_from >>> >>> raise_exc_info(exc_info) >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >>> line 65, in run_generator_with_yield_from >>> >>> value = gen.send(prev_value) >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line >>> 63, in _install >>> >>> for nothing in self._installer(self.parent): >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicains >>> t >>> all.py", >>> line 879, in main >>> >>> install(self) >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicains >>> t >>> all.py", >>> line 295, in decorated >>> >>> func(installer) >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicains >>> t >>> all.py", >>> line 584, in install >>> >>> ca.install(False, config, options) >>> >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", >>> line 106, in install >>> >>> install_step_0(standalone, replica_config, options) >>> >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", >>> line 130, in >>> install_step_0 >>> >>> ra_p12=getattr(options, 'ra_p12', None)) >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >>> line 1543, in install_replica_ca >>> >>> subject_base=config.subject_base) >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >>> line 486, in configure_instance >>> >>> self.start_creation(runtime=210) >>> >>> File >>> 
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line >>> 418, in start_creation >>> >>> run_step(full_msg, method) >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line >>> 408, in run_step >>> >>> method() >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >>> line 620, in __spawn_instance >>> >>> DogtagInstance.spawn_instance(self, cfg_file) >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py" >>> , >>> line 201, in spawn_instance >>> >>> self.handle_setup_error(e) >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py" >>> , >>> line 465, in handle_setup_error >>> >>> raise RuntimeError("%s configuration failed." % self.subsystem) >>> >>> 2016-03-23T21:56:51Z DEBUG The ipa-replica-install command failed, exception: >>> RuntimeError: CA configuration failed. >>> >>> 2016-03-23T21:56:51Z ERROR CA configuration failed. >>> >>> /var/log/pki/pki-ca-spawn..log >>> >>> 2016-03-23 17:55:12 pkispawn : INFO ....... rm -f >>> /etc/pki/pki-tomcat/ca/noise >>> >>> 2016-03-23 17:55:12 pkispawn : INFO ....... rm -f /etc/pki/pki-tomcat/pfile >>> >>> 2016-03-23 17:55:12 pkispawn : INFO ....... ln -s >>> /lib/systemd/system/pki-tomcatd at .service >>> /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd at pki-tomcat.s >>> e >>> rvice >>> >>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown -h 17:17 >>> /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd at pki-tomcat.s >>> e >>> rvice >>> >>> 2016-03-23 17:55:12 pkispawn : INFO ... configuring >>> 'pki.server.deployment.scriptlets.configuration' >>> >>> 2016-03-23 17:55:12 pkispawn : INFO ....... mkdir -p >>> /root/.dogtag/pki-tomcat/ca >>> >>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 755 >>> /root/.dogtag/pki-tomcat/ca >>> >>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... 
chown 0:0 >>> /root/.dogtag/pki-tomcat/ca >>> >>> 2016-03-23 17:55:12 pkispawn : INFO ....... generating >>> '/root/.dogtag/pki-tomcat/ca/password.conf' >>> >>> 2016-03-23 17:55:12 pkispawn : INFO ....... modifying >>> '/root/.dogtag/pki-tomcat/ca/password.conf' >>> >>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 660 >>> /root/.dogtag/pki-tomcat/ca/password.conf >>> >>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 0:0 >>> /root/.dogtag/pki-tomcat/ca/password.conf >>> >>> 2016-03-23 17:55:12 pkispawn : INFO ....... generating >>> '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf' >>> >>> 2016-03-23 17:55:12 pkispawn : INFO ....... modifying >>> '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf' >>> >>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 660 >>> /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf >>> >>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 17:17 >>> /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf >>> >>> 2016-03-23 17:55:12 pkispawn : INFO ....... executing 'certutil -N -d >>> /tmp/tmp-g0CKZ3 -f /root/.dogtag/pki-tomcat/ca/password.conf' >>> >>> 2016-03-23 17:55:12 pkispawn : INFO ....... executing 'systemctl >>> daemon-reload' >>> >>> 2016-03-23 17:55:12 pkispawn : INFO ....... executing 'systemctl start >>> pki-tomcatd at pki-tomcat.service' >>> >>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... No connection - server >>> may still be down >>> >>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... No connection - exception >>> thrown: ('Connection aborted.', error(111, 'Connection refused')) >>> >>> 2016-03-23 17:55:13 pkispawn : DEBUG ........... No connection - server >>> may still be down >>> >>> 2016-03-23 17:55:13 pkispawn : DEBUG ........... No connection - exception >>> thrown: ('Connection aborted.', error(111, 'Connection refused')) >>> >>> 2016-03-23 17:55:24 pkispawn : DEBUG ........... 
>> encoding="UTF-8" >>> standalone="no"?>0CA >>> r unning10.2.5-6.el7 >>> >>> 2016-03-23 17:55:25 pkispawn : INFO ....... constructing PKI >>> configuration data. >>> >>> 2016-03-23 17:55:25 pkispawn : INFO ....... configuring PKI configuration >>> data. >>> >>> 2016-03-23 17:56:51 pkispawn : ERROR ....... Exception from Java >>> Configuration Servlet: 500 Server Error: Internal Server Error >>> >>> 2016-03-23 17:56:51 pkispawn : ERROR ....... ParseError: not well-formed >>> (invalid token): line 1, column 0: >>> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base. >>> PKIException","Code":500,"Message":"Error >>> while updating security domain: java.io.IOException: 2"} >>> >>> 2016-03-23 17:56:51 pkispawn : DEBUG ....... Error Type: ParseError >>> >>> 2016-03-23 17:56:51 pkispawn : DEBUG ....... Error Message: not >>> well-formed (invalid token): line 1, column 0 >>> >>> 2016-03-23 17:56:51 pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", >>> line 597, in main >>> >>> rv = instance.spawn(deployer) >>> >>> File >>> "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/co >>> n >>> figuration.py", >>> line 116, in spawn >>> >>> json.dumps(data, cls=pki.encoder.CustomTypeEncoder)) >>> >>> File >>> "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py" >>> , >>> line 3906, in configure_pki_data >>> >>> root = ET.fromstring(e.response.text) >>> >>> File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, >>> in XML >>> >>> parser.feed(text) >>> >>> File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, >>> in feed >>> >>> self._raiseerror(v) >>> >>> File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, >>> in _raiseerror >>> >>> raise err >>> >>> /var/log/pki/pki-tomcat/ca/debug >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password >>> ok: store in memory cache >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends >>> >>> 
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before >>> makeConnection errorIfDown is false >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: >>> errorIfDown false >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP >>> connection using basic authentication to host pt-idm-vm01.example.com >>> port 389 as cn=Directory Manager >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with >>> mininum 3 and maximum 15 connections to host pt-idm-vm01.example.com >>> port 389, secure connection, false, authentication type 1 >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum >>> connections by 3 >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available >>> connections 3 >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of >>> connections 3 >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In >>> LdapBoundConnFactory::getConn() >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: >>> true >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is >>> connected true >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now >>> 2 >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS: >>> param=preop.internaldb.manager_ldif >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif >>> file = /usr/share/pki/server/conf/manager.ldif >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif >>> file copy to /var/lib/pki/pki-tomcat/ca/conf/manager.ldif >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): LDAP >>> Errors in importing /var/lib/pki/pki-tomcat/ca/conf/manager.ldif >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: >>> exception in adding entry >>> ou=csusers,cn=config:netscape.ldap.LDAPException: error result (68) >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: >>> exception in modifying 
entry o=ipaca:netscape.ldap.LDAPException: >>> error result (20) >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: populateVLVIndexes(): >>> start >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Creating >>> LdapBoundConnFactor(ConfigurationUtils) >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapBoundConnFactory: >>> init >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: >>> LdapBoundConnFactory:doCloning true >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init() >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init >>> begins >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: >>> prompt is internaldb >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: try >>> getting from memory cache >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: got >>> password from memory >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: >>> password found for prompt. 
>>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password >>> ok: store in memory cache >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before >>> makeConnection errorIfDown is false >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: >>> errorIfDown false >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP >>> connection using basic authentication to host pt-idm-vm01.example.com >>> port 389 as cn=Directory Manager >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with >>> mininum 3 and maximum 15 connections to host pt-idm-vm01.example.com >>> port 389, secure connection, false, authentication type 1 >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum >>> connections by 3 >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available >>> connections 3 >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of >>> connections 3 >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In >>> LdapBoundConnFactory::getConn() >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: >>> true >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is >>> connected true >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now >>> 2 >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS: >>> param=preop.internaldb.post_ldif >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif >>> file = /usr/share/pki/ca/conf/vlv.ldif >>> >>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif >>> file copy to /var/lib/pki/pki-tomcat/ca/conf/vlv.ldif >>> >>> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif >>> file = /usr/share/pki/ca/conf/vlvtasks.ldif >>> >>> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif >>> file copy to 
/var/lib/pki/pki-tomcat/ca/conf/vlvtasks.ldif >>> >>> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: Checking wait_dn >>> cn=index1160589769, cn=index, cn=tasks, cn=config >>> >>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: Found data for 'sslserver' >>> >>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: >>> SystemConfigService:processCerts(): san_server_cert not found for tag >>> sslserver >>> >>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is >>> local >>> >>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is >>> remote (revised) >>> >>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: >>> updateConfig() for certTag sslserver >>> >>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: updateConfig() done >>> >>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: remote CA >>> >>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got >>> public key >>> >>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got >>> private key >>> >>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: For this >>> Cloned CA, always use its Master CA to generate the 'sslserver' >>> certificate to avoid any changes which may have been made to the X500Name directory string encoding order. 
>>> >>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: ConfigurationUtils: >>> injectSAN=false >>> >>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertUtil >>> createRemoteCert: content >>> requestor_name=CA-pt-idm-vm01.example.com-8443&profileId=caInternalAu >>> t >>> hServerCert&cert_request_type=pkcs10&cert_request=MIICmzCCAYxxxxxxxxx >>> x >>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >>> x >>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >>> x >>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >>> x >>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >>> x >>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >>> x >>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxrD6JPIBR7AA%3D&xmlOutput=true& >>> s >>> essionID=-4495713718673639316 >>> >>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil >>> createRemoteCert: status=0 >>> >>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil createRemoteCert: >>> MIIDxTCCAq2gxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >>> x >>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >>> x >>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >>> x >>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >>> x >>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >>> x >>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxTDuSAWm2v7 >>> >>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: ConfigurationUtils: >>> handleCertRequest() begins >>> >>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: >>> tag=sslserver >>> >>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: >>> privKeyID=29c021f3ccfafb1049bd33ce00e9b4ba35f2c1e7 >>> >>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: >>> created cert request >>> >>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processing 'sslserver' certificate: >>> >>> 
[23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): for cert >>> tag 'sslserver' using cert type 'remote' >>> >>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): process >>> remote...import cert >>> >>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: >>> nickname=Server-Cert cert-pki-ca >>> >>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: cert >>> deleted successfully >>> >>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): >>> certchains length=2 >>> >>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): import >>> certificate successfully, certTag=sslserver >>> >>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processed 'sslserver' certificate. >>> >>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === BackupKeyCert >>> Panel/SavePKCS12 Panel === >>> >>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: backupKeys(): start >>> >>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Admin Panel === >>> >>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Done Panel === >>> >>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Updating existing >>> security domain >>> >>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: isSDHostDomainMaster(): >>> Getting domain.xml from CA... >>> >>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: getDomainXML start >>> >>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: status=0 >>> >>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: >>> domainInfo=>> standalone="no"?>IPAptipa1. 
>>> example.com443443>> e >>> cureAgentPort>443>> cureAgentPort>t >>> hPort>44380>> hPort>n >>> e>FALSEpki-cadT >>> e>R >>> UE1>> S >>> PList>0>> PList>m >>> Count>00>> Count>m >>> Count>0< >>> Count>T >>> PSList>0 >>> >>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Cloning a domain master >>> >>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase >>> updateDomainXML start hostname=ptipa1.example.com port=443 >>> >>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: >>> failed to update security domain using admin port 443: >>> org.xml.sax.SAXParseException; >>> lineNumber: 1; columnNumber: 50; White spaces are required between >>> publicId and systemId. >>> >>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: >>> now trying agent port with client auth >>> >>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase >>> updateDomainXML start hostname=ptipa1.example.com port=443 >>> >>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateDomainXML() >>> nickname=subsystemCert cert-pki-ca >>> >>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML: >>> status=1 >>> >>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Error while updating >>> security >>> domain: java.io.IOException: 2 >>> >>> [23/Mar/2016:23:44:52][http-bio-8080-exec-1]: according to ccMode, >>> authorization for servlet: caProfileList is LDAP based, not XML {1}, use default authz mgr: {2}. >>> >>> /var/log/pki/pki-tomcat/ca/system >>> >>> 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [3] [3] Cannot >>> build CA chain. 
Error java.security.cert.CertificateException:
>>> Certificate is not a PKCS
>>> #11 certificate
>>>
>>> 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [13] [3] authz
>>> instance DirAclAuthz initialization failed and skipped,
>>> error=Property internaldb.ldapconn.port missing value
>>>
>>> *Dennis M Ott*
>>> Infrastructure Administrator
>>> Infrastructure and Security Operations
>>>
>>> *McKesson Corporation
>>> McKesson Pharmacy Systems and Automation* www.mckesson.com
>>>
>>>>
>> --
>> Petr Vobornik
>>
> --
> Petr Vobornik
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> http://cp.mcafee.com/d/5fHCMUe6gUSyMVuXzX0VMSrhhjhupjvvhdEEFELcFKcECPpISHoHZalxOVIsWqehMGDpMQsyGeWOPtfhktZy0GM-xEGYCXslsttJtVNxeSICPpISr9PCJhbcat7Q2uPVv1dnoovaAVgtHzIv-iSBSWv6xIQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoalIl-BaMVsQv6QmhPPzNI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
> Go to http://cp.mcafee.com/d/FZsSd3gArhosLtNZwsUrdEEFELcFLLECQkkQnCkT6kjpISrlIl-BaMVsSetd78UljIUqehl7tppKDEGe-N0lovgQlujtKaKeKSKYUMDrmjpISrdw0To_YBJU03xIQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoalIl-BaMVsQv6QmhPPzNI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh for more info on the project
>
--
Petr Vobornik

From mail at kilian-ries.de Fri Apr 15 14:47:34 2016
From: mail at kilian-ries.de (Kilian Ries)
Date: Fri, 15 Apr 2016 14:47:34 +0000
Subject: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted
In-Reply-To: <5710C2E4.5050507@redhat.com>
References: , <570E554F.7050109@redhat.com> , <570FAD56.5000604@redhat.com> , <5710C2E4.5050507@redhat.com>
Message-ID: <5944cfadc22244a3b31b545840a9f4d3@kilian-ries.de>

I'm not quite familiar with the db2index.pl script ... what am I doing wrong?
db2index.pl -n userRoot -D cn=admin -w
ldap_bind: No such object (32)
Failed to search the server for indexes, error (32)

db2index.pl -n userRoot -D cn=admin -w -v -t entryrdn
ldap_bind: No such object (32)
Failed to add task entry "cn=db2index_2016_4_15_16_44_19, cn=index, cn=tasks, cn=config" error (32)

________________________________________
From: Ludwig Krispenz
Sent: Friday, 15 April 2016 12:31
To: Kilian Ries
Cc: freeipa-users at redhat.com
Subject: Re: AW: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted

On 04/15/2016 10:14 AM, Kilian Ries wrote:
> Hi,
>
> on auth01 I see the following error just before installation fails:
>
>
> [14/Apr/2016:15:57:09 +0200] - database index operation failed BAD 1031, err=9999 Unknown error 9999
> [14/Apr/2016:15:57:09 +0200] - add: attempt to index 625 failed; rc=9999
> [14/Apr/2016:15:57:09 +0200] - str2entry_fast: entry has no dn
> [14/Apr/2016:15:57:09 +0200] id2entry - str2entry returned NULL for id 252, string=""
> [14/Apr/2016:15:57:09 +0200] - dn2entry_ext: the dn "krbprincipalname=ldap/auth02.intern.eu at INTERN.EU,cn=services,cn=accounts,dc=intern,dc=eu" was in the entryrdn index, but it did not exist in id2entry of instance userRoot.
> [14/Apr/2016:15:57:09 +0200] entryrdn-index - _entryrdn_insert_key: Same DN (dn: krbprincipalname=ldap/auth02.intern.eu at INTERN.EU,cn=services,cn=accounts,dc=intern,dc=eu) is already in the entryrdn file with different ID 252. Expected ID is 625.
> [14/Apr/2016:15:57:09 +0200] - database index operation failed BAD 1031, err=9999 Unknown error 9999
> [14/Apr/2016:15:57:09 +0200] - add: attempt to index 625 failed; rc=9999
> [14/Apr/2016:15:57:19 +0200] - str2entry_fast: entry has no dn
> [14/Apr/2016:15:57:19 +0200] id2entry - str2entry returned NULL for id 252, string=""
> [14/Apr/2016:15:57:21 +0200] - str2entry_fast: entry has no dn
this looks like a database/index corruption.
There are traces for the ldap principal for auth02 in the database, but the index and the database are inconsistent.
you can try to reindex the database and see if this helps:

db2index.pl -D ... -w .. -Z -t entryrdn   #only this index
or
db2index.pl -D ... -w .. -Z   # full reindex
>
>
> [14/Apr/2016:16:02:01 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://auth02.intern.eu:389/o%3Dipaca) failed.
>
>
> Greets
> Kilian
>
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com on behalf of Ludwig Krispenz
> Sent: Thursday, 14 April 2016 16:46
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted
>
> On 04/14/2016 04:19 PM, Kilian Ries wrote:
>> Hello Rob,
>>
>> thanks for your explanations. I followed your hints and did a complete uninstall and started over with a fresh installation. I ended up with exactly the same error as the first time...
>>
>> I did the following steps:
>>
>>
>> auth01$ ipa-replica-manage del auth02
>>
>> auth02$ ipa-server-install --uninstall
>>
>> auth01$ ipa-replica-prepare --ip-address 192.168.210.181 auth02.intern.eu
>>
>> auth02$ ipa-replica-install --setup-dns --setup-ca --forwarder 192.168.210.40 /root/replica-info-auth02.intern.eu.gpg
>>
>>
>> Are there other logfiles I can check for more specific errors?
> you should have a look at the DS error logs in /var/log/dirsrv on both
> instances
>> Greets
>> Kilian
>>
>> ________________________________________
>> From: Rob Crittenden
>> Sent: Wednesday, 13 April 2016 16:18
>> To: Kilian Ries; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted
>>
>> Kilian Ries wrote:
>>> Does nobody have an idea what's the problem here?
>> TL;DR you are best off deleting this failed replica install and trying
>> again.
>>
>> Initial replication is done over TLS. When replication is completed both
>> sides of the agreement are converted to using GSSAPI and both ldap
>> principals are needed to do this. Given that replication just completed
>> both principals should be available but rarely one is not (hence the
>> vague-ish error message).
>>
>> In this case the new ldap principal for the new replica wasn't found on
>> the remote master so things blew up.
>>
>> There is no continuing the installation after this type of failure so
>> you'll need to remove the failed install as a master on auth01
>> (ipa-replica-manage del auth02...) and then run ipa-server-install
>> --uninstall on auth02 and try again.
>>
>> rob
>>
>>> Thanks
>>>
>>> Kilian
>>>
>>>
>>>
>>> ------------------------------------------------------------------------
>>> *From:* freeipa-users-bounces at redhat.com
>>> on behalf of Kilian Ries
>>>
>>> *Sent:* Wednesday, 6 April 2016 10:41
>>> *To:* freeipa-users at redhat.com
>>> *Subject:* [Freeipa-users] Error setting up Replication: ldap service
>>> principals is missing. Replication agreement cannot be converted
>>>
>>> Hello,
>>>
>>>
>>> I have an existing FreeIPA installation (4.2.0) on CentOS 7.2 and I'm
>>> trying to add a replication partner.
>>>
>>>
>>> During the installation I got the following error:
>>>
>>>
>>> ###
>>>
>>> Restarting the directory and certificate servers
>>>
>>> Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
>>>
>>> [1/8]: adding sasl mappings to the directory
>>>
>>> [2/8]: configuring KDC
>>>
>>> [3/8]: creating a keytab for the directory
>>>
>>> [4/8]: creating a keytab for the machine
>>>
>>> [5/8]: adding the password extension to the directory
>>>
>>> [6/8]: enable GSSAPI for replication
>>>
>>> [error] RuntimeError: One of the ldap service principals is missing.
>>> Replication agreement cannot be converted.
>>>
>>> Your system may be partly configured.
>>> >>> Run /usr/sbin/ipa-server-install --uninstall to clean up. >>> >>> >>> ipa.ipapython.install.cli.install_tool(Replica): ERROR One of the >>> ldap service principals is missing. Replication agreement cannot be >>> converted. >>> >>> ### >>> >>> >>> >>> The installation Log shows the following: >>> >>> >>> >>> ### >>> >>> 2016-04-06T08:22:34Z INFO Getting ldap service principals for >>> conversion: (krbprincipalname=ldap/auth02.intern.eu at INTERN.EU) and >>> (krbprincipalname=ldap/auth01.intern.eu at INTERN.EU) >>> >>> 2016-04-06T08:22:34Z DEBUG Unable to find entry for >>> (krbprincipalname=ldap/auth02.intern.eu at INTERN.EU) on auth01.intern.eu:636 >>> >>> 2016-04-06T08:22:34Z INFO Setting agreement >>> cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping >>> tree,cn=config schedule to 2358-2359 0 to force synch >>> >>> 2016-04-06T08:22:35Z INFO Deleting schedule 2358-2359 0 from agreement >>> cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping >>> tree,cn=config >>> >>> 2016-04-06T08:22:36Z INFO Replication Update in progress: FALSE: status: >>> 0 Replica acquired successfully: Incremental update succeeded: start: 0: >>> end: 0 >>> >>> 2016-04-06T08:22:36Z DEBUG Traceback (most recent call last): >>> >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>> line 418, in start_creation >>> >>> run_step(full_msg, method) >>> >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>> line 408, in run_step >>> >>> method() >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", >>> line 438, in __convert_to_gssapi_replication >>> >>> r_bindpw=self.dm_password) >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >>> line 1104, in convert_to_gssapi_replication >>> >>> self.gssapi_update_agreements(self.conn, r_conn) >>> >>> File >>> 
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >>> line 797, in gssapi_update_agreements >>> >>> self.setup_krb_princs_as_replica_binddns(a, b) >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >>> line 767, in setup_krb_princs_as_replica_binddns >>> >>> (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100) >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >>> line 751, in get_replica_principal_dns >>> >>> raise RuntimeError(error) >>> >>> RuntimeError: One of the ldap service principals is missing. Replication >>> agreement cannot be converted. >>> >>> >>> 2016-04-06T08:22:36Z DEBUG [error] RuntimeError: One of the ldap >>> service principals is missing. Replication agreement cannot be converted. >>> >>> 2016-04-06T08:22:36Z DEBUG File >>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in >>> execute >>> >>> return_value = self.run() >>> >>> File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", >>> line 311, in run >>> >>> cfgr.run() >>> >>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 281, in run >>> >>> self.execute() >>> >>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 303, in execute >>> >>> for nothing in self._executor(): >>> >>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 343, in __runner >>> >>> self._handle_exception(exc_info) >>> >>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 365, in _handle_exception >>> >>> util.raise_exc_info(exc_info) >>> >>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 333, in __runner >>> >>> step() >>> >>> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >>> line 87, in run_generator_with_yield_from >>> >>> raise_exc_info(exc_info) >>> >>> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >>> line 65, in 
run_generator_with_yield_from >>> >>> value = gen.send(prev_value) >>> >>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 524, in _configure >>> >>> executor.next() >>> >>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 343, in __runner >>> >>> self._handle_exception(exc_info) >>> >>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 421, in _handle_exception >>> >>> self.__parent._handle_exception(exc_info) >>> >>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 365, in _handle_exception >>> >>> util.raise_exc_info(exc_info) >>> >>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 418, in _handle_exception >>> >>> super(ComponentBase, self)._handle_exception(exc_info) >>> >>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 365, in _handle_exception >>> >>> util.raise_exc_info(exc_info) >>> >>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>> line 333, in __runner >>> >>> step() >>> >>> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >>> line 87, in run_generator_with_yield_from >>> >>> raise_exc_info(exc_info) >>> >>> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >>> line 65, in run_generator_with_yield_from >>> >>> value = gen.send(prev_value) >>> >>> File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", >>> line 63, in _install >>> >>> for nothing in self._installer(self.parent): >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", >>> line 879, in main >>> >>> install(self) >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", >>> line 295, in decorated >>> >>> func(installer) >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", >>> line 586, in install >>> >>> krb = install_krb(config, 
setup_pkinit=not options.no_pkinit) >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", >>> line 93, in install_krb >>> >>> setup_pkinit, pkcs12_info) >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", >>> line 214, in create_replica >>> >>> self.start_creation(runtime=30) >>> >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>> line 418, in start_creation >>> >>> run_step(full_msg, method) >>> >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>> line 408, in run_step >>> >>> method() >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", >>> line 438, in __convert_to_gssapi_replication >>> >>> r_bindpw=self.dm_password) >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >>> line 1104, in convert_to_gssapi_replication >>> >>> self.gssapi_update_agreements(self.conn, r_conn) >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >>> line 797, in gssapi_update_agreements >>> >>> self.setup_krb_princs_as_replica_binddns(a, b) >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >>> line 767, in setup_krb_princs_as_replica_binddns >>> >>> (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100) >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >>> line 751, in get_replica_principal_dns >>> >>> raise RuntimeError(error) >>> >>> >>> 2016-04-06T08:22:36Z DEBUG The ipa-replica-install command failed, >>> exception: RuntimeError: One of the ldap service principals is missing. >>> Replication agreement cannot be converted. >>> >>> 2016-04-06T08:22:36Z ERROR One of the ldap service principals is >>> missing. Replication agreement cannot be converted. >>> >>> ### >>> >>> >>> >>> Can anybody help me? 
>>> >>> >>> Thanks >>> >>> Greets >>> >>> Kilian >>> >>> >>> > -- > Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, > Commercial register: Amtsgericht Muenchen, HRB 153243, > Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project From rcritten at redhat.com Fri Apr 15 14:50:57 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 15 Apr 2016 10:50:57 -0400 Subject: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted In-Reply-To: <5944cfadc22244a3b31b545840a9f4d3@kilian-ries.de> References: <570E554F.7050109@redhat.com> <570FAD56.5000604@redhat.com> <5710C2E4.5050507@redhat.com> <5944cfadc22244a3b31b545840a9f4d3@kilian-ries.de> Message-ID: <5710FFD1.3000604@redhat.com> Kilian Ries wrote: > I'm not quite familiar with the db2index.pl script ... what am I doing wrong? > > db2index.pl -n userRoot -D cn=admin -w > ldap_bind: No such object (32) > Failed to search the server for indexes, error (32) > > > db2index.pl -n userRoot -D cn=admin -w -v -t entryrdn > ldap_bind: No such object (32) > Failed to add task entry "cn=db2index_2016_4_15_16_44_19, cn=index, cn=tasks, cn=config" error (32) Use 'cn=Directory Manager' instead of cn=admin rob > > ________________________________________ > From: Ludwig Krispenz > Sent: Friday, 15 April 2016 12:31 > To: Kilian Ries > Cc: freeipa-users at redhat.com > Subject: Re: AW: [Freeipa-users] Error setting up Replication: ldap service principals is missing. 
Replication agreement cannot be converted > > On 04/15/2016 10:14 AM, Kilian Ries wrote: >> Hi, >> >> on auth01 I see the following error just before installation fails: >> >> >> [14/Apr/2016:15:57:09 +0200] - database index operation failed BAD 1031, err=9999 Unknown error 9999 >> [14/Apr/2016:15:57:09 +0200] - add: attempt to index 625 failed; rc=9999 >> [14/Apr/2016:15:57:09 +0200] - str2entry_fast: entry has no dn >> [14/Apr/2016:15:57:09 +0200] id2entry - str2entry returned NULL for id 252, string="" >> [14/Apr/2016:15:57:09 +0200] - dn2entry_ext: the dn "krbprincipalname=ldap/auth02.intern.eu at INTERN.EU,cn=services,cn=accounts,dc=intern,dc=eu" was in the entryrdn index, but it did not exist in id2entry of instance userRoot. >> [14/Apr/2016:15:57:09 +0200] entryrdn-index - _entryrdn_insert_key: Same DN (dn: krbprincipalname=ldap/auth02.intern.eu at INTERN.EU,cn=services,cn=accounts,dc=intern,dc=eu) is already in the entryrdn file with different ID 252. Expected ID is 625. >> [14/Apr/2016:15:57:09 +0200] - database index operation failed BAD 1031, err=9999 Unknown error 9999 >> [14/Apr/2016:15:57:09 +0200] - add: attempt to index 625 failed; rc=9999 >> [14/Apr/2016:15:57:19 +0200] - str2entry_fast: entry has no dn >> [14/Apr/2016:15:57:19 +0200] id2entry - str2entry returned NULL for id 252, string="" >> [14/Apr/2016:15:57:21 +0200] - str2entry_fast: entry has no dn > this looks like a database/index corruption. There are traces for the > ldap principal for auth02 in the database, but the index and the database > are inconsistent. You can try to reindex the database and see if this helps: > db2index.pl -D ... -w .. -Z -t entryrdn #only this index > or > db2index.pl -D ... -w .. -Z # full reindex >> >> >> [14/Apr/2016:16:02:01 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://auth02.intern.eu:389/o%3Dipaca) failed. 
>> >> >> Greets >> Kilian >> >> >> ________________________________________ >> From: freeipa-users-bounces at redhat.com on behalf of Ludwig Krispenz >> Sent: Thursday, 14 April 2016 16:46 >> To: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted >> >> On 04/14/2016 04:19 PM, Kilian Ries wrote: >>> Hello Rob, >>> >>> thanks for your explanations. I followed your hints and did a complete uninstall and started over with a fresh installation. I ended up with exactly the same error as the first time... >>> >>> I did the following steps: >>> >>> >>> auth01$ ipa-replica-manage del auth02 >>> >>> auth02$ ipa-server-install --uninstall >>> >>> auth01$ ipa-replica-prepare --ip-address 192.168.210.181 auth02.intern.eu >>> >>> auth02$ ipa-replica-install --setup-dns --setup-ca --forwarder 192.168.210.40 /root/replica-info-auth02.intern.eu.gpg >>> >>> >>> Are there other log files I can check for more specific errors? >> you should have a look at the DS error logs in /var/log/dirsrv on both >> instances >>> Greets >>> Kilian >>> >>> ________________________________________ >>> From: Rob Crittenden >>> Sent: Wednesday, 13 April 2016 16:18 >>> To: Kilian Ries; freeipa-users at redhat.com >>> Subject: Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted >>> >>> Kilian Ries wrote: >>>> Does nobody have an idea what's the problem here? >>> TL;DR you are best off deleting this failed replica install and trying >>> again. >>> >>> Initial replication is done over TLS. When replication is completed both >>> sides of the agreement are converted to using GSSAPI and both ldap >>> principals are needed to do this. Given that replication just completed >>> both principals should be available but rarely one is not (hence the >>> vague-ish error message). 
>>> >>> In this case the new ldap principal for the new replica wasn't found on >>> the remote master so things blew up. >>> >>> There is no continuing the installation after this type of failure so >>> you'll need to remove the failed install as a master on auth01 >>> (ipa-replica-manage del auth02...) and then run ipa-server-install >>> --uninstall on auth02 and try again. >>> >>> rob >>> >>>> Thanks >>>> >>>> Kilian >>>> >>>> >>>> >>>> ------------------------------------------------------------------------ >>>> *From:* freeipa-users-bounces at redhat.com >>>> on behalf of Kilian Ries >>>> >>>> *Sent:* Wednesday, 6 April 2016 10:41 >>>> *To:* freeipa-users at redhat.com >>>> *Subject:* [Freeipa-users] Error setting up Replication: ldap service >>>> principals is missing. Replication agreement cannot be converted >>>> >>>> Hello, >>>> >>>> >>>> I have an existing FreeIPA installation (4.2.0) on CentOS 7.2 and I'm >>>> trying to add a replication partner. >>>> >>>> >>>> During the installation I got the following error: >>>> >>>> >>>> ### >>>> >>>> Restarting the directory and certificate servers >>>> >>>> Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds >>>> >>>> [1/8]: adding sasl mappings to the directory >>>> >>>> [2/8]: configuring KDC >>>> >>>> [3/8]: creating a keytab for the directory >>>> >>>> [4/8]: creating a keytab for the machine >>>> >>>> [5/8]: adding the password extension to the directory >>>> >>>> [6/8]: enable GSSAPI for replication >>>> >>>> [error] RuntimeError: One of the ldap service principals is missing. >>>> Replication agreement cannot be converted. >>>> >>>> Your system may be partly configured. >>>> >>>> Run /usr/sbin/ipa-server-install --uninstall to clean up. >>>> >>>> >>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR One of the >>>> ldap service principals is missing. Replication agreement cannot be >>>> converted. 
>>>> >>>> ### >>>> >>>> >>>> >>>> The installation Log shows the following: >>>> >>>> >>>> >>>> ### >>>> >>>> 2016-04-06T08:22:34Z INFO Getting ldap service principals for >>>> conversion: (krbprincipalname=ldap/auth02.intern.eu at INTERN.EU) and >>>> (krbprincipalname=ldap/auth01.intern.eu at INTERN.EU) >>>> >>>> 2016-04-06T08:22:34Z DEBUG Unable to find entry for >>>> (krbprincipalname=ldap/auth02.intern.eu at INTERN.EU) on auth01.intern.eu:636 >>>> >>>> 2016-04-06T08:22:34Z INFO Setting agreement >>>> cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping >>>> tree,cn=config schedule to 2358-2359 0 to force synch >>>> >>>> 2016-04-06T08:22:35Z INFO Deleting schedule 2358-2359 0 from agreement >>>> cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping >>>> tree,cn=config >>>> >>>> 2016-04-06T08:22:36Z INFO Replication Update in progress: FALSE: status: >>>> 0 Replica acquired successfully: Incremental update succeeded: start: 0: >>>> end: 0 >>>> >>>> 2016-04-06T08:22:36Z DEBUG Traceback (most recent call last): >>>> >>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>> line 418, in start_creation >>>> >>>> run_step(full_msg, method) >>>> >>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>> line 408, in run_step >>>> >>>> method() >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", >>>> line 438, in __convert_to_gssapi_replication >>>> >>>> r_bindpw=self.dm_password) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >>>> line 1104, in convert_to_gssapi_replication >>>> >>>> self.gssapi_update_agreements(self.conn, r_conn) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >>>> line 797, in gssapi_update_agreements >>>> >>>> self.setup_krb_princs_as_replica_binddns(a, b) >>>> >>>> File >>>> 
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >>>> line 767, in setup_krb_princs_as_replica_binddns >>>> >>>> (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >>>> line 751, in get_replica_principal_dns >>>> >>>> raise RuntimeError(error) >>>> >>>> RuntimeError: One of the ldap service principals is missing. Replication >>>> agreement cannot be converted. >>>> >>>> >>>> 2016-04-06T08:22:36Z DEBUG [error] RuntimeError: One of the ldap >>>> service principals is missing. Replication agreement cannot be converted. >>>> >>>> 2016-04-06T08:22:36Z DEBUG File >>>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in >>>> execute >>>> >>>> return_value = self.run() >>>> >>>> File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", >>>> line 311, in run >>>> >>>> cfgr.run() >>>> >>>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 281, in run >>>> >>>> self.execute() >>>> >>>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 303, in execute >>>> >>>> for nothing in self._executor(): >>>> >>>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 343, in __runner >>>> >>>> self._handle_exception(exc_info) >>>> >>>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 365, in _handle_exception >>>> >>>> util.raise_exc_info(exc_info) >>>> >>>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 333, in __runner >>>> >>>> step() >>>> >>>> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >>>> line 87, in run_generator_with_yield_from >>>> >>>> raise_exc_info(exc_info) >>>> >>>> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >>>> line 65, in run_generator_with_yield_from >>>> >>>> value = gen.send(prev_value) >>>> >>>> File 
"/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 524, in _configure >>>> >>>> executor.next() >>>> >>>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 343, in __runner >>>> >>>> self._handle_exception(exc_info) >>>> >>>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 421, in _handle_exception >>>> >>>> self.__parent._handle_exception(exc_info) >>>> >>>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 365, in _handle_exception >>>> >>>> util.raise_exc_info(exc_info) >>>> >>>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 418, in _handle_exception >>>> >>>> super(ComponentBase, self)._handle_exception(exc_info) >>>> >>>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 365, in _handle_exception >>>> >>>> util.raise_exc_info(exc_info) >>>> >>>> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 333, in __runner >>>> >>>> step() >>>> >>>> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >>>> line 87, in run_generator_with_yield_from >>>> >>>> raise_exc_info(exc_info) >>>> >>>> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >>>> line 65, in run_generator_with_yield_from >>>> >>>> value = gen.send(prev_value) >>>> >>>> File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", >>>> line 63, in _install >>>> >>>> for nothing in self._installer(self.parent): >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", >>>> line 879, in main >>>> >>>> install(self) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", >>>> line 295, in decorated >>>> >>>> func(installer) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", >>>> line 586, in install >>>> >>>> krb = install_krb(config, setup_pkinit=not 
options.no_pkinit) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", >>>> line 93, in install_krb >>>> >>>> setup_pkinit, pkcs12_info) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", >>>> line 214, in create_replica >>>> >>>> self.start_creation(runtime=30) >>>> >>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>> line 418, in start_creation >>>> >>>> run_step(full_msg, method) >>>> >>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>> line 408, in run_step >>>> >>>> method() >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", >>>> line 438, in __convert_to_gssapi_replication >>>> >>>> r_bindpw=self.dm_password) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >>>> line 1104, in convert_to_gssapi_replication >>>> >>>> self.gssapi_update_agreements(self.conn, r_conn) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >>>> line 797, in gssapi_update_agreements >>>> >>>> self.setup_krb_princs_as_replica_binddns(a, b) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >>>> line 767, in setup_krb_princs_as_replica_binddns >>>> >>>> (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >>>> line 751, in get_replica_principal_dns >>>> >>>> raise RuntimeError(error) >>>> >>>> >>>> 2016-04-06T08:22:36Z DEBUG The ipa-replica-install command failed, >>>> exception: RuntimeError: One of the ldap service principals is missing. >>>> Replication agreement cannot be converted. >>>> >>>> 2016-04-06T08:22:36Z ERROR One of the ldap service principals is >>>> missing. Replication agreement cannot be converted. >>>> >>>> ### >>>> >>>> >>>> >>>> Can anybody help me? 
>>>> >>>> >>>> Thanks >>>> >>>> Greets >>>> >>>> Kilian >>>> >>>> >>>> >>>> From Dennis.Ott at mckesson.com Fri Apr 15 15:13:25 2016 From: Dennis.Ott at mckesson.com (Ott, Dennis) Date: Fri, 15 Apr 2016 15:13:25 +0000 Subject: [Freeipa-users] 7.x replica install from 6.x master fails In-Reply-To: <5710F563.1050507@redhat.com> References: <56FA5C2F.3070200@redhat.com> <570674EC.1060204@redhat.com> <5710F563.1050507@redhat.com> Message-ID: My master began life as OS 6.2 / IPA 2.1.3 / pki-9.0.3 and does not have a cert database at: /etc/pki/pki-tomcat/alias At: /var/lib/pki-ca/alias subsystemCert cert-pki-ca has a serial number of 18 (0x12) At: uid=CA-$HOST-8443,ou=people,o=ipaca the certificate has a serial number of 4. What is the best way to fix this? If it matters, the master installation is old enough to have had its certs auto-renewed. Dennis -----Original Message----- From: Petr Vobornik [mailto:pvoborni at redhat.com] Sent: Friday, April 15, 2016 10:06 AM To: Ott, Dennis; Freeipa-users at redhat.com Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails On 04/15/2016 03:51 PM, Ott, Dennis wrote: > Looks like we're out of ideas. > > I'll proceed with Plan B. 
> A possibility is also to check if Serial number of certutil -d /etc/pki/pki-tomcat/alias -L -n 'subsystemCert cert-pki-ca' matches serial number of the cert below (4) and if uid=CA-$HOST-8443,ou=people,o=ipaca has actually the same cert in userCertificate attribute Or maybe to do the same with other PKI users in ou=people,o=ipaca > -----Original Message----- > From: Ott, Dennis > Sent: Monday, April 11, 2016 12:27 PM > To: Ott, Dennis; Petr Vobornik; Freeipa-users at redhat.com > Subject: RE: [Freeipa-users] 7.x replica install from 6.x master fails > > As a test, I attempted to do a replica install on a Fedora 23 machine. It fails with the same error. > > Dennis > > > > -----Original Message----- > From: freeipa-users-bounces at redhat.com > [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ott, Dennis > Sent: Thursday, April 07, 2016 5:39 PM > To: Petr Vobornik; Freeipa-users at redhat.com > Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails > > It doesn't look like that is my problem. 
The output of pki-server ca-group-member-find "Subsystem Group" gives: > > > User ID: CA-ptipa1.example.com-9443 > Common Name: CA-ptipa1.example.com-9443 > Surname: CA-ptipa1.example.com-9443 > Type: agentType > Description: 2;4;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM > E-mail: > > All the certs seem valid: > > # getcert list | grep expires > expires: 2017-07-18 00:55:14 UTC > expires: 2017-07-18 00:54:14 UTC > expires: 2017-07-18 00:54:14 UTC > expires: 2017-07-18 00:54:14 UTC > expires: 2017-07-18 00:54:14 UTC > expires: 2017-08-09 00:54:19 UTC > expires: 2017-08-09 00:54:19 UTC > expires: 2017-08-09 00:54:21 UTC # > > I was wondering if I might be hitting this: > > http://cp.mcafee.com/d/1jWVIi6x8SyMVuXzX0VMSrhhjhupjvvhdEEFELcFKcECPpI > SHoHZalxOVIsWqehMGDpMQsyGeWOPtfhktZy0GM-xEGYCXslsttJtVNxeSICPpISr9PCJh > bctZ2It9RFfQe00UX7_AJKjBoHYYvhjd79IQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoalI > l-BaMVsQv6QmhPPzNI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh > 0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh > http://cp.mcafee.com/d/5fHCNEg3zqb3BXKfI3D3pJ55d5VBdZZ4SyyCyYOCUOyrdCP > qJyLQFm7bCNPFEV72GtD3hOaEXHbdQZ5hTS82H3W6yHOrJNlNRSRTD64XqOrdCPpIDeqR4 > INTQaNQDmA_gU03yNmmjBoHYYhod7bVIQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoalIl-B > aMVsQv6QmhPPzNI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VM > uq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh > > It says it is fixed in pki 10.2.6. 10.2.6 has been released for Fedora (many months ago), but is not yet available for enterprise. > > Dennis > > > > > -----Original Message----- > From: Petr Vobornik [mailto:pvoborni at redhat.com] > Sent: Thursday, April 07, 2016 10:56 AM > To: Ott, Dennis; Freeipa-users at redhat.com > Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails > > Sorry for the late response. 
> > It looks like a bug > http://cp.mcafee.com/d/1jWVIe4xAe3zqb3BXInd7b1EVdCQkkQnCkTTQjqaaqbParz > a9ISrdGSa_iBosKr7eLqaEF-waI47nQ7LQl8m7f2H3ab0Ggvhv5mtKqek4Q4hPEVwSrdCP > pesRG9px1IyaiffTE-wjSvbVgDkMaA6Of08iAwsyCqekhP0US5LD4Qg1CF2IoiaCy0Qub6 > qAaNx85hZ0DI-nd7NJ5CZNPxI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDC > y1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh > But it should be fixed in pki-core-9.0.3-45.el6_7 so I'm not sure. > > Anyway, > java.io.IOException: 2 actually means authentication failure. > > The authentication problem might be caused by a missing subsystem user > (bug #1225589) and there's already a tool to restore it. However, > before running the script, please run this command on the master to > verify the > problem: > > $ pki-server ca-group-member-find "Subsystem Group" > > Ideally it should return a user ID "CA--9443" and the description attribute should contain the subsystem certificate in this format ";;;". > > If that's not the case, please run this tool to restore the subsystem user: > > $ python /usr/share/pki/scripts/restore-subsystem-user.py > > Then run this command again to verify the fix: > > $ pki-server ca-group-member-find "Subsystem Group" > > If everything works well, please try installing the replica again. > > Also verify that all certificates in `getcert list` output are not expired. > > > On 03/31/2016 09:07 PM, Ott, Dennis wrote: >> Petr, >> >> Original 6.x master installed at: >> >> ipa-server-2.1.3-9 >> >> pki-ca-9.0.3-20 >> >> >> At the time the migration was attempted, the 6.x master had been updated to: >> >> ipa-server-3.0.0-47 >> >> pki-ca-9.0.3-45 >> >> >> The 7.x replica install has been attempted using a variety of versions. The log excerpts at the beginning of this email were from an installation attempt using: >> >> ipa-server-4.2.0-15.0.1 >> >> pki-ca-10.2.5-6 >> >> >> It's a standard CA installation. 
This line is from /var/log/ipaserverinstall.log showing selfsign as False: >> >> 2013-09-04T18:41:20Z DEBUG /usr/sbin/ipa-server-install was invoked >> with options: {'zone_refresh': 0, 'reverse_zone': None, 'realm_name': >> None, 'create_sshfp': True, 'conf_sshd': False, 'conf_ntp': False, >> 'subject': None, 'no_forwarders': False, 'persistent_search': True, >> 'ui_redirect': True, 'domain_name': None, 'idmax': 0, 'hbac_allow': >> True, 'no_reverse': False, 'dirsrv_pkcs12': None, 'unattended': >> False, >> 'selfsign': False, 'trust_sshfp': False, 'external_ca_file': None, >> 'no_host_dns': False, 'http_pkcs12': None, 'zone_notif': False, >> 'forwarders': None, 'idstart': 900000000, 'external_ca': False, >> 'ip_address': None, 'conf_ssh': False, 'serial_autoincrement': True, >> 'zonemgr': None, 'setup_dns': False, 'host_name': None, 'debug': >> False, 'external_cert_file': None, 'uninstall': False} >> 2013-09-04T18:41:20Z DEBUG missing options might be asked for >> interactively later >> >> >> -----Original Message----- >> From: Petr Vobornik [mailto:pvoborni at redhat.com] >> Sent: Tuesday, March 29, 2016 6:43 AM >> To: Ott, Dennis; Freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master >> fails >> >> On 03/24/2016 04:29 PM, Ott, Dennis wrote: >>> I am trying to migrate from OS 6.x / IPA 3.0 to OS 7.x / IPA 4.x. >>> After working through and solving a few issues, my current efforts >>> fail when setting up the replica CA. >>> >>> If I set up a new, pristine master on OS 6.7, I am able to create an >>> OS 7.x replica without any problem. However, if I try to create a >>> replica from my two year old test lab instance (production will be >>> another matter for the future) it fails. The test lab master was >>> created a couple of years ago on OS 6.3 / IPA 2.x and has been >>> upgraded to the latest versions in the 6.x chain. 
It is old enough >>> to have had all the certificates renewed, but I believe I have worked through all the issues related to that. >>> >>> Below is what I believe are the useful portions of the pertinent logs. >>> I've not been able to find anything online that speaks to the errors >>> I am seeing >>> >>> Thanks for your help. >> >> Hello Dennis, >> >> what are the exact versions of pki-ca and ipa-server on the 6.x master and 7.x replica? >> >> What kind of CA installation does the old 6.x master install have? Is it a standard installation with CA or does it also use an external CA? >> >> I assume it is not self-sign (very old unsupported type, which could be converted in 7.x as CA-less). >> >>> >>> /var/log/ipareplica-install.log >>> >>> 2016-03-23T21:55:11Z DEBUG Configuring certificate server (pki-tomcatd). >>> Estimated time: 3 minutes 30 seconds >>> >>> 2016-03-23T21:55:11Z DEBUG [1/23]: creating certificate server user >>> >>> 2016-03-23T21:55:11Z DEBUG group pkiuser exists >>> >>> 2016-03-23T21:55:11Z DEBUG user pkiuser exists >>> >>> 2016-03-23T21:55:11Z DEBUG duration: 0 seconds >>> >>> 2016-03-23T21:55:11Z DEBUG [2/23]: configuring certificate server instance >>> >>> 2016-03-23T21:55:11Z DEBUG Loading StateFile from >>> '/var/lib/ipa/sysrestore/sysrestore.state' >>> >>> 2016-03-23T21:55:11Z DEBUG Saving StateFile to >>> '/var/lib/ipa/sysrestore/sysrestore.state' >>> >>> 2016-03-23T21:55:11Z DEBUG Contents of pkispawn configuration file (/tmp/tmpGQ59ZC): >>> >>> [CA] >>> >>> pki_security_domain_name = IPA >>> >>> pki_enable_proxy = True >>> >>> pki_restart_configured_instance = False >>> >>> pki_backup_keys = True >>> >>> pki_backup_password = XXXXXXXX >>> >>> pki_profiles_in_ldap = True >>> >>> pki_client_database_dir = /tmp/tmp-g0CKZ3 >>> >>> pki_client_database_password = XXXXXXXX >>> >>> pki_client_database_purge = False >>> >>> pki_client_pkcs12_password = XXXXXXXX >>> >>> pki_admin_name = admin >>> >>> pki_admin_uid = admin >>> >>> pki_admin_email = root at 
>>> localhost
>>> pki_admin_password = XXXXXXXX
>>> pki_admin_nickname = ipa-ca-agent
>>> pki_admin_subject_dn = cn=ipa-ca-agent,O=EXAMPLE.COM
>>> pki_client_admin_cert_p12 = /root/ca-agent.p12
>>> pki_ds_ldap_port = 389
>>> pki_ds_password = XXXXXXXX
>>> pki_ds_base_dn = o=ipaca
>>> pki_ds_database = ipaca
>>> pki_subsystem_subject_dn = cn=CA Subsystem,O=EXAMPLE.COM
>>> pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=EXAMPLE.COM
>>> pki_ssl_server_subject_dn = cn=pt-idm-vm01.example.com,O=EXAMPLE.COM
>>> pki_audit_signing_subject_dn = cn=CA Audit,O=EXAMPLE.COM
>>> pki_ca_signing_subject_dn = cn=Certificate Authority,O=EXAMPLE.COM
>>> pki_subsystem_nickname = subsystemCert cert-pki-ca
>>> pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
>>> pki_ssl_server_nickname = Server-Cert cert-pki-ca
>>> pki_audit_signing_nickname = auditSigningCert cert-pki-ca
>>> pki_ca_signing_nickname = caSigningCert cert-pki-ca
>>> pki_ca_signing_key_algorithm = SHA256withRSA
>>> pki_security_domain_hostname = ptipa1.example.com
>>> pki_security_domain_https_port = 443
>>> pki_security_domain_user = admin
>>> pki_security_domain_password = XXXXXXXX
>>> pki_clone = True
>>> pki_clone_pkcs12_path = /tmp/ca.p12
>>> pki_clone_pkcs12_password = XXXXXXXX
>>> pki_clone_replication_security = TLS
>>> pki_clone_replication_master_port = 7389
>>> pki_clone_replication_clone_port = 389
>>> pki_clone_replicate_schema = False
>>> pki_clone_uri = [URL rewritten by the sender's mail gateway; original value not preserved in the archive]
>>> 2016-03-23T21:55:11Z DEBUG Starting external process
>>> 2016-03-23T21:55:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC'
>>> 2016-03-23T21:56:51Z DEBUG Process finished, return code=1
>>> 2016-03-23T21:56:51Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160323175511.log
>>> Loading deployment configuration from /tmp/tmpGQ59ZC.
>>> Installing CA into /var/lib/pki/pki-tomcat.
>>> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>>> Installation failed.
>>> 2016-03-23T21:56:51Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: [URL rewritten by the sender's mail gateway; original value not preserved in the archive]
>>> InsecureRequestWarning)
>>> pkispawn : WARNING ....... unable to validate security domain user/password through REST interface. Interface not available
>>> pkispawn : ERROR ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
>>> pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0:
>>> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.
>>> PKIException","Code":500,"Message":"Error while updating security domain: java.io.IOException: 2"}
>>> 2016-03-23T21:56:51Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC'' returned non-zero exit status 1
>>> 2016-03-23T21:56:51Z CRITICAL See the installation logs and the following files/directories for more information:
>>> 2016-03-23T21:56:51Z CRITICAL /var/log/pki-ca-install.log
>>> 2016-03-23T21:56:51Z CRITICAL /var/log/pki/pki-tomcat
>>> 2016-03-23T21:56:51Z DEBUG Traceback (most recent call last):
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
>>>     run_step(full_msg, method)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
>>>     method()
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance
>>>     DogtagInstance.spawn_instance(self, cfg_file)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
>>>     self.handle_setup_error(e)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
>>>     raise RuntimeError("%s configuration failed." % self.subsystem)
>>> RuntimeError: CA configuration failed.
>>> 2016-03-23T21:56:51Z DEBUG [error] RuntimeError: CA configuration failed.
>>> 2016-03-23T21:56:51Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>>     return_value = self.run()
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, in run
>>>     cfgr.run()
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 281, in run
>>>     self.execute()
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 303, in execute
>>>     for nothing in self._executor():
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
>>>     self._handle_exception(exc_info)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
>>>     util.raise_exc_info(exc_info)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
>>>     step()
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
>>>     raise_exc_info(exc_info)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
>>>     value = gen.send(prev_value)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 524, in _configure
>>>     executor.next()
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
>>>     self._handle_exception(exc_info)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in _handle_exception
>>>     self.__parent._handle_exception(exc_info)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
>>>     util.raise_exc_info(exc_info)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in _handle_exception
>>>     super(ComponentBase, self)._handle_exception(exc_info)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
>>>     util.raise_exc_info(exc_info)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
>>>     step()
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
>>>     raise_exc_info(exc_info)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
>>>     value = gen.send(prev_value)
>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
>>>     for nothing in self._installer(self.parent):
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 879, in main
>>>     install(self)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 295, in decorated
>>>     func(installer)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 584, in install
>>>     ca.install(False, config, options)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 106, in install
>>>     install_step_0(standalone, replica_config, options)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 130, in install_step_0
>>>     ra_p12=getattr(options, 'ra_p12', None))
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1543, in install_replica_ca
>>>     subject_base=config.subject_base)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 486, in configure_instance
>>>     self.start_creation(runtime=210)
>>>   File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
>>>     run_step(full_msg, method)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
>>>     method()
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance
>>>     DogtagInstance.spawn_instance(self, cfg_file)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
>>>     self.handle_setup_error(e)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
>>>     raise RuntimeError("%s configuration failed." % self.subsystem)
>>> 2016-03-23T21:56:51Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: CA configuration failed.
>>> 2016-03-23T21:56:51Z ERROR CA configuration failed.
>>>
>>> /var/log/pki/pki-ca-spawn..log
>>>
>>> 2016-03-23 17:55:12 pkispawn : INFO ....... rm -f /etc/pki/pki-tomcat/ca/noise
>>> 2016-03-23 17:55:12 pkispawn : INFO ....... rm -f /etc/pki/pki-tomcat/pfile
>>> 2016-03-23 17:55:12 pkispawn : INFO ....... ln -s /lib/systemd/system/pki-tomcatd@.service /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service
>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown -h 17:17 /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service
>>> 2016-03-23 17:55:12 pkispawn : INFO ... configuring 'pki.server.deployment.scriptlets.configuration'
>>> 2016-03-23 17:55:12 pkispawn : INFO ....... mkdir -p /root/.dogtag/pki-tomcat/ca
>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 755 /root/.dogtag/pki-tomcat/ca
>>> 2016-03-23 17:55:12 pkispawn : DEBUG ...........
>>> chown 0:0 /root/.dogtag/pki-tomcat/ca
>>> 2016-03-23 17:55:12 pkispawn : INFO ....... generating '/root/.dogtag/pki-tomcat/ca/password.conf'
>>> 2016-03-23 17:55:12 pkispawn : INFO ....... modifying '/root/.dogtag/pki-tomcat/ca/password.conf'
>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 660 /root/.dogtag/pki-tomcat/ca/password.conf
>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 0:0 /root/.dogtag/pki-tomcat/ca/password.conf
>>> 2016-03-23 17:55:12 pkispawn : INFO ....... generating '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
>>> 2016-03-23 17:55:12 pkispawn : INFO ....... modifying '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 660 /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 17:17 /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
>>> 2016-03-23 17:55:12 pkispawn : INFO ....... executing 'certutil -N -d /tmp/tmp-g0CKZ3 -f /root/.dogtag/pki-tomcat/ca/password.conf'
>>> 2016-03-23 17:55:12 pkispawn : INFO ....... executing 'systemctl daemon-reload'
>>> 2016-03-23 17:55:12 pkispawn : INFO ....... executing 'systemctl start pki-tomcatd@pki-tomcat.service'
>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... No connection - server may still be down
>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
>>> 2016-03-23 17:55:13 pkispawn : DEBUG ........... No connection - server may still be down
>>> 2016-03-23 17:55:13 pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
>>> 2016-03-23 17:55:24 pkispawn : DEBUG ...........
>>> [status response from the new CA instance; the XML tags were stripped by the archive. Recoverable values: State 0, Type CA, Status running, Version 10.2.5-6.el7]
>>> 2016-03-23 17:55:25 pkispawn : INFO ....... constructing PKI configuration data.
>>> 2016-03-23 17:55:25 pkispawn : INFO ....... configuring PKI configuration data.
>>> 2016-03-23 17:56:51 pkispawn : ERROR ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
>>> 2016-03-23 17:56:51 pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error while updating security domain: java.io.IOException: 2"}
>>> 2016-03-23 17:56:51 pkispawn : DEBUG ....... Error Type: ParseError
>>> 2016-03-23 17:56:51 pkispawn : DEBUG ....... Error Message: not well-formed (invalid token): line 1, column 0
>>> 2016-03-23 17:56:51 pkispawn : DEBUG .......   File "/usr/sbin/pkispawn", line 597, in main
>>>     rv = instance.spawn(deployer)
>>>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 116, in spawn
>>>     json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
>>>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3906, in configure_pki_data
>>>     root = ET.fromstring(e.response.text)
>>>   File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
>>>     parser.feed(text)
>>>   File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
>>>     self._raiseerror(v)
>>>   File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror
>>>     raise err
>>>
>>> /var/log/pki/pki-tomcat/ca/debug
>>>
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password ok: store in memory cache
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: errorIfDown false
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP connection using basic authentication to host pt-idm-vm01.example.com port 389 as cn=Directory Manager
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with mininum 3 and maximum 15 connections to host pt-idm-vm01.example.com port 389, secure connection, false, authentication type 1
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum connections by 3
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available connections 3
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of connections 3
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In LdapBoundConnFactory::getConn()
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: true
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is connected true
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now 2
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS: param=preop.internaldb.manager_ldif
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file = /usr/share/pki/server/conf/manager.ldif
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to /var/lib/pki/pki-tomcat/ca/conf/manager.ldif
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): LDAP Errors in importing /var/lib/pki/pki-tomcat/ca/conf/manager.ldif
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in adding entry ou=csusers,cn=config:netscape.ldap.LDAPException: error result (68)
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in modifying
>>> entry o=ipaca:netscape.ldap.LDAPException: error result (20)
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: populateVLVIndexes(): start
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Creating LdapBoundConnFactor(ConfigurationUtils)
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapBoundConnFactory: init
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapBoundConnFactory:doCloning true
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init()
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init begins
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: prompt is internaldb
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: try getting from memory cache
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: got password from memory
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: password found for prompt.
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password ok: store in memory cache
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: errorIfDown false
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP connection using basic authentication to host pt-idm-vm01.example.com port 389 as cn=Directory Manager
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with mininum 3 and maximum 15 connections to host pt-idm-vm01.example.com port 389, secure connection, false, authentication type 1
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum connections by 3
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available connections 3
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of connections 3
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In LdapBoundConnFactory::getConn()
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: true
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is connected true
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now 2
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS: param=preop.internaldb.post_ldif
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file = /usr/share/pki/ca/conf/vlv.ldif
>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to /var/lib/pki/pki-tomcat/ca/conf/vlv.ldif
>>> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif file = /usr/share/pki/ca/conf/vlvtasks.ldif
>>> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to
>>> /var/lib/pki/pki-tomcat/ca/conf/vlvtasks.ldif
>>> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: Checking wait_dn cn=index1160589769, cn=index, cn=tasks, cn=config
>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: Found data for 'sslserver'
>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: SystemConfigService:processCerts(): san_server_cert not found for tag sslserver
>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is local
>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is remote (revised)
>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: updateConfig() for certTag sslserver
>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: updateConfig() done
>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: remote CA
>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got public key
>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got private key
>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: For this Cloned CA, always use its Master CA to generate the 'sslserver' certificate to avoid any changes which may have been made to the X500Name directory string encoding order.
>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: ConfigurationUtils: injectSAN=false
>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertUtil createRemoteCert: content requestor_name=CA-pt-idm-vm01.example.com-8443&profileId=caInternalAuthServerCert&cert_request_type=pkcs10&cert_request=MIICmzCCAY[xxx... PKCS#10 request body redacted by the poster ...]rD6JPIBR7AA%3D&xmlOutput=true&sessionID=-4495713718673639316
>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil createRemoteCert: status=0
>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil createRemoteCert: MIIDxTCCAq2g[xxx... issued certificate body redacted by the poster ...]TDuSAWm2v7
>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: ConfigurationUtils: handleCertRequest() begins
>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: tag=sslserver
>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: privKeyID=29c021f3ccfafb1049bd33ce00e9b4ba35f2c1e7
>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: created cert request
>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processing 'sslserver' certificate:
>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): for cert tag 'sslserver' using cert type 'remote'
>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): process remote...import cert
>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: nickname=Server-Cert cert-pki-ca
>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: cert deleted successfully
>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): certchains length=2
>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): import certificate successfully, certTag=sslserver
>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processed 'sslserver' certificate.
>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === BackupKeyCert Panel/SavePKCS12 Panel ===
>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: backupKeys(): start
>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Admin Panel ===
>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Done Panel ===
>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Updating existing security domain
>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: isSDHostDomainMaster(): Getting domain.xml from CA...
>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: getDomainXML start
>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: status=0
>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: domainInfo=[domain.xml response; the XML tags were stripped by the archive. Recoverable values: security domain name IPA, CA host ptipa1.
>>> example.com, secure/agent/admin/EE client-auth ports 443, unsecure port 80, Clone FALSE, subsystem name pki-cad, DomainManager TRUE, CA count 1, the other subsystem lists empty with count 0]
>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Cloning a domain master
>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ptipa1.example.com port=443
>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: failed to update security domain using admin port 443: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: now trying agent port with client auth
>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ptipa1.example.com port=443
>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateDomainXML() nickname=subsystemCert cert-pki-ca
>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML: status=1
>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Error while updating security domain: java.io.IOException: 2
>>> [23/Mar/2016:23:44:52][http-bio-8080-exec-1]: according to ccMode, authorization for servlet: caProfileList is LDAP based, not XML {1}, use default authz mgr: {2}.
>>>
>>> /var/log/pki/pki-tomcat/ca/system
>>>
>>> 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [3] [3] Cannot build CA chain.
>>> Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
>>> 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
>>>
>>> *Dennis M Ott*
>>> Infrastructure Administrator
>>> Infrastructure and Security Operations
>>>
>>> *McKesson Corporation
>>> McKesson Pharmacy Systems and Automation* www.mckesson.com
>>>
>> --
>> Petr Vobornik
>>
> --
> Petr Vobornik
>
-- 
Petr Vobornik

From mail at kilian-ries.de Fri Apr 15 15:37:49 2016
From: mail at kilian-ries.de (Kilian Ries)
Date: Fri, 15 Apr 2016 15:37:49 +0000
Subject: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted
In-Reply-To: <5710FFD1.3000604@redhat.com>
References: <570E554F.7050109@redhat.com> <570FAD56.5000604@redhat.com> <5710C2E4.5050507@redhat.com> <5944cfadc22244a3b31b545840a9f4d3@kilian-ries.de>, <5710FFD1.3000604@redhat.com>
Message-ID: <0d978af203f7411cad40d1c49e6589f1@kilian-ries.de>

That did the trick! Running db2index.pl -D cn='Directory Manager' -v -w - -t entryrdn fixed the database.
After that I was able to set up my replication again.

Thanks for your help!

________________________________________
From: Rob Crittenden
Sent: Friday, 15 April 2016 16:50
To: Kilian Ries; Ludwig Krispenz
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted

Kilian Ries wrote:
> I'm not quite familiar with the db2index.pl script ... what am I doing wrong?
>
> db2index.pl -n userRoot -D cn=admin -w
> ldap_bind: No such object (32)
> Failed to search the server for indexes, error (32)
>
>
> db2index.pl -n userRoot -D cn=admin -w -v -t entryrdn
> ldap_bind: No such object (32)
> Failed to add task entry "cn=db2index_2016_4_15_16_44_19, cn=index, cn=tasks, cn=config" error (32)

Use 'cn=Directory Manager' instead of cn=admin

rob

>
> ________________________________________
> From: Ludwig Krispenz
> Sent: Friday, 15 April 2016 12:31
> To: Kilian Ries
> Cc: freeipa-users at redhat.com
> Subject: Re: AW: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted
>
> On 04/15/2016 10:14 AM, Kilian Ries wrote:
>> Hi,
>>
>> on auth01 I see the following error just before installation fails:
>>
>> [14/Apr/2016:15:57:09 +0200] - database index operation failed BAD 1031, err=9999 Unknown error 9999
>> [14/Apr/2016:15:57:09 +0200] - add: attempt to index 625 failed; rc=9999
>> [14/Apr/2016:15:57:09 +0200] - str2entry_fast: entry has no dn
>> [14/Apr/2016:15:57:09 +0200] id2entry - str2entry returned NULL for id 252, string=""
>> [14/Apr/2016:15:57:09 +0200] - dn2entry_ext: the dn "krbprincipalname=ldap/auth02.intern.eu@INTERN.EU,cn=services,cn=accounts,dc=intern,dc=eu" was in the entryrdn index, but it did not exist in id2entry of instance userRoot.
>> [14/Apr/2016:15:57:09 +0200] entryrdn-index - _entryrdn_insert_key: Same DN (dn: krbprincipalname=ldap/auth02.intern.eu@INTERN.EU,cn=services,cn=accounts,dc=intern,dc=eu) is already in the entryrdn file with different ID 252. Expected ID is 625.
>> [14/Apr/2016:15:57:09 +0200] - database index operation failed BAD 1031, err=9999 Unknown error 9999
>> [14/Apr/2016:15:57:09 +0200] - add: attempt to index 625 failed; rc=9999
>> [14/Apr/2016:15:57:19 +0200] - str2entry_fast: entry has no dn
>> [14/Apr/2016:15:57:19 +0200] id2entry - str2entry returned NULL for id 252, string=""
>> [14/Apr/2016:15:57:21 +0200] - str2entry_fast: entry has no dn
> this looks like a database/index corruption. There are traces for the
> ldap principal for auth02 in the database, but the index and the database
> are inconsistent. You can try to reindex the database and see if this helps:
> db2index.pl -D ... -w .. -Z -t entryrdn   # only this index
> or
> db2index.pl -D ... -w .. -Z   # full reindex
>>
>>
>> [14/Apr/2016:16:02:01 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://auth02.intern.eu:389/o%3Dipaca) failed.
>>
>>
>> Greets
>> Kilian
>>
>>
>> ________________________________________
>> From: freeipa-users-bounces at redhat.com on behalf of Ludwig Krispenz
>> Sent: Thursday, 14 April 2016 16:46
>> To: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted
>>
>> On 04/14/2016 04:19 PM, Kilian Ries wrote:
>>> Hello Rob,
>>>
>>> thanks for your explanations. I followed your hints and did a complete uninstall and started over with a fresh installation. I ended up with exactly the same error as the first time...
>>>
>>> I did the following steps:
>>>
>>> auth01$ ipa-replica-manage del auth02
>>> auth02$ ipa-server-install --uninstall
>>> auth01$ ipa-replica-prepare --ip-address 192.168.210.181 auth02.intern.eu
>>> auth02$ ipa-replica-install --setup-dns --setup-ca --forwarder 192.168.210.40 /root/replica-info-auth02.intern.eu.gpg
>>>
>>> Are there other logfiles I can check for more specific errors?
>> you should have a look at the DS error logs in /var/log/dirsrv on both
>> instances
>>> Greets
>>> Kilian
>>>
>>> ________________________________________
>>> From: Rob Crittenden
>>> Sent: Wednesday, 13 April 2016 16:18
>>> To: Kilian Ries; freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted
>>>
>>> Kilian Ries wrote:
>>>> Does nobody have an idea what's the problem here?
>>> TL;DR you are best off deleting this failed replica install and trying
>>> again.
>>>
>>> Initial replication is done over TLS. When replication is completed both
>>> sides of the agreement are converted to using GSSAPI and both ldap
>>> principals are needed to do this. Given that replication just completed
>>> both principals should be available but rarely one is not (hence the
>>> vague-ish error message).
>>>
>>> In this case the new ldap principal for the new replica wasn't found on
>>> the remote master so things blew up.
>>>
>>> There is no continuing the installation after this type of failure so
>>> you'll need to remove the failed install as a master on auth01
>>> (ipa-replica-manage del auth02...) and then run ipa-server-install
>>> --uninstall on auth02 and try again.
>>>
>>> rob
>>>
>>>> Thanks
>>>>
>>>> Kilian
>>>>
>>>> ------------------------------------------------------------------------
>>>> *From:* freeipa-users-bounces at redhat.com
>>>> on behalf of Kilian Ries
>>>>
>>>> *Sent:* Wednesday, 6
April 2016 10:41 >>>> *An:* freeipa-users at redhat.com >>>> *Betreff:* [Freeipa-users] Error setting up Replication: ldap service >>>> principals is missing. Replication agreement cannot be converted >>>> >>>> Hello, >>>> >>>> >>>> i have an existing FreeIPA installation (4.2.0) on CentOS 7.2 and i'm >>>> trying to add an replication partner. >>>> >>>> >>>> During the installation i got the following error: >>>> >>>> >>>> ### >>>> >>>> Restarting the directory and certificate servers >>>> >>>> Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds >>>> >>>> [1/8]: adding sasl mappings to the directory >>>> >>>> [2/8]: configuring KDC >>>> >>>> [3/8]: creating a keytab for the directory >>>> >>>> [4/8]: creating a keytab for the machine >>>> >>>> [5/8]: adding the password extension to the directory >>>> >>>> [6/8]: enable GSSAPI for replication >>>> >>>> [error] RuntimeError: One of the ldap service principals is missing. >>>> Replication agreement cannot be converted. >>>> >>>> Your system may be partly configured. >>>> >>>> Run /usr/sbin/ipa-server-install --uninstall to clean up. >>>> >>>> >>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR One of the >>>> ldap service principals is missing. Replication agreement cannot be >>>> converted. 
>>>>
>>>> ###
>>>>
>>>> The installation log shows the following:
>>>>
>>>> ###
>>>> 2016-04-06T08:22:34Z INFO Getting ldap service principals for conversion: (krbprincipalname=ldap/auth02.intern.eu at INTERN.EU) and (krbprincipalname=ldap/auth01.intern.eu at INTERN.EU)
>>>> 2016-04-06T08:22:34Z DEBUG Unable to find entry for (krbprincipalname=ldap/auth02.intern.eu at INTERN.EU) on auth01.intern.eu:636
>>>> 2016-04-06T08:22:34Z INFO Setting agreement cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
>>>> 2016-04-06T08:22:35Z INFO Deleting schedule 2358-2359 0 from agreement cn=meToauth01.intern.eu,cn=replica,cn=dc\=intern\,dc\=customer-virt\,dc\=eu,cn=mapping tree,cn=config
>>>> 2016-04-06T08:22:36Z INFO Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 0: end: 0
>>>> 2016-04-06T08:22:36Z DEBUG Traceback (most recent call last):
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
>>>>     run_step(full_msg, method)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
>>>>     method()
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 438, in __convert_to_gssapi_replication
>>>>     r_bindpw=self.dm_password)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1104, in convert_to_gssapi_replication
>>>>     self.gssapi_update_agreements(self.conn, r_conn)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 797, in gssapi_update_agreements
>>>>     self.setup_krb_princs_as_replica_binddns(a, b)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 767, in setup_krb_princs_as_replica_binddns
>>>>     (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 751, in get_replica_principal_dns
>>>>     raise RuntimeError(error)
>>>> RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted.
>>>>
>>>> 2016-04-06T08:22:36Z DEBUG   [error] RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted.
>>>> 2016-04-06T08:22:36Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>>>     return_value = self.run()
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, in run
>>>>     cfgr.run()
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 281, in run
>>>>     self.execute()
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 303, in execute
>>>>     for nothing in self._executor():
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
>>>>     self._handle_exception(exc_info)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
>>>>     util.raise_exc_info(exc_info)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
>>>>     step()
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
>>>>     raise_exc_info(exc_info)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
>>>>     value = gen.send(prev_value)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 524, in _configure
>>>>     executor.next()
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
>>>>     self._handle_exception(exc_info)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in _handle_exception
>>>>     self.__parent._handle_exception(exc_info)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
>>>>     util.raise_exc_info(exc_info)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in _handle_exception
>>>>     super(ComponentBase, self)._handle_exception(exc_info)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
>>>>     util.raise_exc_info(exc_info)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
>>>>     step()
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
>>>>     raise_exc_info(exc_info)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
>>>>     value = gen.send(prev_value)
>>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
>>>>     for nothing in self._installer(self.parent):
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 879, in main
>>>>     install(self)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 295, in decorated
>>>>     func(installer)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 586, in install
>>>>     krb = install_krb(config, setup_pkinit=not options.no_pkinit)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 93, in install_krb
>>>>     setup_pkinit, pkcs12_info)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 214, in create_replica
>>>>     self.start_creation(runtime=30)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
>>>>     run_step(full_msg, method)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
>>>>     method()
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 438, in __convert_to_gssapi_replication
>>>>     r_bindpw=self.dm_password)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1104, in convert_to_gssapi_replication
>>>>     self.gssapi_update_agreements(self.conn, r_conn)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 797, in gssapi_update_agreements
>>>>     self.setup_krb_princs_as_replica_binddns(a, b)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 767, in setup_krb_princs_as_replica_binddns
>>>>     (a_dn, b_dn) = self.get_replica_principal_dns(a, b, retries=100)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 751, in get_replica_principal_dns
>>>>     raise RuntimeError(error)
>>>>
>>>> 2016-04-06T08:22:36Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: One of the ldap service principals is missing. Replication agreement cannot be converted.
>>>> 2016-04-06T08:22:36Z ERROR One of the ldap service principals is missing. Replication agreement cannot be converted.
>>>> ###
>>>>
>>>> Can anybody help me?
>>>>
>>>> Thanks
>>>>
>>>> Greets
>>>>
>>>> Kilian
>>>>
>> --
>> Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
>> Commercial register: Amtsgericht Muenchen, HRB 153243,
>> Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>

From pvoborni at redhat.com Fri Apr 15 15:53:59 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 15 Apr 2016 17:53:59 +0200
Subject: [Freeipa-users] 7.x replica install from 6.x master fails
In-Reply-To:
References: <56FA5C2F.3070200@redhat.com> <570674EC.1060204@redhat.com> <5710F563.1050507@redhat.com>
Message-ID: <57110E97.7060802@redhat.com>

On 04/15/2016 05:13 PM, Ott, Dennis wrote:
> My master began life as OS 6.2 / IPA 2.1.3 / pki-9.0.3 and does not have a cert database at:
>
> /etc/pki/pki-tomcat/alias
>
> At:
>
> /var/lib/pki-ca/alias

right

> subsystemCert cert-pki-ca has a serial number of 18 (0x12)
>
> At:
>
> uid=CA-$HOST-8443,ou=people,o=ipaca
>
> the certificate has a serial number of 4.
>
> What is the best way to fix this?
>
> If it matters, the master installation is old enough to have had its certs auto-renewed.

Yes, certs were renewed but the PKI user entry was not, which causes the issue. This has been seen on very old IPA installations.

1) Log in to the IPA master (RHEL 6) as root.

2) Redirect "subsystemCert cert-pki-ca" to a file.

# certutil -L -d /var/lib/pki-ca/alias/ -n "subsystemCert cert-pki-ca" -a > /tmp/subsystemcert.pem

3) Drop the header/footer and combine this into a single line.
# echo && cat /tmp/subsystemcert.pem | sed -rn '/^-----BEGIN CERTIFICATE-----$/{:1;n;/^-----END CERTIFICATE-----$/b2;H;b1};:2;${x;s/\s//g;p}'

4) The string generated in step 3 needs to be added under the attribute "usercertificate;binary:" below.

===================================================================================
# ldapmodify -x -h 127.0.0.1 -p 7389 -D 'cn=Directory Manager' -W << EOF
dn: uid=CA-ptipa1.example.com-9443,ou=people,o=ipaca
changetype: modify
add: usercertificate;binary
usercertificate;binary: MIIDyTCCAr..Y4EKCneFA==    <-- ADD the full string from step 3.
-
replace: description
description: 2;18;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM
EOF
===================================================================================

Note: the description field attribute has format: :::

5) Once the above command is successful, restart the IPA service.

# service ipa restart

6) Check if the mapping is now correct.

# pki-server ca-user-show CA-ptipa1.example.com-9443 | egrep "User ID|Description"

>
> Dennis
>
>
> -----Original Message-----
> From: Petr Vobornik [mailto:pvoborni at redhat.com]
> Sent: Friday, April 15, 2016 10:06 AM
> To: Ott, Dennis; Freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
>
> On 04/15/2016 03:51 PM, Ott, Dennis wrote:
>> Looks like we're out of ideas.
>>
>> I'll proceed with Plan B.
>>
>
> A possibility is also to check if
>
> Serial number of
>
> certutil -d /etc/pki/pki-tomcat/alias -L -n 'subsystemCert cert-pki-ca'
>
> matches serial number of the cert below (4) and if
>
> uid=CA-$HOST-8443,ou=people,o=ipaca
>
> actually has the same cert in the userCertificate attribute
>
> Or maybe to do the same with other PKI users in ou=people,o=ipaca
>
>> -----Original Message-----
>> From: Ott, Dennis
>> Sent: Monday, April 11, 2016 12:27 PM
>> To: Ott, Dennis; Petr Vobornik; Freeipa-users at redhat.com
>> Subject: RE: [Freeipa-users] 7.x replica install from 6.x master fails
>>
>> As a test, I attempted to do a replica install on a Fedora 23 machine. It fails with the same error.
>>
>> Dennis
>>
>> -----Original Message-----
>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ott, Dennis
>> Sent: Thursday, April 07, 2016 5:39 PM
>> To: Petr Vobornik; Freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
>>
>> It doesn't look like that is my problem. The output of pki-server ca-group-member-find "Subsystem Group" gives:
>>
>>   User ID: CA-ptipa1.example.com-9443
>>   Common Name: CA-ptipa1.example.com-9443
>>   Surname: CA-ptipa1.example.com-9443
>>   Type: agentType
>>   Description: 2;4;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM
>>   E-mail:
>>
>> All the certs seem valid:
>>
>> # getcert list | grep expires
>>         expires: 2017-07-18 00:55:14 UTC
>>         expires: 2017-07-18 00:54:14 UTC
>>         expires: 2017-07-18 00:54:14 UTC
>>         expires: 2017-07-18 00:54:14 UTC
>>         expires: 2017-07-18 00:54:14 UTC
>>         expires: 2017-08-09 00:54:19 UTC
>>         expires: 2017-08-09 00:54:19 UTC
>>         expires: 2017-08-09 00:54:21 UTC
>> #
>>
>> I was wondering if I might be hitting this:
>>
>> [two bug-tracker links, rewritten by a mail URL filter and not recoverable from the archive]
>>
>> It says it is fixed in pki 10.2.6. 10.2.6 has been released for Fedora (many months ago), but is not yet available for enterprise.
>>
>> Dennis
>>
>> -----Original Message-----
>> From: Petr Vobornik [mailto:pvoborni at redhat.com]
>> Sent: Thursday, April 07, 2016 10:56 AM
>> To: Ott, Dennis; Freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
>>
>> Sorry for the late response.
>>
>> It looks like a bug [link rewritten by a mail URL filter and not recoverable from the archive]
>> But it should be fixed in pki-core-9.0.3-45.el6_7 so I'm not sure.
>>
>> Anyway,
>> java.io.IOException: 2 actually means authentication failure.
>>
>> The authentication problem might be caused by a missing subsystem user (bug #1225589) and there's already a tool to restore it. However, before running the script, please run this command on the master to verify the problem:
>>
>> $ pki-server ca-group-member-find "Subsystem Group"
>>
>> Ideally it should return a user ID "CA--9443" and the description attribute should contain the subsystem certificate in this format ";;;".
>>
>> If that's not the case, please run this tool to restore the subsystem user:
>>
>> $ python /usr/share/pki/scripts/restore-subsystem-user.py
>>
>> Then run this command again to verify the fix:
>>
>> $ pki-server ca-group-member-find "Subsystem Group"
>>
>> If everything works well, please try installing the replica again.
>>
>> Also verify that all certificates in `getcert list` output are not expired.
>>
>>
>> On 03/31/2016 09:07 PM, Ott, Dennis wrote:
>>> Petr,
>>>
>>> Original 6.x master installed at:
>>>
>>> ipa-server-2.1.3-9
>>> pki-ca-9.0.3-20
>>>
>>> At the time the migration was attempted, the 6.x master had been updated to:
>>>
>>> ipa-server-3.0.0-47
>>> pki-ca-9.0.3-45
>>>
>>> The 7.x replica install has been attempted using a variety of versions. The log excerpts at the beginning of this email were from an installation attempt using:
>>>
>>> ipa-server-4.2.0-15.0.1
>>> pki-ca-10.2.5-6
>>>
>>> It's a standard CA installation.
>>> This line is from /var/log/ipaserverinstall.log showing selfsign as False:
>>>
>>> 2013-09-04T18:41:20Z DEBUG /usr/sbin/ipa-server-install was invoked with options: {'zone_refresh': 0, 'reverse_zone': None, 'realm_name': None, 'create_sshfp': True, 'conf_sshd': False, 'conf_ntp': False, 'subject': None, 'no_forwarders': False, 'persistent_search': True, 'ui_redirect': True, 'domain_name': None, 'idmax': 0, 'hbac_allow': True, 'no_reverse': False, 'dirsrv_pkcs12': None, 'unattended': False, 'selfsign': False, 'trust_sshfp': False, 'external_ca_file': None, 'no_host_dns': False, 'http_pkcs12': None, 'zone_notif': False, 'forwarders': None, 'idstart': 900000000, 'external_ca': False, 'ip_address': None, 'conf_ssh': False, 'serial_autoincrement': True, 'zonemgr': None, 'setup_dns': False, 'host_name': None, 'debug': False, 'external_cert_file': None, 'uninstall': False}
>>> 2013-09-04T18:41:20Z DEBUG missing options might be asked for interactively later
>>>
>>>
>>> -----Original Message-----
>>> From: Petr Vobornik [mailto:pvoborni at redhat.com]
>>> Sent: Tuesday, March 29, 2016 6:43 AM
>>> To: Ott, Dennis; Freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
>>>
>>> On 03/24/2016 04:29 PM, Ott, Dennis wrote:
>>>> I am trying to migrate from OS 6.x / IPA 3.0 to OS 7.x / IPA 4.x.
>>>> After working through and solving a few issues, my current efforts
>>>> fail when setting up the replica CA.
>>>>
>>>> If I set up a new, pristine master on OS 6.7, I am able to create an
>>>> OS 7.x replica without any problem. However, if I try to create a
>>>> replica from my two year old test lab instance (production will be
>>>> another matter for the future) it fails. The test lab master was
>>>> created a couple of years ago on OS 6.3 / IPA 2.x and has been
>>>> upgraded to the latest versions in the 6.x chain. It is old enough
>>>> to have had all the certificates renewed, but I believe I have worked
>>>> through all the issues related to that.
>>>>
>>>> Below is what I believe are the useful portions of the pertinent logs.
>>>> I've not been able to find anything online that speaks to the errors
>>>> I am seeing
>>>>
>>>> Thanks for your help.
>>>
>>> Hello Dennis,
>>>
>>> what are the exact versions of pki-ca and ipa-server on the 6.x master and 7.x replica?
>>>
>>> What kind of CA installation does the old 6.x master install have? Is it a standard installation with CA or does it also use an external CA?
>>>
>>> I assume it is not self-sign (very old unsupported type, which could be converted in 7.x as CA-less).
>>>
>>>>
>>>> /var/log/ipareplica-install.log
>>>>
>>>> 2016-03-23T21:55:11Z DEBUG Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
>>>> 2016-03-23T21:55:11Z DEBUG   [1/23]: creating certificate server user
>>>> 2016-03-23T21:55:11Z DEBUG group pkiuser exists
>>>> 2016-03-23T21:55:11Z DEBUG user pkiuser exists
>>>> 2016-03-23T21:55:11Z DEBUG   duration: 0 seconds
>>>> 2016-03-23T21:55:11Z DEBUG   [2/23]: configuring certificate server instance
>>>> 2016-03-23T21:55:11Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
>>>> 2016-03-23T21:55:11Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
>>>> 2016-03-23T21:55:11Z DEBUG Contents of pkispawn configuration file (/tmp/tmpGQ59ZC):
>>>> [CA]
>>>> pki_security_domain_name = IPA
>>>> pki_enable_proxy = True
>>>> pki_restart_configured_instance = False
>>>> pki_backup_keys = True
>>>> pki_backup_password = XXXXXXXX
>>>> pki_profiles_in_ldap = True
>>>> pki_client_database_dir = /tmp/tmp-g0CKZ3
>>>> pki_client_database_password = XXXXXXXX
>>>> pki_client_database_purge = False
>>>> pki_client_pkcs12_password = XXXXXXXX
>>>> pki_admin_name = admin
>>>> pki_admin_uid = admin
>>>> pki_admin_email = root at localhost
>>>> pki_admin_password = XXXXXXXX
>>>> pki_admin_nickname = ipa-ca-agent
>>>> pki_admin_subject_dn = cn=ipa-ca-agent,O=EXAMPLE.COM
>>>> pki_client_admin_cert_p12 = /root/ca-agent.p12
>>>> pki_ds_ldap_port = 389
>>>> pki_ds_password = XXXXXXXX
>>>> pki_ds_base_dn = o=ipaca
>>>> pki_ds_database = ipaca
>>>> pki_subsystem_subject_dn = cn=CA Subsystem,O=EXAMPLE.COM
>>>> pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=EXAMPLE.COM
>>>> pki_ssl_server_subject_dn = cn=pt-idm-vm01.example.com,O=EXAMPLE.COM
>>>> pki_audit_signing_subject_dn = cn=CA Audit,O=EXAMPLE.COM
>>>> pki_ca_signing_subject_dn = cn=Certificate Authority,O=EXAMPLE.COM
>>>> pki_subsystem_nickname = subsystemCert cert-pki-ca
>>>> pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
>>>> pki_ssl_server_nickname = Server-Cert cert-pki-ca
>>>> pki_audit_signing_nickname = auditSigningCert cert-pki-ca
>>>> pki_ca_signing_nickname = caSigningCert cert-pki-ca
>>>> pki_ca_signing_key_algorithm = SHA256withRSA
>>>> pki_security_domain_hostname = ptipa1.example.com
>>>> pki_security_domain_https_port = 443
>>>> pki_security_domain_user = admin
>>>> pki_security_domain_password = XXXXXXXX
>>>> pki_clone = True
>>>> pki_clone_pkcs12_path = /tmp/ca.p12
>>>> pki_clone_pkcs12_password = XXXXXXXX
>>>> pki_clone_replication_security = TLS
>>>> pki_clone_replication_master_port = 7389
>>>> pki_clone_replication_clone_port = 389
>>>> pki_clone_replicate_schema = False
>>>> pki_clone_uri = [URL rewritten by a mail URL filter and not recoverable from the archive]
>>>>
>>>> 2016-03-23T21:55:11Z DEBUG Starting external process
>>>> 2016-03-23T21:55:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC'
>>>> 2016-03-23T21:56:51Z DEBUG Process finished, return code=1
>>>> 2016-03-23T21:56:51Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160323175511.log
>>>> Loading deployment configuration from /tmp/tmpGQ59ZC.
>>>> Installing CA into /var/lib/pki/pki-tomcat.
>>>> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>>>> Installation failed.
>>>>
>>>> 2016-03-23T21:56:51Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: [URL rewritten by a mail URL filter and not recoverable from the archive]
>>>>   InsecureRequestWarning)
>>>> pkispawn : WARNING ....... unable to validate security domain user/password through REST interface. Interface not available
>>>> pkispawn : ERROR ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
>>>> pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error while updating security domain: java.io.IOException: 2"}
>>>>
>>>> 2016-03-23T21:56:51Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC'' returned non-zero exit status 1
>>>> 2016-03-23T21:56:51Z CRITICAL See the installation logs and the following files/directories for more information:
>>>> 2016-03-23T21:56:51Z CRITICAL   /var/log/pki-ca-install.log
>>>> 2016-03-23T21:56:51Z CRITICAL   /var/log/pki/pki-tomcat
>>>> 2016-03-23T21:56:51Z DEBUG Traceback (most recent call last):
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
>>>>     run_step(full_msg, method)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
>>>>     method()
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance
>>>>     DogtagInstance.spawn_instance(self, cfg_file)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
>>>>     self.handle_setup_error(e)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
>>>>     raise RuntimeError("%s configuration failed." % self.subsystem)
>>>> RuntimeError: CA configuration failed.
>>>>
>>>> 2016-03-23T21:56:51Z DEBUG   [error] RuntimeError: CA configuration failed.
>>>> >>>> 2016-03-23T21:56:51Z DEBUG File >>>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, >>>> in execute >>>> >>>> return_value = self.run() >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", >>>> line 311, in run >>>> >>>> cfgr.run() >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 281, in run >>>> >>>> self.execute() >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 303, in execute >>>> >>>> for nothing in self._executor(): >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 343, in __runner >>>> >>>> self._handle_exception(exc_info) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 365, in _handle_exception >>>> >>>> util.raise_exc_info(exc_info) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 333, in __runner >>>> >>>> step() >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >>>> line 87, in run_generator_with_yield_from >>>> >>>> raise_exc_info(exc_info) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >>>> line 65, in run_generator_with_yield_from >>>> >>>> value = gen.send(prev_value) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 524, in _configure >>>> >>>> executor.next() >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 343, in __runner >>>> >>>> self._handle_exception(exc_info) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 421, in _handle_exception >>>> >>>> self.__parent._handle_exception(exc_info) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 365, in _handle_exception >>>> >>>> util.raise_exc_info(exc_info) >>>> >>>> File >>>> 
"/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 418, in _handle_exception >>>> >>>> super(ComponentBase, self)._handle_exception(exc_info) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 365, in _handle_exception >>>> >>>> util.raise_exc_info(exc_info) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 333, in __runner >>>> >>>> step() >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >>>> line 87, in run_generator_with_yield_from >>>> >>>> raise_exc_info(exc_info) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >>>> line 65, in run_generator_with_yield_from >>>> >>>> value = gen.send(prev_value) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line >>>> 63, in _install >>>> >>>> for nothing in self._installer(self.parent): >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicain >>>> s >>>> t >>>> all.py", >>>> line 879, in main >>>> >>>> install(self) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicain >>>> s >>>> t >>>> all.py", >>>> line 295, in decorated >>>> >>>> func(installer) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicain >>>> s >>>> t >>>> all.py", >>>> line 584, in install >>>> >>>> ca.install(False, config, options) >>>> >>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", >>>> line 106, in install >>>> >>>> install_step_0(standalone, replica_config, options) >>>> >>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", >>>> line 130, in >>>> install_step_0 >>>> >>>> ra_p12=getattr(options, 'ra_p12', None)) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >>>> line 1543, in install_replica_ca >>>> >>>> subject_base=config.subject_base) >>>> >>>> File >>>> 
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >>>> line 486, in configure_instance >>>> >>>> self.start_creation(runtime=210) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>> line 418, in start_creation >>>> >>>> run_step(full_msg, method) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>> line 408, in run_step >>>> >>>> method() >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >>>> line 620, in __spawn_instance >>>> >>>> DogtagInstance.spawn_instance(self, cfg_file) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py" >>>> , >>>> line 201, in spawn_instance >>>> >>>> self.handle_setup_error(e) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py" >>>> , >>>> line 465, in handle_setup_error >>>> >>>> raise RuntimeError("%s configuration failed." % >>>> self.subsystem) >>>> >>>> 2016-03-23T21:56:51Z DEBUG The ipa-replica-install command failed, exception: >>>> RuntimeError: CA configuration failed. >>>> >>>> 2016-03-23T21:56:51Z ERROR CA configuration failed. >>>> >>>> /var/log/pki/pki-ca-spawn..log >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... rm -f >>>> /etc/pki/pki-tomcat/ca/noise >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... rm -f /etc/pki/pki-tomcat/pfile >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... ln -s >>>> /lib/systemd/system/pki-tomcatd at .service >>>> /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd at pki-tomcat. >>>> s >>>> e >>>> rvice >>>> >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown -h 17:17 >>>> /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd at pki-tomcat. >>>> s >>>> e >>>> rvice >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ... configuring >>>> 'pki.server.deployment.scriptlets.configuration' >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... 
mkdir -p >>>> /root/.dogtag/pki-tomcat/ca >>>> >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 755 >>>> /root/.dogtag/pki-tomcat/ca >>>> >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 0:0 >>>> /root/.dogtag/pki-tomcat/ca >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... generating >>>> '/root/.dogtag/pki-tomcat/ca/password.conf' >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... modifying >>>> '/root/.dogtag/pki-tomcat/ca/password.conf' >>>> >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 660 >>>> /root/.dogtag/pki-tomcat/ca/password.conf >>>> >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 0:0 >>>> /root/.dogtag/pki-tomcat/ca/password.conf >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... generating >>>> '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf' >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... modifying >>>> '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf' >>>> >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 660 >>>> /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf >>>> >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 17:17 >>>> /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... executing 'certutil -N -d >>>> /tmp/tmp-g0CKZ3 -f /root/.dogtag/pki-tomcat/ca/password.conf' >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... executing 'systemctl >>>> daemon-reload' >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... executing 'systemctl start >>>> pki-tomcatd at pki-tomcat.service' >>>> >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... No connection - server >>>> may still be down >>>> >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... No connection - exception >>>> thrown: ('Connection aborted.', error(111, 'Connection refused')) >>>> >>>> 2016-03-23 17:55:13 pkispawn : DEBUG ........... No connection - server >>>> may still be down >>>> >>>> 2016-03-23 17:55:13 pkispawn : DEBUG ........... 
>>>> No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
>>>>
>>>> 2016-03-23 17:55:24 pkispawn : DEBUG ........... [getStatus response; XML tags stripped in the archive. Readable fragments: encoding="UTF-8" standalone="no", 0, CA, running, 10.2.5-6.el7]
>>>>
>>>> 2016-03-23 17:55:25 pkispawn : INFO ....... constructing PKI configuration data.
>>>> 2016-03-23 17:55:25 pkispawn : INFO ....... configuring PKI configuration data.
>>>> 2016-03-23 17:56:51 pkispawn : ERROR ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
>>>> 2016-03-23 17:56:51 pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error while updating security domain: java.io.IOException: 2"}
>>>> 2016-03-23 17:56:51 pkispawn : DEBUG ....... Error Type: ParseError
>>>> 2016-03-23 17:56:51 pkispawn : DEBUG ....... Error Message: not well-formed (invalid token): line 1, column 0
>>>> 2016-03-23 17:56:51 pkispawn : DEBUG .......
>>>> File "/usr/sbin/pkispawn", line 597, in main
>>>> rv = instance.spawn(deployer)
>>>> File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 116, in spawn
>>>> json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
>>>> File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3906, in configure_pki_data
>>>> root = ET.fromstring(e.response.text)
>>>> File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
>>>> parser.feed(text)
>>>> File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
>>>> self._raiseerror(v)
>>>> File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror
>>>> raise err
>>>>
>>>> /var/log/pki/pki-tomcat/ca/debug
>>>>
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password ok: store in memory cache
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: errorIfDown false
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP connection using basic authentication to host pt-idm-vm01.example.com port 389 as cn=Directory Manager
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with mininum 3 and maximum 15 connections to host pt-idm-vm01.example.com port 389, secure connection, false, authentication type 1
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum connections by 3
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available connections 3
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of connections 3
>>>>
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In >>>> LdapBoundConnFactory::getConn() >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: >>>> true >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is >>>> connected true >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now >>>> 2 >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS: >>>> param=preop.internaldb.manager_ldif >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif >>>> file = /usr/share/pki/server/conf/manager.ldif >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif >>>> file copy to /var/lib/pki/pki-tomcat/ca/conf/manager.ldif >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): LDAP >>>> Errors in importing /var/lib/pki/pki-tomcat/ca/conf/manager.ldif >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: >>>> exception in adding entry >>>> ou=csusers,cn=config:netscape.ldap.LDAPException: error result (68) >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: >>>> exception in modifying entry o=ipaca:netscape.ldap.LDAPException: >>>> error result (20) >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: populateVLVIndexes(): >>>> start >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Creating >>>> LdapBoundConnFactor(ConfigurationUtils) >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapBoundConnFactory: >>>> init >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: >>>> LdapBoundConnFactory:doCloning true >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init() >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init >>>> begins >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: >>>> prompt is internaldb >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: >>>> try getting from memory cache >>>> 
>>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: >>>> got password from memory >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: >>>> password found for prompt. >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password >>>> ok: store in memory cache >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init >>>> ends >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before >>>> makeConnection errorIfDown is false >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: >>>> errorIfDown false >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP >>>> connection using basic authentication to host >>>> pt-idm-vm01.example.com port 389 as cn=Directory Manager >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with >>>> mininum 3 and maximum 15 connections to host pt-idm-vm01.example.com >>>> port 389, secure connection, false, authentication type 1 >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum >>>> connections by 3 >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available >>>> connections 3 >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of >>>> connections 3 >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In >>>> LdapBoundConnFactory::getConn() >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: >>>> true >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is >>>> connected true >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now >>>> 2 >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS: >>>> param=preop.internaldb.post_ldif >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif >>>> file = /usr/share/pki/ca/conf/vlv.ldif >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif >>>> file copy to 
/var/lib/pki/pki-tomcat/ca/conf/vlv.ldif >>>> >>>> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif >>>> file = /usr/share/pki/ca/conf/vlvtasks.ldif >>>> >>>> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif >>>> file copy to /var/lib/pki/pki-tomcat/ca/conf/vlvtasks.ldif >>>> >>>> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: Checking wait_dn >>>> cn=index1160589769, cn=index, cn=tasks, cn=config >>>> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: Found data for 'sslserver' >>>> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: >>>> SystemConfigService:processCerts(): san_server_cert not found for >>>> tag sslserver >>>> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is >>>> local >>>> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is >>>> remote (revised) >>>> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: >>>> updateConfig() for certTag sslserver >>>> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: updateConfig() done >>>> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: remote CA >>>> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got >>>> public key >>>> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got >>>> private key >>>> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: For this >>>> Cloned CA, always use its Master CA to generate the 'sslserver' >>>> certificate to avoid any changes which may have been made to the X500Name directory string encoding order. 
>>>> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: ConfigurationUtils: >>>> injectSAN=false >>>> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertUtil >>>> createRemoteCert: content >>>> requestor_name=CA-pt-idm-vm01.example.com-8443&profileId=caInternalA >>>> u >>>> t >>>> hServerCert&cert_request_type=pkcs10&cert_request=MIICmzCCAYxxxxxxxx >>>> x >>>> x >>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >>>> x >>>> x >>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >>>> x >>>> x >>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >>>> x >>>> x >>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >>>> x >>>> x >>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >>>> x >>>> x >>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxrD6JPIBR7AA%3D&xmlOutput=true >>>> & >>>> s >>>> essionID=-4495713718673639316 >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil >>>> createRemoteCert: status=0 >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil createRemoteCert: >>>> MIIDxTCCAq2gxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >>>> x >>>> x >>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >>>> x >>>> x >>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >>>> x >>>> x >>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >>>> x >>>> x >>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >>>> x >>>> x >>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxTDuSAWm2v7 >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: ConfigurationUtils: >>>> handleCertRequest() begins >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: >>>> tag=sslserver >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: >>>> privKeyID=29c021f3ccfafb1049bd33ce00e9b4ba35f2c1e7 >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: 
>>>> created cert request >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processing 'sslserver' certificate: >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): for >>>> cert tag 'sslserver' using cert type 'remote' >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): process >>>> remote...import cert >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: >>>> nickname=Server-Cert cert-pki-ca >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: cert >>>> deleted successfully >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): >>>> certchains length=2 >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): import >>>> certificate successfully, certTag=sslserver >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processed 'sslserver' certificate. >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === BackupKeyCert >>>> Panel/SavePKCS12 Panel === >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: backupKeys(): start >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Admin Panel === >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Done Panel === >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Updating existing >>>> security domain >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: isSDHostDomainMaster(): >>>> Getting domain.xml from CA... >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: getDomainXML start >>>> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: status=0 >>>> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: >>>> domainInfo=>>> standalone="no"?>IPAptipa1. 
>>>> example.com [rest of domain.xml garbled in the archive, tags stripped. Readable fragments: 443, 443, 443, 80, FALSE, pki-cad, TRUE, 1, 0, 0, 0]
>>>>
>>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Cloning a domain master
>>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ptipa1.example.com port=443
>>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: failed to update security domain using admin port 443: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
>>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: now trying agent port with client auth
>>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ptipa1.example.com port=443
>>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateDomainXML() nickname=subsystemCert cert-pki-ca
>>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML: status=1
>>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Error while updating security domain: java.io.IOException: 2
>>>> [23/Mar/2016:23:44:52][http-bio-8080-exec-1]: according to ccMode, authorization for servlet: caProfileList is LDAP based, not XML {1}, use default authz mgr: {2}.
>>>>
>>>> /var/log/pki/pki-tomcat/ca/system
>>>>
>>>> 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [3] [3] Cannot build CA chain.
>>>> Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
>>>>
>>>> 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
>>>>
>>>> *Dennis M Ott*
>>>> Infrastructure Administrator
>>>> Infrastructure and Security Operations
>>>>
>>>> *McKesson Corporation
>>>> McKesson Pharmacy Systems and Automation* www.mckesson.com
>>>>
>>>>>
>>> --
>>> Petr Vobornik
>>>
>> --
>> Petr Vobornik
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> http://cp.mcafee.com/d/5fHCMUe6gUSyMVuXzX0VMSrhhjhupjvvhdEEFELcFKcECPpISHoHZalxOVIsWqehMGDpMQsyGeWOPtfhktZy0GM-xEGYCXslsttJtVNxeSICPpISr9PCJhbcat7Q2uPVv1dnoovaAVgtHzIv-iSBSWv6xIQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoalIl-BaMVsQv6QmhPPzNI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
>> Go to
>> http://cp.mcafee.com/d/FZsSd3gArhosLtNZwsUrdEEFELcFLLECQkkQnCkT6kjpISrlIl-BaMVsSetd78UljIUqehl7tppKDEGe-N0lovgQlujtKaKeKSKYUMDrmjpISrdw0To_YBJU03xIQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoalIl-BaMVsQv6QmhPPzNI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh for more info on the project
>>
>
>
> --
> Petr Vobornik
>
--
Petr Vobornik

From Dennis.Ott at mckesson.com Fri Apr 15 18:55:14 2016
From: Dennis.Ott at mckesson.com (Ott, Dennis)
Date: Fri, 15 Apr 2016 18:55:14 +0000
Subject: [Freeipa-users] 7.x replica install from 6.x master fails
In-Reply-To: <57110E97.7060802@redhat.com>
References: <56FA5C2F.3070200@redhat.com> <570674EC.1060204@redhat.com> <5710F563.1050507@redhat.com> <57110E97.7060802@redhat.com>
Message-ID:

This allowed the replica install to complete. Thank you.
However, when I try to kinit admin on the replica I get:

kinit: Invalid UID in persistent keyring name while getting default ccache

After some research I found that by commenting out this line in /etc/krb5.conf

default_ccache_name = KEYRING:persistent:%{uid}

and restarting IPA, I was able to use kinit.

What is the correct way to fix this, or what are the implications of just leaving it commented out?

Dennis

-----Original Message-----
From: Petr Vobornik [mailto:pvoborni at redhat.com]
Sent: Friday, April 15, 2016 11:54 AM
To: Ott, Dennis; Freeipa-users at redhat.com
Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails

On 04/15/2016 05:13 PM, Ott, Dennis wrote:
> My master began life as OS 6.2 / IPA 2.1.3 / pki-9.0.3 and does not have a cert database at:
>
> /etc/pki/pki-tomcat/alias
>
> At:
>
> /var/lib/pki-ca/alias

right

> subsystemCert cert-pki-ca has a serial number of 18 (0x12)
>
> At:
>
> uid=CA-$HOST-8443,ou=people,o=ipaca
>
> the certificate has a serial number of 4.
>
>
> What is the best way to fix this?
>
> If it matters, the master installation is old enough to have had its certs auto-renewed.

Yes, certs were renewed but the PKI user entry was not which causes the issue. This has been seen on very old IPA installations.

1) Login into IPA Master (RHEL 6) - as root.

2) Redirect "subsystemCert cert-pki-ca" to a file.

# certutil -L -d /var/lib/pki-ca/alias/ -n "subsystemCert cert-pki-ca" -a > /tmp/subsystemcert.pem

3) Drop the header/footer and combine this into a single line.

# echo && cat /tmp/subsystemcert.pem | sed -rn '/^-----BEGIN CERTIFICATE-----$/{:1;n;/^-----END CERTIFICATE-----$/b2;H;b1};:2;${x;s/\s//g;p}'

4) String generated in step 3 needs to be added under attribute "usercertificate;binary:" below.

===================================================================================
# ldapmodify -x -h 127.0.0.1 -p 7389 -D 'cn=Directory Manager' -W << EOF
dn: uid=CA-ptipa1.example.com-9443,ou=people,o=ipaca
changetype: modify
add: usercertificate;binary
usercertificate;binary: MIIDyTCCAr..Y4EKCneFA==   <-- ADD the full string from step 3.
-
replace: description
description: 2;18;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM
EOF
===================================================================================

Note: the description field attribute has format: :::

5) Once the above command is successful restart IPA service

# service ipa restart

6) Check if the mapping is now correct.

# pki-server ca-user-show CA-ptipa1.example.com-9443 | egrep "User ID|Description"

>
> Dennis
>
>
> -----Original Message-----
> From: Petr Vobornik [mailto:pvoborni at redhat.com]
> Sent: Friday, April 15, 2016 10:06 AM
> To: Ott, Dennis; Freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
>
> On 04/15/2016 03:51 PM, Ott, Dennis wrote:
>> Looks like we're out of ideas.
>>
>> I'll proceed with Plan B.
>>
>
> A possibility is also to check if
>
> Serial number of
>
> certutil -d /etc/pki/pki-tomcat/alias -L -n 'subsystemCert cert-pki-ca'
>
> matches serial number of the cert below (4) and if
>
> uid=CA-$HOST-8443,ou=people,o=ipaca
>
> has actually the same cert in userCertificate attribute
>
> Or maybe to do the same with other PKI users in ou=people,o=ipaca
>
>> -----Original Message-----
>> From: Ott, Dennis
>> Sent: Monday, April 11, 2016 12:27 PM
>> To: Ott, Dennis; Petr Vobornik; Freeipa-users at redhat.com
>> Subject: RE: [Freeipa-users] 7.x replica install from 6.x master fails
>>
>> As a test, I attempted to do a replica install on a Fedora 23 machine. It fails with the same error.
>>
>> Dennis
>>
>>
>>
>> -----Original Message-----
>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ott, Dennis
>> Sent: Thursday, April 07, 2016 5:39 PM
>> To: Petr Vobornik; Freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
>>
>> It doesn't look like that is my problem. The output of pki-server ca-group-member-find "Subsystem Group" gives:
>>
>> User ID: CA-ptipa1.example.com-9443
>> Common Name: CA-ptipa1.example.com-9443
>> Surname: CA-ptipa1.example.com-9443
>> Type: agentType
>> Description: 2;4;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM
>> E-mail:
>>
>> All the certs seem valid:
>>
>> # getcert list | grep expires
>> expires: 2017-07-18 00:55:14 UTC
>> expires: 2017-07-18 00:54:14 UTC
>> expires: 2017-07-18 00:54:14 UTC
>> expires: 2017-07-18 00:54:14 UTC
>> expires: 2017-07-18 00:54:14 UTC
>> expires: 2017-08-09 00:54:19 UTC
>> expires: 2017-08-09 00:54:19 UTC
>> expires: 2017-08-09 00:54:21 UTC
>> #
>>
>> I was wondering if I might be hitting this:
>>
>> http://cp.mcafee.com/d/1jWVIi6x8SyMVuXzX0VMSrhhjhupjvvhdEEFELcFKcECPpISHoHZalxOVIsWqehMGDpMQsyGeWOPtfhktZy0GM-xEGYCXslsttJtVNxeSICPpISr9PCJhbctZ2It9RFfQe00UX7_AJKjBoHYYvhjd79IQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoalIl-BaMVsQv6QmhPPzNI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
>> http://cp.mcafee.com/d/5fHCNEg3zqb3BXKfI3D3pJ55d5VBdZZ4SyyCyYOCUOyrdCPqJyLQFm7bCNPFEV72GtD3hOaEXHbdQZ5hTS82H3W6yHOrJNlNRSRTD64XqOrdCPpIDeqR4INTQaNQDmA_gU03yNmmjBoHYYhod7bVIQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoalIl-BaMVsQv6QmhPPzNI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
>>
>> It says it is fixed in pki 10.2.6. 10.2.6 has been released for Fedora (many months ago), but is not yet available for enterprise.
>>
>> Dennis
>>
>>
>>
>>
>> -----Original Message-----
>> From: Petr Vobornik [mailto:pvoborni at redhat.com]
>> Sent: Thursday, April 07, 2016 10:56 AM
>> To: Ott, Dennis; Freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
>>
>> Sorry for the late response.
>>
>> It looks like a bug
>> http://cp.mcafee.com/d/1jWVIe4xAe3zqb3BXInd7b1EVdCQkkQnCkTTQjqaaqbParza9ISrdGSa_iBosKr7eLqaEF-waI47nQ7LQl8m7f2H3ab0Ggvhv5mtKqek4Q4hPEVwSrdCPpesRG9px1IyaiffTE-wjSvbVgDkMaA6Of08iAwsyCqekhP0US5LD4Qg1CF2IoiaCy0Qub6qAaNx85hZ0DI-nd7NJ5CZNPxI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
>> But it should be fixed in pki-core-9.0.3-45.el6_7 so I'm not sure.
>>
>> Anyway,
>> java.io.IOException: 2 actually means authentication failure.
>>
>> The authentication problem might be caused by a missing subsystem user (bug #1225589) and there's already a tool to restore it. However, before running the script, please run this command on the master to verify the problem:
>>
>> $ pki-server ca-group-member-find "Subsystem Group"
>>
>> Ideally it should return a user ID "CA--9443" and the description attribute should contain the subsystem certificate in this format ";;;".
>>
>> If that's not the case, please run this tool to restore the subsystem user:
>>
>> $ python /usr/share/pki/scripts/restore-subsystem-user.py
>>
>> Then run this command again to verify the fix:
>>
>> $ pki-server ca-group-member-find "Subsystem Group"
>>
>> If everything works well, please try installing the replica again.
>>
>> Also verify that all certificates in `getcert list` output are not expired.
>> >> >> On 03/31/2016 09:07 PM, Ott, Dennis wrote: >>> Petr, >>> >>> Original 6.x master installed at: >>> >>> ipa-server-2.1.3-9 >>> >>> pki-ca-9.0.3-20 >>> >>> >>> At the time the migration was attempted, the 6.x master had been updated to: >>> >>> ipa-server-3.0.0-47 >>> >>> pki-ca-9.0.3-45 >>> >>> >>> The 7.x replica install has been attempted using a variety of versions. The log excerpts at the beginning of this email were from an installation attempt using: >>> >>> ipa-server-4.2.0-15.0.1 >>> >>> pki-ca-10.2.5-6 >>> >>> >>> It's a standard CA installation. This line is from /var/log/ipaserverinstall.log showing selfsign as False: >>> >>> 2013-09-04T18:41:20Z DEBUG /usr/sbin/ipa-server-install was invoked >>> with options: {'zone_refresh': 0, 'reverse_zone': None, 'realm_name': >>> None, 'create_sshfp': True, 'conf_sshd': False, 'conf_ntp': False, >>> 'subject': None, 'no_forwarders': False, 'persistent_search': True, >>> 'ui_redirect': True, 'domain_name': None, 'idmax': 0, 'hbac_allow': >>> True, 'no_reverse': False, 'dirsrv_pkcs12': None, 'unattended': >>> False, >>> 'selfsign': False, 'trust_sshfp': False, 'external_ca_file': None, >>> 'no_host_dns': False, 'http_pkcs12': None, 'zone_notif': False, >>> 'forwarders': None, 'idstart': 900000000, 'external_ca': False, >>> 'ip_address': None, 'conf_ssh': False, 'serial_autoincrement': True, >>> 'zonemgr': None, 'setup_dns': False, 'host_name': None, 'debug': >>> False, 'external_cert_file': None, 'uninstall': False} >>> 2013-09-04T18:41:20Z DEBUG missing options might be asked for >>> interactively later >>> >>> >>> -----Original Message----- >>> From: Petr Vobornik [mailto:pvoborni at redhat.com] >>> Sent: Tuesday, March 29, 2016 6:43 AM >>> To: Ott, Dennis; Freeipa-users at redhat.com >>> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master >>> fails >>> >>> On 03/24/2016 04:29 PM, Ott, Dennis wrote: >>>> I am trying to migrate from OS 6.x / IPA 3.0 to OS 7.x / IPA 4.x. 
>>>> After working through and solving a few issues, my current efforts >>>> fail when setting up the replica CA. >>>> >>>> If I set up a new, pristine master on OS 6.7, I am able to create >>>> an OS 7.x replica without any problem. However, if I try to create >>>> a replica from my two year old test lab instance (production will >>>> be another matter for the future) it fails. The test lab master was >>>> created a couple of years ago on OS 6.3 / IPA 2.x and has been >>>> upgraded to the latest versions in the 6.x chain. It is old enough >>>> to have had all the certificates renewed, but I believe I have worked through all the issues related to that. >>>> >>>> Below is what I believe are the useful portions of the pertinent logs. >>>> I?ve not been able to find anything online that speaks to the >>>> errors I am seeing >>>> >>>> Thanks for your help. >>> >>> Hello Dennis, >>> >>> what are the exact versions of pki-ca and ipa-server on the 6.x master and 7.x replica? >>> >>> What kind of CA installation does the old 6.x master install have? Is standard installation with CA or does it also use external CA? >>> >>> I assume it is not self-sign (very old unsupported type, which could be converted in 7.x as CA-less). >>> >>>> >>>> /var/log/ipareplica-install.log >>>> >>>> 2016-03-23T21:55:11Z DEBUG Configuring certificate server (pki-tomcatd). 
>>>> Estimated time: 3 minutes 30 seconds >>>> >>>> 2016-03-23T21:55:11Z DEBUG [1/23]: creating certificate server user >>>> >>>> 2016-03-23T21:55:11Z DEBUG group pkiuser exists >>>> >>>> 2016-03-23T21:55:11Z DEBUG user pkiuser exists >>>> >>>> 2016-03-23T21:55:11Z DEBUG duration: 0 seconds >>>> >>>> 2016-03-23T21:55:11Z DEBUG [2/23]: configuring certificate server instance >>>> >>>> 2016-03-23T21:55:11Z DEBUG Loading StateFile from >>>> '/var/lib/ipa/sysrestore/sysrestore.state' >>>> >>>> 2016-03-23T21:55:11Z DEBUG Saving StateFile to >>>> '/var/lib/ipa/sysrestore/sysrestore.state' >>>> >>>> 2016-03-23T21:55:11Z DEBUG Contents of pkispawn configuration file (/tmp/tmpGQ59ZC): >>>> >>>> [CA] >>>> >>>> pki_security_domain_name = IPA >>>> >>>> pki_enable_proxy = True >>>> >>>> pki_restart_configured_instance = False >>>> >>>> pki_backup_keys = True >>>> >>>> pki_backup_password = XXXXXXXX >>>> >>>> pki_profiles_in_ldap = True >>>> >>>> pki_client_database_dir = /tmp/tmp-g0CKZ3 >>>> >>>> pki_client_database_password = XXXXXXXX >>>> >>>> pki_client_database_purge = False >>>> >>>> pki_client_pkcs12_password = XXXXXXXX >>>> >>>> pki_admin_name = admin >>>> >>>> pki_admin_uid = admin >>>> >>>> pki_admin_email = root at localhost >>>> >>>> pki_admin_password = XXXXXXXX >>>> >>>> pki_admin_nickname = ipa-ca-agent >>>> >>>> pki_admin_subject_dn = cn=ipa-ca-agent,O=EXAMPLE.COM >>>> >>>> pki_client_admin_cert_p12 = /root/ca-agent.p12 >>>> >>>> pki_ds_ldap_port = 389 >>>> >>>> pki_ds_password = XXXXXXXX >>>> >>>> pki_ds_base_dn = o=ipaca >>>> >>>> pki_ds_database = ipaca >>>> >>>> pki_subsystem_subject_dn = cn=CA Subsystem,O=EXAMPLE.COM >>>> >>>> pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=EXAMPLE.COM >>>> >>>> pki_ssl_server_subject_dn = >>>> cn=pt-idm-vm01.example.com,O=EXAMPLE.COM >>>> >>>> pki_audit_signing_subject_dn = cn=CA Audit,O=EXAMPLE.COM >>>> >>>> pki_ca_signing_subject_dn = cn=Certificate Authority,O=EXAMPLE.COM >>>> >>>> pki_subsystem_nickname = 
subsystemCert cert-pki-ca
>>>> pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
>>>> pki_ssl_server_nickname = Server-Cert cert-pki-ca
>>>> pki_audit_signing_nickname = auditSigningCert cert-pki-ca
>>>> pki_ca_signing_nickname = caSigningCert cert-pki-ca
>>>> pki_ca_signing_key_algorithm = SHA256withRSA
>>>> pki_security_domain_hostname = ptipa1.example.com
>>>> pki_security_domain_https_port = 443
>>>> pki_security_domain_user = admin
>>>> pki_security_domain_password = XXXXXXXX
>>>> pki_clone = True
>>>> pki_clone_pkcs12_path = /tmp/ca.p12
>>>> pki_clone_pkcs12_password = XXXXXXXX
>>>> pki_clone_replication_security = TLS
>>>> pki_clone_replication_master_port = 7389
>>>> pki_clone_replication_clone_port = 389
>>>> pki_clone_replicate_schema = False
>>>> pki_clone_uri = http://cp.mcafee.com/d/k-Kr6zqb3VEVjouhuodCQkkQnCkTTQjqaaqbParza9ISrdGSa_iBosKrKVXMGgog82KA1N1BeTyH93t5m7hOoHH3b8GOxvQd8e89K8CPpISr9PCJhbcmD9rkuYf21_YLxIbve9Ew3di5oMAld41EYmcR8lz2gazW1fpYKqfzqaabyr1I5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
>>>>
>>>> 2016-03-23T21:55:11Z DEBUG Starting external process
>>>> 2016-03-23T21:55:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC'
>>>> 2016-03-23T21:56:51Z DEBUG Process finished, return code=1
>>>> 2016-03-23T21:56:51Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160323175511.log
>>>> Loading deployment configuration from /tmp/tmpGQ59ZC.
>>>> Installing CA into /var/lib/pki/pki-tomcat.
>>>> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>>>> Installation failed.
>>>> >>>> 2016-03-23T21:56:51Z DEBUG >>>> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: >>>> InsecureRequestWarning: Unverified HTTPS request is being made. >>>> Adding certificate verification is strongly advised. See: >>>> http://cp.mcafee.com/d/5fHCNAi6hESyM-qekS7AnC3pJ55d5VBdZZ4SyyCyYOCU >>>> O >>>> y >>>> r >>>> dCPqJyLQFm7bCXKuYaA6420HF0sgpjJUGOgThlxQsCaWMOOaIEnZ3i3y2ry9ISrdCOs >>>> V >>>> H >>>> k >>>> iP6UDDO8cZ7ZgCjZ2JGs01PUovI_FfavpKcFBK1NIbve9Ew3di5oMAld41EYmcR8lz2 >>>> g >>>> a >>>> z >>>> W1fpYKqfzqaabyr1I5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdl >>>> j >>>> h >>>> 0 >>>> VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh >>>> >>>> InsecureRequestWarning) >>>> >>>> pkispawn : WARNING ....... unable to validate security domain user/password >>>> through REST interface. Interface not available >>>> >>>> pkispawn : ERROR ....... Exception from Java Configuration Servlet: 500 >>>> Server Error: Internal Server Error >>>> >>>> pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line >>>> 1, column 0: >>>> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base. 
>>>> PKIException","Code":500,"Message":"Error >>>> while updating security domain: java.io.IOException: 2"} >>>> >>>> 2016-03-23T21:56:51Z CRITICAL Failed to configure CA instance: >>>> Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC'' >>>> returned non-zero exit status 1 >>>> >>>> 2016-03-23T21:56:51Z CRITICAL See the installation logs and the >>>> following files/directories for more information: >>>> >>>> 2016-03-23T21:56:51Z CRITICAL /var/log/pki-ca-install.log >>>> >>>> 2016-03-23T21:56:51Z CRITICAL /var/log/pki/pki-tomcat >>>> >>>> 2016-03-23T21:56:51Z DEBUG Traceback (most recent call last): >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>> line 418, in start_creation >>>> >>>> run_step(full_msg, method) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>> line 408, in run_step >>>> >>>> method() >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >>>> line 620, in __spawn_instance >>>> >>>> DogtagInstance.spawn_instance(self, cfg_file) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py" >>>> , >>>> line 201, in spawn_instance >>>> >>>> self.handle_setup_error(e) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py" >>>> , >>>> line 465, in handle_setup_error >>>> >>>> raise RuntimeError("%s configuration failed." % >>>> self.subsystem) >>>> >>>> RuntimeError: CA configuration failed. >>>> >>>> 2016-03-23T21:56:51Z DEBUG [error] RuntimeError: CA configuration failed. 
>>>> >>>> 2016-03-23T21:56:51Z DEBUG File >>>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line >>>> 171, in execute >>>> >>>> return_value = self.run() >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", >>>> line 311, in run >>>> >>>> cfgr.run() >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 281, in run >>>> >>>> self.execute() >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 303, in execute >>>> >>>> for nothing in self._executor(): >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 343, in __runner >>>> >>>> self._handle_exception(exc_info) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 365, in _handle_exception >>>> >>>> util.raise_exc_info(exc_info) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 333, in __runner >>>> >>>> step() >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >>>> line 87, in run_generator_with_yield_from >>>> >>>> raise_exc_info(exc_info) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >>>> line 65, in run_generator_with_yield_from >>>> >>>> value = gen.send(prev_value) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 524, in _configure >>>> >>>> executor.next() >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 343, in __runner >>>> >>>> self._handle_exception(exc_info) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 421, in _handle_exception >>>> >>>> self.__parent._handle_exception(exc_info) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 365, in _handle_exception >>>> >>>> util.raise_exc_info(exc_info) >>>> >>>> File >>>> 
"/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 418, in _handle_exception >>>> >>>> super(ComponentBase, self)._handle_exception(exc_info) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 365, in _handle_exception >>>> >>>> util.raise_exc_info(exc_info) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", >>>> line 333, in __runner >>>> >>>> step() >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >>>> line 87, in run_generator_with_yield_from >>>> >>>> raise_exc_info(exc_info) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/util.py", >>>> line 65, in run_generator_with_yield_from >>>> >>>> value = gen.send(prev_value) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipapython/install/common.py", >>>> line 63, in _install >>>> >>>> for nothing in self._installer(self.parent): >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicai >>>> n >>>> s >>>> t >>>> all.py", >>>> line 879, in main >>>> >>>> install(self) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicai >>>> n >>>> s >>>> t >>>> all.py", >>>> line 295, in decorated >>>> >>>> func(installer) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicai >>>> n >>>> s >>>> t >>>> all.py", >>>> line 584, in install >>>> >>>> ca.install(False, config, options) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", >>>> line 106, in install >>>> >>>> install_step_0(standalone, replica_config, options) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", >>>> line 130, in >>>> install_step_0 >>>> >>>> ra_p12=getattr(options, 'ra_p12', None)) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >>>> line 1543, in install_replica_ca >>>> >>>> subject_base=config.subject_base) >>>> 
>>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >>>> line 486, in configure_instance >>>> >>>> self.start_creation(runtime=210) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>> line 418, in start_creation >>>> >>>> run_step(full_msg, method) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>> line 408, in run_step >>>> >>>> method() >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >>>> line 620, in __spawn_instance >>>> >>>> DogtagInstance.spawn_instance(self, cfg_file) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py" >>>> , >>>> line 201, in spawn_instance >>>> >>>> self.handle_setup_error(e) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py" >>>> , >>>> line 465, in handle_setup_error >>>> >>>> raise RuntimeError("%s configuration failed." % >>>> self.subsystem) >>>> >>>> 2016-03-23T21:56:51Z DEBUG The ipa-replica-install command failed, exception: >>>> RuntimeError: CA configuration failed. >>>> >>>> 2016-03-23T21:56:51Z ERROR CA configuration failed. >>>> >>>> /var/log/pki/pki-ca-spawn..log >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... rm -f >>>> /etc/pki/pki-tomcat/ca/noise >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... rm -f /etc/pki/pki-tomcat/pfile >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... ln -s >>>> /lib/systemd/system/pki-tomcatd at .service >>>> /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd at pki-tomcat. >>>> s >>>> e >>>> rvice >>>> >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown -h 17:17 >>>> /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd at pki-tomcat. >>>> s >>>> e >>>> rvice >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ... configuring >>>> 'pki.server.deployment.scriptlets.configuration' >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... 
mkdir -p >>>> /root/.dogtag/pki-tomcat/ca >>>> >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 755 >>>> /root/.dogtag/pki-tomcat/ca >>>> >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 0:0 >>>> /root/.dogtag/pki-tomcat/ca >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... generating >>>> '/root/.dogtag/pki-tomcat/ca/password.conf' >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... modifying >>>> '/root/.dogtag/pki-tomcat/ca/password.conf' >>>> >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 660 >>>> /root/.dogtag/pki-tomcat/ca/password.conf >>>> >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 0:0 >>>> /root/.dogtag/pki-tomcat/ca/password.conf >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... generating >>>> '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf' >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... modifying >>>> '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf' >>>> >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 660 >>>> /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf >>>> >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 17:17 >>>> /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... executing 'certutil -N -d >>>> /tmp/tmp-g0CKZ3 -f /root/.dogtag/pki-tomcat/ca/password.conf' >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... executing 'systemctl >>>> daemon-reload' >>>> >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... executing 'systemctl start >>>> pki-tomcatd at pki-tomcat.service' >>>> >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... No connection - server >>>> may still be down >>>> >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... No connection - exception >>>> thrown: ('Connection aborted.', error(111, 'Connection refused')) >>>> >>>> 2016-03-23 17:55:13 pkispawn : DEBUG ........... No connection - server >>>> may still be down >>>> >>>> 2016-03-23 17:55:13 pkispawn : DEBUG ........... 
No connection - exception >>>> thrown: ('Connection aborted.', error(111, 'Connection refused')) >>>> >>>> 2016-03-23 17:55:24 pkispawn : DEBUG ........... >>> encoding="UTF-8" >>>> standalone="no"?>0CA>>> s >>>>> r unning10.2.5-6.el7 >>>> >>>> 2016-03-23 17:55:25 pkispawn : INFO ....... constructing PKI >>>> configuration data. >>>> >>>> 2016-03-23 17:55:25 pkispawn : INFO ....... configuring PKI configuration >>>> data. >>>> >>>> 2016-03-23 17:56:51 pkispawn : ERROR ....... Exception from Java >>>> Configuration Servlet: 500 Server Error: Internal Server Error >>>> >>>> 2016-03-23 17:56:51 pkispawn : ERROR ....... ParseError: not well-formed >>>> (invalid token): line 1, column 0: >>>> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base. >>>> PKIException","Code":500,"Message":"Error >>>> while updating security domain: java.io.IOException: 2"} >>>> >>>> 2016-03-23 17:56:51 pkispawn : DEBUG ....... Error Type: ParseError >>>> >>>> 2016-03-23 17:56:51 pkispawn : DEBUG ....... Error Message: not >>>> well-formed (invalid token): line 1, column 0 >>>> >>>> 2016-03-23 17:56:51 pkispawn : DEBUG ....... 
File "/usr/sbin/pkispawn", >>>> line 597, in main >>>> >>>> rv = instance.spawn(deployer) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/ >>>> c >>>> o >>>> n >>>> figuration.py", >>>> line 116, in spawn >>>> >>>> json.dumps(data, cls=pki.encoder.CustomTypeEncoder)) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py" >>>> , >>>> line 3906, in configure_pki_data >>>> >>>> root = ET.fromstring(e.response.text) >>>> >>>> File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line >>>> 1300, in XML >>>> >>>> parser.feed(text) >>>> >>>> File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line >>>> 1642, in feed >>>> >>>> self._raiseerror(v) >>>> >>>> File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line >>>> 1506, in _raiseerror >>>> >>>> raise err >>>> >>>> /var/log/pki/pki-tomcat/ca/debug >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: >>>> password >>>> ok: store in memory cache >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init >>>> ends >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before >>>> makeConnection errorIfDown is false >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: >>>> errorIfDown false >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP >>>> connection using basic authentication to host >>>> pt-idm-vm01.example.com port 389 as cn=Directory Manager >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with >>>> mininum 3 and maximum 15 connections to host >>>> pt-idm-vm01.example.com port 389, secure connection, false, >>>> authentication type 1 >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum >>>> connections by 3 >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available >>>> connections 3 >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of >>>> connections 3 >>>> >>>> 
[23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In >>>> LdapBoundConnFactory::getConn() >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: >>>> true >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is >>>> connected true >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns >>>> now >>>> 2 >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS: >>>> param=preop.internaldb.manager_ldif >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif >>>> file = /usr/share/pki/server/conf/manager.ldif >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif >>>> file copy to /var/lib/pki/pki-tomcat/ca/conf/manager.ldif >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): LDAP >>>> Errors in importing /var/lib/pki/pki-tomcat/ca/conf/manager.ldif >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: >>>> exception in adding entry >>>> ou=csusers,cn=config:netscape.ldap.LDAPException: error result (68) >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: >>>> exception in modifying entry o=ipaca:netscape.ldap.LDAPException: >>>> error result (20) >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: populateVLVIndexes(): >>>> start >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Creating >>>> LdapBoundConnFactor(ConfigurationUtils) >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapBoundConnFactory: >>>> init >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: >>>> LdapBoundConnFactory:doCloning true >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init() >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init >>>> begins >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: >>>> prompt is internaldb >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: >>>> try getting from memory cache 
>>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: >>>> got password from memory >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: >>>> password found for prompt. >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: >>>> password >>>> ok: store in memory cache >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init >>>> ends >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before >>>> makeConnection errorIfDown is false >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: >>>> errorIfDown false >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP >>>> connection using basic authentication to host >>>> pt-idm-vm01.example.com port 389 as cn=Directory Manager >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with >>>> mininum 3 and maximum 15 connections to host >>>> pt-idm-vm01.example.com port 389, secure connection, false, >>>> authentication type 1 >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum >>>> connections by 3 >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available >>>> connections 3 >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of >>>> connections 3 >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In >>>> LdapBoundConnFactory::getConn() >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: >>>> true >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is >>>> connected true >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns >>>> now >>>> 2 >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS: >>>> param=preop.internaldb.post_ldif >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif >>>> file = /usr/share/pki/ca/conf/vlv.ldif >>>> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif >>>> file copy to 
/var/lib/pki/pki-tomcat/ca/conf/vlv.ldif >>>> >>>> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif >>>> file = /usr/share/pki/ca/conf/vlvtasks.ldif >>>> >>>> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif >>>> file copy to /var/lib/pki/pki-tomcat/ca/conf/vlvtasks.ldif >>>> >>>> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: Checking wait_dn >>>> cn=index1160589769, cn=index, cn=tasks, cn=config >>>> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: Found data for 'sslserver' >>>> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: >>>> SystemConfigService:processCerts(): san_server_cert not found for >>>> tag sslserver >>>> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is >>>> local >>>> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is >>>> remote (revised) >>>> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: >>>> updateConfig() for certTag sslserver >>>> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: updateConfig() done >>>> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: remote CA >>>> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got >>>> public key >>>> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got >>>> private key >>>> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: For this >>>> Cloned CA, always use its Master CA to generate the 'sslserver' >>>> certificate to avoid any changes which may have been made to the X500Name directory string encoding order. 
>>>> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: ConfigurationUtils: >>>> injectSAN=false >>>> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertUtil >>>> createRemoteCert: content >>>> requestor_name=CA-pt-idm-vm01.example.com-8443&profileId=caInternal >>>> A >>>> u >>>> t >>>> hServerCert&cert_request_type=pkcs10&cert_request=MIICmzCCAYxxxxxxx >>>> x >>>> x >>>> x >>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >>>> x >>>> x >>>> x >>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >>>> x >>>> x >>>> x >>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >>>> x >>>> x >>>> x >>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >>>> x >>>> x >>>> x >>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >>>> x >>>> x >>>> x >>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxrD6JPIBR7AA%3D&xmlOutput=tru >>>> e >>>> & >>>> s >>>> essionID=-4495713718673639316 >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil >>>> createRemoteCert: status=0 >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil createRemoteCert: >>>> MIIDxTCCAq2gxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >>>> x >>>> x >>>> x >>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >>>> x >>>> x >>>> x >>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >>>> x >>>> x >>>> x >>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >>>> x >>>> x >>>> x >>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx >>>> x >>>> x >>>> x >>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxTDuSAWm2v7 >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: ConfigurationUtils: >>>> handleCertRequest() begins >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: >>>> tag=sslserver >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: >>>> 
privKeyID=29c021f3ccfafb1049bd33ce00e9b4ba35f2c1e7 >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: >>>> created cert request >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processing 'sslserver' certificate: >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): for >>>> cert tag 'sslserver' using cert type 'remote' >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): >>>> process remote...import cert >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: >>>> nickname=Server-Cert cert-pki-ca >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: cert >>>> deleted successfully >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): >>>> certchains length=2 >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): import >>>> certificate successfully, certTag=sslserver >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processed 'sslserver' certificate. >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === BackupKeyCert >>>> Panel/SavePKCS12 Panel === >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: backupKeys(): start >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Admin Panel === >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Done Panel === >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Updating existing >>>> security domain >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: isSDHostDomainMaster(): >>>> Getting domain.xml from CA... >>>> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: getDomainXML start >>>> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: >>>> status=0 >>>> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: >>>> domainInfo=>>> standalone="no"?>IPAptipa1. 
>>>> example.com443443< >>>> / >>>> S >>>> e >>>> cureAgentPort>443>>> cureAgentPort>A >>>> cureAgentPort>u >>>> cureAgentPort>t >>>> hPort>44380>>> hPort>l >>>> hPort>o >>>> hPort>n >>>> e>FALSEpki-cad>>> e>> >>>> e>T >>>> e>R >>>> UE1< >>>> O >>>> C >>>> S >>>> PList>0>>> PList>t >>>> PList>e >>>> PList>m >>>> Count>00>>> Count>t >>>> Count>e >>>> Count>m >>>> Count>0>>> Count>> >>>> Count>< >>>> Count>T >>>> PSList>0 >>>> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Cloning a domain >>>> master >>>> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase >>>> updateDomainXML start hostname=ptipa1.example.com port=443 >>>> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: >>>> failed to update security domain using admin port 443: >>>> org.xml.sax.SAXParseException; >>>> lineNumber: 1; columnNumber: 50; White spaces are required between >>>> publicId and systemId. >>>> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: >>>> now trying agent port with client auth >>>> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase >>>> updateDomainXML start hostname=ptipa1.example.com port=443 >>>> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateDomainXML() >>>> nickname=subsystemCert cert-pki-ca >>>> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML: >>>> status=1 >>>> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Error while updating >>>> security >>>> domain: java.io.IOException: 2 >>>> >>>> [23/Mar/2016:23:44:52][http-bio-8080-exec-1]: according to ccMode, >>>> authorization for servlet: caProfileList is LDAP based, not XML {1}, use default authz mgr: {2}. >>>> >>>> /var/log/pki/pki-tomcat/ca/system >>>> >>>> 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [3] [3] Cannot >>>> build CA chain. 
Error java.security.cert.CertificateException:
>>>> Certificate is not a PKCS #11 certificate
>>>>
>>>> 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [13] [3] authz
>>>> instance DirAclAuthz initialization failed and skipped,
>>>> error=Property internaldb.ldapconn.port missing value
>>>>
>>>> *Dennis M Ott*
>>>> Infrastructure Administrator
>>>> Infrastructure and Security Operations
>>>>
>>>> *McKesson Corporation
>>>> McKesson Pharmacy Systems and Automation* www.mckesson.com
>>>>
>>> --
>>> Petr Vobornik
>>>
>> --
>> Petr Vobornik
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> http://cp.mcafee.com/d/5fHCMUe6gUSyMVuXzX0VMSrhhjhupjvvhdEEFELcFKcECPpISHoHZalxOVIsWqehMGDpMQsyGeWOPtfhktZy0GM-xEGYCXslsttJtVNxeSICPpISr9PCJhbcat7Q2uPVv1dnoovaAVgtHzIv-iSBSWv6xIQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoalIl-BaMVsQv6QmhPPzNI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
>> Go to
>> http://cp.mcafee.com/d/FZsSd3gArhosLtNZwsUrdEEFELcFLLECQkkQnCkT6kjpISrlIl-BaMVsSetd78UljIUqehl7tppKDEGe-N0lovgQlujtKaKeKSKYUMDrmjpISrdw0To_YBJU03xIQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoalIl-BaMVsQv6QmhPPzNI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
>> for more info on the project
>>
>
> --
> Petr Vobornik
>

--
Petr Vobornik

From abrook at bsd.uchicago.edu Fri Apr 15 20:01:06 2016
From: abrook at bsd.uchicago.edu (Brook, Andy [CRI])
Date: Fri, 15 Apr 2016 20:01:06 +0000
Subject: [Freeipa-users] Username attribute in trusted domain
Message-ID: <16461940-31FA-402A-B759-A69F290AF68D@bsd.uchicago.edu>

We're trying to set up FreeIPA to be a good provider of UIDs and GIDs for our mostly RHEL systems. Overall, that works great. The issue I'm running into is that we need to have the same consistent UIDs and GIDs for our Isilon system, which serves up both CIFS and NFS.
Each user of the Isilon needs to have a UID so that the files are owned properly. The Isilon has a way of getting information from both Active Directory and an associated LDAP server. It gets its list of users and groups from AD, a list of users, UIDs, groups and GIDs from LDAP, and combines accounts that are the same, i.e. ADTEST.LOCAL\abrook and abrook from LDAP will be the same user. However, FreeIPA will show abrook (as it sees it through the trust relationship with ADTEST.LOCAL) as abrook@adtest.local instead of abrook, so the Isilon will see them as distinct accounts and won't merge the information in them. I can't, as far as I can tell right now, tell the Isilon to see users with @adtest.local as the same user without the domain. I can tell the Isilon to look at a different LDAP attribute as its username, but there is no attribute that has only the username.

I noticed in the documentation that if I were to do a sync with Active Directory (which isn't something I want to do), I would get the ntDomainUserID attribute that is the same as the samAccountName. This doesn't happen with a trust. Is there a way to get that in place with a custom attribute or pull more LDAP attributes from AD?

Has anyone else run into a situation like this? If so, were you able to rectify that? If so, how?

We have a ticket open with EMC for the Isilon as well, but want to make sure we're coming at this from all the angles we can.

Andy Brook
Sr. Systems Administrator | Center for Research Informatics | University of Chicago
T: 773-834-0458 | http://cri.uchicago.edu

********************************************************************************
This e-mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged and confidential. If the reader of this e-mail message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is prohibited.
If you have received this e-mail in error, please notify the sender and destroy all copies of the transmittal. Thank you.
University of Chicago Medicine and Biological Sciences
********************************************************************************

From gjn at gjn.priv.at Sun Apr 17 05:23:39 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Sun, 17 Apr 2016 07:23:39 +0200
Subject: [Freeipa-users] Object class violation
Message-ID: <3720406.omg8soxZr5@techz>

Hello,

I would like to set up / install a replica for my IPA server.

Now I get this error:

Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/8]: adding sasl mappings to the directory
  [2/8]: configuring KDC
  [3/8]: creating a keytab for the directory
  [4/8]: creating a keytab for the machine
  [5/8]: adding the password extension to the directory
  [6/8]: enable GSSAPI for replication
  [error] OBJECT_CLASS_VIOLATION: {'desc': 'Object class violation'}
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR {'desc': 'Object class violation'}

Do I also have to delete the replica on the IPA server?

Or can I repair the replica?

--
mit freundlichen Grüßen / best regards,

Günther J. Niederwimmer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipareplica-install.log
Type: text/x-log
Size: 1705689 bytes
Desc: not available
URL:

From dkupka at redhat.com Mon Apr 18 05:49:25 2016
From: dkupka at redhat.com (David Kupka)
Date: Mon, 18 Apr 2016 07:49:25 +0200
Subject: [Freeipa-users] Object class violation
In-Reply-To: <3720406.omg8soxZr5@techz>
References: <3720406.omg8soxZr5@techz>
Message-ID: <57147565.5060902@redhat.com>

On 17/04/16 07:23, Günther J. Niederwimmer wrote:
> Hello,
> I would like to set up / install a replica for my IPA server.
>
> Now I get this error:
>
> Configuring Kerberos KDC (krb5kdc).
Estimated time: 30 seconds
>   [1/8]: adding sasl mappings to the directory
>   [2/8]: configuring KDC
>   [3/8]: creating a keytab for the directory
>   [4/8]: creating a keytab for the machine
>   [5/8]: adding the password extension to the directory
>   [6/8]: enable GSSAPI for replication
>   [error] OBJECT_CLASS_VIOLATION: {'desc': 'Object class violation'}
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR {'desc': 'Object
> class violation'}
>
> Do I also have to delete the replica on the IPA server?
>
> Or can I repair the replica?
>
>

Hello,
the simplest way is to run

# ipa-server-install --uninstall -U

on the replica and

# ipa-replica-manage del

on the master. But I don't understand why you got the "Object class violation" error. Have you changed the schema on the IPA server? Or done any other changes? If not, could you please file a ticket (https://fedorahosted.org/freeipa/newticket) and provide a reproducer?

--
David Kupka

From dkupka at redhat.com Mon Apr 18 07:14:27 2016
From: dkupka at redhat.com (David Kupka)
Date: Mon, 18 Apr 2016 09:14:27 +0200
Subject: [Freeipa-users] ipa -v ping lies about the cert database
In-Reply-To:
References: <5710DB60.7070508@redhat.com>
Message-ID: <57148953.1070904@redhat.com>

On 15/04/16 15:16, Harald Dunkel wrote:
> Hi David,
>
>> Hello Harri,
>>
>> the FreeIPA certificate database is stored in /etc/ipa/nssdb; by default the permissions are set to:
>>
>> $ ls -dl /etc/ipa/nssdb/
>> drwxr-xr-x. 2 root root 73 Apr 15 14:00 /etc/ipa/nssdb/
>>
>> $ ls -l /etc/ipa/nssdb/
>> total 80
>> -rw-r--r--. 1 root root 65536 Apr 15 14:00 cert8.db
>> -rw-r--r--. 1 root root 16384 Apr 15 14:00 key3.db
>> -rw-------. 1 root root    40 Apr 15 14:00 pwdfile.txt
>> -rw-r--r--. 1 root root 16384 Apr 15 14:00 secmod.db
>>
>> Please check the permission on your system. If it's different and you (or the system admin) haven't changed it, please file a ticket (https://fedorahosted.org/freeipa/newticket).
>>
>
> Sorry, I should have mentioned that the client runs Debian
> with freeipa 4.0.5.
>
> # ls -al /etc/ipa/
> total 24
> drwxr-xr-x   2 root root  4096 Dec 29 08:32 .
> drwxr-xr-x 190 root root 12288 Apr 15 12:44 ..
> -rw-r--r--   1 root root  1792 Dec 29 08:32 ca.crt
> -rw-r--r--   1 root root   194 Dec 29 08:32 default.conf
>
> No nssdb. AFAICS only the ipa servers in my lan have a
> directory /etc/ipa/nssdb (CentOS 7).
>
> On the clients I can see a cert8.db in /etc/pki/nssdb.
> Looking at the time stamp it seems to be related to freeipa.
>
> # ls -al /etc/pki/nssdb/
> total 76
> drwxr-xr-x 2 root root  4096 Dec 29 08:32 .
> drwxr-xr-x 3 root root  4096 Dec 28 16:09 ..
> -rw------- 1 root root 65536 Dec 29 08:32 cert8.db
> -rw------- 1 root root 16384 Dec 29 08:32 key3.db
> -rw------- 1 root root 16384 Dec 29 08:32 secmod.db
>
> No pwdfile.txt. I would guess the key database has been created
> with --empty-password.
>
> Does this look familiar, or is this misconfigured and weird?
>
> Sorry for asking stupid questions, but the setup in my lan is
> all I have. I have never had a chance to see another freeipa
> installation. Hope you don't mind?
>
> Regards
> Harri
>

Hello Harri,
actually the version and OS information makes a difference :-)

Older versions of the FreeIPA client used the NSSDB in /etc/pki/nssdb; I don't recall at what version we switched to /etc/ipa/nssdb, but it was some time ago.

I have reproduced the issue on Debian, and after changing the access rights (# chmod ga+r /etc/pki/nssdb/*) it works for me. The ipa command needs to access the IPA CA certificate stored there to verify the identity of the FreeIPA server.

I haven't seen this issue on Fedora, so I'm adding Timo, who is porting FreeIPA to Debian. Timo, have you met this issue?
-- 
David Kupka

From jhrozek at redhat.com Mon Apr 18 10:03:41 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 18 Apr 2016 12:03:41 +0200
Subject: [Freeipa-users] Username attribute in trusted domain
In-Reply-To: <16461940-31FA-402A-B759-A69F290AF68D@bsd.uchicago.edu>
References: <16461940-31FA-402A-B759-A69F290AF68D@bsd.uchicago.edu>
Message-ID: <20160418100341.GJ3050@hendrix.redhat.com>

On Fri, Apr 15, 2016 at 08:01:06PM +0000, Brook, Andy [CRI] wrote:
> We're trying to set up FreeIPA to be a good provider of UIDs and GIDs for our mostly RHEL systems. Overall, that works great. The issue I'm running into is that we need to have the same consistent UIDs and GIDs for our Isilon system which serves up both CIFS and NFS. Each user of the Isilon needs to have a UID so that the files are owned properly. The Isilon has a way of getting information from both Active Directory and an associated LDAP server. It gets its list of users and groups from AD, a list of users, UIDs, groups and GIDs from LDAP, and combines accounts that are the same, i.e. ADTEST.LOCAL\abrook and abrook from LDAP will be the same user. However, FreeIPA will show abrook (as it sees through the Trust relationship with ADTEST.LOCAL) as abrook@adtest.local instead of abrook, so the Isilon will see them as distinct accounts and won't merge the information in them. I can't, as far as I can tell right now, tell the Isilon to see users with @adtest.local as the same user without the domain. I can tell the Isilon to look at a different LDAP attribute as its username, but there is no attribute that has only the username.
>
> I noticed in the documentation that if I were to do a sync with Active Directory (which isn't something I want to do), I would get the ntDomainUserID attribute that is the same as the samAccountName. This doesn't happen with a trust. Is there a way to get that in place with a custom attribute or pull more LDAP attributes from AD?
>
> Has anyone else run into a situation like this? If so, were you able to rectify that? If so, how?
>
> We have a ticket open with EMC for the Isilon as well, but want to make sure we're coming at this from all the angles we can.

I'm sorry, but currently overriding the attribute names for AD trusted domains is not possible. We are working to make it possible for the next version, but it's a bit of a stretch goal already, so chances are it won't be ready until the version after the next one.

What might perhaps help you is that starting with upstream SSSD 1.14 (upstream 7.3), it should be possible to configure SSSD to only print the shortname and not qualify the users in trusted domains.

From mkosek at redhat.com Mon Apr 18 10:20:41 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 18 Apr 2016 12:20:41 +0200
Subject: [Freeipa-users] Adding FreeIPA to an existing infrastructure
In-Reply-To: <1460456093.12466.1@smtp.office365.com>
References: <1460368928.12466.0@smtp.office365.com> <117018ED-D3BF-4111-ABA6-7108142525BB@uni.lu> <570BA04F.7060709@redhat.com> <1460456093.12466.1@smtp.office365.com>
Message-ID: <5714B4F9.1060509@redhat.com>

On 04/12/2016 12:14 PM, Remco Kranenburg wrote:
> Thanks for all the pointers. I'm tentatively moving forward with a CA-less and
> DNS-less IPA server, with Letsencrypt certificates. I think this is also the
> setup that is used by the demo at . Is
> there some documentation about this setup?
I installed this FreeIPA Demo server with Dogtag CA and then used something like this to set up the root cert:

~~~~~~~~~~~~~~~~~~~~~~~~
# do this once before taking snapshot of the VM
dnf install letsencrypt -y

ipa-cacert-manage install le-root-ca.pem -n le-root-ca -t ,,
ipa-certupdate -v

ipa-cacert-manage install le-authority-x1.pem -n le-authority-x1 -t C,,
ipa-certupdate -v
~~~~~~~~~~~~~~~~~~~~~~~~

and then generated the LE certificate:

~~~~~~~~~~~~~~~~~~~~~~~~
# generate CSR
certutil -R -d /etc/httpd/alias/ -k Server-Cert -f /etc/httpd/alias/pwdfile.txt -s "CN=$(hostname)" --extSAN "dns:$(hostname)" -a -o /root/httpd-csr.pem
openssl req -in /root/httpd-csr.pem -outform der -out /root/httpd-csr.der

# httpd process prevents letsencrypt from working, stop it
service httpd stop

# get a new cert
letsencrypt certonly --csr /root/httpd-csr.der --email ...@redhat.com --agree-tos

# remove old cert
certutil -D -d /etc/httpd/alias/ -n Server-Cert
# add the new cert
certutil -A -d /etc/httpd/alias/ -n Server-Cert -t ,, -a -i /root/0000_cert.pem

# start httpd with the new cert
service httpd start
~~~~~~~~~~~~~~~~~~~~~~~~

but you probably do not want this as you are not installing the CA piece.

> I'm trying to install a Letsencrypt
> certificate into FreeIPA, but when I run the installation:
>
> ipa-server-install --http-cert-file cert.pem --http-cert-file privkey.pem
> --dirsrv-cert-file cert.pem --dirsrv-cert-file privkey.pem
>
> It asks for my "Apache Server private key unlock password", even though the key
> from Letsencrypt is not encrypted with a passphrase. When I give a bogus
> password, it gives me another error:
>
> ipa.ipapython.install.cli.install_tool(Server): ERROR The full certificate
> chain is not present in cert.pem, privkey.pem
>
> Letsencrypt provides me with a few files: cert.pem, chain.pem, fullchain.pem,
> privkey.pem. Even when I also add chain.pem and fullchain.pem, it gives me the
> same error.

CCing JanC, he is the man to help with this one.

Martin

From mkosek at redhat.com Mon Apr 18 10:23:10 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 18 Apr 2016 12:23:10 +0200
Subject: [Freeipa-users] How to set passwords which never expire ?
In-Reply-To: 
References: 
Message-ID: <5714B58E.5020400@redhat.com>

On 04/12/2016 02:10 PM, dbischof at hrz.uni-kassel.de wrote:
> Hi,
>
> On Tue, 12 Apr 2016, bahan w wrote:
>
>> I am using FreeIPA 3.0 and I would like, for specific accounts, to set
>> passwords unexpirable.
>>
>> I tried to set a pwpolicy for this with the option maxage set to 0, but it
>> did not help and the maxage was 0 (password already expired).
>>
>> Is there a way, with this IPA version, to set passwords unexpirable?
>
> it is possible to create a password policy (tab "Policy" in the web interface)
> for a user group of your choice and change the password max lifetime to (e.g.)
> 3650 days = 10 years. That's not exactly "never expiring", but it does the
> trick for me (I use it for LDAP bind users).

Right, this will work as long as the expiration does not go over year 2038:
https://fedorahosted.org/freeipa/ticket/2496

This is the proper RFE to make "0" work:
https://fedorahosted.org/freeipa/ticket/2795

You can add yourself to CC to receive updates on it, it is now scheduled for the next feature release.

Martin

From mkosek at redhat.com Mon Apr 18 10:29:53 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 18 Apr 2016 12:29:53 +0200
Subject: [Freeipa-users] howto ldapsearch for disabled/enabled users?
In-Reply-To: <7bfc4375-120b-4c29-532e-646069ed38c2@aixigo.de>
References: <5710E89B.6030109@redhat.com> <7bfc4375-120b-4c29-532e-646069ed38c2@aixigo.de>
Message-ID: <5714B721.7080209@redhat.com>

On 04/15/2016 04:06 PM, Harald Dunkel wrote:
> Hi David,
>
> On 04/15/16 15:11, David Kupka wrote:
>>
>> Hello Harri,
>>
>> the attribute you're looking for is 'nsaccountlock'. This command should give you uids of all disabled users:
>>
>> $ ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=test "(nsaccountlock=TRUE)" uid
>>
>
> That's exactly what I was looking for. For the record: Searching for
> "nsaccountlock=FALSE" did not work. I had to use
>
> ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=test '(!(nsaccountlock=TRUE))' uid
>
> instead.

Right, this is because nsaccountlock is not present on a user by default, it will be there after the first time the user is administratively disabled and then enabled.

From tjaalton at ubuntu.com Mon Apr 18 12:08:25 2016
From: tjaalton at ubuntu.com (Timo Aaltonen)
Date: Mon, 18 Apr 2016 15:08:25 +0300
Subject: [Freeipa-users] ipa -v ping lies about the cert database
In-Reply-To: <57148953.1070904@redhat.com>
References: <5710DB60.7070508@redhat.com> <57148953.1070904@redhat.com>
Message-ID: <5714CE39.9030704@ubuntu.com>

18.04.2016, 10:14, David Kupka wrote:
> On 15/04/16 15:16, Harald Dunkel wrote:
>> Hi David,
>>
>>> Hello Harri,
>>>
>>> the FreeIPA certificate database is stored in /etc/ipa/nssdb, by
>>> default the permissions are set to:
>>>
>>> $ ls -dl /etc/ipa/nssdb/
>>> drwxr-xr-x. 2 root root 73 Apr 15 14:00 /etc/ipa/nssdb/
>>>
>>> $ ls -l /etc/ipa/nssdb/
>>> total 80
>>> -rw-r--r--. 1 root root 65536 Apr 15 14:00 cert8.db
>>> -rw-r--r--. 1 root root 16384 Apr 15 14:00 key3.db
>>> -rw-------. 1 root root    40 Apr 15 14:00 pwdfile.txt
>>> -rw-r--r--. 1 root root 16384 Apr 15 14:00 secmod.db
>>>
>>> Please check the permission on your system. If it's different and you
>>> (or system admin) haven't changed it please file a ticket
>>> (https://fedorahosted.org/freeipa/newticket).
>>>
>>
>> Sorry, I should have mentioned that the client runs Debian
>> with freeipa 4.0.5.
>>
>> # ls -al /etc/ipa/
>> total 24
>> drwxr-xr-x   2 root root  4096 Dec 29 08:32 .
>> drwxr-xr-x 190 root root 12288 Apr 15 12:44 ..
>> -rw-r--r--   1 root root  1792 Dec 29 08:32 ca.crt
>> -rw-r--r--   1 root root   194 Dec 29 08:32 default.conf
>>
>>
>> No nssdb. AFAICS only the ipa servers in my lan have a
>> directory /etc/ipa/nssdb (CentOS 7).
>>
>> On the clients I can see a cert8.db in /etc/pki/nssdb.
>> Looking at the time stamp it seems to be related to freeipa.
>>
>> # ls -al /etc/pki/nssdb/
>> total 76
>> drwxr-xr-x 2 root root  4096 Dec 29 08:32 .
>> drwxr-xr-x 3 root root  4096 Dec 28 16:09 ..
>> -rw------- 1 root root 65536 Dec 29 08:32 cert8.db
>> -rw------- 1 root root 16384 Dec 29 08:32 key3.db
>> -rw------- 1 root root 16384 Dec 29 08:32 secmod.db
>>
>> No pwdfile.txt. I would guess the key database has been created
>> with --empty-password.
>>
>> Does this look familiar, or is this misconfigured and weird?
>>
>>
>> Sorry for asking stupid questions, but the setup in my lan is
>> all I have. I have never had a chance to see another freeipa
>> installation. Hope you don't mind?
>>
>>
>> Regards
>> Harri
>>
>
> Hello Harri,
> actually the version and OS information makes a difference :-)
>
> Older versions of the FreeIPA client were using the NSSDB in /etc/pki/nssdb, I
> don't recall at what version we switched to /etc/ipa/nssdb but it was
> some time ago.
>
> I have reproduced the issue on Debian and after changing the access
> rights (# chmod ga+r /etc/pki/nssdb/*) it works for me. The ipa command
> needs to access the IPA CA certificate stored there to verify the identity
> of the FreeIPA server.
>
> I haven't seen this issue on Fedora so I'm adding Timo who is porting
> FreeIPA on Debian. Timo, have you met this issue?

The old package used to create /etc/pki/nssdb on postinst, but with 644 permissions so I'm not sure why they have 600 here. 4.1.4 in experimental migrated to /etc/ipa/nssdb, and I'm about to upload 4.3.1 to unstable this week, which should fix this for good.

-- 
t

From abrook at bsd.uchicago.edu Mon Apr 18 13:47:04 2016
From: abrook at bsd.uchicago.edu (Brook, Andy [CRI])
Date: Mon, 18 Apr 2016 13:47:04 +0000
Subject: [Freeipa-users] Username attribute in trusted domain
In-Reply-To: <20160418100341.GJ3050@hendrix.redhat.com>
References: <16461940-31FA-402A-B759-A69F290AF68D@bsd.uchicago.edu> <20160418100341.GJ3050@hendrix.redhat.com>
Message-ID: <0432C6AD-92A9-482F-8410-A9D67950DF7B@bsd.uchicago.edu>

On 4/18/16, 5:03 AM, "freeipa-users-bounces at redhat.com on behalf of Jakub Hrozek" wrote:

>On Fri, Apr 15, 2016 at 08:01:06PM +0000, Brook, Andy [CRI] wrote:
>> We're trying to set up FreeIPA to be a good provider of UIDs and GIDs for our mostly RHEL systems. Overall, that works great. The issue I'm running into is that we need to have the same consistent UIDs and GIDs for our Isilon system which serves up both CIFS and NFS. Each user of the Isilon needs to have a UID so that the files are owned properly. The Isilon has a way of getting information from both Active Directory and an associated LDAP server. It gets its list of users and groups from AD, a list of users, UIDs, groups and GIDs from LDAP, and combines accounts that are the same, i.e. ADTEST.LOCAL\abrook and abrook from LDAP will be the same user. However, FreeIPA will show abrook (as it sees through the Trust relationship with ADTEST.LOCAL) as abrook@adtest.local instead of abrook, so the Isilon will see them as distinct accounts and won't merge the information in them. I can't, as far as I can tell right now, tell the Isilon to see users with @adtest.local as the same user without the domain. I can tell the Isilon to look at a different LDAP attribute as its username, but there is no attribute that has only the username.
>>
>> I noticed in the documentation that if I were to do a sync with Active Directory (which isn't something I want to do), I would get the ntDomainUserID attribute that is the same as the samAccountName. This doesn't happen with a trust. Is there a way to get that in place with a custom attribute or pull more LDAP attributes from AD?
>>
>> Has anyone else run into a situation like this? If so, were you able to rectify that? If so, how?
>>
>> We have a ticket open with EMC for the Isilon as well, but want to make sure we're coming at this from all the angles we can.
>
>I'm sorry, but currently overriding the attribute names for AD trusted
>domains is not possible. We are working to make it possible for the next
>version, but it's a bit of a stretch goal already, so chances are it won't
>be ready until the version after the next one.
>
>What might perhaps help you is that starting with upstream SSSD 1.14
>(upstream 7.3), it should be possible to configure SSSD to only print
>the shortname and not qualify the users in trusted domains.
>

Thank you. In your suggestion, are you talking about SSSD on the IPA Servers? My understanding of how SSSD on the IPA servers interacts with the servers that talk to them is pretty limited. If I upgrade SSSD on these servers, I might be able to get LDAP to not print the qualifying domain during ldapsearch?

I'm not really asking about overriding attribute names, but rather adding a new attribute that only has the shortname. Is there a way to do that maybe through a custom NIS mapping or something like that? Maybe a dynamic schema extension? I've tried reading through extending the schema, but am currently confused as to how to go about it.

Andy Brook
Sr. Systems Administrator | Center for Research Informatics | University of Chicago
T: 773-834-0458 | http://cri.uchicago.edu

From jhrozek at redhat.com Mon Apr 18 15:06:18 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 18 Apr 2016 17:06:18 +0200
Subject: [Freeipa-users] Username attribute in trusted domain
In-Reply-To: <0432C6AD-92A9-482F-8410-A9D67950DF7B@bsd.uchicago.edu>
References: <16461940-31FA-402A-B759-A69F290AF68D@bsd.uchicago.edu> <20160418100341.GJ3050@hendrix.redhat.com> <0432C6AD-92A9-482F-8410-A9D67950DF7B@bsd.uchicago.edu>
Message-ID: <20160418150618.GP3050@hendrix.redhat.com>

On Mon, Apr 18, 2016 at 01:47:04PM +0000, Brook, Andy [CRI] wrote:
> 
> On 4/18/16, 5:03 AM, "freeipa-users-bounces at redhat.com on behalf of Jakub Hrozek" wrote:
> 
> >On Fri, Apr 15, 2016 at 08:01:06PM +0000, Brook, Andy [CRI] wrote:
> >> We're trying to set up FreeIPA to be a good provider of UIDs and GIDs for our mostly RHEL systems. Overall, that works great. The issue I'm running into is that we need to have the same consistent UIDs and GIDs for our Isilon system which serves up both CIFS and NFS. Each user of the Isilon needs to have a UID so that the files are owned properly. The Isilon has a way of getting information from both Active Directory and an associated LDAP server. It gets its list of users and groups from AD, a list of users, UIDs, groups and GIDs from LDAP, and combines accounts that are the same, i.e. ADTEST.LOCAL\abrook and abrook from LDAP will be the same user. However, FreeIPA will show abrook (as it sees through the Trust relationship with ADTEST.LOCAL) as abrook@adtest.local instead of abrook, so the Isilon will see them as distinct accounts and won't merge the information in them. I can't, as far as I can tell right now, tell the Isilon to see users with @adtest.local as the same user without the domain. I can tell the Isilon to look at a different LDAP attribute as its username, but there is no attribute that has only the username.
> >>
> >> I noticed in the documentation that if I were to do a sync with Active Directory (which isn't something I want to do), I would get the ntDomainUserID attribute that is the same as the samAccountName. This doesn't happen with a trust. Is there a way to get that in place with a custom attribute or pull more LDAP attributes from AD?
> >>
> >> Has anyone else run into a situation like this? If so, were you able to rectify that? If so, how?
> >>
> >> We have a ticket open with EMC for the Isilon as well, but want to make sure we're coming at this from all the angles we can.
> >
> >I'm sorry, but currently overriding the attribute names for AD trusted
> >domains is not possible. We are working to make it possible for the next
> >version, but it's a bit of a stretch goal already, so chances are it won't
> >be ready until the version after the next one.
> >
> >What might perhaps help you is that starting with upstream SSSD 1.14
> >(upstream 7.3), it should be possible to configure SSSD to only print
> >the shortname and not qualify the users in trusted domains.
> >
> 
> Thank you. In your suggestion, are you talking about SSSD on the IPA
> Servers? My understanding of how SSSD on the IPA servers interacts with
> the servers that talk to them is pretty limited. If I upgrade SSSD on
> these servers, I might be able to get LDAP to not print the qualifying
> domain during ldapsearch?

Depends on how you want to query the information, whether with "getent passwd $user" or ldapsearch.
SSSD itself doesn't provide any data to ldapsearch, but provides NSS, PAM and D-Bus interfaces. And you'd have to upgrade SSSD on both clients and servers.

> 
> I'm not really asking about overriding attribute names, but rather
> adding a new attribute that only has the shortname. Is there a way to
> do that maybe through a custom NIS mapping or something like that? Maybe
> a dynamic schema extension? I've tried reading through extending the
> schema, but am currently confused as to how to go about it.

It sounds like the new attribute would be added on the AD side, but at the moment, SSSD's attribute map for the trusted domains is hardcoded. The only way would be to query the attribute through our D-Bus API.

From gnotrica at candeal.com Mon Apr 18 15:08:28 2016
From: gnotrica at candeal.com (Gady Notrica)
Date: Mon, 18 Apr 2016 15:08:28 +0000
Subject: [Freeipa-users] NEEDED_PREAUTH: Additional pre-authentication required - User can't access any centos server
Message-ID: <0984AB34E553F54B8705D776686863E70ABF2B5F@cd-exchange01.CD-PRD.candeal.ca>

Hi guys,

From the ipa server, I am having an issue with a single user. Everyone else is fine, just this one single user and no help anywhere online.

Please help!

Thank you

Apr 15 15:43:36 ipa.domain.com krb5kdc[2568](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.20.10.40: NEEDED_PREAUTH: bcosmos@IPA.DOMAIN.COM for krbtgt/IPA.DOMAIN.COM@IPA.DOMAIN.COM, Additional pre-authentication required
Apr 15 15:43:36 ipa.domain.com krb5kdc[2568](info): closing down fd 12
Apr 15 15:43:41 ipa.domain.com krb5kdc[2565](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
Apr 15 15:43:41 ipa.domain.com krb5kdc[2565](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.20.10.40: PREAUTH_FAILED: bcosmos@IPA.DOMAIN.COM for krbtgt/IPA.DOMAIN.COM@IPA.DOMAIN.COM, Decrypt integrity check failed
Apr 15 15:43:41 ipa.domain.com krb5kdc[2565](info): closing down fd 12
Apr 15 15:43:49 ipa.domain.com krb5kdc[2568](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.20.10.40: NEEDED_PREAUTH: bcosmos@IPA.DOMAIN.COM for krbtgt/IPA.DOMAIN.COM@IPA.DOMAIN.COM, Additional pre-authentication required
Apr 15 15:43:49 ipa.domain.com krb5kdc[2568](info): closing down fd 12
Apr 15 15:43:55 ipa.domain.com krb5kdc[2565](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
Apr 15 15:43:55 ipa.domain.com krb5kdc[2565](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.20.10.40: PREAUTH_FAILED: bcosmos@IPA.DOMAIN.COM for krbtgt/IPA.DOMAIN.COM@IPA.DOMAIN.COM, Decrypt integrity check failed

Gady Notrica | IT Systems Analyst | 416.814.7800 Ext. 7921 | Cell. 416.818.4797 | gnotrica at candeal.com
CanDeal | 152 King St. E, 4th Floor, Toronto ON M5A 1J4 | www.candeal.com
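The krb5kdc lines in this thread show the two things a KDC log reader has to tell apart: NEEDED_PREAUTH, which is the normal first leg of every AS exchange, and PREAUTH_FAILED carrying "Decrypt integrity check failed", which the replies in this thread attribute to a wrong password. The following Python is an added example, not code from the thread or from FreeIPA: it parses a constructed log in the same format, counts outcomes per principal, and reports how many wrong-password failures came from which client addresses and over what time span. The sample log, the second principal alice, the client address 172.20.10.41, the authtime value in the ISSUE line and the failure threshold are all assumptions made for the example.

```python
"""Triage krb5kdc AS_REQ log lines per principal (added example, not from the thread)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the lines quoted in this thread. The real log
# writes principals as user@REALM; the list archive renders "@" as " at ".
# The alice lines (client 172.20.10.41, ISSUE with an invented authtime) are
# added to show what a successful exchange looks like next to the failing one.
SAMPLE_LOG = """\
Apr 15 15:43:36 ipa.domain.com krb5kdc[2568](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.20.10.40: NEEDED_PREAUTH: bcosmos@IPA.DOMAIN.COM for krbtgt/IPA.DOMAIN.COM@IPA.DOMAIN.COM, Additional pre-authentication required
Apr 15 15:43:36 ipa.domain.com krb5kdc[2568](info): closing down fd 12
Apr 15 15:43:41 ipa.domain.com krb5kdc[2565](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
Apr 15 15:43:41 ipa.domain.com krb5kdc[2565](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.20.10.40: PREAUTH_FAILED: bcosmos@IPA.DOMAIN.COM for krbtgt/IPA.DOMAIN.COM@IPA.DOMAIN.COM, Decrypt integrity check failed
Apr 15 15:43:41 ipa.domain.com krb5kdc[2565](info): closing down fd 12
Apr 15 15:43:49 ipa.domain.com krb5kdc[2568](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.20.10.40: NEEDED_PREAUTH: bcosmos@IPA.DOMAIN.COM for krbtgt/IPA.DOMAIN.COM@IPA.DOMAIN.COM, Additional pre-authentication required
Apr 15 15:43:49 ipa.domain.com krb5kdc[2568](info): closing down fd 12
Apr 15 15:43:55 ipa.domain.com krb5kdc[2565](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
Apr 15 15:43:55 ipa.domain.com krb5kdc[2565](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.20.10.40: PREAUTH_FAILED: bcosmos@IPA.DOMAIN.COM for krbtgt/IPA.DOMAIN.COM@IPA.DOMAIN.COM, Decrypt integrity check failed
Apr 15 15:44:02 ipa.domain.com krb5kdc[2568](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.20.10.41: NEEDED_PREAUTH: alice@IPA.DOMAIN.COM for krbtgt/IPA.DOMAIN.COM@IPA.DOMAIN.COM, Additional pre-authentication required
Apr 15 15:44:03 ipa.domain.com krb5kdc[2568](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.20.10.41: ISSUE: authtime 1460749443, etypes {rep=18 tkt=18 ses=18}, alice@IPA.DOMAIN.COM for krbtgt/IPA.DOMAIN.COM@IPA.DOMAIN.COM
"""

# Only AS_REQ lines carry principal and client; "preauth ... verify failure"
# and "closing down fd" lines are deliberately ignored.
AS_REQ_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(info\): "
    r"AS_REQ \(\d+ etypes \{[^}]*\}\) (?P<client>[\d.]+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "<princ> for <service>[, <message>]" sits at the end of the line for every
# status, including ISSUE where authtime/etypes precede it.
PRINC_RE = re.compile(r"(?P<princ>\S+) for (?P<service>\S+)(?:, (?P<msg>.*))?$")

WRONG_PASSWORD = "Decrypt integrity check failed"


def parse_as_req(line):
    """Return a dict for an AS_REQ line, or None for any other krb5kdc line."""
    m = AS_REQ_RE.match(line.rstrip("\n"))
    if not m:
        return None
    p = PRINC_RE.search(m.group("rest"))
    if not p:
        return None
    return {
        # syslog timestamps carry no year; only differences are used below
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "client": m.group("client"),
        "status": m.group("status"),
        "princ": p.group("princ"),
        "service": p.group("service"),
        "msg": p.group("msg") or "",
    }


def triage(log_text, threshold=2):
    """Summarise AS_REQ outcomes per principal; threshold is the number of
    wrong-password failures from which a principal is flagged as repeated."""
    per = defaultdict(lambda: {"needed_preauth": 0, "preauth_failed": 0,
                               "wrong_password": 0, "issued": 0,
                               "clients": set(), "fail_times": []})
    for line in log_text.splitlines():
        ev = parse_as_req(line)
        if ev is None:
            continue
        s = per[ev["princ"]]
        s["clients"].add(ev["client"])
        if ev["status"] == "NEEDED_PREAUTH":
            s["needed_preauth"] += 1          # normal first leg, not a failure
        elif ev["status"] == "PREAUTH_FAILED":
            s["preauth_failed"] += 1
            s["fail_times"].append(ev["ts"])
            if ev["msg"].startswith(WRONG_PASSWORD):
                s["wrong_password"] += 1
        elif ev["status"] == "ISSUE":
            s["issued"] += 1                  # ticket actually granted

    report = {}
    for princ, s in per.items():
        times = sorted(s["fail_times"])
        span = int((times[-1] - times[0]).total_seconds()) if len(times) > 1 else 0
        if s["preauth_failed"] == 0:
            verdict = "ok"
        elif s["wrong_password"] == s["preauth_failed"]:
            verdict = ("repeated wrong-password failures"
                       if s["preauth_failed"] >= threshold else "wrong password")
        else:
            verdict = "other preauth failure"
        report[princ] = {
            "needed_preauth": s["needed_preauth"],
            "preauth_failed": s["preauth_failed"],
            "wrong_password": s["wrong_password"],
            "issued": s["issued"],
            "clients": sorted(s["clients"]),
            "fail_span_seconds": span,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for princ, r in triage(SAMPLE_LOG).items():
        print(f"{princ}: {r['verdict']} (NEEDED_PREAUTH={r['needed_preauth']}, "
              f"PREAUTH_FAILED={r['preauth_failed']}, clients={','.join(r['clients'])}, "
              f"span={r['fail_span_seconds']}s)")
```

Run against the sample, bcosmos is reported with two wrong-password failures from one client within 14 seconds and alice as ok with one ticket issued. On a real server the same function can be fed the lines from /var/log/krb5kdc.log; a single principal failing repeatedly from one address matches the "bad password on that client" reading given in the replies, while many principals or many client addresses would point at something other than one user's typing.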
From huston at astro.princeton.edu Mon Apr 18 16:54:48 2016
From: huston at astro.princeton.edu (Steve Huston)
Date: Mon, 18 Apr 2016 12:54:48 -0400
Subject: [Freeipa-users] Account/password expirations
Message-ID: 

Following instructions in https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-pwd-expiry.html sort-of works to get this done, but I wonder if there's a better way to do it.

My goal is twofold: when users are created, they will be required to have a krbPrincipalExpiration, and they should be denied login if that date has passed; and users should be prompted to change their password if krbPasswordExpiration has passed. It would be beneficial to have warnings printed for at least password expiration, but ideally account expiration as well. These should be checked and output if the user is using public key authentication as well as passwords and GSSAPI.

If I set 'access_provider = ldap' in sssd.conf, it seems to work (also setting ldap_access_order to pwd_expire_policy_renew, and a filter which I've yet to determine, otherwise all logins are rejected anyway). My understanding from https://fedorahosted.org/sssd/ticket/1227 is that HBAC will then fail to work. Will other things, such as disabling the account, also fail? What about password lockouts? Is there a better way to do this, for example one that keeps access_provider set to ipa and consults IPA directly?

Of course it doesn't help that I need to deal with this across multiple OSs (CentOS 5 using LDAP explicitly, 6 and 7 using sssd)

-- 
 Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |    ICBM Address: 40.346344   -74.652242
    345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
    (267) 793-0852      | headlong into mystery."  -Rush, 'Cygnus X-1'

From rcritten at redhat.com Mon Apr 18 18:24:33 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 18 Apr 2016 14:24:33 -0400
Subject: [Freeipa-users] NEEDED_PREAUTH: Additional pre-authentication required - User can't access any centos server
In-Reply-To: <0984AB34E553F54B8705D776686863E70ABF2B5F@cd-exchange01.CD-PRD.candeal.ca>
References: <0984AB34E553F54B8705D776686863E70ABF2B5F@cd-exchange01.CD-PRD.candeal.ca>
Message-ID: <57152661.7090900@redhat.com>

Gady Notrica wrote:
> Hi guys,
>
> From the ipa server, I am having an issue with a single user. Everyone
> else is fine, just this one single user and no help anywhere online.
>
> Please help!

Decrypt integrity check failed almost always means bad password.
rob

>
> Thank you
>
> Apr 15 15:43:36 ipa.domain.com krb5kdc[2568](info): AS_REQ (6 etypes {18
> 17 16 23 25 26}) 172.20.10.40: *NEEDED_PREAUTH*: bcosmos@IPA.DOMAIN.COM
> for krbtgt/IPA.DOMAIN.COM@IPA.DOMAIN.COM, *Additional pre-authentication
> required*
>
> Apr 15 15:43:36 ipa.domain.com krb5kdc[2568](info): closing down fd 12
>
> Apr 15 15:43:41 ipa.domain.com krb5kdc[2565](info): preauth
> (encrypted_timestamp) verify failure: *Decrypt integrity check failed*
>
> Apr 15 15:43:41 ipa.domain.com krb5kdc[2565](info): AS_REQ (6 etypes {18
> 17 16 23 25 26}) 172.20.10.40: *PREAUTH_FAILED*: bcosmos@IPA.DOMAIN.COM
> for krbtgt/IPA.DOMAIN.COM@IPA.DOMAIN.COM, Decrypt integrity check failed
>
> Apr 15 15:43:41 ipa.domain.com krb5kdc[2565](info): closing down fd 12
>
> Apr 15 15:43:49 ipa.domain.com krb5kdc[2568](info): AS_REQ (6 etypes {18
> 17 16 23 25 26}) 172.20.10.40: *NEEDED_PREAUTH*: bcosmos@IPA.DOMAIN.COM
> for krbtgt/IPA.DOMAIN.COM@IPA.DOMAIN.COM, *Additional pre-authentication
> required*
>
> Apr 15 15:43:49 ipa.domain.com krb5kdc[2568](info): closing down fd 12
>
> Apr 15 15:43:55 ipa.domain.com krb5kdc[2565](info): preauth
> (encrypted_timestamp) verify failure: *Decrypt integrity check failed*
>
> Apr 15 15:43:55 ipa.domain.com krb5kdc[2565](info): AS_REQ (6 etypes {18
> 17 16 23 25 26}) 172.20.10.40: *PREAUTH_FAILED*: bcosmos@IPA.DOMAIN.COM
> for krbtgt/IPA.DOMAIN.COM@IPA.DOMAIN.COM, Decrypt integrity check failed
>
> Gady Notrica | IT Systems Analyst | 416.814.7800 Ext. 7921 | Cell.
> 416.818.4797 | gnotrica at candeal.com
>
> CanDeal | 152 King St. E, 4th Floor, Toronto ON M5A 1J4 |
> www.candeal.com
>
>
>

From gnotrica at candeal.com Mon Apr 18 18:26:50 2016
From: gnotrica at candeal.com (Gady Notrica)
Date: Mon, 18 Apr 2016 18:26:50 +0000
Subject: [Freeipa-users] NEEDED_PREAUTH: Additional pre-authentication required - User can't access any centos server
In-Reply-To: <57152661.7090900@redhat.com>
References: <0984AB34E553F54B8705D776686863E70ABF2B5F@cd-exchange01.CD-PRD.candeal.ca> <57152661.7090900@redhat.com>
Message-ID: <0984AB34E553F54B8705D776686863E70ABF4138@cd-exchange01.CD-PRD.candeal.ca>

Hi Rob,

Thanks for the reply. I did reset the user password multiple times to a simple password, still having the same issue.

Gady

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: April 18, 2016 2:25 PM
To: Gady Notrica; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] NEEDED_PREAUTH: Additional pre-authentication required - User can't access any centos server

Gady Notrica wrote:
> Hi guys,
>
> From the ipa server, I am having an issue with a single user. Everyone
> else is fine, just this one single user and no help anywhere online.
>
> Please help!

Decrypt integrity check failed almost always means bad password.
rob > > Thank you > > Apr 15 15:43:36 ipa.domain.com krb5kdc[2568](info): AS_REQ (6 etypes > {18 > 17 16 23 25 26}) 172.20.10.40: *NEEDED_PREAUTH*: > bcosmos at IPA.DOMAIN.COM for krbtgt/IPA.DOMAIN.COM at IPA.DOMAIN.COM, > *Additional pre-authentication > required* > > Apr 15 15:43:36 ipa.domain.com krb5kdc[2568](info): closing down fd 12 > > Apr 15 15:43:41 ipa.domain.com krb5kdc[2565](info): preauth > (encrypted_timestamp) verify failure: *Decrypt integrity check failed* > > Apr 15 15:43:41 ipa.domain.com krb5kdc[2565](info): AS_REQ (6 etypes > {18 > 17 16 23 25 26}) 172.20.10.40: *PREAUTH_FAILED*: > bcosmos at IPA.DOMAIN.COM for krbtgt/IPA.DOMAIN.COM at IPA.DOMAIN.COM, > Decrypt integrity check failed > > Apr 15 15:43:41 ipa.domain.com krb5kdc[2565](info): closing down fd 12 > > Apr 15 15:43:49 ipa.domain.com krb5kdc[2568](info): AS_REQ (6 etypes > {18 > 17 16 23 25 26}) 172.20.10.40: *NEEDED_PREAUTH*: > bcosmos at IPA.DOMAIN.COM for krbtgt/IPA.DOMAIN.COM at IPA.DOMAIN.COM, > *Additional pre-authentication > required* > > Apr 15 15:43:49 ipa.domain.com krb5kdc[2568](info): closing down fd 12 > > Apr 15 15:43:55 ipa.domain.com krb5kdc[2565](info): preauth > (encrypted_timestamp) verify failure: *Decrypt integrity check failed* > > Apr 15 15:43:55 ipa.domain.com krb5kdc[2565](info): AS_REQ (6 etypes > {18 > 17 16 23 25 26}) 172.20.10.40: *PREAUTH_FAILED*: > bcosmos at IPA.DOMAIN.COM for krbtgt/IPA.DOMAIN.COM at IPA.DOMAIN.COM, > Decrypt integrity check failed > > > > From sbose at redhat.com Mon Apr 18 18:31:55 2016 From: sbose at redhat.com (Sumit Bose) Date: Mon, 18 Apr 2016 20:31:55 +0200 Subject: [Freeipa-users] NEEDED_PREAUTH: Additional pre-authentication required - User can't access any centos server In-Reply-To: <0984AB34E553F54B8705D776686863E70ABF2B5F@cd-exchange01.CD-PRD.candeal.ca> References: <0984AB34E553F54B8705D776686863E70ABF2B5F@cd-exchange01.CD-PRD.candeal.ca> Message-ID: <20160418183155.GD14060@p.redhat.com> On Mon, Apr 18, 2016 at 03:08:28PM 
+0000, Gady Notrica wrote: > Hi guys, > > >From the ipa server, I am having issue with the single user. Everyone else is fine, just this one single user and no help anywhere online. > > Please help! > > Thank you > > Apr 15 15:43:36 ipa.domain.com krb5kdc[2568](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.20.10.40: NEEDED_PREAUTH: bcosmos at IPA.DOMAIN.COM for krbtgt/IPA.DOMAIN.COM at IPA.DOMAIN.COM, Additional pre-authentication required NEEDED_PREAUTH is expected > Apr 15 15:43:36 ipa.domain.com krb5kdc[2568](info): closing down fd 12 > Apr 15 15:43:41 ipa.domain.com krb5kdc[2565](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed This indicates a wrong password. HTH bye, Sumit > Apr 15 15:43:41 ipa.domain.com krb5kdc[2565](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.20.10.40: PREAUTH_FAILED: bcosmos at IPA.DOMAIN.COM for krbtgt/IPA.DOMAIN.COM at IPA.DOMAIN.COM, Decrypt integrity check failed > Apr 15 15:43:41 ipa.domain.com krb5kdc[2565](info): closing down fd 12 > Apr 15 15:43:49 ipa.domain.com krb5kdc[2568](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.20.10.40: NEEDED_PREAUTH: bcosmos at IPA.DOMAIN.COM for krbtgt/IPA.DOMAIN.COM at IPA.DOMAIN.COM, Additional pre-authentication required > Apr 15 15:43:49 ipa.domain.com krb5kdc[2568](info): closing down fd 12 > Apr 15 15:43:55 ipa.domain.com krb5kdc[2565](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed > Apr 15 15:43:55 ipa.domain.com krb5kdc[2565](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.20.10.40: PREAUTH_FAILED: bcosmos at IPA.DOMAIN.COM for krbtgt/IPA.DOMAIN.COM at IPA.DOMAIN.COM, Decrypt integrity check failed > > Gady Notrica | IT Systems Analyst | 416.814.7800 Ext. 7921 | Cell. 416.818.4797 | gnotrica at candeal.com > CanDeal | 152 King St. 
> E, 4th Floor, Toronto ON M5A 1J4 | www.candeal.com | Follow us:
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From jcholast at redhat.com Tue Apr 19 05:34:34 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 19 Apr 2016 07:34:34 +0200
Subject: [Freeipa-users] Adding FreeIPA to an existing infrastructure
In-Reply-To: <5714B4F9.1060509@redhat.com>
References: <1460368928.12466.0@smtp.office365.com> <117018ED-D3BF-4111-ABA6-7108142525BB@uni.lu> <570BA04F.7060709@redhat.com> <1460456093.12466.1@smtp.office365.com> <5714B4F9.1060509@redhat.com>
Message-ID: <5715C36A.6020803@redhat.com>

On 18.4.2016 12:20, Martin Kosek wrote:
> On 04/12/2016 12:14 PM, Remco Kranenburg wrote:
>> Thanks for all the pointers. I'm tentatively moving forward with a CA-less and
>> DNS-less IPA server, with Letsencrypt certificates. I think this is also the
>> setup that is used by the demo at . Is there some documentation about this setup?
>
> I installed this FreeIPA Demo server with Dogtag CA and then used something
> like this to setup the root cert:
>
> ~~~~~~~~~~~~~~~~~~~~~~~~
> # do this once before taking snapshot of the VM
> dnf install letsencrypt -y
>
> ipa-cacert-manage install le-root-ca.pem -n le-root-ca -t ,,
> ipa-certupdate -v
>
> ipa-cacert-manage install le-authority-x1.pem -n le-authority-x1 -t C,,
> ipa-certupdate -v
> ~~~~~~~~~~~~~~~~~~~~~~~~
>
> and then generated LE certificate:
>
> ~~~~~~~~~~~~~~~~~~~~~~~~
> # generate CSR
> certutil -R -d /etc/httpd/alias/ -k Server-Cert -f /etc/httpd/alias/pwdfile.txt \
>     -s "CN=$(hostname)" --extSAN "dns:$(hostname)" -a -o /root/httpd-csr.pem
> openssl req -in /root/httpd-csr.pem -outform der -out /root/httpd-csr.der
>
> # httpd process prevents letsencrypt from working, stop it
> service httpd stop
>
> # get a new cert
> letsencrypt certonly --csr /root/httpd-csr.der --email ... at redhat.com --agree-tos
>
> # remove old cert
> certutil -D -d /etc/httpd/alias/ -n Server-Cert
> # add the new cert
> certutil -A -d /etc/httpd/alias/ -n Server-Cert -t ,, -a -i /root/0000_cert.pem
>
> # start httpd with the new cert
> service httpd start
> ~~~~~~~~~~~~~~~~~~~~~~~~
>
> but you probably do not want this as you are not installing CA piece.
>
>> I'm trying to install a Letsencrypt
>> certificate into FreeIPA, but when I run the installation:
>>
>> ipa-server-install --http-cert-file cert.pem --http-cert-file privkey.pem
>> --dirsrv-cert-file cert.pem --dirsrv-cert-file privkey.pem
>>
>> It asks for my "Apache Server private key unlock password", even though the key
>> from Letsencrypt is not encrypted with a passphrase.
Try using empty passphrase: --http-pin= --dirsrv-pin=

>> When I give a bogus
>> password, it gives me another error:
>>
>> ipa.ipapython.install.cli.install_tool(Server): ERROR The full certificate
>> chain is not present in cert.pem, privkey.pem
>>
>> Letsencrypt provides me with a few files: cert.pem, chain.pem, fullchain.pem,
>> privkey.pem. Even when I also add chain.pem and fullchain.pem, it gives me the
>> same error.

The error is legit, you have to specify the full CA certificate chain using --ca-cert-file.

>
> CCing JanC, he is the man to help with this one.
>
> Martin
>

--
Jan Cholasta

From jcholast at redhat.com Tue Apr 19 05:41:56 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 19 Apr 2016 07:41:56 +0200
Subject: [Freeipa-users] change CA subject or "friendly name"?
In-Reply-To: <20160411230832.GC18277@dhcp-40-8.bne.redhat.com>
References: <20160411230832.GC18277@dhcp-40-8.bne.redhat.com>
Message-ID: <5715C524.8060902@redhat.com>

Hi,

On 12.4.2016 01:08, Fraser Tweedale wrote:
> On Mon, Apr 11, 2016 at 11:43:17AM -0400, Anthony Clark wrote:
>> Hello All,
>>
>> I'm in the process of deploying FreeIPA 4 in a development environment.
>> One of my testers has imported the ca.pem file into Windows, and indicates
>> that it displays as:
>>
>> Issued to: Certificate Authority
>> Issued by: Certificate Authority
>> Friendly Name:
>>
>> This will unfortunately cause confusion among certain end users, so I was
>> wondering if there's a way to change those attributes?
>>
>> Ideally without reinstalling everything, but thankfully we're still early
>> in the process so it's OK if I do blow everything away.
>>
>> Do I need to generate a new CA outside of FreeIPA and then use
>> ipa-cacert-manage to "renew" the base CA?
>>
>> Thanks,
>>
>> Anthony Clark
>
> Hi Anthony,
>
> After a brief investigation it appears that ``Friendly Name'' is a
> property that can be set in a Windows certificate store, and is not
> part of, or derived from, the certificate itself.
>
> Here are a couple of TechNet articles that might help:
>
> - https://technet.microsoft.com/en-us/library/cc740218%28v=ws.10%29.aspx
> - https://blogs.technet.microsoft.com/pki/2008/12/12/defining-the-friendly-name-certificate-property/

As for "Issued to" and "Issued by", I guess these are derived from the subject and issuer name fields of the certificate, which currently can't be changed for our CA certificate. We have had a ticket to fix this for quite some time: .

--
Jan Cholasta

From mitchell at hpe.com Tue Apr 19 13:35:48 2016
From: mitchell at hpe.com (Mitchell, Stuart)
Date: Tue, 19 Apr 2016 13:35:48 +0000
Subject: [Freeipa-users] Web Interface issues on Free-IPA 3.0.0-47/ LDAP Sync issues
Message-ID: <7507D573C21D3A46AA06EA4DE78DA80D07113A@G4W3295.americas.hpqcorp.net>

Hello,

We are having issues with the web interface on our free-ipa servers. When we try and login to the GUI it reports that the session has timed out. We have checked the date and time is synced with NTP. We have restarted the IPA services and the same issues occur. We have 4 Free-IPA servers all configured as masters, all 4 show the same web gui login issues. 3 of the servers replicate the database from the primary Free-IPA server which connects to the AD domain using winsync. We cannot upgrade to a newer version of Free-IPA and looking at previous mailing list entries version 4 has the same issues crop up. I have followed the steps that were suggested for version 4 and nothing is resolving the login issues to the WebGUI. We can administer the users and hosts from the command line without issues.

We also are seeing issues on one of the IPA servers that will not sync with the primary master server. When we try to force a sync we get an error "Update Failed! Status : [ -1 . LDAP server is not contactable", when we expect to see "Update Successful". This appears after multiple "Update in progress" messages are shown (the command we are using is "ipa-replica-manage re-initialize -from <master>").
When we have the services running on the failing server it stops users being able to login into clients that authenticate from that failing Free-IPA server. Once we stop the IPA services on the failing server the issues clear up. If we use the "ipa user-status " command we can see failed login attempts on the server we cannot re-initialize.

These servers have been running for at least 6 months without any issues, so network ports between them are all open.

Regards

Stuart

From pvoborni at redhat.com Tue Apr 19 14:25:34 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 19 Apr 2016 16:25:34 +0200
Subject: [Freeipa-users] Web Interface issues on Free-IPA 3.0.0-47/ LDAP Sync issues
In-Reply-To: <7507D573C21D3A46AA06EA4DE78DA80D07113A@G4W3295.americas.hpqcorp.net>
References: <7507D573C21D3A46AA06EA4DE78DA80D07113A@G4W3295.americas.hpqcorp.net>
Message-ID: <57163FDE.1060907@redhat.com>

On 04/19/2016 03:35 PM, Mitchell, Stuart wrote:
> Hello,
>
> We are having issues with the web interface on our free-ipa servers. When we try and login to the GUI it reports that the session has timed out. We have checked the date and time is synced with NTP. We have restarted the IPA services and the same issues occur. We have 4 Free-IPA servers all configured as masters, all 4 show the same web gui login issues. 3 of the servers replicate the database from the primary Free-IPA server which connects to the AD domain using winsync. We cannot upgrade to a newer version of Free-IPA and looking at previous mailing list entries version 4 has the same issues crop up. I have followed the steps that were suggested for version 4 and nothing is resolving the login issues to the WebGUI. We can administer the users and hosts from the command line without issues.
>
> We also are seeing issues on one of the IPA servers that will not sync with the primary master server. When we try to force a sync we get an error "Update Failed! Status : [ -1 .
> LDAP server is not contactable", when we expect to see "Update Successful".
> This appears after multiple "Update in progress" messages are shown (the command we are using is "ipa-replica-manage re-initialize -from <master>"). When we have the services running on the failing server it stops users being able to login into clients that authenticate from that failing Free-IPA server. Once we stop the IPA services on the failing server the issues clear up.
> If we use the "ipa user-status " command we can see failed login attempts on the server we cannot re-initialize.
>
> These servers have been running for at least 6 months without any issues, so network ports between them are all open.
>
>
> Regards
>
> Stuart
>

"session has timed out." usually means that there is an issue with authentication. In recent (fedora, upstream) IPA versions the message was improved so that it distinguishes reasons better.

I would try to login to ipa with a new "private"/"incognito" window of a browser to try to login without any existing cookies.

If the login attempt succeeds then it might indicate a bug which was fixed upstream recently.

If it doesn't help, then enable debug level on a server https://www.freeipa.org/page/Troubleshooting#Administration_Framework and examine/send a sanitized snippet of /var/log/httpd/error_log which is relevant to the authentication attempt.
--
Petr Vobornik

From mitchell at hpe.com Tue Apr 19 14:56:21 2016
From: mitchell at hpe.com (Mitchell, Stuart)
Date: Tue, 19 Apr 2016 14:56:21 +0000
Subject: [Freeipa-users] Web Interface issues on Free-IPA 3.0.0-47/ LDAP Sync issues
In-Reply-To: <57163FDE.1060907@redhat.com>
References: <7507D573C21D3A46AA06EA4DE78DA80D07113A@G4W3295.americas.hpqcorp.net> <57163FDE.1060907@redhat.com>
Message-ID: <7507D573C21D3A46AA06EA4DE78DA80D071183@G4W3295.americas.hpqcorp.net>

> -----Original Message-----
> From: Petr Vobornik [mailto:pvoborni at redhat.com]
> Sent: 19 April 2016 15:26
> To: Mitchell, Stuart ; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Web Interface issues on Free-IPA 3.0.0-47/ LDAP Sync issues
>
> On 04/19/2016 03:35 PM, Mitchell, Stuart wrote:
> > Hello,
> >
> > We are having issues with the web interface on our free-ipa servers. When we try and login to the GUI it reports that the session has timed out. We have checked the date and time is synced with NTP. We have restarted the IPA services and the same issues occur. We have 4 Free-IPA servers all configured as masters, all 4 show the same web gui login issues. 3 of the servers replicate the database from the primary Free-IPA server which connects to the AD domain using winsync. We cannot upgrade to a newer version of Free-IPA and looking at previous mailing list entries version 4 has the same issues crop up. I have followed the steps that were suggested for version 4 and nothing is resolving the login issues to the WebGUI. We can administer the users and hosts from the command line without issues.
> >
> > We also are seeing issues on one of the IPA servers that will not sync with the primary master server. When we try to force a sync we get an error "Update Failed! Status : [ -1 . LDAP server is not contactable", when we expect to see "Update Successful".
> > This appears after multiple "Update in progress" messages are shown (the command we are using is "ipa-replica-manage re-initialize -from <master>"). When we have the services running on the failing server it stops users being able to login into clients that authenticate from that failing Free-IPA server. Once we stop the IPA services on the failing server the issues clear up.
> > If we use the "ipa user-status " command we can see failed login attempts on the server we cannot re-initialize.
> >
> > These servers have been running for at least 6 months without any issues, so network ports between them are all open.
> >
> >
> > Regards
> >
> > Stuart
> >
>
> "session has timed out." usually means that there is an issue with authentication. In recent (fedora, upstream) IPA versions the message was improved so that it distinguishes reasons better.
>
> I would try to login to ipa with a new "private"/"incognito" window of a browser to try to login without any existing cookies.
>
> If the login attempt succeeds then it might indicate a bug which was fixed upstream recently.
>
> If it doesn't help, then enable debug level on a server
> https://www.freeipa.org/page/Troubleshooting#Administration_Framework
> and examine/send a sanitized snippet of /var/log/httpd/error_log which is relevant to the authentication attempt.
> --
> Petr Vobornik

Thanks Petr,

Going incognito has resolved the session errors with logging into the webgui.
Regards

Stuart

From jhrozek at redhat.com Tue Apr 19 15:57:04 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 19 Apr 2016 17:57:04 +0200
Subject: [Freeipa-users] Account/password expirations
In-Reply-To:
References:
Message-ID: <20160419155704.GC14903@hendrix>

On Mon, Apr 18, 2016 at 12:54:48PM -0400, Steve Huston wrote:
> Following instructions in
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-pwd-expiry.html
> sort-of works to get this done, but I wonder if there's a better way to do it. My goal is twofold: when users are created, they will be required to have a krbPrincipalExpiration, and they should be denied login if that date has passed; and users should be prompted to change their password if krbPasswordExpiration has passed. It would be beneficial to have warnings printed for at least password expiration, but ideally account expiration, as well. These should be checked and output if the user is using public key authentication as well as passwords and GSSAPI.
>
> If I set 'access_provider = ldap' in sssd.conf, it seems to work (also setting ldap_access_order to pwd_expire_policy_renew, and a filter which I've yet to determine, otherwise all logins are rejected anyway). My understanding from https://fedorahosted.org/sssd/ticket/1227 is that HBAC will then fail to work. Will other things, such as disabling the account, also fail? What about password lockouts?
>
> Is there a better way to do this, for example one that keeps access_provider set to ipa and consults IPA directly? Of course it doesn't help that I need to deal with this across multiple OSs (CentOS 5 using LDAP explicitly, 6 and 7 using sssd)

Did you test that this actually fails with id_provider=ipa? I would assume the IPA KDC would kick you out and prompt for a new password..
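The policy Steve describes in the thread above is a client-side check over two FreeIPA user attributes, krbPrincipalExpiration and krbPasswordExpiration, that should apply whether the login used a password, GSSAPI or an SSH public key (the KDC only sees the first two). The block below is an added example written for this page; it is not code from the thread, from SSSD or from FreeIPA, and it does not reproduce how SSSD's `ldap_access_order` evaluates these attributes. It parses the LDAP GeneralizedTime format FreeIPA stores for both attributes (for example `20160419120000Z`) and returns one of three decisions: deny when the account has expired, renew when only the password has expired, allow otherwise, with a warning when either date falls inside a configurable window. The user entries, the reference time `NOW` and the seven-day warning window are constructed assumptions; a real deployment would read the attributes over LDAP.

```python
# Added example (not from the mailing-list thread, SSSD or FreeIPA): a
# client-side expiry policy over krbPrincipalExpiration / krbPasswordExpiration.
# All entries below are constructed; nothing is fetched from an LDAP server.
from datetime import datetime, timedelta, timezone

# FreeIPA stores both attributes as LDAP GeneralizedTime in UTC, e.g. 20160419120000Z
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime string (UTC, trailing Z) into an aware datetime."""
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def check_user(entry, now, warn_days=7):
    """Evaluate one user entry (dict of attribute name -> string value) at time `now`.

    Returns (decision, messages):
      "deny"  - krbPrincipalExpiration has passed: refuse the login outright
      "renew" - krbPasswordExpiration has passed: permit only a password change
      "allow" - login permitted; messages carry any expiry warnings
    Account expiry is checked first so that an expired account is never
    offered a password change.
    """
    messages = []
    window = timedelta(days=warn_days)

    acct_exp = entry.get("krbPrincipalExpiration")
    if acct_exp:
        when = parse_generalized_time(acct_exp)
        if when <= now:
            return "deny", [f"account expired on {when:%Y-%m-%d %H:%M} UTC"]
        if when - now <= window:
            messages.append(f"account expires in {(when - now).days} day(s)")

    pwd_exp = entry.get("krbPasswordExpiration")
    if pwd_exp:
        when = parse_generalized_time(pwd_exp)
        if when <= now:
            messages.append("password expired; change required before login")
            return "renew", messages
        if when - now <= window:
            messages.append(f"password expires in {(when - now).days} day(s)")

    return "allow", messages


def check_all(entries, now, warn_days=7):
    """Apply check_user to a {uid: entry} map; returns {uid: (decision, messages)}."""
    return {uid: check_user(entry, now, warn_days) for uid, entry in entries.items()}


# Constructed sample data: hypothetical users; only the attribute names are FreeIPA's.
NOW = datetime(2016, 4, 19, 12, 0, tzinfo=timezone.utc)
SAMPLE_USERS = {
    "alice": {"krbPrincipalExpiration": "20170101000000Z",   # both dates far away
              "krbPasswordExpiration": "20160601000000Z"},
    "bob":   {"krbPrincipalExpiration": "20160401000000Z",   # account already expired
              "krbPasswordExpiration": "20160601000000Z"},
    "carol": {"krbPasswordExpiration": "20160410000000Z"},   # password expired, account open-ended
    "dave":  {"krbPasswordExpiration": "20160424120000Z"},   # password expires in 5 days
    "erin":  {},                                             # no expiry set: nothing to enforce
}

if __name__ == "__main__":
    for uid, (decision, msgs) in check_all(SAMPLE_USERS, NOW).items():
        print(f"{uid:6} {decision:5} {'; '.join(msgs)}")
```

The ordering matters: a user whose account has expired must not be dropped into a password-change prompt, which is why the account check returns before the password attribute is examined. Where no attribute is set (`erin`), the function allows the login rather than failing closed, matching the semantics of an absent expiry; a site that wants every user to carry krbPrincipalExpiration, as Steve does, should enforce that at user creation rather than in this check.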
From csaba at jighi.com Tue Apr 19 15:49:31 2016
From: csaba at jighi.com (Csaba Patyi)
Date: Tue, 19 Apr 2016 17:49:31 +0200
Subject: [Freeipa-users] How to modify / add FreeIPA user table columns on WebUI
Message-ID:

Hi Everybody,

We have started using FreeIPA (VERSION: 4.2.0, API_VERSION: 2.156). Is there any "easy" way to add extra fields to the Users view on the WebUI?

I only want to add extra fields which are already existing in the per user detailed view (and remove a few which are not really important to show us).

Also if it is not on the "feature request list": it would be nice to enable admins to configure different WebUI views for different users based on group membership. :)

Regards,

Csaba Patyi

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From marc.boorshtein at tremolosecurity.com Tue Apr 19 16:35:26 2016
From: marc.boorshtein at tremolosecurity.com (Marc Boorshtein)
Date: Tue, 19 Apr 2016 12:35:26 -0400
Subject: [Freeipa-users] SSH remote host disconnecting
Message-ID:

I have FreeIPA client and server both running on CentOS 7, latest patches. What's odd is that everything was working great until I added a new user and now none of my FreeIPA users can login via SSH. After authenticating they get "Connection closed by IP". This happens regardless of whether it's the ipa client or server. Login to the console with ipa users fails as well. Local root works fine though. I don't see anything in messages or sssd.log. Any thoughts as to where to look?
Thanks

Marc Boorshtein
CTO Tremolo Security
marc.boorshtein at tremolosecurity.com
Twitter - @mlbiam / @tremolosecurity

From rcritten at redhat.com Tue Apr 19 16:46:25 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 19 Apr 2016 12:46:25 -0400
Subject: [Freeipa-users] SSH remote host disconnecting
In-Reply-To:
References:
Message-ID: <571660E1.1000504@redhat.com>

Marc Boorshtein wrote:
> I have FreeIPA client and server both running on CentOS 7, latest patches. What's odd is that everything was working great until I added a new user and now none of my FreeIPA users can login via SSH. After authenticating they get "Connection closed by IP". This happens regardless of whether it's the ipa client or server. Login to the console with ipa users fails as well. Local root works fine though. I don't see anything in messages or sssd.log. Any thoughts as to where to look?

If you crank up the SSSD logging it may tell you what is going on.

I'd also take a look at HBAC. Was the allow_all rule recently disabled?

rob

From pvoborni at redhat.com Tue Apr 19 16:52:48 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 19 Apr 2016 18:52:48 +0200
Subject: [Freeipa-users] How to modify / add FreeIPA user table columns on WebUI
In-Reply-To:
References:
Message-ID: <57166260.2030207@redhat.com>

On 04/19/2016 05:49 PM, Csaba Patyi wrote:
> Hi Everybody,
>
> We have started using FreeIPA (VERSION: 4.2.0, API_VERSION: 2.156). Is there any
> "easy" way to add extra fields to the Users view on the WebUI?
>
> I only want to add extra fields which are already existing in the per user
> detailed view (and remove a few which are not really important to show us).

Hello,

check "Extending the Web UI" part of http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf

There is also an example: https://pvoborni.fedorapeople.org/plugins/usermod/usermod.js

>
> Also if it is not on the "feature request list".
> It would be nice to enable admins
> to configure different WebUI views for different users based on group membership. :)

It is not. Could you file an RFE ticket with your use cases? https://fedorahosted.org/freeipa/newticket

>
>
> Regards,
>
> Csaba Patyi

HTH
--
Petr Vobornik

From marc.boorshtein at tremolosecurity.com Tue Apr 19 17:32:38 2016
From: marc.boorshtein at tremolosecurity.com (Marc Boorshtein)
Date: Tue, 19 Apr 2016 13:32:38 -0400
Subject: [Freeipa-users] SSH remote host disconnecting
In-Reply-To: <571660E1.1000504@redhat.com>
References: <571660E1.1000504@redhat.com>
Message-ID:

> I'd also take a look at HBAC. Was the allow_all rule recently disabled?
>

winner winner chicken dinner! I must have deleted it while trying something.

Thanks
Marc

From rmj at ast.cam.ac.uk Wed Apr 20 12:51:45 2016
From: rmj at ast.cam.ac.uk (Roderick Johnstone)
Date: Wed, 20 Apr 2016 13:51:45 +0100
Subject: [Freeipa-users] Warning about session memcached servers from ipa-replica-manage
Message-ID: <57177B61.10409@ast.cam.ac.uk>

Hi

I'm getting the following warning on RHEL7 ipa servers (ipa-server-4.2.0-15.el7_2.6.1.x86_64).

$ ipa-replica-manage list
ipa: WARNING: session memcached servers not running
aaa.xxx.yyy: master
bbb.xxx.yyy: master

Can someone advise please on what the session memcached servers are for and how to get them running, assuming they are worth having.

Thanks.

Roderick Johnstone

From rcritten at redhat.com Wed Apr 20 13:03:15 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Apr 2016 09:03:15 -0400
Subject: [Freeipa-users] Warning about session memcached servers from ipa-replica-manage
In-Reply-To: <57177B61.10409@ast.cam.ac.uk>
References: <57177B61.10409@ast.cam.ac.uk>
Message-ID: <57177E13.3090104@redhat.com>

Roderick Johnstone wrote:
> Hi
>
> I'm getting the following warning on RHEL7 ipa servers
> (ipa-server-4.2.0-15.el7_2.6.1.x86_64).
>
> $ ipa-replica-manage list
> ipa: WARNING: session memcached servers not running
> aaa.xxx.yyy: master
> bbb.xxx.yyy: master
>
> Can someone advise please on what the session memcached servers are for
> and how to get them running, assuming they are worth having.

I think this can be ignored. In order to see if there are servers running the code needs to read /var/run/ipa_memcached and lacks read permissions. The warning is not particularly helpful.

rob

From t.ruiten at rdmedia.com Wed Apr 20 15:23:27 2016
From: t.ruiten at rdmedia.com (Tiemen Ruiten)
Date: Wed, 20 Apr 2016 17:23:27 +0200
Subject: [Freeipa-users] FreeIPA and PWM
Message-ID:

Hello,

I'm trying to set up a self-service page for a new IPA domain and I'm trying to use PWM for that.

When I try to bind to FreeIPA from within PWM, with the configured "LDAP Proxy User", I get the following error:

error connecting to ldap server 'ldaps://polonium.ipa.rdmedia.com:636': unable to create connection: unable to bind to ldaps://polonium.ipa.rdmedia.com:636 as cn=svcpwmproxy,cn=groups,cn=accounts,dc=ipa,dc=rdmedia,dc=com reason: [LDAP: error code 48 - Inappropriate Authentication]

In /var/log/krb5kdc.log I see:

Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.50.33: NEEDED_PREAUTH: host/protactinium.ipa.rdmedia.com at IPA.RDMEDIA.COM for krbtgt/IPA.RDMEDIA.COM at IPA.RDMEDIA.COM, Additional pre-authentication required
Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing down fd 12
Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.50.33: ISSUE: authtime 1461165149, etypes {rep=18 tkt=18 ses=18}, host/protactinium.ipa.rdmedia.com at IPA.RDMEDIA.COM for krbtgt/IPA.RDMEDIA.COM at IPA.RDMEDIA.COM
Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing down fd 12
Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): TGS_REQ (6 etypes {18 17 16 23 25 26})
192.168.50.33: ISSUE: authtime 1461165149, etypes {rep=18 tkt=18 ses=18}, host/protactinium.ipa.rdmedia.com at IPA.RDMEDIA.COM for ldap/polonium.ipa.rdmedia.com at IPA.RDMEDIA.COM
Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing down fd 12

What is going on? What can I do to debug this more?

--
Tiemen Ruiten
Systems Engineer
R&D Media

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From abokovoy at redhat.com Wed Apr 20 15:39:35 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 20 Apr 2016 18:39:35 +0300
Subject: [Freeipa-users] FreeIPA and PWM
In-Reply-To:
References:
Message-ID: <20160420153935.GP24892@redhat.com>

On Wed, 20 Apr 2016, Tiemen Ruiten wrote:
>Hello,
>
>I'm trying to set up a self-service page for a new IPA domain and I'm
>trying to use PWM for that.
>
>When I try to bind to FreeIPA from within PWM, with the configured "LDAP
>Proxy User", I get the following error:
>
>error connecting to ldap server 'ldaps://polonium.ipa.rdmedia.com:636':
>unable to create connection: unable to bind to ldaps://polonium.ipa.rdmedia.com:636 as
>cn=svcpwmproxy,cn=groups,cn=accounts,dc=ipa,dc=rdmedia,dc=com reason:
>[LDAP: error code 48 - Inappropriate Authentication]

You are trying to bind as a group, not as a user. A group has no password. You need to have a user object or just a sysaccount to bind to LDAP. See http://www.freeipa.org/page/HowTo/LDAP#System_Accounts for sysaccounts.
>
>In /var/log/krb5kdc.log I see:
>
>Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.50.33: NEEDED_PREAUTH: host/protactinium.ipa.rdmedia.com at IPA.RDMEDIA.COM for krbtgt/IPA.RDMEDIA.COM at IPA.RDMEDIA.COM, Additional pre-authentication required
>Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing down fd 12
>Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.50.33: ISSUE: authtime 1461165149, etypes {rep=18 tkt=18 ses=18}, host/protactinium.ipa.rdmedia.com at IPA.RDMEDIA.COM for krbtgt/IPA.RDMEDIA.COM at IPA.RDMEDIA.COM
>Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing down fd 12
>Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.50.33: ISSUE: authtime 1461165149, etypes {rep=18 tkt=18 ses=18}, host/protactinium.ipa.rdmedia.com at IPA.RDMEDIA.COM for ldap/polonium.ipa.rdmedia.com at IPA.RDMEDIA.COM
>Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing down fd 12

Kerberos is completely unrelated here.

>
>What is going on? What can I do to debug this more?
>
>
>--
>Tiemen Ruiten
>Systems Engineer
>R&D Media
>--
>Manage your subscription for the Freeipa-users mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
>Go to http://freeipa.org for more info on the project

--
/ Alexander Bokovoy

From Daryl.Fonseca-Holt at umanitoba.ca Wed Apr 20 15:48:27 2016
From: Daryl.Fonseca-Holt at umanitoba.ca (Daryl Fonseca-Holt)
Date: Wed, 20 Apr 2016 10:48:27 -0500
Subject: [Freeipa-users] ipa ERROR on user-add after RHEL 7 yum update
Message-ID: <5717A4CB.1000506@umanitoba.ca>

An HTML attachment was scrubbed...
URL:
-------------- next part --------------
#
# BEGIN COPYRIGHT BLOCK
# Copyright (C) 2001 Sun Microsystems, Inc. Used by permission.
# Copyright (C) 2005 Red Hat, Inc.
# All rights reserved.
#
# License: GPL (version 3 or any later version).
# See LICENSE for details.
# END COPYRIGHT BLOCK
#
#
# Schema from RFC 2307
# "An Approach for Using LDAP as a Network Information Service"
#
dn: cn=schema
attributeTypes: ( 1.3.6.1.1.1.1.0 NAME 'uidNumber' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'RFC 2307' )
attributeTypes: ( 1.3.6.1.1.1.1.1 NAME 'gidNumber' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'RFC 2307' )
attributeTypes: ( 1.3.6.1.1.1.1.2 NAME 'gecos' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'RFC 2307' )
attributeTypes: ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'RFC 2307' )
attributeTypes: ( 1.3.6.1.1.1.1.4 NAME 'loginShell' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'RFC 2307' )
attributeTypes: ( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'RFC 2307' )
attributeTypes: ( 1.3.6.1.1.1.1.6 NAME 'shadowMin' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'RFC 2307' )
attributeTypes: ( 1.3.6.1.1.1.1.7 NAME 'shadowMax' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'RFC 2307' )
attributeTypes: ( 1.3.6.1.1.1.1.8 NAME 'shadowWarning' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'RFC 2307' )
attributeTypes: ( 1.3.6.1.1.1.1.9 NAME 'shadowInactive' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'RFC 2307' )
attributeTypes: ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'RFC 2307' )
attributeTypes: ( 1.3.6.1.1.1.1.11 NAME 'shadowFlag' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'RFC 2307' )
attributeTypes: ( 1.3.6.1.1.1.1.12 NAME 'memberUid' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'RFC 2307' )
attributeTypes: ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'RFC 2307' )
attributeTypes: ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'RFC 2307' )
attributeTypes: ( 1.3.6.1.1.1.1.15 NAME 'ipServicePort' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'RFC 2307' )
attributeTypes: ( 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 2307' )
attributeTypes: ( 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'RFC 2307' )
attributeTypes: ( 1.3.6.1.1.1.1.18 NAME 'oncRpcNumber' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'RFC 2307' )
attributeTypes: ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 2307' )
attributeTypes: ( 1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'RFC 2307' )
attributeTypes: ( 1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'RFC 2307' )
attributeTypes: ( 1.3.6.1.1.1.1.22 NAME 'macAddress' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 2307' )
attributeTypes: ( 1.3.6.1.1.1.1.23 NAME 'bootParameter' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'RFC 2307' )
attributeTypes: ( 1.3.6.1.1.1.1.24 NAME 'bootFile' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'RFC 2307' )
attributeTypes: ( 1.3.6.1.1.1.1.26 NAME 'nisMapName' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 2307' )
attributeTypes: ( 1.3.6.1.1.1.1.27 NAME 'nisMapEntry' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'RFC 2307' )
objectClasses: ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'Standard LDAP objectclass' SUP top AUXILIARY MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ description ) X-ORIGIN 'RFC 2307' )
objectClasses: ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' DESC 'Standard LDAP objectclass' SUP top AUXILIARY MUST uid MAY ( userPassword $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ description ) X-ORIGIN 'RFC 2307' )
objectClasses: ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' DESC 'Standard LDAP objectclass' SUP top STRUCTURAL MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ description ) X-ORIGIN 'RFC 2307' )
objectClasses: ( 1.3.6.1.1.1.2.3 NAME 'ipService' DESC 'Standard LDAP objectclass' SUP top STRUCTURAL MUST ( cn $ ipServicePort $ ipServiceProtocol ) MAY ( description ) X-ORIGIN 'RFC 2307' )
objectClasses: ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' DESC 'Standard LDAP objectclass' SUP top STRUCTURAL MUST ( cn $ ipProtocolNumber ) MAY ( description ) X-ORIGIN 'RFC 2307' )
objectClasses: ( 1.3.6.1.1.1.2.5 NAME 'oncRpc' DESC 'Standard LDAP objectclass' SUP top STRUCTURAL MUST ( cn $ oncRpcNumber ) MAY ( description ) X-ORIGIN 'RFC 2307' )
objectClasses: ( 1.3.6.1.1.1.2.6 NAME 'ipHost' DESC 'Standard LDAP objectclass' SUP top AUXILIARY MUST ( ipHostNumber $ cn ) MAY ( manager $ description $ l $ o $ ou $ owner $ seeAlso $ serialNumber ) X-ORIGIN 'RFC 2307' )
objectClasses: ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' DESC 'Standard LDAP objectclass' SUP top STRUCTURAL MUST ( ipNetworkNumber $ cn ) MAY ( ipNetmaskNumber $ manager $ l $ description ) X-ORIGIN 'RFC 2307' )
objectClasses: ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' DESC 'Standard LDAP objectclass' SUP top STRUCTURAL MUST cn MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) X-ORIGIN 'RFC 2307' )
objectClasses: ( 1.3.6.1.1.1.2.10 NAME 'nisObject' DESC 'Standard LDAP objectclass' SUP top STRUCTURAL MUST ( cn $ nisMapEntry $ nisMapName ) MAY ( description ) X-ORIGIN 'RFC 2307' )
objectClasses: ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' DESC 'Standard LDAP objectclass' SUP top AUXILIARY MUST cn MAY ( macAddress $ description $ l $ o $ ou $ owner $ seeAlso $ serialNumber ) X-ORIGIN 'RFC 2307' )
objectClasses: ( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' DESC 'Standard LDAP objectclass' SUP top AUXILIARY MUST cn MAY ( bootFile $ bootParameter $ description $ l $ o $ ou $ owner $ seeAlso $ serialNumber ) X-ORIGIN 'RFC 2307' )
objectClasses: ( 1.3.6.1.1.1.2.13 NAME 'nisMap' DESC 'Standard LDAP objectclass' SUP top STRUCTURAL MUST ( nisMapName ) MAY ( description ) X-ORIGIN 'RFC 2307' )
-------------- next part --------------
dn: cn=schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymous, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema
modifiersName: cn=server,cn=plugins,cn=config
modifyTimestamp: 20160414164216Z
objectClasses: ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass X-ORIGIN ( 'RFC 4512' 'user defined' ) )
objectClasses: ( 2.5.6.1 NAME 'alias' SUP top STRUCTURAL MUST aliasedObjectName X-ORIGIN ( 'RFC 4512' 'user defined' ) )
objectClasses: ( 2.5.20.1 NAME 'subschema' AUXILIARY MAY ( dITStructureRules $ nameForms $ dITContentRules $ objectClasses $ attributeTypes $ matchingRules $ matchingRuleUse ) X-ORIGIN ( 'RFC 4512' 'user defined' ) )
objectClasses: ( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject' SUP top AUXILIARY X-ORIGIN ( 'RFC 4512' 'user defined' ) )
objectClasses: ( 2.5.6.11 NAME 'applicationProcess' SUP top STRUCTURAL MUST cn MAY ( seeAlso $ ou $ l $ description ) X-ORIGIN ( 'RFC 4519' 'user defined' ) )
objectClasses: ( 2.5.6.2 NAME 'country' SUP top STRUCTURAL MUST c MAY ( searchGuide $ description ) X-ORIGIN ( 'RFC 4519' 'user defined' ) )
objectClasses: ( 1.3.6.1.4.1.1466.344 NAME 'dcObject' DESC 'Standard LDAP objectclass' SUP top AUXILIARY MUST dc X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
objectClasses: ( 2.5.6.14 NAME 'device' SUP top STRUCTURAL MUST cn MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) X-ORIGIN ( 'RFC 4519' 'user defined' ) )
objectClasses: ( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL MUST cn MAY ( member $ businessCategory $ seeAlso $ owner $ ou $ o $ description ) X-ORIGIN ( 'RFC 4519' 'user defined' ) )
objectClasses: ( 2.5.6.17 NAME 'groupOfUniqueNames' SUP top STRUCTURAL MUST cn MAY ( uniqueMember $ businessCategory $ seeAlso $ owner $ ou $ o $ description ) X-ORIGIN ( 'RFC 4519' 'user defined' ) )
objectClasses: ( 2.5.6.3 NAME 'locality' SUP top STRUCTURAL MAY ( street $ seeAlso $ searchGuide $ st $ l $ description ) X-ORIGIN ( 'RFC 4519' 'user defined' ) )
objectClasses: ( 2.5.6.4 NAME 'organization' SUP top STRUCTURAL MUST o MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationalISDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) X-ORIGIN ( 'RFC 4519' 'user defined' ) )
objectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) X-ORIGIN ( 'RFC 4519' 'user defined' ) )
objectClasses: ( 2.5.6.7 NAME
'organizationalPerson' SUP person STRUCTURAL MAY ( title $ x121Address $ registeredAddress $ destinationIndicator $ preferred DeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ internationalISDNN umber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ post alAddress $ physicalDeliveryOfficeName $ ou $ st $ l ) X-ORIGIN ( 'RFC 4519' 'user defined' ) ) objectClasses: ( 2.5.6.8 NAME 'organizationalRole' SUP top STRUCTURAL MUST cn MAY ( x121Address $ registeredAddress $ destinationIndicator $ preferredDeliv eryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ inter nationalISDNNumber $ facsimileTelephoneNumber $ seeAlso $ roleOccupant $ stre et $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l $ description ) X-ORIGIN ( 'RFC 4519' 'user defined' ) ) objectClasses: ( 2.5.6.5 NAME 'organizationalUnit' SUP top STRUCTURAL MUST ou MAY ( businessCategory $ description $ destinationIndicator $ facsimileTeleph oneNumber $ internationalISDNNumber $ l $ physicalDeliveryOfficeName $ postal Address $ postalCode $ postOfficeBox $ preferredDeliveryMethod $ registeredAd dress $ searchGuide $ seeAlso $ st $ street $ telephoneNumber $ teletexTermin alIdentifier $ telexNumber $ userPassword $ x121Address ) X-ORIGIN ( 'RFC 451 9' 'user defined' ) ) objectClasses: ( 2.5.6.10 NAME 'residentialPerson' SUP person STRUCTURAL MUST l MAY ( businessCategory $ x121Address $ registeredAddress $ destinationIndic ator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ in ternationalISDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ p ostalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l ) X-ORIGIN ( 'RFC 4519' 'user defined' ) ) objectClasses: ( 1.3.6.1.1.3.1 NAME 'uidObject' SUP top AUXILIARY MUST uid X-O RIGIN ( 'RFC 4519' 'user defined' ) ) objectClasses: ( 2.16.840.1.113719.2.142.6.1.1 NAME 'ldapSubEntry' DESC 'LDAP Subentry class, version 1' SUP top STRUCTURAL MAY cn 
X-ORIGIN ( 'LDAP Subentr y Internet Draft' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.40 NAME 'directoryServerFeature' DESC ' Netscape defined objectclass' SUP top STRUCTURAL MAY ( oid $ cn $ multiLineDe scription ) X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.41 NAME 'nsslapdPlugin' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MUST ( cn $ nsslapd-pluginPath $ nssl apd-pluginInitfunc $ nsslapd-pluginType $ nsslapd-pluginId $ nsslapd-pluginVe rsion $ nsslapd-pluginVendor $ nsslapd-pluginDescription $ nsslapd-pluginEnab led ) MAY ( nsslapd-pluginConfigArea $ nsslapd-plugin-depends-on-type ) X-ORI GIN ( 'Netscape Directory Server' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.44 NAME 'nsIndex' DESC 'Netscape define d objectclass' SUP top STRUCTURAL MUST ( cn $ nsSystemIndex ) MAY ( descripti on $ nsIndexType $ nsMatchingRule $ nsIndexIDListScanLimit ) X-ORIGIN ( 'Nets cape Directory Server' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.109 NAME 'nsBackendInstance' DESC 'Nets cape defined objectclass' SUP top STRUCTURAL MUST cn X-ORIGIN ( 'Netscape Dir ectory Server' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.110 NAME 'nsMappingTree' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MUST cn X-ORIGIN ( 'Netscape Directo ry Server' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.104 NAME 'nsContainer' DESC 'Netscape d efined objectclass' SUP top STRUCTURAL MUST cn X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.108 NAME 'nsDS5Replica' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MUST ( nsDS5ReplicaRoot $ nsDS5Replic aId ) MAY ( cn $ nsds5ReplicaPreciseTombstonePurging $ nsds5ReplicaCleanRUV $ nsds5ReplicaAbortCleanRUV $ nsDS5ReplicaType $ nsDS5ReplicaBindDN $ nsState $ nsDS5ReplicaName $ nsDS5Flags $ nsDS5Task $ nsDS5ReplicaReferral $ nsDS5Rep licaAutoReferral $ nsds5ReplicaPurgeDelay 
$ nsds5ReplicaTombstonePurgeInterva l $ nsds5ReplicaChangeCount $ nsds5ReplicaLegacyConsumer $ nsds5ReplicaProtoc olTimeout $ nsds5ReplicaBackoffMin $ nsds5ReplicaBackoffMax ) X-ORIGIN ( 'Net scape Directory Server' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.113 NAME 'nsTombstone' DESC 'Netscape d efined objectclass' SUP top STRUCTURAL MAY ( nstombstonecsn $ nsParentUniqueI d $ nscpEntryDN ) X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.103 NAME 'nsDS5ReplicationAgreement' DE SC 'Netscape defined objectclass' SUP top STRUCTURAL MUST cn MAY ( nsds5Repli caCleanRUVNotified $ nsDS5ReplicaHost $ nsDS5ReplicaPort $ nsDS5ReplicaTransp ortInfo $ nsDS5ReplicaBindDN $ nsDS5ReplicaCredentials $ nsDS5ReplicaBindMeth od $ nsDS5ReplicaRoot $ nsDS5ReplicatedAttributeList $ nsDS5ReplicatedAttribu teListTotal $ nsDS5ReplicaUpdateSchedule $ nsds5BeginReplicaRefresh $ descrip tion $ nsds50ruv $ nsruvReplicaLastModified $ nsds5replicaTimeout $ nsds5repl icaChangesSentSinceStartup $ nsds5replicaLastUpdateEnd $ nsds5replicaLastUpda teStart $ nsds5replicaLastUpdateStatus $ nsds5replicaUpdateInProgress $ nsds5 replicaLastInitEnd $ nsds5ReplicaEnabled $ nsds5replicaLastInitStart $ nsds5r eplicaLastInitStatus $ nsds5debugreplicatimeout $ nsds5replicaBusyWaitTime $ nsds5ReplicaStripAttrs $ nsds5replicaSessionPauseTime $ nsds5ReplicaProtocolT imeout $ nsds5ReplicaFlowControlWindow $ nsds5ReplicaFlowControlPause $ nsDS5 ReplicaWaitForAsyncResults ) X-ORIGIN ( 'Netscape Directory Server' 'user def ined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.39 NAME 'nsslapdConfig' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MAY cn X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.317 NAME 'nsSaslMapping' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MUST ( cn $ nsSaslMapRegexString $ n sSaslMapBaseDNTemplate $ nsSaslMapFilterTemplate ) MAY nsSaslMapPriority X-OR IGIN ( 
'Netscape Directory Server' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.43 NAME 'nsSNMP' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MUST ( cn $ nsSNMPEnabled ) MAY ( nsSNMPOrga nization $ nsSNMPLocation $ nsSNMPContact $ nsSNMPDescription $ nsSNMPName $ nsSNMPMasterHost $ nsSNMPMasterPort ) X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netsca pe defined objectclass' SUP top STRUCTURAL MUST cn MAY ( nsCertfile $ nsKeyfi le $ nsSSL2 $ nsSSL3 $ nsTLS1 $ sslVersionMin $ sslVersionMax $ nsSSLSessionT imeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphe rs $ nsSSLSupportedCiphers $ allowWeakCipher ) X-ORIGIN ( 'Netscape' 'user de fined' ) ) objectClasses: ( nsEncryptionModule-oid NAME 'nsEncryptionModule' DESC 'Netsca pe defined objectclass' SUP top STRUCTURAL MUST cn MAY ( nsSSLToken $ nsSSLPe rsonalitySSL $ nsSSLActivation ) X-ORIGIN ( 'Netscape' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.327 NAME 'rootDNPluginConfig' DESC 'Net scape defined objectclass' SUP top STRUCTURAL MUST cn MAY ( rootdn-open-time $ rootdn-close-time $ rootdn-days-allowed $ rootdn-allow-host $ rootdn-deny-h ost $ rootdn-allow-ip $ rootdn-deny-ip ) X-ORIGIN ( 'Netscape' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.328 NAME 'nsSchemaPolicy' DESC 'Netscap e defined objectclass' SUP top STRUCTURAL MAY ( cn $ schemaUpdateObjectclassA ccept $ schemaUpdateObjectclassReject $ schemaUpdateAttributeAccept $ schemaU pdateAttributeReject ) X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.31 NAME 'groupOfCertificates' DESC 'Net scape defined objectclass' SUP top STRUCTURAL MUST cn MAY ( memberCertificate Description $ businessCategory $ description $ o $ ou $ owner $ seeAlso ) X-O RIGIN ( 'Netscape Directory Server' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.33 NAME 'groupOfURLs' DESC 
'Netscape de fined objectclass' SUP top STRUCTURAL MUST cn MAY ( memberURL $ businessCateg ory $ description $ o $ ou $ owner $ seeAlso ) X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.35 NAME 'LDAPServer' DESC 'Netscape def ined objectclass' SUP top STRUCTURAL MUST cn MAY ( description $ l $ ou $ see Also $ generation $ changeLogMaximumAge $ changeLogMaximumSize ) X-ORIGIN ( ' Netscape Directory Server' 'user defined' ) ) objectClasses: ( 1.3.6.1.4.1.250.3.18 NAME 'cacheObject' DESC 'object that con tains the TTL (time to live) attribute type' SUP top STRUCTURAL MAY ttl X-ORI GIN ( 'LDAP Caching Internet Draft' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.10 NAME 'netscapeServer' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MUST cn MAY ( description $ serverRo ot $ serverProductName $ serverVersionNumber $ installationTimeStamp $ admini stratorContactInfo $ userPassword $ adminUrl $ serverHostName ) X-ORIGIN ( 'N etscape Administration Services' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.7 NAME 'nsLicenseUser' DESC 'Netscape d efined objectclass' SUP top STRUCTURAL MAY ( nsLicensedFor $ nsLicenseStartTi me $ nsLicenseEndTime ) X-ORIGIN ( 'Netscape Administration Services' 'user d efined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.1 NAME 'changeLogEntry' DESC 'LDAP chan gelog objectclass' SUP top STRUCTURAL MUST ( targetDn $ changeTime $ changeNu mber $ changeType ) MAY ( changes $ newRdn $ deleteOldRdn $ newSuperior ) X-O RIGIN ( 'Changelog Internet Draft' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.6 NAME 'referral' DESC 'LDAP referrals objectclass' SUP top STRUCTURAL MAY ref X-ORIGIN ( 'LDAPv3 referrals Internet Draft' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.12 NAME 'passwordObject' DESC 'Netscape defined password policy objectclass' SUP top STRUCTURAL MAY ( pwdpolicysuben try $ passwordExpirationTime $ passwordExpWarned $ passwordRetryCount $ 
retry CountResetTime $ accountUnlockTime $ passwordHistory $ passwordAllowChangeTim e $ passwordGraceUserTime ) X-ORIGIN ( 'Netscape Directory Server' 'user defi ned' ) ) objectClasses: ( 2.16.840.1.113730.3.2.13 NAME 'passwordPolicy' DESC 'Netscape defined password policy objectclass' SUP top STRUCTURAL MAY ( passwordMaxAge $ passwordExp $ passwordMinLength $ passwordKeepHistory $ passwordInHistory $ passwordChange $ passwordWarning $ passwordLockout $ passwordMaxFailure $ p asswordResetDuration $ passwordUnlock $ passwordLockoutDuration $ passwordChe ckSyntax $ passwordMustChange $ passwordStorageScheme $ passwordMinAge $ pass wordResetFailureCount $ passwordGraceLimit $ passwordMinDigits $ passwordMinA lphas $ passwordMinUppers $ passwordMinLowers $ passwordMinSpecials $ passwor dMin8bit $ passwordMaxRepeats $ passwordMinCategories $ passwordMinTokenLengt h $ passwordTrackUpdateTime $ passwordAdminDN ) X-ORIGIN ( 'Netscape Director y Server' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.30 NAME 'glue' DESC 'Netscape defined o bjectclass' SUP top STRUCTURAL X-ORIGIN ( 'Netscape Directory Server' 'user d efined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.32 NAME 'netscapeMachineData' DESC 'Net scape defined objectclass' SUP top STRUCTURAL X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.38 NAME 'vlvSearch' DESC 'Netscape defi ned objectclass' SUP top STRUCTURAL MUST ( cn $ vlvBase $ vlvScope $ vlvFilte r ) MAY multiLineDescription X-ORIGIN ( 'Netscape Directory Server' 'user def ined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.42 NAME 'vlvIndex' DESC 'Netscape defin ed objectclass' SUP top STRUCTURAL MUST ( cn $ vlvSort ) MAY ( vlvEnabled $ v lvUses ) X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.84 NAME 'cosDefinition' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MAY ( costargettree $ costemplatedn $ cosspecifier $ cosAttribute $ aci $ cn $ uid 
) X-ORIGIN ( 'Netscape Director y Server' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.93 NAME 'nsRoleDefinition' DESC 'Netsca pe defined objectclass' SUP ldapSubEntry STRUCTURAL MAY ( description $ nsRol eScopeDN ) X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.94 NAME 'nsSimpleRoleDefinition' DESC ' Netscape defined objectclass' SUP nsRoleDefinition STRUCTURAL X-ORIGIN ( 'Net scape Directory Server' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.95 NAME 'nsComplexRoleDefinition' DESC 'Netscape defined objectclass' SUP nsRoleDefinition STRUCTURAL X-ORIGIN ( 'Ne tscape Directory Server' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.96 NAME 'nsManagedRoleDefinition' DESC 'Netscape defined objectclass' SUP nsSimpleRoleDefinition STRUCTURAL X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.97 NAME 'nsFilteredRoleDefinition' DESC 'Netscape defined objectclass' SUP nsComplexRoleDefinition STRUCTURAL MUST n sRoleFilter X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.98 NAME 'nsNestedRoleDefinition' DESC ' Netscape defined objectclass' SUP nsComplexRoleDefinition STRUCTURAL MUST nsR oleDN X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.99 NAME 'cosSuperDefinition' DESC 'Nets cape defined objectclass' SUP ldapSubEntry STRUCTURAL MUST cosAttribute MAY d escription X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.100 NAME 'cosClassicDefinition' DESC 'N etscape defined objectclass' SUP cosSuperDefinition STRUCTURAL MAY ( costempl atedn $ cosspecifier ) X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.101 NAME 'cosPointerDefinition' DESC 'N etscape defined objectclass' SUP cosSuperDefinition STRUCTURAL MAY costemplat edn X-ORIGIN ( 'Netscape Directory 
Server' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.102 NAME 'cosIndirectDefinition' DESC ' Netscape defined objectclass' SUP cosSuperDefinition STRUCTURAL MAY cosIndire ctSpecifier X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.503 NAME 'nsDSWindowsReplicationAgreeme nt' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MUST cn MAY ( nsDS 5ReplicaHost $ nsDS5ReplicaPort $ nsDS5ReplicaTransportInfo $ nsDS5ReplicaBin dDN $ nsDS5ReplicaCredentials $ nsDS5ReplicaBindMethod $ nsDS5ReplicaRoot $ n sDS5ReplicatedAttributeList $ nsDS5ReplicaUpdateSchedule $ nsds5BeginReplicaR efresh $ description $ nsds50ruv $ nsruvReplicaLastModified $ nsds5replicaTim eout $ nsds5replicaChangesSentSinceStartup $ nsds5replicaLastUpdateEnd $ nsds 5replicaLastUpdateStart $ nsds5replicaLastUpdateStatus $ nsds5replicaUpdateIn Progress $ nsds5replicaLastInitEnd $ nsds5replicaLastInitStart $ nsds5replica LastInitStatus $ nsds5debugreplicatimeout $ nsds5replicaBusyWaitTime $ nsds5r eplicaSessionPauseTime $ nsds7WindowsReplicaSubtree $ nsds7DirectoryReplicaSu btree $ nsds7NewWinUserSyncEnabled $ nsds7NewWinGroupSyncEnabled $ nsds7Windo wsDomain $ nsds7DirsyncCookie $ winSyncInterval $ oneWaySync $ winSyncMoveAct ion $ nsds5ReplicaEnabled $ winSyncDirectoryFilter $ winSyncWindowsFilter $ w inSyncSubtreePair ) X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.128 NAME 'costemplate' DESC 'Netscape d efined objectclass' SUP top STRUCTURAL MAY ( cn $ cosPriority ) X-ORIGIN ( 'N etscape Directory Server' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.304 NAME 'nsView' DESC 'Netscape define d objectclass' SUP top AUXILIARY MAY ( nsViewFilter $ description ) X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.316 NAME 'nsAttributeEncryption' DESC ' Netscape defined objectclass' SUP top STRUCTURAL MUST ( cn $ nsEncryptionAlgo rithm ) 
X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) objectClasses: ( 2.5.6.21 NAME 'pkiUser' DESC 'X.509 PKI User' SUP top AUXILIA RY MAY userCertificate X-ORIGIN ( 'RFC 4523' 'user defined' ) ) objectClasses: ( 2.5.6.22 NAME 'pkiCA' DESC 'X.509 PKI Certificate Authority' SUP top AUXILIARY MAY ( cACertificate $ certificateRevocationList $ authority RevocationList $ crossCertificatePair ) X-ORIGIN ( 'RFC 4523' 'user defined' ) ) objectClasses: ( 2.5.6.19 NAME 'cRLDistributionPoint' DESC 'X.509 CRL distribu tion point' SUP top STRUCTURAL MUST cn MAY ( certificateRevocationList $ auth orityRevocationList $ deltaRevocationList ) X-ORIGIN ( 'RFC 4523' 'user defin ed' ) ) objectClasses: ( 2.5.6.23 NAME 'deltaCRL' DESC 'X.509 delta CRL' SUP top AUXIL IARY MAY deltaRevocationList X-ORIGIN ( 'RFC 4523' 'user defined' ) ) objectClasses: ( 2.5.6.15 NAME 'strongAuthenticationUser' DESC 'X.521 strong a uthentication user' SUP top AUXILIARY MUST userCertificate X-ORIGIN ( 'RFC 45 23' 'user defined' ) ) objectClasses: ( 2.5.6.18 NAME 'userSecurityInformation' DESC 'X.521 user secu rity information' SUP top AUXILIARY MAY supportedAlgorithms X-ORIGIN ( 'RFC 4 523' 'user defined' ) ) objectClasses: ( 2.5.6.16 NAME 'certificationAuthority' DESC 'X.509 certificat e authority' SUP top AUXILIARY MUST ( authorityRevocationList $ certificateRe vocationList $ cACertificate ) MAY crossCertificatePair X-ORIGIN ( 'RFC 4523' 'user defined' ) ) objectClasses: ( 2.5.6.16.2 NAME 'certificationAuthority-V2' DESC 'X.509 certi ficate authority, version 2' SUP certificationAuthority AUXILIARY MAY deltaRe vocationList X-ORIGIN ( 'RFC 4523' 'user defined' ) ) objectClasses: ( 0.9.2342.19200300.100.4.5 NAME 'account' SUP top STRUCTURAL M UST uid MAY ( description $ seeAlso $ l $ o $ ou $ host ) X-ORIGIN ( 'RFC 452 4' 'user defined' ) ) objectClasses: ( 0.9.2342.19200300.100.4.6 NAME 'document' SUP top STRUCTURAL MUST documentIdentifier MAY ( cn $ description $ seeAlso $ l $ o $ ou $ docum entTitle 
$ documentVersion $ documentAuthor $ documentLocation $ documentPubl isher ) X-ORIGIN ( 'RFC 4524' 'user defined' ) ) objectClasses: ( 0.9.2342.19200300.100.4.9 NAME 'documentSeries' SUP top STRUC TURAL MUST cn MAY ( description $ l $ o $ ou $ seeAlso $ telephoneNumber ) X- ORIGIN ( 'RFC 4524' 'user defined' ) ) objectClasses: ( 0.9.2342.19200300.100.4.13 NAME 'domain' DESC 'Standard LDAP objectclass' SUP top STRUCTURAL MUST dc MAY ( associatedName $ businessCatego ry $ description $ destinationIndicator $ facsimileTelephoneNumber $ internat ionalISDNNumber $ l $ o $ physicalDeliveryOfficeName $ postOfficeBox $ postal Address $ postalCode $ preferredDeliveryMethod $ registeredAddress $ searchGu ide $ seeAlso $ st $ street $ telephoneNumber $ teletexTerminalIdentifier $ t elexNumber $ userPassword $ x121Address ) X-ORIGIN ( 'IPA v4.2.0' 'user defin ed' ) ) objectClasses: ( 0.9.2342.19200300.100.4.17 NAME 'domainRelatedObject' SUP top AUXILIARY MUST associatedDomain X-ORIGIN ( 'RFC 4524' 'user defined' ) ) objectClasses: ( 0.9.2342.19200300.100.4.18 NAME 'friendlyCountry' SUP country STRUCTURAL MUST co X-ORIGIN ( 'RFC 4524' 'user defined' ) ) objectClasses: ( 0.9.2342.19200300.100.4.14 NAME 'RFC822localPart' DESC 'Pilot objectclass' SUP domain STRUCTURAL MAY ( cn $ sn ) X-ORIGIN ( 'IPA v4.2.0' ' user defined' ) ) objectClasses: ( 0.9.2342.19200300.100.4.7 NAME 'room' SUP top STRUCTURAL MUST cn MAY ( roomNumber $ description $ seeAlso $ telephoneNumber ) X-ORIGIN ( ' RFC 4524' 'user defined' ) ) objectClasses: ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject' SUP to p AUXILIARY MUST userPassword X-ORIGIN ( 'RFC 4524' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organization alPerson STRUCTURAL MAY ( audio $ businessCategory $ carLicense $ departmentN umber $ displayName $ employeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddress $ initials $ jpegPhoto $ labeledURI $ mail $ manager $ mob ile $ o $ pager $ 
photo $ roomNumber $ secretary $ uid $ userCertificate $ x5 00UniqueIdentifier $ preferredLanguage $ userSMIMECertificate $ userPKCS12 ) X-ORIGIN ( 'RFC 2798' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.322 NAME 'autoMemberDefinition' DESC 'A uto Membership Config Definition Entry' SUP top STRUCTURAL MUST ( cn $ autoMe mberScope $ autoMemberFilter $ autoMemberGroupingAttr ) MAY ( autoMemberDefau ltGroup $ autoMemberDisabled ) X-ORIGIN ( '389 Directory Server' 'user define d' ) ) objectClasses: ( 2.16.840.1.113730.3.2.323 NAME 'autoMemberRegexRule' DESC 'Au to Membership Regex Rule Entry' SUP top STRUCTURAL MUST ( cn $ autoMemberTarg etGroup ) MAY ( autoMemberExclusiveRegex $ autoMemberInclusiveRegex $ descrip tion ) X-ORIGIN ( '389 Directory Server' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.324 NAME 'dnaPluginConfig' DESC 'DNA pl ugin configuration' SUP top AUXILIARY MAY ( dnaType $ dnaPrefix $ dnaNextValu e $ dnaMaxValue $ dnaInterval $ dnaMagicRegen $ dnaFilter $ dnaScope $ dnaExc ludeScope $ dnaSharedCfgDN $ dnaThreshold $ dnaNextRange $ dnaRangeRequestTim eout $ dnaRemoteBindDN $ dnaRemoteBindCred $ cn ) X-ORIGIN ( '389 Directory S erver' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.325 NAME 'dnaSharedConfig' DESC 'DNA Sh ared Configuration' SUP top AUXILIARY MAY ( dnaHostname $ dnaPortNum $ dnaSec urePortNum $ dnaRemoteBindMethod $ dnaRemoteConnProtocol $ dnaRemainingValues ) X-ORIGIN ( '389 Directory Server' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.319 NAME 'mepManagedEntry' DESC 'Manage d Entries Managed Entry' SUP top AUXILIARY MAY mepManagedBy X-ORIGIN ( '389 D irectory Server' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.320 NAME 'mepOriginEntry' DESC 'Managed Entries Origin Entry' SUP top AUXILIARY MAY mepManagedEntry X-ORIGIN ( '389 Directory Server' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.2.321 NAME 'mepTemplateEntry' DESC 'Manag ed Entries Template Entry' SUP top 
AUXILIARY MAY ( cn $ mepStaticAttr $ mepMa ppedAttr $ mepRDNAttr ) X-ORIGIN ( '389 Directory Server' 'user defined' ) ) objectClasses: ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'Standard LDAP objec tclass' SUP top AUXILIARY MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirec tory ) MAY ( userPassword $ loginShell $ gecos $ description ) X-ORIGIN ( 'RF C 2307' 'user defined' ) ) objectClasses: ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' DESC 'Standard LDAP obje ctclass' SUP top AUXILIARY MUST uid MAY ( userPassword $ shadowLastChange $ s hadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadow Flag $ description ) X-ORIGIN ( 'RFC 2307' 'user defined' ) ) objectClasses: ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' DESC 'Standard LDAP objectc lass' SUP top STRUCTURAL MUST ( cn $ gidNumber ) MAY ( userPassword $ memberU id $ description ) X-ORIGIN ( 'RFC 2307' 'user defined' ) ) objectClasses: ( 1.3.6.1.1.1.2.3 NAME 'ipService' DESC 'Standard LDAP objectcl ass' SUP top STRUCTURAL MUST ( cn $ ipServicePort $ ipServiceProtocol ) MAY d escription X-ORIGIN ( 'RFC 2307' 'user defined' ) ) objectClasses: ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' DESC 'Standard LDAP objectc lass' SUP top STRUCTURAL MUST ( cn $ ipProtocolNumber ) MAY description X-ORI GIN ( 'RFC 2307' 'user defined' ) ) objectClasses: ( 1.3.6.1.1.1.2.5 NAME 'oncRpc' DESC 'Standard LDAP objectclass ' SUP top STRUCTURAL MUST ( cn $ oncRpcNumber ) MAY description X-ORIGIN ( 'R FC 2307' 'user defined' ) ) objectClasses: ( 1.3.6.1.1.1.2.6 NAME 'ipHost' DESC 'Standard LDAP objectclass ' SUP top AUXILIARY MUST ( ipHostNumber $ cn ) MAY ( manager $ description $ l $ o $ ou $ owner $ seeAlso $ serialNumber ) X-ORIGIN ( 'RFC 2307' 'user def ined' ) ) objectClasses: ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' DESC 'Standard LDAP objectcl ass' SUP top STRUCTURAL MUST ( ipNetworkNumber $ cn ) MAY ( ipNetmaskNumber $ manager $ l $ description ) X-ORIGIN ( 'RFC 2307' 'user defined' ) ) objectClasses: ( 1.3.6.1.1.1.2.8 NAME 
'nisNetgroup' DESC 'Standard LDAP object class' SUP top STRUCTURAL MUST cn MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) X-ORIGIN ( 'RFC 2307' 'user defined' ) ) objectClasses: ( 1.3.6.1.1.1.2.10 NAME 'nisObject' DESC 'Standard LDAP objectc lass' SUP top STRUCTURAL MUST ( cn $ nisMapEntry $ nisMapName ) MAY descripti on X-ORIGIN ( 'RFC 2307' 'user defined' ) ) objectClasses: ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' DESC 'Standard LDAP obj ectclass' SUP top AUXILIARY MUST cn MAY ( macAddress $ description $ l $ o $ ou $ owner $ seeAlso $ serialNumber ) X-ORIGIN ( 'RFC 2307' 'user defined' ) ) objectClasses: ( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' DESC 'Standard LDAP ob jectclass' SUP top AUXILIARY MUST cn MAY ( bootFile $ bootParameter $ descrip tion $ l $ o $ ou $ owner $ seeAlso $ serialNumber ) X-ORIGIN ( 'RFC 2307' 'u ser defined' ) ) objectClasses: ( 1.3.6.1.1.1.2.13 NAME 'nisMap' DESC 'Standard LDAP objectclas s' SUP top STRUCTURAL MUST nisMapName MAY description X-ORIGIN ( 'RFC 2307' ' user defined' ) ) objectClasses: ( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject' DESC 'nisKeyObject' SUP top STRUCTURAL MUST ( cn $ nisPublickey $ nisSecretkey ) MAY ( uidNumber $ de scription ) X-ORIGIN 'user defined' ) objectClasses: ( 1.3.1.6.1.1.1.2.15 NAME 'nisDomainObject' DESC 'nisDomainObje ct' SUP top AUXILIARY MUST nisDomain X-ORIGIN 'user defined' ) objectClasses: ( 2.16.840.1.113730.3.2.4 NAME 'mailGroup' DESC 'Netscape Messa ging Server 4.x defined objectclass' SUP top AUXILIARY MAY ( cn $ mail $ mail AlternateAddress $ mailHost $ mailRoutingAddress $ mgrpAddHeader $ mgrpAllowe dBroadcaster $ mgrpAllowedDomain $ mgrpApprovePassword $ mgrpBroadcasterPolic y $ mgrpDeliverTo $ mgrpErrorsTo $ mgrpModerator $ mgrpMsgMaxSize $ mgrpMsgRe jectAction $ mgrpMsgRejectText $ mgrpNoDuplicateChecks $ mgrpRemoveHeader $ m grpRFC822MailMember $ owner ) X-ORIGIN ( 'Netscape Messaging Server 4.x' 'use r defined' ) ) objectClasses: ( 1.3.6.1.4.1.42.2.27.1.2.6 NAME 'nisNetId' 
DESC 'nisNetId' SUP top STRUCTURAL MUST cn MAY ( nisNetIdUser $ nisNetIdGroup $ nisNetIdHost ) X-ORIGIN 'user defined' )
objectClasses: ( 1.3.6.1.4.1.11.1.3.1.2.5 NAME 'DUAConfigProfile' DESC 'Abstraction of a base configuration for a DUA' SUP top STRUCTURAL MUST cn MAY ( defaultServerList $ preferredServerList $ defaultSearchBase $ defaultSearchScope $ searchTimeLimit $ bindTimeLimit $ credentialLevel $ authenticationMethod $ followReferrals $ dereferenceAliases $ serviceSearchDescriptor $ serviceCredentialLevel $ serviceAuthenticationMethod $ objectclassMap $ attributeMap $ profileTTL ) X-ORIGIN ( 'RFC4876' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.2.129 NAME 'inetDomain' DESC 'Auxiliary class for virtual domain nodes' SUP top AUXILIARY MAY ( inetDomainBaseDN $ inetDomainStatus ) X-ORIGIN ( 'Netscape subscriber interoperability' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.2.130 NAME 'inetUser' DESC 'Auxiliary class which must be present in an entry for delivery of subscriber services' SUP top AUXILIARY MAY ( uid $ inetUserStatus $ inetUserHttpURL $ userPassword $ memberOf ) X-ORIGIN ( 'Netscape subscriber interoperability' 'user defined' ) )
objectClasses: ( 1.3.6.1.4.1.1466.101.120.141 NAME 'NetscapeLinkedOrganization' AUXILIARY MAY parentOrganization X-ORIGIN ( 'Netscape' 'user defined' ) )
objectClasses: ( 1.3.6.1.4.1.1466.101.120.142 NAME 'NetscapePreferences' AUXILIARY MAY ( preferredLanguage $ preferredLocale $ preferredTimeZone ) X-ORIGIN ( 'Netscape' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.2.134 NAME 'inetSubscriber' SUP top AUXILIARY MAY ( inetSubscriberAccountId $ inetSubscriberChallenge $ inetSubscriberResponse ) X-ORIGIN ( 'Netscape subscriber interoperability' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.2.112 NAME 'inetAdmin' DESC 'Marker for an administrative group or user' SUP top AUXILIARY MAY ( aci $ memberOf $ adminRole ) X-ORIGIN ( 'Netscape Delegated Administrator' 'user defined' ) )
objectClasses: ( 1.3.6.1.4.1.42.2.27.4.2.1 NAME 'javaContainer' DESC 'Container for a Java object' SUP top STRUCTURAL MUST cn X-ORIGIN ( 'RFC 2713' 'user defined' ) )
objectClasses: ( 1.3.6.1.4.1.42.2.27.4.2.4 NAME 'javaObject' DESC 'Java object representation' SUP top ABSTRACT MUST javaClassName MAY ( javaClassNames $ javaCodebase $ javaDoc $ description ) X-ORIGIN ( 'RFC 2713' 'user defined' ) )
objectClasses: ( 1.3.6.1.4.1.42.2.27.4.2.5 NAME 'javaSerializedObject' DESC 'Java serialized object' SUP javaObject AUXILIARY MUST javaSerializedData X-ORIGIN ( 'RFC 2713' 'user defined' ) )
objectClasses: ( 1.3.6.1.4.1.42.2.27.4.2.7 NAME 'javaNamingReference' DESC 'JNDI reference' SUP javaObject AUXILIARY MAY ( javaReferenceAddress $ javaFactory ) X-ORIGIN ( 'RFC 2713' 'user defined' ) )
objectClasses: ( 1.3.6.1.4.1.42.2.27.4.2.8 NAME 'javaMarshalledObject' DESC 'Java marshalled object' SUP javaObject AUXILIARY MUST javaSerializedData X-ORIGIN ( 'RFC 2713' 'user defined' ) )
objectClasses: ( 0.9.2342.19200300.100.4.3 NAME 'pilotObject' DESC 'Standard LDAP objectclass' SUP top STRUCTURAL MAY ( audio $ ditRedirect $ info $ jpegPhoto $ lastModifiedBy $ lastModifiedTime $ manager $ photo $ uniqueIdentifier ) X-ORIGIN ( 'RFC 1274' 'user defined' ) )
objectClasses: ( nsAdminDomain-oid NAME 'nsAdminDomain' DESC 'Netscape defined objectclass' SUP organizationalUnit STRUCTURAL MAY nsAdminDomainName X-ORIGIN ( 'Netscape' 'user defined' ) )
objectClasses: ( nsHost-oid NAME 'nsHost' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MUST cn MAY ( serverHostName $ description $ l $ nsHostLocation $ nsHardwarePlatform $ nsOsVersion ) X-ORIGIN ( 'Netscape' 'user defined' ) )
objectClasses: ( nsAdminGroup-oid NAME 'nsAdminGroup' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MUST cn MAY ( nsAdminGroupName $ description $ nsConfigRoot $ nsAdminSIEDN ) X-ORIGIN ( 'Netscape' 'user defined' ) )
objectClasses: ( nsApplication-oid NAME 'nsApplication' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MUST cn MAY ( nsVendor $ description $ nsProductName $ nsNickName $ nsProductVersion $ nsBuildNumber $ nsRevisionNumber $ nsSerialNumber $ nsInstalledLocation $ installationTimeStamp $ nsExpirationDate $ nsBuildSecurity $ nsLdapSchemaVersion $ nsServerMigrationClassname $ nsServerCreationClassname ) X-ORIGIN ( 'Netscape' 'user defined' ) )
objectClasses: ( nsResourceRef-oid NAME 'nsResourceRef' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MUST cn MAY seeAlso X-ORIGIN ( 'Netscape' 'user defined' ) )
objectClasses: ( nsTask-oid NAME 'nsTask' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MUST cn MAY ( nsTaskLabel $ nsHelpRef $ nsExecRef $ nsLogSuppress ) X-ORIGIN ( 'Netscape' 'user defined' ) )
objectClasses: ( nsTaskGroup-oid NAME 'nsTaskGroup' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MUST cn MAY nsTaskLabel X-ORIGIN ( 'Netscape' 'user defined' ) )
objectClasses: ( nsAdminObject-oid NAME 'nsAdminObject' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MUST cn MAY ( nsJarfilename $ nsClassname ) X-ORIGIN ( 'Netscape' 'user defined' ) )
objectClasses: ( nsConfig-oid NAME 'nsConfig' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MUST cn MAY ( description $ nsServerPort $ nsServerAddress $ nsSuiteSpotUser $ nsErrorLog $ nsPidLog $ nsAccessLog $ nsDefaultAcceptLanguage $ nsServerSecurity ) X-ORIGIN ( 'Netscape' 'user defined' ) )
objectClasses: ( nsDirectoryInfo-oid NAME 'nsDirectoryInfo' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MUST cn MAY ( nsBindDN $ nsBindPassword $ nsDirectoryURL $ nsDirectoryFailoverList $ nsDirectoryInfoRef ) X-ORIGIN ( 'Netscape' 'user defined' ) )
objectClasses: ( nsAdminServer-oid NAME 'nsAdminServer' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MUST ( cn $ nsServerID ) MAY description X-ORIGIN ( 'Netscape Administration Services' 'user defined' ) )
objectClasses: ( nsAdminConfig-oid NAME 'nsAdminConfig' DESC 'Netscape defined objectclass' SUP nsConfig STRUCTURAL MAY ( nsAdminCgiWaitPid $ nsAdminUsers $ nsAdminAccessHosts $ nsAdminAccessAddresses $ nsAdminOneACLDir $ nsAdminEnableDSGW $ nsAdminEnableEnduser $ nsAdminCacheLifetime ) X-ORIGIN ( 'Netscape Administration Services' 'user defined' ) )
objectClasses: ( nsAdminResourceEditorExtension-oid NAME 'nsAdminResourceEditorExtension' DESC 'Netscape defined objectclass' SUP nsAdminObject STRUCTURAL MAY ( nsAdminAccountInfo $ nsDeleteclassname ) X-ORIGIN ( 'Netscape Administration Services' 'user defined' ) )
objectClasses: ( nsAdminGlobalParameters-oid NAME 'nsAdminGlobalParameters' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MUST cn MAY ( nsAdminEndUserHTMLIndex $ nsNickName ) X-ORIGIN ( 'Netscape Administration Services' 'user defined' ) )
objectClasses: ( nsGlobalParameters-oid NAME 'nsGlobalParameters' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MUST cn MAY ( nsUniqueAttribute $ nsUserIDFormat $ nsUserRDNComponent $ nsGroupRDNComponent $ nsWellKnownJarfiles $ nsNYR ) X-ORIGIN ( 'Netscape Administration Services' 'user defined' ) )
objectClasses: ( nsDefaultObjectClasses-oid NAME 'nsDefaultObjectClasses' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MUST cn MAY nsDefaultObjectClass X-ORIGIN ( 'Netscape Administration Services' 'user defined' ) )
objectClasses: ( nsAdminConsoleUser-oid NAME 'nsAdminConsoleUser' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MUST cn MAY nsPreference X-ORIGIN ( 'Netscape Administration Services' 'user defined' ) )
objectClasses: ( nsCustomView-oid NAME 'nsCustomView' DESC 'Netscape defined objectclass' SUP nsAdminObject STRUCTURAL MAY nsDisplayName X-ORIGIN ( 'Netscape Administration Services' 'user defined' ) )
objectClasses: ( nsTopologyCustomView-oid NAME 'nsTopologyCustomView' DESC 'Netscape defined objectclass' SUP nsCustomView STRUCTURAL MAY nsViewConfiguration X-ORIGIN ( 'Netscape Administration Services' 'user defined' ) )
objectClasses: ( nsTopologyPlugin-oid NAME 'nsTopologyPlugin' DESC 'Netscape defined objectclass' SUP nsAdminObject STRUCTURAL X-ORIGIN ( 'Netscape Administration Services' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.2.18 NAME 'netscapeCertificateServer' DESC 'Netscape defined objectclass' SUP top STRUCTURAL X-ORIGIN ( 'Netscape Certificate Management System' 'user defined' ) )
objectClasses: ( nsCertificateServer-oid NAME 'nsCertificateServer' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MUST nsServerID MAY ( serverHostName $ nsServerPort $ nsCertConfig ) X-ORIGIN ( 'Netscape Certificate Management System' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.2.23 NAME 'netscapeDirectoryServer' DESC 'Netscape defined objectclass' SUP top STRUCTURAL X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
objectClasses: ( nsDirectoryServer-oid NAME 'nsDirectoryServer' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MUST nsServerID MAY ( serverHostName $ nsServerPort $ nsSecureServerPort $ nsBindPassword $ nsBindDN $ nsBaseDN ) X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.2.8 NAME 'ntUser' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MUST ntUserDomainId MAY ( description $ l $ ou $ seeAlso $ ntUserPriv $ ntUserHomeDir $ ntUserComment $ ntUserFlags $ ntUserScriptPath $ ntUserAuthFlags $ ntUserUsrComment $ ntUserParms $ ntUserWorkstations $ ntUserLastLogon $ ntUserLastLogoff $ ntUserAcctExpires $ ntUserMaxStorage $ ntUserUnitsPerWeek $ ntUserLogonHours $ ntUserBadPwCount $ ntUserNumLogons $ ntUserLogonServer $ ntUserCountryCode $ ntUserCodePage $ ntUserUniqueId $ ntUserPrimaryGroupId $ ntUserProfile $ ntUserHomeDirDrive $ ntUserPasswordExpired $ ntUserCreateNewAccount $ ntUserDeleteAccount $ ntUniqueId ) X-ORIGIN ( 'Netscape NT Synchronization' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.2.9 NAME 'ntGroup' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MUST ntUserDomainId MAY ( description $ l $ ou $ seeAlso $ ntGroupId $ ntGroupAttributes $ ntGroupCreateNewGroup $ ntGroupDeleteGroup $ ntGroupType $ ntUniqueId $ mail ) X-ORIGIN ( 'Netscape NT Synchronization' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.2.82 NAME 'nsChangelog4Config' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MAY cn X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.2.114 NAME 'nsConsumer4Config' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MAY cn X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.2.36 NAME 'LDAPReplica' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MUST cn MAY ( description $ l $ ou $ seeAlso $ replicaRoot $ replicaHost $ replicaPort $ replicaBindDn $ replicaCredentials $ replicaBindMethod $ replicaUseSSL $ replicaUpdateSchedule $ replicaUpdateReplayed $ replicaUpdateFailedAt $ replicaBeginOrc $ replicaNickName $ replicaEntryFilter $ replicatedattributelist $ replicaCFUpdated $ replicaAbandonedChanges $ replicaLastRelevantChange ) X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.2.11 NAME 'cirReplicaSource' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MUST cn MAY ( cirReplicaRoot $ cirHost $ cirPort $ cirBindDn $ cirUsePersistentSearch $ cirUseSsl $ cirBindCredentials $ cirLastUpdateApplied $ cirUpdateSchedule $ cirSyncInterval $ cirUpdateFailedat $ cirBeginORC $ replicaNickName $ replicaEntryFilter $ replicatedattributelist ) X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.2.3 NAME 'mailRecipient' DESC 'Netscape Messaging Server 4.x defined objectclass' SUP top AUXILIARY MAY ( cn $ mail $ mailAlternateAddress $ mailHost $ mailRoutingAddress $ mailAccessDomain $ mailAutoReplyMode $ mailAutoReplyText $ mailDeliveryOption $ mailForwardingAddress $ mailMessageStore $ mailProgramDeliveryInfo $ mailQuota $ multiLineDescription $ uid $ userPassword ) X-ORIGIN ( 'Netscape Messaging Server 4.x' 'user defined' ) )
objectClasses: ( 2.16.840.113730.3.2.37 NAME 'nsMessagingServerUser' DESC 'Netscape Messaging Server 4.x defined objectclass' SUP top AUXILIARY MAY ( cn $ mailAccessDomain $ mailAutoReplyMode $ mailAutoReplyText $ mailDeliveryOption $ mailForwardingAddress $ mailMessageStore $ mailProgramDeliveryInfo $ mailQuota $ nsmsgDisallowAccess $ nsmsgNumMsgQuota $ nswmExtendedUserPrefs $ vacationstartdate $ vacationenddate ) X-ORIGIN ( 'Netscape Messaging Server 4.x' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.2.5 NAME 'groupOfMailEnhancedUniqueNames' DESC 'Netscape Messaging Server 4.x defined objectclass' SUP top AUXILIARY MUST cn MAY ( businessCategory $ description $ mailEnhancedUniqueMember $ o $ ou $ owner $ seeAlso ) X-ORIGIN ( 'Netscape Messaging Server 4.x' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.2.24 NAME 'netscapeMailServer' DESC 'Netscape Messaging Server 4.x defined objectclass' SUP top AUXILIARY X-ORIGIN ( 'Netscape Messaging Server 4.x' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.2.45 NAME 'nsValueItem' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MUST cn MAY ( nsValueCIS $ nsValueCES $ nsValueTel $ nsValueInt $ nsValueBin $ nsValueDN $ nsValueType $ nsValueSyntax $ nsValueDescription $ nsValueHelpURL $ nsValueFlags $ nsValueDefault ) X-ORIGIN ( 'Netscape servers - value item' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.2.29 NAME 'netscapeWebServer' DESC 'Netscape defined objectclass' SUP top STRUCTURAL MUST ( cn $ nsServerID ) MAY ( description $ nsServerPort ) X-ORIGIN ( 'Netscape Web Server' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.2.154 NAME 'netscapeReversiblePasswordObject' DESC 'object that contains an netscapeReversiblePassword' AUXILIARY MAY netscapeReversiblePassword X-ORIGIN ( 'Netscape Web Server' 'user defined' ) )
objectClasses: ( 1.3.6.1.4.1.11.1.3.2.2.1 NAME 'accountPolicy' DESC 'Account policy entry' SUP top AUXILIARY MAY accountInactivityLimit X-ORIGIN ( 'Account Policy Plugin' 'user defined' ) )
objectClasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' DESC 'Automount information' SUP top STRUCTURAL MUST ( automountKey $ automountInformation ) MAY description X-ORIGIN ( 'RFC 2307bis' 'user defined' ) )
objectClasses: ( 1.3.6.1.1.1.2.16 NAME 'automountMap' DESC 'Automount Map information' SUP top STRUCTURAL MUST automountMapName MAY description X-ORIGIN ( 'RFC 2307bis' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.4.1 NAME 'ipaHost' AUXILIARY MUST fqdn MAY ( userPassword $ ipaClientVersion $ enrolledBy $ memberOf $ userClass $ ipaAssignedIDView ) X-ORIGIN ( 'IPA v2' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.4.12 NAME 'ipaObject' DESC 'IPA objectclass' AUXILIARY MUST ipaUniqueID X-ORIGIN ( 'IPA v2' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.4.14 NAME 'ipaEntitlement' DESC 'IPA Entitlement object' AUXILIARY MUST ipaEntitlementId MAY ( userPKCS12 $ userCertificate ) X-ORIGIN ( 'IPA v2' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.4.15 NAME 'ipaPermission' DESC 'IPA Permission objectclass' AUXILIARY MAY ipaPermissionType X-ORIGIN ( 'IPA v2' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf $ managedBy $ ipaKrbAuthzData ) X-ORIGIN ( 'IPA v2' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.4.3 NAME 'nestedGroup' DESC 'Group that supports nesting' SUP groupOfNames STRUCTURAL MAY memberOf X-ORIGIN ( 'IPA v2' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.4.4 NAME 'ipaUserGroup' DESC 'IPA user group object class' SUP nestedGroup STRUCTURAL X-ORIGIN ( 'IPA v2' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.4.5 NAME 'ipaHostGroup' DESC 'IPA host group object class' SUP nestedGroup STRUCTURAL X-ORIGIN ( 'IPA v2' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.4.6 NAME 'ipaAssociation' ABSTRACT MUST ( ipaUniqueID $ cn ) MAY ( memberUser $ userCategory $ memberHost $ hostCategory $ ipaEnabledFlag $ description ) X-ORIGIN ( 'IPA v2' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.4.7 NAME 'ipaHBACRule' SUP ipaAssociation STRUCTURAL MUST accessRuleType MAY ( sourceHost $ sourceHostCategory $ serviceCategory $ memberService $ externalHost $ accessTime ) X-ORIGIN ( 'IPA v2' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.4.8 NAME 'ipaNISNetgroup' DESC 'IPA version of NIS netgroup' SUP ipaAssociation STRUCTURAL MAY ( externalHost $ nisDomainName $ member $ memberOf ) X-ORIGIN ( 'IPA v2' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.4.9 NAME 'ipaCAaccess' STRUCTURAL MAY ( member $ hostCApolicy ) X-ORIGIN ( 'IPA v2' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.4.10 NAME 'ipaHBACService' STRUCTURAL MUST cn MAY ( description $ memberOf ) X-ORIGIN ( 'IPA v2' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.4.11 NAME 'ipaHBACServiceGroup' DESC 'IPA HBAC service group object class' SUP groupOfNames STRUCTURAL X-ORIGIN ( 'IPA v2' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST cn MAY ( ipaExternalMember $ memberOf $ description $ owner ) X-ORIGIN ( 'IPA v3' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ipaNTSecurityIdentifier MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN ( 'IPA v3' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ipaNTSecurityIdentifier X-ORIGIN ( 'IPA v3' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.12.4 NAME 'ipaNTDomainAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier $ ipaNTFlatName $ ipaNTDomainGUID ) MAY ipaNTFallbackPrimaryGroup X-ORIGIN ( 'IPA v3' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' DESC 'Trusted Domain Object' SUP top STRUCTURAL MUST cn MAY ( ipaNTTrustType $ ipaNTTrustAttributes $ ipaNTTrustDirection $ ipaNTTrustPartner $ ipaNTFlatName $ ipaNTTrustAuthOutgoing $ ipaNTTrustAuthIncoming $ ipaNTTrustedDomainSID $ ipaNTTrustForestTrustInfo $ ipaNTTrustPosixOffset $ ipaNTSupportedEncryptionTypes $ ipaNTSIDBlacklistIncoming $ ipaNTSIDBlacklistOutgoing ) X-ORIGIN 'user defined' )
objectClasses: ( 2.16.840.1.113730.3.8.12.6 NAME 'groupOfPrincipals' SUP top AUXILIARY MUST cn MAY memberPrincipal X-ORIGIN ( 'IPA v3' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.12.7 NAME 'ipaKrb5DelegationACL' SUP groupOfPrincipals STRUCTURAL MAY ( ipaAllowToImpersonate $ ipaAllowedTarget ) X-ORIGIN ( 'IPA v3' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.12.10 NAME 'ipaSELinuxUserMap' SUP ipaAssociation STRUCTURAL MUST ipaSELinuxUser MAY ( accessTime $ seeAlso ) X-ORIGIN ( 'IPA v3' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.12.11 NAME 'ipaSshGroupOfPubKeys' ABSTRACT MAY ipaSshPubKey X-ORIGIN ( 'IPA v3' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.12.12 NAME 'ipaSshUser' SUP ipaSshGroupOfPubKeys AUXILIARY X-ORIGIN ( 'IPA v3' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.12.13 NAME 'ipaSshHost' SUP ipaSshGroupOfPubKeys AUXILIARY X-ORIGIN ( 'IPA v3' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.12.14 NAME 'ipaIDobject' SUP top AUXILIARY MAY ( uidNumber $ gidNumber $ ipaNTSecurityIdentifier ) X-ORIGIN ( 'IPA v3' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn $ ipaBaseID $ ipaIDRangeSize $ ipaRangeType ) X-ORIGIN ( 'IPA v3' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange' SUP ipaIDrange STRUCTURAL MAY ( ipaBaseRID $ ipaSecondaryBaseRID ) X-ORIGIN ( 'IPA v3' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $ ipaNTTrustedDomainSID ) X-ORIGIN ( 'IPA v3' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.12.19 NAME 'ipaUserAuthTypeClass' DESC 'Class for authentication methods definition' SUP top AUXILIARY MAY ipaUserAuthType X-ORIGIN ( 'IPA v3' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.12.20 NAME 'ipaUser' AUXILIARY MUST uid MAY userClass X-ORIGIN ( 'IPA v3' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.12.21 NAME 'ipaPermissionV2' DESC 'IPA Permission objectclass, version 2' SUP ipaPermission AUXILIARY MUST ( ipaPermBindRuleType $ ipaPermLocation ) MAY ( ipaPermDefaultAttr $ ipaPermIncludedAttr $ ipaPermExcludedAttr $ ipaPermRight $ ipaPermTargetFilter $ ipaPermTarget $ ipaPermTargetTo $ ipaPermTargetFrom ) X-ORIGIN ( 'IPA v4.0' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.12.22 NAME 'ipaAllowedOperations' DESC 'Class to apply access controls to arbitrary operations' SUP top AUXILIARY MAY ( ipaAllowedToPerform $ ipaProtectedOperation ) X-ORIGIN ( 'IPA v4.0' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.12.24 NAME 'ipaPublicKeyObject' DESC 'Wrapped public keys' SUP top AUXILIARY MUST ipaPublicKey X-ORIGIN ( 'IPA v4.1' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.12.25 NAME 'ipaPrivateKeyObject' DESC 'Wrapped private keys' SUP top AUXILIARY MUST ( ipaPrivateKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN ( 'IPA v4.1' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.12.26 NAME 'ipaSecretKeyObject' DESC 'Wrapped secret keys' SUP top AUXILIARY MUST ( ipaSecretKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN ( 'IPA v4.1' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject' DESC 'Indirect storage for encoded key material' SUP top AUXILIARY MUST ipaSecretKeyRef X-ORIGIN ( 'IPA v4.1' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.18.1.1 NAME 'ipaVault' DESC 'IPA vault' SUP top STRUCTURAL MUST cn MAY ( description $ ipaVaultType $ ipaVaultSalt $ ipaVaultPublicKey $ owner $ member ) X-ORIGIN ( 'IPA v4.2' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.18.1.2 NAME 'ipaVaultContainer' DESC 'IPA vault container' SUP top STRUCTURAL MUST cn MAY ( description $ owner ) X-ORIGIN ( 'IPA v4.2' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.21.2.1 NAME 'ipaCertProfile' SUP top STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued ) X-ORIGIN ( 'IPA v4.2' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.21.2.2 NAME 'ipaCaAcl' SUP ipaAssociation STRUCTURAL MAY ( ipaCaCategory $ ipaCertProfileCategory $ serviceCategory $ ipaMemberCa $ ipaMemberCertProfile $ memberService ) X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
objectClasses: ( 1.3.6.1.4.1.5923.1.1.2 NAME 'eduPerson' AUXILIARY MAY ( eduPersonAffiliation $ eduPersonNickName $ eduPersonOrgDN $ eduPersonOrgUnitDN $ eduPersonPrimaryAffiliation $ eduPersonPrincipalName $ eduPersonEntitlement $ eduPersonPrimaryOrgUnitDN $ eduPersonScopedAffiliation ) X-ORIGIN ( 'http://middleware.internet2.edu/eduperson/' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $ ipaGroupSearchFields $ ipaSearchTimeLimit $ ipaSearchRecordsLimit $ ipaCustomFields $ ipaHomesRootDir $ ipaDefaultLoginShell $ ipaDefaultPrimaryGroup $ ipaMaxUsernameLength $ ipaPwdExpAdvNotify $ ipaUserObjectClasses $ ipaGroupObjectClasses $ ipaDefaultEmailDomain $ ipaMigrationEnabled $ ipaCertificateSubjectBase $ ipaSELinuxUserMapDefault $ ipaSELinuxUserMapOrder $ ipaKrbAuthzData ) X-ORIGIN 'user defined' )
objectClasses: ( 2.16.840.1.113730.3.8.4.13 NAME 'ipaConfigObject' DESC 'generic config object for IPA' AUXILIARY MAY ipaConfigString X-ORIGIN ( 'IPA v2' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( cn $ idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord $ a6Record $ nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ tXTRecord $ mXRecord $ mDRecord $ hInfoRecord $ mInfoRecord $ aFSDBRecord $ SigRecord $ KeyRecord $ LocRecord $ nXTRecord $ nAPTRRecord $ kXRecord $ certRecord $ dNameRecord $ dSRecord $ sSHFPRecord $ rRSIGRecord $ nSECRecord $ DLVRecord $ TLSARecord $ UnknownRecord $ RPRecord $ APLRecord $ IPSECKEYRecord $ DHCIDRecord $ HIPRecord $ SPFRecord ) X-ORIGIN 'user defined' )
objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $ idnsSOAmName $ idnsSOArName $ idnsSOAserial $ idnsSOArefresh $ idnsSOAretry $ idnsSOAexpire $ idnsSOAminimum ) MAY ( idnsUpdatePolicy $ idnsAllowQuery $ idnsAllowTransfer $ idnsAllowSyncPTR $ idnsForwardPolicy $ idnsForwarders $ idnsSecInlineSigning $ nSEC3PARAMRecord ) X-ORIGIN 'user defined' )
objectClasses: ( 2.16.840.1.113730.3.8.6.2 NAME 'idnsConfigObject' DESC 'DNS global config options' STRUCTURAL MAY ( idnsForwardPolicy $ idnsForwarders $ idnsAllowSyncPTR $ idnsZoneRefresh $ idnsPersistentSearch ) X-ORIGIN 'user defined' )
objectClasses: ( 2.16.840.1.113730.3.8.12.18 NAME 'ipaDNSZone' SUP top AUXILIARY MUST idnsName MAY managedBy X-ORIGIN ( 'IPA v3' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.6.3 NAME 'idnsForwardZone' DESC 'Forward Zone class' SUP top STRUCTURAL MUST ( idnsName $ idnsZoneActive ) MAY ( idnsForwarders $ idnsForwardPolicy ) X-ORIGIN 'user defined' )
objectClasses: ( 2.16.840.1.113730.3.8.6.4 NAME 'idnsSecKey' DESC 'DNSSEC key metadata' STRUCTURAL MUST ( idnsSecKeyRef $ idnsSecKeyCreated $ idnsSecAlgorithm ) MAY ( idnsSecKeyPublish $ idnsSecKeyActivate $ idnsSecKeyInactive $ idnsSecKeyDelete $ idnsSecKeyZone $ idnsSecKeyRevoke $ idnsSecKeySep $ cn ) X-ORIGIN ( 'IPA v4.1' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.17.2.1 NAME 'ipk11Object' DESC 'Object' SUP top STRUCTURAL MUST ipk11UniqueId X-ORIGIN ( 'IPA v4.1' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.17.2.2 NAME 'ipk11StorageObject' DESC 'Storage object' SUP top ABSTRACT MAY ( ipk11Private $ ipk11Modifiable $ ipk11Label $ ipk11Copyable $ ipk11Destroyable ) X-ORIGIN ( 'IPA v4.1' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.17.2.5 NAME 'ipk11Key' DESC 'Key' SUP ipk11StorageObject ABSTRACT MAY ( ipk11KeyType $ ipk11Id $ ipk11StartDate $ ipk11EndDate $ ipk11Derive $ ipk11Local $ ipk11KeyGenMechanism $ ipk11AllowedMechanisms ) X-ORIGIN ( 'IPA v4.1' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.17.2.6 NAME 'ipk11PublicKey' DESC 'Public key' SUP ipk11Key AUXILIARY MAY ( ipk11Subject $ ipk11Encrypt $ ipk11Verify $ ipk11VerifyRecover $ ipk11Wrap $ ipk11Trusted $ ipk11WrapTemplate $ ipk11Distrusted $ ipk11PublicKeyInfo ) X-ORIGIN ( 'IPA v4.1' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.17.2.7 NAME 'ipk11PrivateKey' DESC 'Private key' SUP ipk11Key AUXILIARY MAY ( ipk11Subject $ ipk11Sensitive $ ipk11Decrypt $ ipk11Sign $ ipk11SignRecover $ ipk11Unwrap $ ipk11Extractable $ ipk11AlwaysSensitive $ ipk11NeverExtractable $ ipk11WrapWithTrusted $ ipk11UnwrapTemplate $ ipk11AlwaysAuthenticate $ ipk11PublicKeyInfo ) X-ORIGIN ( 'IPA v4.1' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.17.2.8 NAME 'ipk11SecretKey' DESC 'Secret key' SUP ipk11Key AUXILIARY MAY ( ipk11Sensitive $ ipk11Encrypt $ ipk11Decrypt $ ipk11Sign $ ipk11Verify $ ipk11Wrap $ ipk11Unwrap $ ipk11Extractable $ ipk11AlwaysSensitive $ ipk11NeverExtractable $ ipk11CheckValue $ ipk11WrapWithTrusted $ ipk11Trusted $ ipk11WrapTemplate $ ipk11UnwrapTemplate ) X-ORIGIN ( 'IPA v4.1' 'user defined' ) )
objectClasses: ( 2.16.840.1.113719.1.301.6.1.1 NAME 'krbContainer' SUP top STRUCTURAL MUST cn X-ORIGIN 'user defined' )
objectClasses: ( 2.16.840.1.113719.1.301.6.2.1 NAME 'krbRealmContainer' SUP top STRUCTURAL MUST cn MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ krbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSaltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbPrincNamingAttr $ krbPwdPolicyReference $ krbPrincContainerRef ) X-ORIGIN 'user defined' )
objectClasses: ( 2.16.840.1.113719.1.301.6.3.1 NAME 'krbService' SUP top ABSTRACT MUST cn MAY ( krbHostServer $ krbRealmReferences ) X-ORIGIN 'user defined' )
objectClasses: ( 2.16.840.1.113719.1.301.6.4.1 NAME 'krbKdcService' SUP krbService STRUCTURAL X-ORIGIN 'user defined' )
objectClasses: ( 2.16.840.1.113719.1.301.6.5.1 NAME 'krbPwdService' SUP krbService STRUCTURAL X-ORIGIN 'user defined' )
objectClasses: ( 2.16.840.1.113719.1.301.6.8.1 NAME 'krbPrincipalAux' AUXILIARY MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData $ krbLastAdminUnlock ) X-ORIGIN 'user defined' )
objectClasses: ( 2.16.840.1.113719.1.301.6.9.1 NAME 'krbPrincipal' SUP top STRUCTURAL MUST krbPrincipalName MAY krbObjectReferences X-ORIGIN 'user defined' )
objectClasses: ( 2.16.840.1.113719.1.301.6.11.1 NAME 'krbPrincRefAux' SUP top AUXILIARY MAY krbPrincipalReferences X-ORIGIN 'user defined' )
objectClasses: ( 2.16.840.1.113719.1.301.6.13.1 NAME 'krbAdmService' SUP krbService STRUCTURAL X-ORIGIN 'user defined' )
objectClasses: ( 2.16.840.1.113719.1.301.6.14.1 NAME 'krbPwdPolicy' SUP top STRUCTURAL MUST cn MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $ krbPwdFailureCountInterval $ krbPwdLockoutDuration ) X-ORIGIN 'user defined' )
objectClasses: ( 2.16.840.1.113719.1.301.6.16.1 NAME 'krbTicketPolicyAux' AUXILIARY MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) X-ORIGIN 'user defined' )
objectClasses: ( 2.16.840.1.113719.1.301.6.17.1 NAME 'krbTicketPolicy' SUP top STRUCTURAL MUST cn X-ORIGIN 'user defined' )
objectClasses: ( 1.3.6.1.4.1.13769.9.1 NAME 'mozillaAbPersonAlpha' SUP top AUXILIARY MUST cn MAY ( c $ description $ displayName $ facsimileTelephoneNumber $ givenName $ homePhone $ l $ mail $ mobile $ mozillaCustom1 $ mozillaCustom2 $ mozillaCustom3 $ mozillaCustom4 $ mozillaHomeCountryName $ mozillaHomeLocalityName $ mozillaHomePostalCode $ mozillaHomeState $ mozillaHomeStreet $ mozillaHomeStreet2 $ mozillaHomeUrl $ mozillaNickname $ mozillaSecondEmail $ mozillaUseHtmlMail $ mozillaWorkStreet2 $ mozillaWorkUrl $ nsAIMid $ o $ ou $ pager $ postalCode $ postOfficeBox $ sn $ st $ street $ telephoneNumber $ title ) X-ORIGIN ( 'Mozilla Address Book' 'user defined' ) )
objectClasses: ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject' DESC 'Auxiliary object class for adding authorizedService attribute' SUP top AUXILIARY MAY authorizedService X-ORIGIN ( 'NSS LDAP schema' 'user defined' ) )
objectClasses: ( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject' DESC 'Auxiliary object class for adding host attribute' SUP top AUXILIARY MAY host X-ORIGIN ( 'NSS LDAP schema' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.2.318 NAME 'pamConfig' DESC 'PAM plugin configuration' SUP top AUXILIARY MAY ( cn $ pamMissingSuffix $ pamExcludeSuffix $ pamIncludeSuffix $ pamIDAttr $ pamIDMapMethod $ pamFallback $ pamSecure $ pamService $ pamFilter ) X-ORIGIN ( 'Red Hat Directory Server' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.2.326 NAME 'dynamicGroup' DESC 'Group containing internal dynamically-generated members' SUP posixGroup AUXILIARY MAY dsOnlyMemberUid X-ORIGIN ( 'Red Hat Directory Server' 'user defined' ) )
objectClasses: ( 1.3.6.1.4.1.6981.11.2.3 NAME 'PureFTPdUser' DESC 'PureFTPd user with optional quota, throttling and ratio' STRUCTURAL MAY ( FTPStatus $ FTPQuotaFiles $ FTPQuotaMBytes $ FTPUploadRatio $ FTPDownloadRatio $ FTPUploadBandwidth $ FTPDownloadBandwidth $ FTPuid $ FTPgid ) X-ORIGIN ( 'Pure-FTPd' 'user defined' ) )
objectClasses: ( 1.2.840.113556.1.5.87 NAME 'calEntry' DESC 'RFC2739: Calendar Entry' SUP top AUXILIARY MAY ( calCalURI $ calFBURL $ calOtherCalURIs $ calOtherFBURLs $ calCAPURI $ calOtherCAPURIs ) X-ORIGIN ( 'rfc2739' 'user defined' ) )
objectClasses: ( 1.3.18.0.2.6.258 NAME 'printerAbstract' DESC 'Printer related information.' SUP top ABSTRACT MAY ( printer-name $ printer-natural-language-configured $ printer-location $ printer-info $ printer-more-info $ printer-make-and-model $ printer-multiple-document-jobs-supported $ printer-charset-configured $ printer-charset-supported $ printer-generated-natural-language-supported $ printer-document-format-supported $ printer-color-supported $ printer-compression-supported $ printer-pages-per-minute $ printer-pages-per-minute-color $ printer-finishings-supported $ printer-number-up-supported $ printer-sides-supported $ printer-media-supported $ printer-media-local-supported $ printer-resolution-supported $ printer-print-quality-supported $ printer-job-priority-supported $ printer-copies-supported $ printer-job-k-octets-supported $ printer-current-operator $ printer-service-person $ printer-delivery-orientation-supported $ printer-stacking-order-supported $ printer-output-features-supported ) X-ORIGIN ( 'rfc3712' 'user defined' ) )
objectClasses: ( 1.3.18.0.2.6.255 NAME 'printerService' DESC 'Printer information.' SUP printerAbstract STRUCTURAL MAY ( printer-uri $ printer-xri-supported ) X-ORIGIN ( 'rfc3712' 'user defined' ) )
objectClasses: ( 1.3.18.0.2.6.257 NAME 'printerServiceAuxClass' DESC 'Printer information.' SUP printerAbstract AUXILIARY MAY ( printer-uri $ printer-xri-supported ) X-ORIGIN ( 'rfc3712' 'user defined' ) )
objectClasses: ( 1.3.18.0.2.6.256 NAME 'printerIPP' DESC 'Internet Printing Protocol (IPP) information.' SUP top AUXILIARY MAY ( printer-ipp-versions-supported $ printer-multiple-document-jobs-supported ) X-ORIGIN ( 'rfc3712' 'user defined' ) )
objectClasses: ( 1.3.18.0.2.6.253 NAME 'printerLPR' DESC 'LPR information.' SUP top AUXILIARY MUST printer-name MAY printer-aliases X-ORIGIN ( 'rfc3712' 'user defined' ) )
objectClasses: ( 1.3.6.1.4.1.2312.4.3.4.1 NAME 'sabayonProfile' DESC 'sabayon profile' SUP top STRUCTURAL MUST cn MAY ( sabayonProfileURL $ description ) X-ORIGIN ( 'Sabayon' 'user defined' ) )
objectClasses: ( 1.3.6.1.4.1.2312.4.3.4.2 NAME 'sabayonProfileNameObject' DESC 'contains sabayon profile name' SUP top AUXILIARY MUST sabayonProfileName X-ORIGIN ( 'Sabayon' 'user defined' ) )
objectClasses: ( 1.3.6.1.4.1.2312.4.3.4.3 NAME 'sabayonProfileURLObject' DESC 'contains sabayon profile' SUP top AUXILIARY MUST cn MAY sabayonProfileURL X-ORIGIN ( 'Sabayon' 'user defined' ) )
objectClasses: ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' DESC 'Samba 3.0 Auxilary SAM Account' SUP top AUXILIARY MUST ( uid $ sambaSID ) MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $ sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $ sambaBadPasswordCount $ sambaBadPasswordTime $ sambaPasswordHistory $ sambaLogonHours ) X-ORIGIN 'user defined' )
objectClasses: ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' DESC 'Samba Group Mapping' SUP top AUXILIARY MUST ( gidNumber $ sambaSID $ sambaGroupType ) MAY ( displayName $ description $ sambaSIDList ) X-ORIGIN 'user defined' )
objectClasses: ( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' DESC 'Samba Trust Password' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaNTPassword $ sambaTrustFlags ) MAY ( sambaSID $ sambaPwdLastSet ) X-ORIGIN 'user defined' )
objectClasses: ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' DESC 'Samba Domain Information' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaSID ) MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ sambaAlgorithmicRidBase $ sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $ sambaMaxPwdAge $ sambaMinPwdAge $ sambaLockoutDuration $ sambaLockoutObservationWindow $ sambaLockoutThreshold $ sambaForceLogoff $ sambaRefuseMachinePwdChange ) X-ORIGIN 'user defined' )
objectClasses: ( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' DESC 'Pool for allocating UNIX uids/gids' SUP top AUXILIARY MUST ( uidNumber $ gidNumber ) X-ORIGIN 'user defined' )
objectClasses: ( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' DESC 'Mapping from a SID to an ID' SUP top AUXILIARY MUST sambaSID MAY ( uidNumber $ gidNumber ) X-ORIGIN 'user defined' )
objectClasses: ( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' DESC 'Structural Class for a SID' SUP top STRUCTURAL MUST sambaSID X-ORIGIN 'user defined' )
objectClasses: ( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' DESC 'Samba Configuration Section' SUP top AUXILIARY MAY description X-ORIGIN 'user defined' )
objectClasses: ( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' DESC 'Samba Share Section' SUP top STRUCTURAL MUST sambaShareName MAY description X-ORIGIN 'user defined' )
objectClasses: ( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' DESC 'Samba Configuration Option' SUP top STRUCTURAL MUST sambaOptionName MAY ( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $ sambaStringListOption $ description ) X-ORIGIN 'user defined' )
objectClasses: ( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaTrustedDomainPassword' DESC 'Samba Trusted Domain Password' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaSID $ sambaClearTextPassword $ sambaPwdLastSet ) MAY sambaPreviousClearTextPassword X-ORIGIN 'user defined' )
objectClasses: ( 1.3.6.1.4.1.7165.2.2.16 NAME 'sambaTrustedDomain' DESC 'Samba Trusted Domain Object' SUP top STRUCTURAL MUST cn MAY ( sambaTrustType $ sambaTrustAttributes $ sambaTrustDirection $ sambaTrustPartner $ sambaFlatName $ sambaTrustAuthOutgoing $ sambaTrustAuthIncoming $ sambaSecurityIdentifier $ sambaTrustForestTrustInfo $ sambaTrustPosixOffset $ sambaSupportedEncryptionTypes ) X-ORIGIN 'user defined' )
objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer Entries' SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $ sudoOrder $ description ) X-ORIGIN ( 'SUDO' 'user defined' ) )
objectClasses: ( 5.3.6.1.1.1.2.0 NAME 'trustAccount' DESC 'Sets trust accounts information' SUP top AUXILIARY MUST trustModel MAY accessTo X-ORIGIN ( 'nss_ldap/pam_ldap' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.12.8 NAME 'ipaKrbPrincipal' SUP krbPrincipalAux AUXILIARY MUST ( krbPrincipalName $ ipaKrbPrincipalAlias ) X-ORIGIN ( 'IPA v3' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.12.27 NAME 'ipaCertificate' SUP top STRUCTURAL MUST ( cn $ ipaCertIssuerSerial $ ipaCertSubject $ ipaPublicKey ) MAY ipaConfigString X-ORIGIN ( 'IPA v4.1' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.12.28 NAME 'ipaKeyPolicy' SUP top AUXILIARY MAY ( ipaKeyTrust $ ipaKeyUsage $ ipaKeyExtUsage ) X-ORIGIN ( 'IPA v4.1' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.8.1 NAME 'ipaSudoRule' SUP ipaAssociation STRUCTURAL MAY ( externalUser $ externalHost $ hostMask $ memberAllowCmd $ memberDenyCmd $ cmdCategory $ ipaSudoOpt $ ipaSudoRunAs $ ipaSudoRunAsExtUser $ ipaSudoRunAsUserCategory $ ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ ipaSudoRunAsGroupCategory $ sudoNotBefore $ sudoNotAfter $ sudoOrder $ ipaSudoRunAsExtUserGroup ) X-ORIGIN ( 'IPA v2' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.8.2 NAME 'ipaSudoCmd' DESC 'IPA object class for SUDO command' STRUCTURAL MUST ( ipaUniqueID $ sudoCmd ) MAY ( memberOf $ description ) X-ORIGIN ( 'IPA v2' 'user defined' ) )
objectClasses: ( 2.16.840.1.113730.3.8.8.3 NAME 'ipaSudoCmdGrp' DESC 'IPA object class to store groups of SUDO commands' SUP groupOfNames STRUCTURAL MUST i
paUniqueID X-ORIGIN ( 'IPA v2' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.8.16.2.1 NAME 'ipaToken' DESC 'Abstract t oken class for tokens' SUP top ABSTRACT MUST ipatokenUniqueID MAY ( descripti on $ managedBy $ ipatokenOwner $ ipatokenDisabled $ ipatokenNotBefore $ ipato kenNotAfter $ ipatokenVendor $ ipatokenModel $ ipatokenSerial ) X-ORIGIN ( 'I PA OTP' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.8.16.2.2 NAME 'ipatokenTOTP' DESC 'TOTP T oken Type' SUP ipaToken STRUCTURAL MAY ( ipatokenOTPkey $ ipatokenOTPalgorith m $ ipatokenOTPdigits $ ipatokenTOTPclockOffset $ ipatokenTOTPtimeStep $ ipat okenTOTPwatermark ) X-ORIGIN ( 'IPA OTP' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.8.16.2.3 NAME 'ipatokenRadiusProxyUser' D ESC 'Radius Proxy User' SUP top AUXILIARY MAY ( ipatokenRadiusConfigLink $ ip atokenRadiusUserName ) X-ORIGIN ( 'IPA OTP' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.8.16.2.4 NAME 'ipatokenRadiusConfiguratio n' DESC 'Proxy Radius Configuration' SUP top STRUCTURAL MUST ( cn $ ipatokenR adiusServer $ ipatokenRadiusSecret ) MAY ( description $ ipatokenRadiusTimeou t $ ipatokenRadiusRetries $ ipatokenUserMapAttribute ) X-ORIGIN ( 'IPA OTP' ' user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.8.16.2.5 NAME 'ipatokenHOTP' DESC 'HOTP T oken Type' SUP ipaToken STRUCTURAL MUST ( ipatokenOTPkey $ ipatokenOTPalgorit hm $ ipatokenOTPdigits $ ipatokenHOTPcounter ) X-ORIGIN ( 'IPA OTP' 'user def ined' ) ) objectClasses: ( 2.16.840.1.113730.3.8.16.2.6 NAME 'ipatokenOTPConfig' DESC 'O TP Global Configuration' SUP top STRUCTURAL MUST cn MAY ( ipatokenTOTPauthWin dow $ ipatokenTOTPsyncWindow $ ipatokenHOTPauthWindow $ ipatokenHOTPsyncWindo w ) X-ORIGIN ( 'IPA OTP' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.8.20.1.1 NAME 'ipaReplTopoConf' DESC 'IPA defined objectclass' SUP top STRUCTURAL MUST ipaReplTopoConfRoot MAY ( cn $ nsDS5ReplicaRoot $ nsDS5ReplicatedAttributeList $ nsDS5ReplicatedAttributeLis tTotal 
) X-ORIGIN ( 'Free IPA' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.8.20.1.2 NAME 'ipaReplTopoSegment' DESC ' IPA defined objectclass' SUP top STRUCTURAL MUST ( ipaReplTopoSegmentDirectio n $ ipaReplTopoSegmentLeftNode $ ipaReplTopoSegmentRightNode ) MAY ( cn $ ipa ReplTopoSegmentStatus $ ipaReplTopoSegmentGenerated $ nsDS5ReplicatedAttribut eList $ nsDS5ReplicatedAttributeListTotal $ nsds5BeginReplicaRefresh $ descri ption $ nsds5replicaTimeout $ nsds5ReplicaEnabled $ nsds5ReplicaStripAttrs $ nsds5replicaSessionPauseTime $ nsds5ReplicaProtocolTimeout ) X-ORIGIN ( 'Free IPA' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.8.20.1.3 NAME 'ipaReplTopoManagedAgreemen t' DESC 'marker objectclass for managed replication agreements' SUP top AUXIL IARY MAY ipaReplTopoManagedAgreementState X-ORIGIN ( 'Free IPA' 'user defined ' ) ) objectClasses: ( 2.16.840.1.113730.3.8.20.1.4 NAME 'ipaReplTopoManagedServer' DESC 'part of managed replication topology' SUP top AUXILIARY MAY ipaReplTopo ManagedSuffix X-ORIGIN ( 'Free IPA' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.8.12.29 NAME 'ipaIDView' SUP nsContainer STRUCTURAL MAY description X-ORIGIN ( 'IPA v4' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.8.12.30 NAME 'ipaOverrideAnchor' SUP top STRUCTURAL MUST ipaAnchorUUID MAY description X-ORIGIN ( 'IPA v4' 'user defin ed' ) ) objectClasses: ( 2.16.840.1.113730.3.8.12.31 NAME 'ipaUserOverride' DESC 'Over ride for User Attributes' SUP ipaOverrideAnchor STRUCTURAL MAY ( uid $ uidNum ber $ gidNumber $ homeDirectory $ loginShell $ gecos $ ipaOriginalUid ) X-ORI GIN ( 'IPA v4' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.8.12.32 NAME 'ipaGroupOverride' DESC 'Ove rride for Group Attributes' SUP ipaOverrideAnchor STRUCTURAL MAY ( gidNumber $ cn ) X-ORIGIN ( 'IPA v4' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.8.12.35 NAME 'ipaOverrideTarget' SUP top STRUCTURAL MUST ipaAnchorUUID X-ORIGIN ( 'IPA v4' 'user defined' ) ) 
objectClasses: ( 2.16.840.1.113730.3.8.19.1.1 NAME 'ipaDomainLevelConfig' DESC 'Domain Level Configuration' SUP ipaConfigObject AUXILIARY MUST ipaDomainLev el X-ORIGIN ( 'IPA v4' 'user defined' ) ) objectClasses: ( 2.16.840.1.113730.3.8.19.1.2 NAME 'ipaSupportedDomainLevelCon fig' DESC 'Supported Domain Level Configuration' SUP ipaConfigObject AUXILIAR Y MUST ( ipaMinDomainLevel $ ipaMaxDomainLevel ) X-ORIGIN ( 'IPA v4' 'user de fined' ) ) objectClasses: ( 1.3.6.1.4.1.35157.1.1.2 NAME 'umanitobaPerson' DESC 'Custom u manitoba Person elements' AUXILIARY MAY ( umIdmIdtype $ umAcstat $ umSvclass $ isPubliclyViewable $ studentNumber $ gobsrid $ accountState $ umRole $ umGe neric1 $ umGeneric2 $ umNtPwHash $ umArchived ) X-ORIGIN 'user defined' ) objectClasses: ( cmsuser-oid NAME 'cmsuser' DESC 'CMS User' SUP top STRUCTURAL MUST usertype MAY userstate X-ORIGIN 'user defined' ) objectClasses: ( CertACLS-oid NAME 'CertACLS' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY resourceACLS X-ORIGIN 'user defined' ) objectClasses: ( repository-oid NAME 'repository' DESC 'CMS defined class' SUP top STRUCTURAL MUST ou MAY ( serialno $ description $ nextRange $ publishing Status ) X-ORIGIN 'user defined' ) objectClasses: ( request-oid NAME 'request' DESC 'CMS defined class' SUP top S TRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $ dateOfModify $ requestStat e $ requestResult $ requestOwner $ requestAgentGroup $ requestSourceId $ requ estType $ requestFlag $ requestError $ userMessages $ adminMessages ) X-ORIGI N 'user defined' ) objectClasses: ( transaction-oid NAME 'transaction' DESC 'CMS defined class' S UP top STRUCTURAL MUST cn MAY ( transId $ description $ transName $ transStat us $ transOps ) X-ORIGIN 'user defined' ) objectClasses: ( crlIssuingPointRecord-oid NAME 'crlIssuingPointRecord' DESC ' CMS defined class' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $ dateOfModi fy $ crlNumber $ crlSize $ thisUpdate $ nextUpdate $ deltaNumber $ deltaSize $ firstUnsaved $ 
certificateRevocationList $ deltaRevocationList $ crlCache $ revokedCerts $ unrevokedCerts $ expiredCerts $ cACertificate ) X-ORIGIN 'use r defined' ) objectClasses: ( certificateRecord-oid NAME 'certificateRecord' DESC 'CMS defi ned class' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $ dateOfM odify $ certStatus $ autoRenew $ issueInfo $ metaInfo $ revInfo $ version $ d uration $ notAfter $ notBefore $ algorithmId $ subjectName $ signingAlgorithm Id $ userCertificate $ issuedBy $ revokedBy $ revokedOn $ extension $ publicK eyData $ issuerName ) X-ORIGIN 'user defined' ) objectClasses: ( userDetails-oid NAME 'userDetails' DESC 'CMS defined class' S UP top STRUCTURAL MUST userDN MAY ( dateOfCreate $ dateOfModify $ password $ p12Expiration ) X-ORIGIN 'user defined' ) objectClasses: ( keyRecord-oid NAME 'keyRecord' DESC 'CMS defined class' SUP t op STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $ dateOfModify $ keyState $ privateKeyData $ ownerName $ keySize $ metaInfo $ dateOfArchival $ dateOfR ecovery $ algorithm $ publicKeyFormat $ publicKeyData $ archivedBy $ clientId $ dataType $ status ) X-ORIGIN 'user defined' ) objectClasses: ( pkiSecurityDomain-oid NAME 'pkiSecurityDomain' DESC 'CMS defi ned class' SUP top STRUCTURAL MUST ( ou $ name ) X-ORIGIN 'user defined' ) objectClasses: ( pkiSecurityGroup-oid NAME 'pkiSecurityGroup' DESC 'CMS define d class' SUP top STRUCTURAL MUST cn X-ORIGIN 'user defined' ) objectClasses: ( pkiSubsystem-oid NAME 'pkiSubsystem' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ host $ SecurePort $ SubsystemName $ Clone ) M AY ( DomainManager $ SecureAgentPort $ SecureAdminPort $ SecureEEClientAuthPo rt $ UnSecurePort ) X-ORIGIN 'user defined' ) objectClasses: ( pkiRange-oid NAME 'pkiRange' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ beginRange $ endRange $ host $ SecurePort ) X-ORIGIN 'user defined' ) objectClasses: ( securityDomainSessionEntry-oid NAME 'securityDomainSessionEnt ry' DESC 'CMS defined 
class' SUP top STRUCTURAL MUST ( cn $ host $ uid $ cmsU serGroup $ dateOfCreate ) X-ORIGIN 'user defined' ) objectClasses: ( tokenRecord-oid NAME 'tokenRecord' DESC 'CMS defined class' S UP top STRUCTURAL MUST cn MAY ( dateOfCreate $ dateOfModify $ modified $ toke nReason $ tokenUserID $ tokenStatus $ tokenAppletID $ keyInfo $ tokenPolicy $ extensions $ numberOfResets $ numberOfEnrollments $ numberOfRenewals $ numbe rOfRecoveries $ userCertificate $ tokenType ) X-ORIGIN 'user defined' ) objectClasses: ( tokenActivity-oid NAME 'tokenActivity' DESC 'CMS defined clas s' SUP top STRUCTURAL MUST cn MAY ( dateOfCreate $ dateOfModify $ tokenOp $ t okenIP $ tokenResult $ tokenID $ tokenUserID $ tokenMsg $ extensions $ tokenT ype ) X-ORIGIN 'user defined' ) objectClasses: ( tokenCert-oid NAME 'tokenCert' DESC 'CMS defined class' SUP t op STRUCTURAL MUST cn MAY ( dateOfCreate $ dateOfModify $ userCertificate $ t okenUserID $ tokenID $ tokenIssuer $ tokenOrigin $ tokenSubject $ tokenSerial $ tokenStatus $ tokenType $ tokenKeyType $ tokenNotBefore $ tokenNotAfter $ extensions ) X-ORIGIN 'user defined' ) objectClasses: ( tpsProfileID-oid NAME 'tpsProfileID' DESC 'CMS defined class' SUP top AUXILIARY MAY profileID X-ORIGIN ( 'user-defined' 'user defined' ) ) objectClasses: ( certProfile-oid NAME 'certProfile' DESC 'Certificate profile' SUP top STRUCTURAL MUST cn MAY ( classId $ certProfileConfig ) X-ORIGIN 'use r defined' ) attributeTypes: ( 2.16.840.1.113730.3.1.582 NAME 'nsDS5ReplicaCredentials' DES C 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGL E-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who ma y run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SY NTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'SUDO' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.11.51 NAME 'ipaAllowedToPerform' DESC 'DNs allowed to perform an 
operation' SUP distinguishedName EQUALITY distingu ishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'IPA v4.0' 'us er defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2274 NAME 'nsslapd-instancedir' DESC ' Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE- VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 1.3.18.0.2.4.1139 NAME 'printer-info' DESC 'Descriptive info rmation about this printer.' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstr ingsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'rfc37 12' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.16.1.4 NAME 'ipatokenNotAfter' DESC 'T oken expiration date' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.1 15.121.1.24 SINGLE-VALUE X-ORIGIN ( 'IPA OTP' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113719.1.301.4.24.1 NAME 'krbHostServer' EQUALIT Y caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'IPA v4.2 .0' 'user defined' ) ) attributeTypes: ( 0.9.2342.19200300.100.1.26 NAME 'aRecord' EQUALITY caseIgno reIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.532 NAME 'ntUserCountryCode' DESC 'Net scape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VAL UE X-ORIGIN ( 'Netscape NT Synchronization' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.34 NAME 'ref' DESC 'LDAP referrals att ribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'LDAPv3 referral s Internet Draft' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.17.1.52 NAME 'ipk11Verify' DESC 'Key s upports verification where the signature is an appendix to the data' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN ( 'IP A v4.1' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.13769.2.4 NAME ( 'nsAIMid' 'nscpaimscreenname' ) EQUALITY telephoneNumberMatch SUBSTR 
telephoneNumberSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 X-ORIGIN ( 'Mozilla Address Book' 'user defined ' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.204 NAME 'replicaNickName' DESC 'Netsc ape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( ' Netscape Directory Server' 'user defined' ) ) attributeTypes: ( sslVersionMin-oid NAME 'sslVersionMin' DESC 'Netscape define d attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord' DESC 'Key, RFC 253 5' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3 .6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.11.2 NAME 'ipaNTSecurityIdentifier' DE SC 'NT Security ID' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substring sMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN ( 'IPA v3' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase' DESC 'Base at which the samba RID generation algorithm should operate' EQUALITY in tegerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2243 NAME 'nsslapd-securelistenhost' D ESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SI NGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( modified-oid NAME 'modified' DESC 'CMS defined attribute' SY NTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN 'user defined' ) attributeTypes: ( notBefore-oid NAME 'notBefore' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( 1.3.6.1.4.1.6981.11.3.7 NAME 'FTPStatus' DESC 'Account statu s: enabled or disabled' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121 .1.7 SINGLE-VALUE X-ORIGIN ( 'Pure-FTPd' 'user defined' ) ) attributeTypes: ( 
2.16.840.1.113730.3.1.2108 NAME 'nsPagedLookThroughLimit' DE SC 'Binder-based simple paged search operation look through limit' SYNTAX 1.3 .6.1.4.1.1466.115.121.1.27 SINGLE-VALUE USAGE directoryOperation X-ORIGIN ( ' 389' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2091 NAME 'nsslapd-suffix' DESC 'Netsc ape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( ' Netscape' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.3.24 NAME 'ipaEntitlementId' DESC 'Ent itlement Unique identifier' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrder ingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.1 5 X-ORIGIN ( 'IPA v2' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' DESC 'NT Group Type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALU E X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( nsUserRDNComponent-oid NAME 'nsUserRDNComponent' DESC 'Netsc ape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( ' Netscape Administration Services' 'user defined' ) ) attributeTypes: ( 1.3.18.0.2.4.1117 NAME 'printer-media-local-supported' DESC 'Site-specific names of media supported by this printer.' 
EQUALITY caseIgnore Match SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X -ORIGIN ( 'rfc3712' 'user defined' ) ) attributeTypes: ( 2.5.4.51 NAME 'houseIdentifier' EQUALITY caseIgnoreMatch SU BSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'RFC 4519' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2301 NAME 'nsslapd-plugin-logging' DES C 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SING LE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 0.9.2342.19200300.100.1.3 NAME ( 'mail' 'rfc822mailbox' ) E QUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1 .4.1.1466.115.121.1.26 X-ORIGIN ( 'RFC 4524' 'user defined' ) X-DEPRECATED 'r fc822mailbox' ) attributeTypes: ( 2.16.840.1.113730.3.1.607 NAME 'nsDS5Flags' DESC 'Netscape d efined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-OR IGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( nsTaskLabel-oid NAME 'nsTaskLabel' DESC 'Netscape defined at tribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape' 'use r defined' ) ) attributeTypes: ( 1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord' DESC 'NSEC, RFC 3 755' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1 .3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2068 NAME 'pamExcludeSuffix' DESC 'Suf fixes to exclude from PAM authentication' SYNTAX 1.3.6.1.4.1.1466.115.121.1.1 2 X-ORIGIN ( 'Red Hat Directory Server' 'user defined' ) ) attributeTypes: ( nsBindDN-oid NAME 'nsBindDN' DESC 'Netscape defined attribut e type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'Netscape' 'user defi ned' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2157 NAME 'dnaRemoteBindCred' DESC 'Re mote bind credentials' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-OR IGIN ( '389 Directory Server' 'user defined' ) ) 
attributeTypes: ( requestError-oid NAME 'requestError' DESC 'CMS defined attri bute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( Clone-oid NAME 'Clone' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' ) attributeTypes: ( tokenMsg-oid NAME 'tokenMsg' DESC 'CMS defined attribute' SY NTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( 2.16.840.1.113730.3.8.11.44 NAME 'ipaPermExcludedAttr' DESC 'IPA permission explicitly excluded attribute' EQUALITY caseIgnoreMatch ORDER ING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( ' IPA v4.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2261 NAME 'nsslapd-attribute-name-exce ptions' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.12 1.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.5.4.18 NAME 'postOfficeBox' EQUALITY caseIgnoreMatch SUBS TR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'RFC 4519' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.527 NAME 'ntUserLastLogoff' DESC 'Nets cape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALU E X-ORIGIN ( 'Netscape NT Synchronization' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.102 NAME ( 'passwordChange' 'pwdAllowU serChange' ) DESC 'Netscape defined password policy attribute type' SYNTAX 1. 
3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Serve r' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.250.1.2 NAME 'multiLineDescription' DESC 'Pilot attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Internet Whi te Pages Pilot' 'user defined' ) ) attributeTypes: ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire' DESC 'Standard LDAP att ribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'RF C 2307' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.21 NAME 'mailQuota' DESC 'Netscape Mes saging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-O RIGIN ( 'Netscape Messaging Server 4.x' 'user defined' ) ) attributeTypes: ( 1.2.840.113556.1.4.482 NAME 'calOtherCalURIs' DESC 'RFC2739: multi-value URI for snapshots of other calendars' EQUALITY caseIgnoreIA5Matc h SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X- ORIGIN ( 'rfc2739' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2238 NAME 'nsslapd-security' DESC 'Net scape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VAL UE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( ownerName-oid NAME 'ownerName' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( numberOfResets-oid NAME 'numberOfResets' DESC 'CMS defined a ttribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN 'user defined' ) attributeTypes: ( 1.3.6.1.4.1.42.2.27.1.1.14 NAME 'nisNetIdHost' DESC 'nisNetI dHost' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIG IN ( 'RFC2307bis' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.35157.1.1.1.5 NAME 'umRole' DESC 'Role' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115 .121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( 1.3.6.1.4.1.42.2.27.4.1.6 NAME 'javaClassName' DESC 'Fully q ualified name of distinguished Java class or interface' 
EQUALITY caseExactMat ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'RFC 2713' 'u ser defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.240 NAME 'replicatedattributelist' DES C 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-OR IGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2175 NAME 'nsslapd-accesslog-logrotati onsync-enabled' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.146 6.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defi ned' ) ) attributeTypes: ( nsRevisionNumber-oid NAME 'nsRevisionNumber' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Nets cape' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.3.11 NAME 'externalHost' DESC 'Multiva lue string attribute that allows storing host names.' EQUALITY caseIgnoreMatc h ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1. 3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v2' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.11.62 NAME 'ipaAnchorUUID' DESC 'Uniqu e Anchor Identifier' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatc h SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2207 NAME 'nsslapd-rootdn' DESC 'Netsc ape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.3 NAME 'searchTimeLimit' DESC 'Maximu m time an agent or service allows for a search to complete' EQUALITY integerM atch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGL E-VALUE X-ORIGIN ( 'RFC4876' 'user defined' ) ) attributeTypes: ( nsHelpRef-oid NAME 'nsHelpRef' DESC 'Netscape defined attrib ute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape' 'user de fined' ) ) attributeTypes: ( 
2.16.840.1.113730.3.8.1.9 NAME 'ipaMaxUsernameLength' EQUAL ITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.43 NAME 'ntUserDeleteAccount' DESC 'Ne tscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VA LUE X-ORIGIN ( 'Netscape NT Synchronization' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.17.1.61 NAME 'ipk11Sensitive' DESC 'Ke y is sensitive' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SIN GLE-VALUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.217 NAME 'replicaCFUpdated' DESC 'Nets cape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.6 NAME 'targetDn' DESC 'Changelog attr ibute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'Changelog Intern et Draft' 'user defined' ) ) attributeTypes: ( transId-oid NAME 'transId' DESC 'CMS defined attribute' SYNT AX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours' DESC 'Logon H ours' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE -VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.5.4.25 NAME 'internationalISDNNumber' EQUALITY numericStr ingMatch SUBSTR numericStringSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121. 
1.36 X-ORIGIN ( 'RFC 4519' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.998 NAME ( 'passwordGraceUserTime' 'pw dGraceUserTime' ) DESC 'Netscape defined password policy attribute type' SYNT AX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE USAGE directoryOperation X-ORIG IN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.7.3 NAME 'cmdCategory' DESC 'Additiona l classification for commands' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMa tch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-O RIGIN ( 'IPA v2' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113719.1.301.4.9.1 NAME 'krbMaxTicketLife' EQUAL ITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord' DESC 'host infor mation, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsM atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'IPA v4.2.0' 'user defin ed' ) ) attributeTypes: ( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'RFC 2307' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2225 NAME 'nsslapd-workingdir' DESC 'N etscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-V ALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 0.9.2342.19200300.100.1.11 NAME 'documentIdentifier' EQUALI TY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.1 15.121.1.15 X-ORIGIN ( 'RFC 4524' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.781 NAME 'mgrpAddHeader' DESC 'Netscap e Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.2 6 X-ORIGIN ( 'Netscape Messaging Server 4.x' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.65 NAME 'ntUserLogonServer' DESC 'Nets cape defined attribute type' SYNTAX 
) ) attributeTypes: ( publicKeyFormat-oid NAME 'publicKeyFormat' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( 2.16.840.1.113730.3.1.2202 NAME 'nsslapd-accesslog-logging-e nabled' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.12 1.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( classId-oid NAME 'classId' DESC 'Certificate profile class I D' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod' DESC 'I dentifies the types of authentication methods either used, required, or provi ded by a service or peer' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstring sMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'RFC4876' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.21.1.4 NAME 'ipaCaCategory' DESC 'Addi tional classification for CAs' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOr deringMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121. 
1.15 X-ORIGIN ( 'IPA v4.2' 'user defined' ) ) attributeTypes: ( 1.3.6.1.1.1.1.33 NAME 'automountInformation' DESC 'Automount information' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN ( 'RFC 2307bis' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.17.1.64 NAME 'ipk11SignRecover' DESC ' Key supports signatures where data can be recovered from the signature' EQUAL ITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113719.1.301.4.29.1 NAME 'krbAdmServers' EQUALIT Y distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( publishingStatus-oid NAME 'publishingStatus' DESC 'CMS defin ed attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( nsCertConfig-oid NAME 'nsCertConfig' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Cer tificate Management System' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.1 NAME 'carLicense' DESC 'vehicle lice nse or registration plate' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstrin gsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'RFC 2798' 'user defi ned' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.99 NAME ( 'passwordMinLength' 'pwdMinL ength' ) DESC 'Netscape defined password policy attribute type' SYNTAX 1.3.6. 
1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' ' user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.11.8 NAME 'ipaNTHomeDirectory' DESC 'U ser Home Directory Path' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrdering Match SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 S INGLE-VALUE X-ORIGIN ( 'IPA v3' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2249 NAME 'nsslapd-idletimeout' DESC ' Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE- VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.5.4.20 NAME 'telephoneNumber' EQUALITY telephoneNumberMat ch SUBSTR telephoneNumberSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 X-ORIGIN ( 'RFC 4519' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.7.6 NAME 'ipaSudoRunAs' DESC 'Referenc e to a user or group that the commands can be run as.' SUP memberUser EQUALIT Y distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'IPA v2' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2116 NAME 'dnaPrefix' DESC 'DNA string prefix for dna value' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-OR IGIN ( '389 Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2220 NAME 'nsslapd-minssf-exclude-root dse' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1 .15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 1.3.6.1.1.1.1.0 NAME 'uidNumber' DESC 'Standard LDAP attribu te type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'RFC 23 07' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2186 NAME 'nsslapd-auditlog-logrotatio ntime' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121 .1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 0.9.2342.19200300.100.1.12 NAME 'documentTitle' EQUALITY ca 
seIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.12 1.1.15 X-ORIGIN ( 'RFC 4524' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.60 NAME 'ntUserAuthFlags' DESC 'Netsca pe defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE X -ORIGIN ( 'Netscape NT Synchronization' 'user defined' ) ) attributeTypes: ( DomainManager-oid NAME 'DomainManager' SYNTAX 1.3.6.1.4.1.1 466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' ) attributeTypes: ( 2.16.840.1.113730.3.1.2290 NAME 'nsslapd-disk-monitoring-thr eshold' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.12 1.1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2076 NAME ( 'passwordMinAlphas' 'pwdMi nAlphas' ) DESC 'Netscape defined password policy attribute type' SYNTAX 1.3. 6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.2428.20.1.49 NAME 'DHCIDRecord' DESC 'Dynamic Ho st Configuration Protocol (DHCP) Information, RFC 4701' EQUALITY caseIgnoreIA 5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1. 
26 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113719.1.301.4.40.1 NAME 'krbTicketPolicyReferenc e' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SING LE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.406 NAME 'nsSynchUserIDFormat' DESC 'N etscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.74 NAME 'sambaFlatName' DESC 'NetBIOS n ame of a domain' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.1 5 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 1.3.18.0.2.4.1122 NAME 'printer-media-supported' DESC 'The s tandard names/types/sizes (and optional color suffixes) of the media supporte d by this printer.' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'rfc3712' 'user defined' ) ) attributeTypes: ( 2.5.21.5 NAME 'attributeTypes' EQUALITY objectIdentifierFir stComponentMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE directoryOperatio n X-ORIGIN ( 'RFC 4512' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.16.1.11 NAME 'ipatokenTOTPclockOffset' DESC 'TOTP clock offset' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.1 21.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA OTP' 'user defined' ) ) attributeTypes: ( nsAdminEnableEnduser-oid NAME 'nsAdminEnableEnduser' DESC 'N etscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Administration Services' 'user defined' ) ) attributeTypes: ( 1.3.6.1.1.1.1.26 NAME 'nisMapName' DESC 'Standard LDAP attri bute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'RFC 2307' 'user d efined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.5.17 NAME 'idnsPersistentSearch' DESC 'allow persistent searches' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115 .121.1.7 SINGLE-VALUE X-ORIGIN ( 'IPA v2' 'user defined' ) ) 
attributeTypes: ( 2.16.840.1.113730.3.1.2134 NAME 'nsds5ReplicaStripAttrs' DES C 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SING LE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.4 NAME 'eduPersonOrgUnitDN' DESC 'Org anizational Unit DN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'http:// middleware.internet2.edu/eduperson/' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.544 NAME 'nsParentUniqueId' DESC 'Nets cape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALU E X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.82 NAME 'cirBindDn' DESC 'Netscape def ined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'Netscap e Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.11.13 NAME 'ipaNTTrustDirection' DESC 'Direction of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121. 
1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 0.9.2342.19200300.100.1.60 NAME 'jpegPhoto' DESC 'a JPEG ima ge' SYNTAX 1.3.6.1.4.1.1466.115.121.1.28 X-ORIGIN ( 'RFC 2798' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.42.2.27.4.1.13 NAME 'javaClassNames' DESC 'Fully qualified Java class or interface name' EQUALITY caseExactMatch SYNTAX 1.3.6 .1.4.1.1466.115.121.1.15 X-ORIGIN ( 'RFC 2713' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2103 NAME 'autoMemberDisabled' DESC 'A uto Membership disabled attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGL E-VALUE X-ORIGIN ( '389 Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.809 NAME 'nsds5replicaLastInitStatus' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 S INGLE-VALUE NO-USER-MODIFICATION X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2084 NAME 'nsSymmetricKey' DESC 'A sym metric key - currently used by attribute encryption' SYNTAX 1.3.6.1.4.1.1466. 
115.121.1.40 SINGLE-VALUE X-ORIGIN ( 'attribute encryption' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.682 NAME 'nsds5ReplicaPurgeDelay' DESC 'Netscape defined attribute type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1 466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user de fined' ) ) attributeTypes: ( 0.9.2342.19200300.100.1.39 NAME 'homePostalAddress' EQUALIT Y caseIgnoreListMatch SUBSTR caseIgnoreListSubstringsMatch SYNTAX 1.3.6.1.4.1 .1466.115.121.1.41 X-ORIGIN ( 'RFC 4524' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.1.1.1.12 NAME 'nisDomain' DESC 'NIS domain' SYNT AX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'RFC2307bis' 'user defined' ) ) attributeTypes: ( requestInfo-oid NAME 'requestInfo' DESC 'CMS defined attribu te' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( 2.16.840.1.113730.3.8.20.2.1 NAME 'ipaReplTopoConfRoot' DESC 'IPA defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'FreeIPA' 'user defined' ) ) attributeTypes: ( keySize-oid NAME 'keySize' DESC 'CMS defined attribute' SYNT AX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( nsTLS1-oid NAME 'nsTLS1' DESC 'Netscape defined attribute ty pe' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2063 NAME 'nsEncryptionAlgorithm' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGL E-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.13769.3.4 NAME 'mozillaHomeState' SUP name EQUA LITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466 .115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Mozilla Address Book' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.11.31 NAME 'ipaSshPubKey' DESC 'SSH pu blic key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-OR IGIN ( 'IPA v3' 'user defined' ) ) attributeTypes: ( 
2.16.840.1.113730.3.1.2254 NAME 'nsslapd-pwpolicy-local' DES C 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SING LE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.5.4.13 NAME 'description' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'R FC 4519' 'user defined' ) ) attributeTypes: ( keyState-oid NAME 'keyState' DESC 'CMS defined attribute' SY NTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( tokenPolicy-oid NAME 'tokenPolicy' DESC 'CMS defined attribu te' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( 2.16.840.1.113730.3.1.14 NAME 'mailAutoReplyMode' DESC 'Nets cape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121. 1.15 X-ORIGIN ( 'Netscape Messaging Server 4.x' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2121 NAME 'dnaScope' DESC 'DNA base DN for finding entries' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORI GIN ( '389 Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.224 NAME 'nsslapd-pluginPath' DESC 'Ne tscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VA LUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.11.1.3.2.1.2 NAME 'acctPolicySubentry' DESC 'Acc ount policy pointer' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE USAGE directoryOperation X-ORIGIN ( 'Account Policy Plugin' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime' DESC 'Timestam p of last logon' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 S INGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2233 NAME 'nsslapd-ldapiuidnumbertype' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) 
attributeTypes: ( 2.16.840.1.113730.3.1.2191 NAME 'nsslapd-errorlog-logmaxdisk space' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121 .1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.579 NAME 'nsDS5ReplicaPort' DESC 'Nets cape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALU E X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.5.2 NAME 'idnsZoneActive' DESC 'define if the zone is considered in use' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1 466.115.121.1.7 SINGLE-VALUE X-ORIGIN ( 'IPA v2' 'user defined' ) ) attributeTypes: ( proofOfArchival-oid NAME 'proofOfArchival' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' ) attributeTypes: ( 1.2.840.113554.1.4.1.6.1 NAME 'krbCanonicalName' EQUALITY c aseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115. 121.1.26 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.610 NAME 'nsAccountLock' DESC 'Operati onal attribute for Account Inactivation' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE directoryOperation X-ORIGIN ( 'Netscape Directory Server' 'user define d' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.707 NAME 'vacationstartdate' DESC 'Net scape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121 .1.15 X-ORIGIN ( 'Netscape Messaging Server 4.x' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.580 NAME 'nsDS5ReplicaTransportInfo' D ESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SI NGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2168 NAME 'schemaUpdateAttributeReject ' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( metaInfo-oid NAME 
'metaInfo' DESC 'CMS defined attribute' SY NTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.11 5.121.1.26 X-ORIGIN ( 'SUDO' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.79 NAME 'sambaTrustPosixOffset' DESC 'P OSIX offset of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121 .1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( dateOfRevocation-oid NAME 'dateOfRevocation' DESC 'CMS defin ed attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( 1.3.18.0.2.4.1137 NAME 'printer-generated-natural-language-s upported' DESC 'Natural language(s) supported for this directory entry.' EQUA LITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466 .115.121.1.15 X-ORIGIN ( 'rfc3712' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.16.1.24 NAME 'ipatokenTOTPsyncWindow' DESC 'TOTP Sync Window (maximum synchronization variance in seconds)' EQUALIT Y integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( ' IPA OTP' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.1005 NAME 'nsds7DirsyncCookie' DESC 'N etscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VA LUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.530 NAME 'ntUserLogonHours' DESC 'Nets cape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE X-ORIGIN ( 'Netscape NT Synchronization' 'user defined' ) ) attributeTypes: ( 0.9.2342.19200300.100.1.24 NAME 'lastModifiedBy' DESC 'old v ariant of modifiersName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'RFC 1274' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.36 NAME 'nsLicensedFor' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 
X-ORIGIN ( 'Net scape Administration Services' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.5.22 NAME 'idnsSecKeyInactive' DESC 'D NSSEC key (planned) inactivation time' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VAL UE X-ORIGIN ( 'IPA v4.1' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.13769.2.2 NAME ( 'mozillaSecondEmail' 'xmozillas econdemail' ) EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatc h SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN ( 'Mozilla Addre ss Book' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.202 NAME 'replicaCredentials' DESC 'Ne tscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.3023 NAME 'nsViewFilter' DESC 'Netscap e defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Ne tscape Directory Server' 'user defined' ) ) attributeTypes: ( nsSSL2Ciphers-oid NAME 'nsSSL2Ciphers' DESC 'Netscape define d attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape' 'user defined' ) ) attributeTypes: ( nsServerAddress-oid NAME 'nsServerAddress' DESC 'Netscape de fined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netsca pe' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.5322.21.2.2 NAME 'krbPwdFailureCountInterval' E QUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIG IN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.91 NAME 'passwordExpirationTime' DESC 'Netscape defined password policy attribute type' SYNTAX 1.3.6.1.4.1.1466.115 .121.1.24 SINGLE-VALUE USAGE directoryOperation X-ORIGIN ( 'Netscape Director y Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2241 NAME 'nsslapd-errorlog' DESC 'Net scape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VAL UE X-ORIGIN ( 
'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( nsProductName-oid NAME 'nsProductName' DESC 'Netscape define d attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape' 'user defined' ) ) attributeTypes: ( 2.5.4.38 NAME 'authorityRevocationList' DESC 'X.509 authorit y revocation list' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121. 1.40 X-ORIGIN ( 'RFC 4523' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2027 NAME 'nsruvReplicaLastModified' D ESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X- ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2097 NAME 'autoMemberScope' DESC 'Auto Membership scope criteria' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN ( '389 Directory Server' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' DESC 'Timesta mp of the last password update' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466 .115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.695 NAME 'inetSubscriberChallenge' DES C 'Used to confirm subscriberIdentity. 
This attribute holds the challenge ph rase and is used in conjunction with the inetSubscriberResponse' SYNTAX 1.3.6 .1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN ( 'Netscape subscriber interop erability' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113719.1.301.4.49.1 NAME 'krbLastFailedAuth' EQU ALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2218 NAME 'nsslapd-localssf' DESC 'Net scape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VAL UE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 1.3.18.0.2.4.1115 NAME 'printer-stacking-order-supported' DE SC 'The possible stacking order of pages as they are printed and ejected from this printer.' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'rfc3712' 'user defined' ) ) attributeTypes: ( 1.2.840.113556.1.4.479 NAME 'calFBURL' DESC 'RFC2739: URI to the users default freebusy data' EQUALITY caseIgnoreIA5Match SUBSTR caseIgno reIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'rfc2739 ' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113719.1.301.4.15.1 NAME 'krbLdapServers' EQUALI TY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v4.2. 
0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2307 NAME 'nsslapd-allow-hashed-passwo rds' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1 .15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.58 NAME 'replicaBindDn' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'Net scape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.605 NAME 'entryid' DESC 'internal serv er defined attribute type' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.1 15.121.1.15 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation X-ORIG IN 'user defined' ) attributeTypes: ( 2.16.840.1.113730.3.1.2288 NAME 'nsslapd-defaultnamingcontex t' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.1 2 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.13769.3.9 NAME 'mozillaWorkUrl' EQUALITY caseIg noreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Mozil la Address Book' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2155 NAME 'nsds5ReplicaBackoffMax' DES C 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SING LE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.11.42 NAME 'ipaPermDefaultAttr' DESC ' IPA permission default attribute' EQUALITY caseIgnoreMatch ORDERING caseIgnor eOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v4.0' 'us er defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2267 NAME 'nsslapd-certmap-basedn' DES C 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SING LE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.525 NAME 'ntUserWorkstations' DESC 'Ne tscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VA LUE X-ORIGIN 
( 'Netscape NT Synchronization' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.100 NAME 'passwordKeepHistory' DESC 'N etscape defined password policy attribute type' SYNTAX 1.3.6.1.4.1.1466.115.1 21.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.23 NAME 'mgrpAllowedDomain' DESC 'Nets cape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121. 1.15 X-ORIGIN ( 'Netscape Messaging Server 4.x' 'user defined' ) ) attributeTypes: ( 1.2.840.113556.1.4.480 NAME 'calCAPURI' DESC 'RFC2739: URI u sed to communicate with the users calendar' EQUALITY caseIgnoreIA5Match SUBST R caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'rfc2739' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.17.1.41 NAME 'ipk11KeyType' DESC 'Key type' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VA LUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) ) attributeTypes: ( profileID-oid NAME 'profileID' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( 2.16.840.1.113730.3.1.237 NAME 'nsSNMPMasterHost' DESC 'Nets cape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALU E X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( nsDefaultAcceptLanguage-oid NAME 'nsDefaultAcceptLanguage' D ESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X- ORIGIN ( 'Netscape' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113719.1.301.4.6.1 NAME 'krbPrincipalExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VA LUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( requestOwner-oid NAME 'requestOwner' DESC 'CMS defined attri bute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( 1.3.6.1.4.1.35157.1.1.1.7 NAME 'umAcstat' DESC 'account stat us' EQUALITY caseIgnoreMatch SUBSTR 
caseIgnoreSubstringsMatch SYNTAX 1.3.6.1. 4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( 2.16.840.1.113730.3.1.593 NAME 'nsSNMPName' DESC 'Netscape d efined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netsc ape Directory Server' 'user defined' ) ) attributeTypes: ( nextRange-oid NAME 'nextRange' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( 2.16.840.1.113730.3.8.3.17 NAME 'hostCApolicy' DESC 'Policy on how to treat host requests for cert operations.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3. 6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v2' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.11.60 NAME 'ipaKeyExtUsage' DESC 'Allo wed extended key usage' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.146 6.115.121.1.38 X-ORIGIN ( 'IPA v4.1' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2205 NAME 'nsslapd-auditlog-logging-hi de-unhashed-pw' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.146 6.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defi ned' ) ) attributeTypes: ( 1.3.18.0.2.4.1108 NAME 'printer-aliases' DESC 'List of site- specific administrative names of this printer in addition to the value specif ied for printer-name.' 
missing include or exclude suffixes' SYNTAX 1.3.6.1.4.1.1466.115.1 21.1.15 SINGLE-VALUE X-ORIGIN ( 'Red Hat Directory Server' 'user defined' ) ) attributeTypes: ( 2.5.4.9 NAME ( 'street' 'streetaddress' ) EQUALITY caseIgno reMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'RFC 4519' 'user defined' ) X-DEPRECATED 'streetaddress' ) attributeTypes: ( 1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord' DESC 'RRSIG, RFC 3755' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113719.1.301.4.28.1 NAME 'krbPrincNamingAttr' EQ UALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-OR IGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2150 NAME 'rootdn-deny-ip' DESC 'Netsc ape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( ' Netscape Directory Server' 'user defined' ) ) attributeTypes: ( nsGroupRDNComponent-oid NAME 'nsGroupRDNComponent' DESC 'Net scape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Administration Services' 'user defined' ) ) attributeTypes: ( algorithm-oid NAME 'algorithm' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( 2.16.840.1.113730.3.8.11.47 NAME 'ipaPermRight' DESC 'IPA pe rmission rights' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.1 5 X-ORIGIN ( 'IPA v4.0' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge' DESC 'Maximum password age, in seconds (default: -1 => never expire passwords)' EQUALITY in tegerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2262 NAME 'nsslapd-maxbersize' DESC 'N etscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-V ALUE X-ORIGIN ( 'Netscape 
Directory Server' 'user defined' ) ) attributeTypes: ( 2.5.4.19 NAME 'physicalDeliveryOfficeName' EQUALITY caseIgn oreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.1 5 X-ORIGIN ( 'RFC 4519' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.528 NAME 'ntUserAcctExpires' DESC 'Net scape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VAL UE X-ORIGIN ( 'Netscape NT Synchronization' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.103 NAME ( 'passwordCheckSyntax' 'pwdC heckSyntax' ) DESC 'Netscape defined password policy attribute type' SYNTAX 1 .3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Serv er' 'user defined' ) ) attributeTypes: ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup' DESC 'Standard LDA P attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'RFC 2307' 'user defined' ) ) attributeTypes: ( 1.2.840.113556.1.4.483 NAME 'calOtherFBURLs' DESC 'RFC2739: multi-value URI for other free/busy data' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'rfc2739' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.17.1.44 NAME 'ipk11AllowedMechanisms' DESC 'Space-separated list of mechanisms allowed to be used with this key' EQ UALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.14 66.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2239 NAME 'nsslapd-SSL3ciphers' DESC ' Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE- VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( issuerName-oid NAME 'issuerName' DESC 'CMS defined attribute ' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( 2.16.840.1.113730.3.1.79 NAME 'cirReplicaRoot' DESC 'Netscap e defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'Ne tscape Directory 
Server' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.35157.1.1.1.4 NAME 'accountState' DESC 'Account state' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6 .1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' ) attributeTypes: ( nsProductVersion-oid NAME 'nsProductVersion' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Nets cape' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.241 NAME 'displayName' DESC 'preferred name of a person to be used when displaying entries' EQUALITY caseIgnoreMatc h SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGL E-VALUE X-ORIGIN ( 'RFC 2798' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.18.2.1 NAME 'ipaVaultType' DESC 'IPA v ault type' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORI GIN ( 'IPA v4.2' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2176 NAME 'nsslapd-errorlog-logrotatio nsync-enabled' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466 .115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defin ed' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.3.1 NAME 'ipaUniqueID' DESC 'Unique id entifier' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1. 
3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v2' 'user defined' ) ) attributeTypes: ( endRange-oid NAME 'endRange' DESC 'CMS defined attribute' SY NTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( 2.16.840.1.113730.3.8.3.12 NAME 'sourceHostCategory' DESC 'A dditional classification for hosts' EQUALITY caseIgnoreMatch ORDERING caseIgn oreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115 .121.1.15 X-ORIGIN ( 'IPA v2' 'user defined' ) ) attributeTypes: ( crlCache-oid NAME 'crlCache' DESC 'CMS defined attribute' SY NTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' ) attributeTypes: ( 2.16.840.1.113730.3.8.11.65 NAME 'ipaWrappingMech' DESC 'PKC S#11 wrapping mechanism equivalent to CK_MECHANISM_TYPE' EQUALITY caseIgnoreM atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113719.1.301.4.43.1 NAME 'krbSupportedEncSaltType s' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2200 NAME 'nsslapd-errorlog-logexpirat iontimeunit' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.1 15.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined ' ) ) attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.0 NAME 'defaultServerList' DESC 'List of default servers' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatc h SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'RFC4876' 'use r defined' ) ) attributeTypes: ( 1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'automount Map Name' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE -VALUE X-ORIGIN ( 'RFC 2307bis' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.40 NAME 'userSMIMECertificate' DESC 's igned message used to support S/MIME' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-O RIGIN ( 'RFC 2798' 'user defined' ) ) attributeTypes: ( 
2.16.840.1.113730.3.8.5.28 NAME 'idnsSecKeyRef' DESC 'PKCS#1 1 URI of the key' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.1 5 SINGLE-VALUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) ) attributeTypes: ( nsSecureServerPort-oid NAME 'nsSecureServerPort' DESC 'Netsc ape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( ' Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.17.1.66 NAME 'ipk11Extractable' DESC ' Key is extractable and can be wrapped' EQUALITY booleanMatch SYNTAX 1.3.6.1.4 .1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.218 NAME 'replicaAbandonedChanges' DES C 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-OR IGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.2428.20.1.29 NAME 'LocRecord' DESC 'Location, RF C 1876' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTA X 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( usertype-oid NAME 'usertype' DESC 'Distinguish whether the u ser is administrator, agent or subsystem.' SYNTAX 1.3.6.1.4.1.1466.115.121.1. 
15 X-ORIGIN 'user defined' ) attributeTypes: ( 2.16.840.1.113730.3.1.7 NAME 'changeType' DESC 'Changelog at tribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Changelog Inte rnet Draft' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' DESC 'Co ncatenated MD5 hashes of the salted NT passwords used on this account' EQUALI TY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'IPA v4 .2.0' 'user defined' ) ) attributeTypes: ( 2.5.4.26 NAME 'registeredAddress' SUP postalAddress EQUALIT Y caseIgnoreListMatch SUBSTR caseIgnoreListSubstringsMatch SYNTAX 1.3.6.1.4.1 .1466.115.121.1.41 X-ORIGIN ( 'RFC 4519' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.999 NAME ( 'passwordGraceLimit' 'pwdGr aceLoginLimit' ) DESC 'Netscape defined password policy attribute type' SYNTA X 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory S erver' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.7.4 NAME 'externalUser' DESC 'Multival ue string attribute that allows storing user names.' 
EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1 .1466.115.121.1.15 X-ORIGIN ( 'IPA v2' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2114 NAME 'internalCreatorsName' DESC 'plugin dn' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFIC ATION USAGE directoryOperation X-ORIGIN ( '389 Directory Server' 'user define d' ) ) attributeTypes: ( nsBindPassword-oid NAME 'nsBindPassword' DESC 'Netscape defi ned attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape ' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.812 NAME 'netscapeReversiblePassword' DESC 'password for HTTP Digest/MD5 authentication' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN ( 'Netscape Web Server' 'user d efined' ) ) attributeTypes: ( 1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord' DESC 'domain name pointer, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substrings Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'IPA v4.2.0' 'user defi ned' ) ) attributeTypes: ( 1.3.6.1.1.1.1.6 NAME 'shadowMin' DESC 'Standard LDAP attribu te type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'RFC 23 07' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2226 NAME 'nsslapd-listenhost' DESC 'N etscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-V ALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2184 NAME 'nsslapd-accesslog-logrotati ontime' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.12 1.1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 0.9.2342.19200300.100.1.10 NAME 'manager' EQUALITY distingu ishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'RFC 4524' 'us er defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.62 NAME 'ntUserParms' DESC 'Netscape d efined attribute type' SYNTAX 
1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-OR IGIN ( 'Netscape NT Synchronization' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2296 NAME 'nsslapd-ignore-virtual-attr s' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.1 5 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2074 NAME 'pamService' DESC 'Service n ame to pass to pam_start' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X -ORIGIN ( 'Red Hat Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113719.1.301.4.26.1 NAME 'krbPrincipalReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIG IN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.17.1.1 NAME 'ipk11UniqueId' DESC 'Mean ingless unique identifier' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.1 15.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2163 NAME 'winSyncWindowsFilter' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE -VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.13769.4.4 NAME 'mozillaCustom4' EQUALITY caseIg noreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1. 15 SINGLE-VALUE X-ORIGIN ( 'Mozilla Address Book' 'user defined' ) ) attributeTypes: ( resourceACLS-oid NAME 'resourceACLS' DESC 'CMS defined attri bute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.72 NAME 'sambaTrustDirection' DESC 'Dir ection of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.11.58 NAME 'ipaKeyTrust' DESC 'Key tru st (unknown, trusted, distrusted)' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4. 
1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) ) attributeTypes: ( 1.3.18.0.2.4.1120 NAME 'printer-print-quality-supported' DES C 'List of print qualities supported for printing documents on this printer.' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'rf c3712' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.16.1.13 NAME 'ipatokenOwner' DESC 'Use r entry that owns this token' SUP distinguishedName EQUALITY distinguishedNam eMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN ( 'IPA OTP' 'user defined' ) ) attributeTypes: ( 1.3.6.1.1.1.1.24 NAME 'bootFile' DESC 'Standard LDAP attribu te type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'RFC 2307' 'user def ined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.5.15 NAME 'idnsForwarders' DESC 'list of forwarders' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatc h SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'IPA v2' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.2 NAME 'eduPersonNickName' DESC 'Nick Name' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'http://middleware.inte rnet2.edu/eduperson/' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.542 NAME 'nsUniqueId' DESC 'Netscape d efined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE NO-U SER-MODIFICATION USAGE directoryOperation X-ORIGIN ( 'Netscape Directory Serv er' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.84 NAME 'cirUseSsl' DESC 'Netscape def ined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscap e Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.11.11 NAME 'ipaNTTrustType' DESC 'Type of trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE- VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( expiredCerts-oid NAME 'expiredCerts' DESC 'CMS defined attri bute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' ) 
attributeTypes: ( nsServerID-oid NAME 'nsServerID' DESC 'Netscape defined attr ibute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.254 NAME 'nsValueHelpURL' DESC 'Netsca pe defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'N etscape servers - value item' 'user defined' ) ) attributeTypes: ( 2.5.4.33 NAME 'roleOccupant' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'RFC 4519' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.10 NAME 'credentialLevel' DESC 'Ident ifies type of credentials either used, required, or supported by an agent or service' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SIN GLE-VALUE X-ORIGIN ( 'RFC4876' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2101 NAME 'autoMemberDefaultGroup' DES C 'Auto Membership default group' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIG IN ( '389 Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.17.1.12 NAME 'ipk11Modifiable' DESC 'C an be modified by application' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466. 
115.121.1.7 SINGLE-VALUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.807 NAME 'nsds5replicaLastInitStart' D ESC 'Netscape defined attribute type' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALU E NO-USER-MODIFICATION X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113719.1.301.4.31.1 NAME 'krbMinPwdLife' EQUALIT Y integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( ' IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2213 NAME 'nsslapd-userat' DESC 'Netsc ape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.20.2.7 NAME 'ipaReplTopoManagedAgreeme ntState' DESC 'IPA defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1. 15 X-ORIGIN ( 'FreeIPA' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.80 NAME 'sambaSupportedEncryptionTypes' DESC 'Supported encryption types of a trust' EQUALITY integerMatch SYNTAX 1. 
3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user define d' ) ) attributeTypes: ( 0.9.2342.19200300.100.1.8 NAME 'userClass' EQUALITY caseIgn oreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.1 5 X-ORIGIN ( 'RFC 4524' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2283 NAME 'nsslapd-SSLclientAuth' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGL E-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.5.4.1 NAME 'aliasedObjectName' EQUALITY distinguishedName Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN ( 'RFC 4512' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.13769.3.2 NAME 'mozillaHomeStreet2' EQUALITY ca seIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.12 1.1.15 SINGLE-VALUE X-ORIGIN ( 'Mozilla Address Book' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2148 NAME 'rootdn-deny-host' DESC 'Net scape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength' DESC 'L ength of Password History Entries (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'us er defined' ) ) attributeTypes: ( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' ) SUP name EQ UALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.14 66.115.121.1.15 X-ORIGIN ( 'RFC 4519' 'user defined' ) X-DEPRECATED 'organiza tionalUnitName' ) attributeTypes: ( 0.9.2342.19200300.100.1.44 NAME 'uniqueIdentifier' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115 .121.1.15 X-ORIGIN ( 'RFC 4524' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.16 NAME 'mailDeliveryOption' DESC 'Net scape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121 .1.15 X-ORIGIN ( 
'Netscape Messaging Server 4.x' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2127 NAME 'dnaPortNum' DESC 'DNA port number of replica to get new range of values' SYNTAX 1.3.6.1.4.1.1466.115.121 .1.27 SINGLE-VALUE X-ORIGIN ( '389 Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.222 NAME ( 'passwordMinAge' 'pwdMinAge ' ) DESC 'Netscape defined password policy attribute type' SYNTAX 1.3.6.1.4.1 .1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113719.1.1.4.1.35 NAME 'lastLoginTime' DESC 'Last login time' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE USAGE director yOperation X-ORIGIN ( 'Account Policy Plugin' 'user defined' ) ) attributeTypes: ( SecurePort-oid NAME 'SecurePort' SYNTAX 1.3.6.1.4.1.1466.11 5.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) attributeTypes: ( 2.16.840.1.113730.3.1.2231 NAME 'nsslapd-ldapimaprootdn' DES C 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SING LE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2197 NAME 'nsslapd-errorlog-logexpirat iontime' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.1 21.1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.577 NAME 'cosIndirectSpecifier' DESC ' Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE- VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.5.0 NAME 'idnsName' DESC 'DNS FQDN' EQ UALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1. 
4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN ( 'IPA v2' 'user defined' ) ) attributeTypes: ( 5.3.6.1.1.1.1.1 NAME 'accessTo' DESC 'Access to which server s user is allowed' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substrings Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'nss_ldap/pam_ldap' 'us er defined' ) ) attributeTypes: ( 2.16.840.1.113719.1.301.4.48.1 NAME 'krbLastSuccessfulAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VA LUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.71 NAME 'serverProductName' DESC 'Nets cape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Administration Services' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.249 NAME 'nsValueType' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Nets cape servers - value item' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113719.1.301.4.14.1 NAME 'krbRealmReferences' EQ UALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.3.9 NAME 'ipaEnabledFlag' DESC 'The fl ag to show if the association is active or should be ignored' EQUALITY boolea nMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN ( 'IPA v2' ' user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) f ollowed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1 .26 X-ORIGIN ( 'SUDO' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2278 NAME 'nsslapd-certdir' DESC 'Nets cape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALU E X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 1.3.18.0.2.4.1135 NAME 'printer-name' DESC 'The site-specifi c administrative name of this printer.' 
EQUALITY caseIgnoreMatch SUBSTR caseI gnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIG IN ( 'rfc3712' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.16.1.26 NAME 'ipatokenHOTPsyncWindow' DESC 'HOTP Sync Window (maximum synchronization skip-ahead)' EQUALITY integer Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA OTP' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.21.1.2 NAME 'ipaMemberCa' DESC 'Refere nce to a CA member' SUP distinguishedName EQUALITY distinguishedNameMatch SYN TAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'IPA v4.2' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.38 NAME 'nsLicenseEndTime' DESC 'Netsc ape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( ' Netscape Administration Services' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.5.20 NAME 'idnsSecKeyPublish' DESC 'DN SSEC key (planned) publication time' EQUALITY generalizedTimeMatch ORDERING g eneralizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.200 NAME 'changeLogMaximumAge' DESC 'N etscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.5.18.3 NAME 'creatorsName' EQUALITY distinguishedNameMatc h SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAG E directoryOperation X-ORIGIN ( 'RFC 4512' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.93 NAME 'passwordRetryCount' DESC 'Net scape defined password policy attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121 .1.15 SINGLE-VALUE USAGE directoryOperation X-ORIGIN ( 'Netscape Directory Se rver' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.11.6 NAME 'ipaNTLogonScript' DESC 'Use r Logon Script Name' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatc h SUBSTR caseIgnoreSubstringsMatch 
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGL E-VALUE X-ORIGIN ( 'IPA v3' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.11.22 NAME 'ipaAllowedTarget' DESC 'Ta rget principals alowed to get a ticket for' SUP distinguishedName EQUALITY di stinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'IPA-v3' 'user defined' ) ) attributeTypes: ( requestSourceId-oid NAME 'requestSourceId' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( 2.16.840.1.113730.3.1.2247 NAME 'nsslapd-conntablesize' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGL E-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.1.12 NAME 'ipaGroupObjectClasses' SYN TAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( crlSize-oid NAME 'crlSize' DESC 'CMS defined attribute' SYNT AX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( 2.16.840.1.113730.3.8.17.1.21 NAME 'ipk11Distrusted' DESC 'M ust not be trusted by application' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1 466.115.121.1.7 SINGLE-VALUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) ) attributeTypes: ( nsSuiteSpotUser-oid NAME 'nsSuiteSpotUser' DESC 'Netscape de fined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netsca pe' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2095 NAME 'connection' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Nets cape' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.693 NAME 'inetUserHttpURL' DESC 'A use rs Web addresses' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'Netscape s ubscriber interoperability' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC 'MD4 has h of the unicode password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.146 6.115.121.1.26 SINGLE-VALUE X-ORIGIN ( 
'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 1.3.18.0.2.4.1113 NAME 'printer-service-person' DESC 'The id entity of the current human service person responsible for servicing this pri nter.' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6 .1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'rfc3712' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2305 NAME 'nsslapd-moddn-aci' DESC 'Ne tscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VA LUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.603 NAME 'dncomp' DESC 'internal serve r defined attribute type' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1. 1466.115.121.1.12 NO-USER-MODIFICATION USAGE directoryOperation X-ORIGIN 'use r defined' ) attributeTypes: ( revokedOn-oid NAME 'revokedOn' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( 1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord' DESC 'Delegation Si gner, RFC 3658' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMat ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'IPA v4.2.0' 'user defined ' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.1099 NAME 'winSyncInterval' DESC 'Nets cape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALU E X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( nsBaseDN-oid NAME 'nsBaseDN' DESC 'Netscape defined attribut e type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'Netscape' 'user defi ned' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.11.40 NAME 'ipaUserAuthType' DESC 'All owed authentication methods' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466 .115.121.1.15 X-ORIGIN ( 'IPA v3' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2265 NAME 'nsslapd-versionstring' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGL E-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user 
defined' ) ) attributeTypes: ( 1.3.18.0.2.4.1128 NAME 'printer-compression-supported' DESC 'Compression algorithms supported by this printer.' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGI N ( 'rfc3712' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.523 NAME 'ntUserFlags' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE X-OR IGIN ( 'Netscape NT Synchronization' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.25 NAME 'mgrpDeliverTo' DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'Netscape Messaging Server 4.x' 'user defined' ) ) attributeTypes: ( nsExecRef-oid NAME 'nsExecRef' DESC 'Netscape defined attrib ute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape' 'user de fined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2132 NAME 'nsds5ReplicaEnabled' DESC ' Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE- VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.17.1.43 NAME 'ipk11KeyGenMechanism' DE SC 'Mechanism used to generate this key' EQUALITY caseIgnoreMatch SYNTAX 1.3. 
6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.235 NAME 'nsSNMPContact' DESC 'Netscap e defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Ne tscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113719.1.301.4.46.1 NAME 'krbMKey' EQUALITY octe tStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN ( 'IPA v4.2.0' 'us er defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.11.19 NAME 'ipaNTSupportedEncryptionTy pes' DESC 'Supported encryption types of a trust' EQUALITY integerMatch SYNTA X 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user de fined' ) ) attributeTypes: ( 1.3.6.1.4.1.35157.1.1.1.9 NAME 'umGeneric2' DESC 'Class as p er Idm' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3. 6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( 2.16.840.1.113730.3.1.2179 NAME 'nsslapd-errorlog-logrotatio nsynchour' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115 .121.1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.591 NAME 'nsDS5ReplicaReferral' DESC ' Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGI N ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2082 NAME ( 'passwordMinCategories' 'p wdMinCategories' ) DESC 'Netscape defined password policy attribute type' SYN TAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.3.15 NAME 'nisDomainName' DESC 'NIS do main name.' 
EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IP A v2' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.688 NAME 'nsds5replicaLastUpdateStatus ' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE NO-USER-MODIFICATION X-ORIGIN ( 'Netscape Directory Server' 'us er defined' ) ) attributeTypes: ( 0.9.2342.19200300.100.1.37 NAME 'associatedDomain' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.14 66.115.121.1.26 X-ORIGIN ( 'RFC 4524' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.1.5 NAME 'ipaCustomFields' EQUALITY c aseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v4.2.0' ' user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.213 NAME 'vlvEnabled' DESC 'Netscape d efined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN ( 'Netsc ape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2140 NAME 'passwordTrackUpdateTime' DE SC 'Netscape defined password policy attribute type' SYNTAX 1.3.6.1.4.1.1466. 
115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user define d' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.11.37 NAME 'ipaKrbAuthzData' DESC 'typ e of PAC preferred by a service' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1 466.115.121.1.15 X-ORIGIN ( 'IPA v3' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList' DESC 'Security I D List' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-OR IGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2252 NAME 'nsslapd-groupevalnestlevel' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113719.1.301.4.51.1 NAME 'krbExtraData' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN ( 'IPA v4.2.0 ' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations' DESC 'L ist of user workstations the user is allowed to logon to' EQUALITY caseIgnore Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2. 
0' 'user defined' ) ) attributeTypes: ( 1.3.6.1.1.1.1.9 NAME 'shadowInactive' DESC 'Standard LDAP at tribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'R FC 2307' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.12.33 NAME 'ipaAssignedIDView' DESC 'D N of view assigned to this particular host' SUP distinguishedName EQUALITY di stinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIG IN ( 'IPA v4' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2229 NAME 'nsslapd-ldapilisten' DESC ' Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE- VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.5.4.40 NAME 'crossCertificatePair' DESC 'X.509 cross certi ficate pair' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X -ORIGIN ( 'RFC 4523' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.7.10 NAME 'ipaSudoRunAsExtGroup' DESC 'Multivalue string attribute that allows storing group name the command can b e run as' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnore SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v2' 'use r defined' ) ) attributeTypes: ( 0.9.2342.19200300.100.1.15 NAME 'documentLocation' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115 .121.1.15 X-ORIGIN ( 'RFC 4524' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.5.8 NAME 'idnsSOAexpire' DESC 'SOA exp ire value' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SY NTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN ( 'IPA v2' 'user def ined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2310 NAME 'nsds5ReplicaFlowControlWind ow' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1. 
27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.69 NAME 'subtreeACI' DESC 'Netscape de fined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'Netsca pe Directory Server 1.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2299 NAME 'nsslapd-connection-buffer' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 S INGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( revokedBy-oid NAME 'revokedBy' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( 2.16.840.1.113730.3.1.2166 NAME 'schemaUpdateObjectclassReje ct' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1. 15 X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.586 NAME 'nsDS5ReplicaUpdateSchedule' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X -ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.13769.4.1 NAME 'mozillaCustom1' EQUALITY caseIg noreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1. 
15 SINGLE-VALUE X-ORIGIN ( 'Mozilla Address Book' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.11.55 NAME 'ipaSecretKey' DESC 'Encryp ted secret key data' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.12 1.1.40 SINGLE-VALUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2270 NAME 'nsslapd-auditlog-list' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORI GIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.1003 NAME 'nsds7NewWinGroupSyncEnabled ' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.536 NAME 'ntGroupAttributes' DESC 'Net scape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALU E X-ORIGIN ( 'Netscape NT Synchronization' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.111 NAME 'ntUniqueId' DESC 'Netscape d efined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-OR IGIN ( 'Netscape NT Synchronization' 'user defined' ) ) attributeTypes: ( 1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'RFC 2307' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.30 NAME 'mgrpRFC822MailMember' DESC 'N etscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.1 21.1.15 X-ORIGIN ( 'Netscape Messaging Server 4.x' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.5.18 NAME 'idnsSecInlineSigning' DESC 'allow inline DNSSEC signing' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.1 15.121.1.7 SINGLE-VALUE X-ORIGIN ( 'IPA v4.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.208 NAME 'vlvScope' DESC 'Netscape def ined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN ( 'Netscap e Directory Server' 'user defined' ) ) 
attributeTypes: ( 1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord' DESC 'Non-Termin al DNS Name Redirection, RFC 2672' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORI GIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( privateKeyData-oid NAME 'privateKeyData' DESC 'CMS defined a ttribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'user defined' ) attributeTypes: ( 2.16.840.1.113719.1.301.4.34.1 NAME 'krbPwdHistoryLength' E QUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIG IN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( nsNickName-oid NAME 'nsNickName' DESC 'Netscape defined attr ibute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption' DESC 'An i nteger option' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SIN GLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.5.4.36 NAME 'userCertificate' DESC 'X.509 user certificate ' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN ( ' RFC 4523' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2104 NAME 'nsslapd-pluginConfigArea' D ESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SI NGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.15 NAME 'serviceAuthenticationMethod' DESC 'Specifies types authentication methods either used, required, or suppo rted by a particular service' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubst ringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'RFC4876' 'user de fined' ) ) attributeTypes: ( 1.3.6.1.4.1.6981.11.3.3 NAME 'FTPUploadRatio' DESC 'Ratio (c ompared with FTPRatioDown) for uploaded files' EQUALITY integerMatch SYNTAX 1 .3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'Pure-FTPd' 'user define d' ) ) attributeTypes: ( 
1.3.6.1.1.5 NAME 'vendorVersion' EQUALITY 1.3.6.1.4.1.1466. 109.114.1 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE NO-USER-MODIFICAT ION USAGE dSAOperation X-ORIGIN ( 'RFC 3045' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.17.1.19 NAME 'ipk11EndDate' DESC 'Vali dity end date' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrdering Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.802 NAME 'nsds5ReplicaLegacyConsumer' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 S INGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.3.20 NAME 'memberService' DESC 'Refere nce to the pam service of this operation.' SUP distinguishedName EQUALITY dis tinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'IPA v2' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2216 NAME 'nsslapd-require-secure-bind s' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.1 5 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( nsKeyfile-oid NAME 'nsKeyfile' DESC 'Netscape defined attrib ute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape' 'user de fined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.52 NAME 'replicaUpdateSchedule' DESC ' Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGI N ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 0.9.2342.19200300.100.1.7 NAME 'photo' SYNTAX 1.3.6.1.4.1.1 466.115.121.1.23 X-ORIGIN ( 'RFC 1274' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.17.1.70 NAME 'ipk11UnwrapTemplate' DES C 'DN of template to apply to keys unwrapped using this key' EQUALITY disting uishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2286 NAME 
'nsslapd-outbound-ldap-io-ti meout' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121 .1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.5.4.6 NAME ( 'c' 'countryName' ) SUP name EQUALITY caseIg noreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1. 11 SINGLE-VALUE X-ORIGIN ( 'RFC 4519' 'user defined' ) X-DEPRECATED 'countryN ame' ) attributeTypes: ( 2.16.840.1.113730.3.1.2064 NAME 'nsSaslMapRegexString' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE -VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2153 NAME ( 'passwordAdminDN' 'pwdAdmi nDN' ) DESC 'Netscape defined password policy attribute type' SYNTAX 1.3.6.1. 4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'us er defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.11.48 NAME 'ipaPermTargetFilter' DESC 'IPA permission target filter' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.14 66.115.121.1.15 X-ORIGIN ( 'IPA v4.0' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge' DESC 'Minimum password age, in seconds (default: 0 => allow immediate password change)' EQU ALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( version-oid NAME 'version' DESC 'CMS defined attribute' SYNT AX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( 2.5.4.14 NAME 'searchGuide' SYNTAX 1.3.6.1.4.1.1466.115.121 .1.25 X-ORIGIN ( 'RFC 4519' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.106 NAME ( 'passwordMaxFailure' 'pwdMa xFailure' ) DESC 'Netscape defined password policy attribute type' SYNTAX 1.3 .6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server ' 'user defined' ) ) attributeTypes: ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple' DESC 'Standard LDA P attribute type' 
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'RFC 2307' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2234 NAME 'nsslapd-ldapigidnumbertype' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.572 NAME 'nsTimeLimit' DESC 'Binder-ba sed search operation time limit (seconds)' SYNTAX 1.3.6.1.4.1.1466.115.121.1. 27 SINGLE-VALUE USAGE directoryOperation X-ORIGIN ( 'Netscape Directory Serve r' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.74 NAME 'administratorContactInfo' DES C 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-OR IGIN ( 'Netscape Administration Services' 'user defined' ) ) attributeTypes: ( nsClassname-oid NAME 'nsClassname' DESC 'Netscape defined at tribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape' 'use r defined' ) ) attributeTypes: ( 1.3.6.1.4.1.35157.1.1.1.1 NAME 'isPubliclyViewable' DESC 'Is the entry available to White Pages' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1 .1466.115.121.1.7 X-ORIGIN 'user defined' ) attributeTypes: ( 2.16.840.1.113730.3.1.244 NAME 'nsValueCES' DESC 'Netscape d efined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'Netsc ape servers - value item' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService' DESC 'IANA GSS-API authorized service name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1. 1466.115.121.1.15 X-ORIGIN ( 'NSS LDAP schema' 'user defined' ) ) attributeTypes: ( allowWeakCipher-oid NAME 'allowWeakCipher' DESC 'Netscape de fined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netsca pe' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2171 NAME 'nsslapd-accesslog-maxlogspe rdir' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121. 
1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.3.4 NAME 'fqdn' DESC 'FQDN' EQUALITY c aseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMa tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v2' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2203 NAME 'nsslapd-errorlog-logging-en abled' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121 .1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.7 NAME 'profileTTL' DESC 'Time to liv e, in seconds, before a profile is considered stale' EQUALITY integerMatch OR DERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'RFC4876' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.21.1.5 NAME 'ipaCertProfileCategory' D ESC 'Additional classification for certificate profiles' EQUALITY caseIgnoreM atch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v4.2' 'user defined' ) ) attributeTypes: ( 1.3.6.1.1.1.1.32 NAME 'automountKey' DESC 'Automount Key val ue' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VA LUE X-ORIGIN ( 'RFC 2307bis' 'user defined' ) ) attributeTypes: ( nsDeleteclassname-oid NAME 'nsDeleteclassname' DESC 'Netscap e defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Ne tscape Administration Services' 'user defined' ) ) attributeTypes: ( nsmsgNumMsgQuota-oid NAME 'nsmsgNumMsgQuota' DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Messaging Server 4.x' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.17.1.65 NAME 'ipk11Unwrap' DESC 'Key s upports unwrapping' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) ) attributeTypes: ( 
nsAdminCgiWaitPid-oid NAME 'nsAdminCgiWaitPid' DESC 'Netscap e defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Ne tscape Administration Services' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2 NAME 'departmentNumber' DESC 'identi fies a department within an organization' EQUALITY caseIgnoreMatch SUBSTR cas eIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'RFC 2 798' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.550 NAME 'cosAttribute' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Net scape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.96 NAME ( 'passwordHistory' 'pwdHistor y' ) DESC 'Netscape defined password policy attribute type' SYNTAX 1.3.6.1.4. 1.1466.115.121.1.5 USAGE directoryOperation X-ORIGIN ( 'Netscape Directory Se rver' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.5322.21.2.5 NAME 'krbLastAdminUnlock' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIG IN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.11.9 NAME 'ipaNTHomeDirectoryDrive' DE SC 'User Home Drive Letter' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrder ingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.1 5 SINGLE-VALUE X-ORIGIN ( 'IPA v3' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime' DESC 'Ti me of the last bad password attempt' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1 .1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.5.4.21 NAME 'telexNumber' SYNTAX 1.3.6.1.4.1.1466.115.121 .1.52 X-ORIGIN ( 'RFC 4519' 'user defined' ) ) attributeTypes: ( numberOfRenewals-oid NAME 'numberOfRenewals' DESC 'CMS defin ed attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN 'user defined' ) attributeTypes: ( 2.16.840.1.113730.3.8.7.7 NAME 'ipaSudoRunAsExtUser' DESC 'M ultivalue string 
attribute that allows storing user name the command can be r un as' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSub stringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v2' 'user d efined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2117 NAME 'dnaNextValue' DESC 'DNA nex t available value for assignment' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE -VALUE X-ORIGIN ( '389 Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2098 NAME 'autoMemberFilter' DESC 'Aut o Membership filter criteria' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VAL UE X-ORIGIN ( '389 Directory Server' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.2428.20.1.17 NAME 'RPRecord' DESC 'Responsible P erson, RFC 1183' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMa tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'IPA v4.2.0' 'user define d' ) ) attributeTypes: ( 1.3.6.1.1.1.1.1 NAME 'gidNumber' DESC 'Standard LDAP attribu te type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'RFC 23 07' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2221 NAME 'nsslapd-validate-cert' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGL E-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2187 NAME 'nsslapd-accesslog-logrotati ontimeunit' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.11 5.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2308 NAME 'nstombstonecsn' DESC 'Netsc ape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.61 NAME 'ntUserUsrComment' DESC 'Netsc ape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape NT Synchronization' 'user defined' ) ) attributeTypes: ( 
2.16.840.1.113730.3.1.2291 NAME 'nsslapd-disk-monitoring-gra ce-period' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115 .121.1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2077 NAME ( 'passwordMinUppers' 'pwdMi nUppers' ) DESC 'Netscape defined password policy attribute type' SYNTAX 1.3. 6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( SecureEEClientAuthPort-oid NAME 'SecureEEClientAuthPort' SY NTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' ) attributeTypes: ( 2.16.840.1.113730.3.1.407 NAME 'nsSynchUniqueAttribute' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORI GIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.77 NAME 'sambaSecurityIdentifier' DESC 'SID of a trusted domain' EQUALITY caseIgnoreIA5Match SUBSTR caseExactIA5Subs tringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2268 NAME 'nsslapd-accesslog-list' DES C 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-OR IGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 1.3.18.0.2.4.1125 NAME 'printer-finishings-supported' DESC ' The possible finishing operations supported by this printer.' EQUALITY caseIg noreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1. 
15 X-ORIGIN ( 'rfc3712' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.16.1.8 NAME 'ipatokenOTPkey' DESC 'OTP Token Key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SI NGLE-VALUE X-ORIGIN ( 'IPA OTP' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.16.1.16 NAME 'ipatokenRadiusServer' DE SC 'Server String Configuration' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4 .1.1466.115.121.1.26 X-ORIGIN ( 'IPA OTP' 'user defined' ) ) attributeTypes: ( 2.5.21.6 NAME 'objectClasses' EQUALITY objectIdentifierFirs tComponentMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE directoryOperation X-ORIGIN ( 'RFC 4512' 'user defined' ) ) attributeTypes: ( cmsUserGroup-oid NAME 'cmsUserGroup' DESC 'CMS defined attri bute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( 1.3.6.1.1.1.1.29 NAME 'nisSecretkey' DESC 'nisSecretkey' EQU ALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'RFC 2307bis' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.28 NAME 'mgrpMsgRejectAction' DESC 'Ne tscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.12 1.1.15 X-ORIGIN ( 'Netscape Messaging Server 4.x' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.5.10 NAME 'idnsUpdatePolicy' DESC 'DNS dynamic updates policy' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Subs tringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN ( 'IPA v2' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2135 NAME 'nsds5ReplicaCleanRUV' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIG IN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.230 NAME 'nsslapd-pluginDescription' D ESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SI NGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( nsAdminCacheLifetime-oid NAME 'nsAdminCacheLifetime' DESC 'N 
etscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Administration Services' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.327 NAME 'nsIndexType' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Nets cape Directory Server' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.5 NAME 'eduPersonPrimaryAffiliation' DESC 'Primary Affiliation' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'http://middleware.internet2.edu/eduperson/' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.545 NAME 'nscpEntryDN' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO- USER-MODIFICATION USAGE directoryOperation X-ORIGIN ( 'Netscape Directory Ser ver' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.83 NAME 'cirUsePersistentSearch' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIG IN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.11.12 NAME 'ipaNTTrustAttributes' DESC 'Trust attributes for a trusted domain' EQUALITY integerMatch SYNTAX 1.3.6.1 .4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.42.2.27.4.1.10 NAME 'javaFactory' DESC 'Fully qu alified Java class name of a JNDI object factory' EQUALITY caseExactMatch SYN TAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'RFC 2713' 'user de fined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.17.1.11 NAME 'ipk11Private' DESC 'Is p rivate to application' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121. 
1.7 SINGLE-VALUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) )
attributeTypes: ( 2.5.18.10 NAME 'subschemaSubentry' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation X-ORIGIN ( 'RFC 4512' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2085 NAME 'isReplicated' DESC 'Changelog attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.3.18 NAME 'managedBy' DESC 'DNs of entries allowed to manage' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'IPA v2' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.683 NAME 'nsds5ReplicaTombstonePurgeInterval' DESC 'Netscape defined attribute type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 0.9.2342.19200300.100.1.38 NAME 'associatedName' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'RFC 1274' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.20.2.2 NAME 'ipaReplTopoSegmentDirection' DESC 'IPA defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'FreeIPA' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.17.1.68 NAME 'ipk11NeverExtractable' DESC 'Key has never been extractable' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.1100 NAME 'oneWaySync' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( requestType-oid NAME 'requestType' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( nsConfigRoot-oid NAME 'nsConfigRoot' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113719.1.301.4.10.1 NAME 'krbMaxRenewableAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.13769.3.7 NAME 'mozillaHomeUrl' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Mozilla Address Book' 'user defined' ) )
attributeTypes: ( issuedBy-oid NAME 'issuedBy' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( 2.16.840.1.113730.3.8.11.30 NAME 'ipaSELinuxUser' DESC 'An SELinux user' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v3' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2255 NAME 'passwordIsGlobalPolicy' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( requestState-oid NAME 'requestState' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( 0.9.2342.19200300.100.1.41 NAME ( 'mobile' 'mobileTelephoneNumber' ) EQUALITY telephoneNumberMatch SUBSTR telephoneNumberSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 X-ORIGIN ( 'RFC 4524' 'user defined' ) X-DEPRECATED 'mobileTelephoneNumber' )
attributeTypes: ( nsAdminDomainName-oid NAME 'nsAdminDomainName' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.15 NAME 'mailAutoReplyText' DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Messaging Server 4.x' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2122 NAME 'dnaMaxValue' DESC 'DNA maximum value to assign' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( '389 Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.225 NAME 'nsslapd-pluginInitfunc' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( nsAdminEndUserHTMLIndex-oid NAME 'nsAdminEndUserHTMLIndex' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Administration Services' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.2.1.3 NAME 'accountInactivityLimit' DESC 'Account inactivity limit' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Account Policy Plugin' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive' DESC 'Driver letter of home directory mapping' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2192 NAME 'nsslapd-auditlog-logmaxdiskspace' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( nsBuildSecurity-oid NAME 'nsBuildSecurity' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.5.3 NAME 'idnsSOAmName' DESC 'SOA Name' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN ( 'IPA v2' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.708 NAME 'vacationenddate' DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Messaging Server 4.x' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2169 NAME 'nsslapd-pagedsizelimit' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.581 NAME 'nsDS5ReplicaBindDN' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( mgrpApprovePassword-oid NAME 'mgrpApprovePassword' DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN ( 'Netscape Messaging Server 4.x' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.78 NAME 'sambaTrustForestTrustInfo' DESC 'Forest trust information for a trusted domain object' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 1.3.18.0.2.4.1136 NAME 'printer-location' DESC 'The physical location of this printer.' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'rfc3712' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.16.1.25 NAME 'ipatokenHOTPauthWindow' DESC 'HOTP Auth Window (maximum authentication skip-ahead)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA OTP' 'user defined' ) )
attributeTypes: ( 0.9.2342.19200300.100.1.27 NAME 'mDRecord' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.531 NAME 'ntUserBadPwCount' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE X-ORIGIN ( 'Netscape NT Synchronization' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.37 NAME 'nsLicenseStartTime' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Administration Services' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.5.23 NAME 'idnsSecKeyDelete' DESC 'DNSSEC key (planned) deletion timestamp' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.203 NAME 'replicaEntryFilter' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.11.1 NAME 'ipaExternalMember' DESC 'External Group Member Identifier' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v3' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName' DESC 'Share Name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2242 NAME 'nsslapd-securePort' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.5.4.39 NAME 'certificateRevocationList' DESC 'X.509 certificate revocation list' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN ( 'RFC 4523' 'user defined' ) )
attributeTypes: ( nsAdminAccountInfo-oid NAME 'nsAdminAccountInfo' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Administration Services' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.17.1.24 NAME 'ipk11Local' DESC 'Was created locally on token' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2090 NAME 'mepRDNAttr' DESC 'Managed Entries RDN attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( '389 Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.696 NAME 'inetSubscriberResponse' DESC 'Used to confirm subscriberIdentity. This attribute holds the response phrase and is used in conjunction with the inetSubscriberChallenge' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN ( 'Netscape subscriber interoperability' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Account Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2219 NAME 'nsslapd-minssf' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 1.3.18.0.2.4.1114 NAME 'printer-delivery-orientation-supported' DESC 'The possible delivery orientations of pages as they are printed and ejected from this printer.' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'rfc3712' 'user defined' ) )
attributeTypes: ( 2.5.4.50 NAME 'uniqueMember' EQUALITY uniqueMemberMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 X-ORIGIN ( 'RFC 4519' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.250.1.60 NAME ( 'ttl' 'timeToLive' ) DESC 'time to live in seconds for cached objects' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'LDAP Caching Internet Draft' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113719.1.301.4.42.1 NAME 'krbDefaultEncSaltTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2300 NAME 'nsslapd-connection-nocanon' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.59 NAME 'ntUserPriv' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE X-ORIGIN ( 'Netscape NT Synchronization' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2289 NAME 'nsslapd-disk-monitoring' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( nsDefaultObjectClass-oid NAME 'nsDefaultObjectClass' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Administration Services' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.13769.3.8 NAME 'mozillaWorkStreet2' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Mozilla Address Book' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2156 NAME 'nsslapd-sasl-max-buffer-size' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2260 NAME 'nsslapd-result-tweak' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.11.45 NAME 'ipaPermBindRuleType' DESC 'IPA permission bind rule type' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.0' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.526 NAME 'ntUserLastLogon' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape NT Synchronization' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.101 NAME ( 'passwordInHistory' 'pwdInHistory' ) DESC 'Netscape defined password policy attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 1.3.6.1.1.1.1.11 NAME 'shadowFlag' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'RFC 2307' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.20 NAME 'mailProgramDeliveryInfo' DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'Netscape Messaging Server 4.x' 'user defined' ) )
attributeTypes: ( 1.2.840.113556.1.4.481 NAME 'calCalAdrURI' DESC 'RFC2739: URI for event equests destination' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'rfc2739' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.238 NAME 'nsSNMPMasterPort' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an integer to order the sudoRole entries' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN ( 'SUDO' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.35157.1.1.1.6 NAME 'umIdmIdtype' DESC 'student employee etc' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( firstUnsaved-oid NAME 'firstUnsaved' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( 1.3.6.1.4.1.42.2.27.4.1.7 NAME 'javaCodebase' DESC 'URL(s) specifying the location of class definition' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'RFC 2713' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2174 NAME 'nsslapd-auditlog-maxlogsize' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.594 NAME 'nsDS5ReplicatedAttributeListTotal' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.3.10 NAME 'sourceHost' DESC 'Link to a host or group of hosts' SUP memberHost EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'IPA v2' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2206 NAME 'nsslapd-unhashed-pw-switch' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.11.63 NAME 'ipaOriginalUid' DESC 'Original UID of overriden user' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList' DESC 'List of preferred servers' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'RFC4876' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.42 NAME 'ntUserCreateNewAccount' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape NT Synchronization' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.1.8 NAME 'ipaDefaultPrimaryGroup' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.216 NAME 'userPKCS12' DESC 'PKCS #12 PFX PDU for exchange of personal identity information' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN ( 'RFC 2798' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.5 NAME 'changeNumber' DESC 'Changelog attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN ( 'Changelog Internet Draft' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2143 NAME 'nsslapd-sasl-mapping-fallback' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.5.18.9 NAME 'hasSubordinates' DESC 'if TRUE, subordinate entries may exist' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation X-ORIGIN ( 'numSubordinates Internet Draft' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.11.38 NAME 'ipaNTSIDBlacklistIncoming' DESC 'Extra SIDs filtered out from incoming MS-PAC' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'IPA v3' 'user defined' ) )
attributeTypes: ( SecureAgentPort-oid NAME 'SecureAgentPort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 2.5.4.24 NAME 'x121Address' EQUALITY numericStringMatch SUBSTR numericStringSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 X-ORIGIN ( 'RFC 4519' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.7.2 NAME 'memberDenyCmd' DESC 'Reference to a command or group of commands that are denied by the rule.' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'IPA v2' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.997 NAME 'pwdpolicysubentry' DESC 'Netscape defined password policy attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE USAGE directoryOperation X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2224 NAME 'nsslapd-port' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 1.3.6.1.1.1.1.4 NAME 'loginShell' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN ( 'RFC 2307' 'user defined' ) )
attributeTypes: ( 2.5.4.43 NAME 'initials' SUP name EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'RFC 4519' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.7.13 NAME 'sudoCmd' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactMatch ORDERING caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v2' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113719.1.301.4.30.1 NAME 'krbMaxPwdLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2313 NAME 'nsslapd-changelogtrim-interval' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.64 NAME 'ntUserNumLogons' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE X-ORIGIN ( 'Netscape NT Synchronization' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2294 NAME 'nsslapd-ndn-cache-max-size' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2161 NAME 'nsIndexIDListScanLimit' DESC 'fine grained idlistscanlimit - per index/type/value' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.589 NAME 'nsDS5ReplicaType' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.13769.4.2 NAME 'mozillaCustom2' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Mozilla Address Book' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' DESC 'Start of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 X-ORIGIN ( 'SUDO' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.11.56 NAME 'ipaCertSubject' DESC 'Subject name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.70 NAME 'sambaTrustType' DESC 'Type of trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2273 NAME 'nsslapd-config' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.16.1.3 NAME 'ipatokenNotBefore' DESC 'Token validity date' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN ( 'IPA OTP' 'user defined' ) )
attributeTypes: ( 2.5.21.9 NAME 'structuralObjectClass' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation X-ORIGIN ( 'RFC 4512' 'user defined' ) )
attributeTypes: ( nsDisplayName-oid NAME 'nsDisplayName' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Administration Services' 'user defined' ) )
attributeTypes: ( 1.3.6.1.1.1.1.22 NAME 'macAddress' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'RFC 2307' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2138 NAME 'nsslapd-readonly' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.17.1.55 NAME 'ipk11WrapTemplate' DESC 'DN of template of keys which can be wrapped using this key' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) )
attributeTypes: ( certProfileConfig-oid NAME 'certProfileConfig' DESC 'Certificate profile configuration' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'user defined' )
attributeTypes: ( 2.16.840.1.113730.3.1.86 NAME 'cirLastUpdateApplied' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.2428.20.0.0 NAME 'dNSTTL' DESC 'An integer denoting time to live' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( sslVersionMax-oid NAME 'sslVersionMax' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.252 NAME 'nsValueDescription' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape servers - value item' 'user defined' ) )
attributeTypes: ( 2.5.4.31 NAME 'member' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'RFC 4519' 'user defined' ) )
attributeTypes: ( userstate-oid NAME 'userstate' DESC 'Distinguish whether the user is administrator, agent or subsystem.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( tokenSubject-oid NAME 'tokenSubject' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.12 NAME 'defaultSearchScope' DESC 'Default scope used when performing a search' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN ( 'RFC4876' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113719.1.301.4.17.1 NAME 'krbKdcServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2107 NAME 'nsPagedSizeLimit' DESC 'Binder-based simple paged search operation size limit' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE USAGE directoryOperation X-ORIGIN ( '389' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.805 NAME 'nsds5replicaTimeout' DESC 'Netscape defined attribute type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2088 NAME 'mepStaticAttr' DESC 'Managed Entries static attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN ( '389 Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.3.23 NAME 'ipaCertificateSubjectBase' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( keyInfo-oid NAME 'keyInfo' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( 2.16.840.1.113730.3.1.2211 NAME 'nsslapd-dynamicconf' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.20.2.5 NAME 'ipaReplTopoSegmentStatus' DESC 'IPA defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'FreeIPA' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.51 NAME 'replicaUpdateReplayed' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2281 NAME 'nsslapd-saslpath' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'RFC 4519' 'user defined' ) X-DEPRECATED 'commonName' )
attributeTypes: ( 2.16.840.1.113730.3.1.2067 NAME 'pamIncludeSuffix' DESC 'Suffixes to include for PAM authentication' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'Red Hat Directory Server' 'user defined' ) )
attributeTypes: ( UnSecurePort-oid NAME 'UnSecurePort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 2.16.840.1.113730.3.1.199 NAME 'memberCertificateDescription' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.2312.4.3.3.1 NAME 'sabayonProfileURL' DESC 'The URL of a sabayon profile' SUP labeledURI EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Sabayon' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange' DESC 'Allow Machine Password changes (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2258 NAME 'nsslapd-csnlogging' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.5.4.17 NAME 'postalCode' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'RFC 4519' 'user defined' ) )
attributeTypes: ( nsSSL2-oid NAME 'nsSSL2' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.109 NAME ( 'passwordLockoutDuration' 'pwdLockoutDuration' ) DESC 'Netscape defined password policy attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'RFC 2307' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.18 NAME 'mailHost' DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Messaging Server 4.x' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2125 NAME 'dnaThreshold' DESC 'DNA threshold for getting next range of values' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( '389 Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.220 NAME ( 'passwordMustChange' 'pwdMustChange' ) DESC 'Netscape defined password policy attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2237 NAME 'nsslapd-counters' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2195 NAME 'nsslapd-auditlog-logminfreediskspace' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.575 NAME 'nsRoleDN' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 USAGE directoryOperation X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.19.2.3 NAME 'ipaMaxDomainLevel' DESC 'Maximal supported Domain Level value' EQUALITY numericStringMatch ORDERING numericStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 SINGLE-VALUE X-ORIGIN ( 'IPA v4' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.73 NAME 'installationTimeStamp' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Administration Services' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.247 NAME 'nsValueBin' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN ( 'Netscape servers - value item' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.3.7 NAME 'memberHost' DESC 'Reference to a device where the operation takes place (usually host).' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'IPA v2' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'SUDO' 'user defined' ) )
attributeTypes: ( 1.3.18.0.2.4.1133 NAME 'printer-ipp-versions-supported' DESC 'IPP protocol version(s) that this printer supports.' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'rfc3712' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.16.1.20 NAME 'ipatokenUserMapAttribute' DESC 'Attribute to map from the user entry for RADIUS server authentication' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA OTP' 'user defined' ) )
attributeTypes: ( 0.9.2342.19200300.100.1.28 NAME 'mXRecord' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.5.26 NAME 'idnsSecKeySep' DESC 'DNSKEY SEP flag (equivalent to bit 15): RFC 4035' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) )
attributeTypes: ( 2.5.18.1 NAME 'createTimestamp' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation X-ORIGIN ( 'RFC 4512' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.553 NAME 'costemplatedn' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.95 NAME 'accountUnlockTime' DESC 'Netscape defined password policy attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE USAGE directoryOperation X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.11.4 NAME 'ipaNTFallbackPrimaryGroup' DESC 'Fallback Group to set the Primary group Security Identifier for users with UPGs' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'IPA v3' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.11.20 NAME 'memberPrincipal' DESC 'Principal names member of a groupOfPrincipals group' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA-v3' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2245 NAME 'nsslapd-maxthreadsperconn' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113719.1.301.4.39.1 NAME 'krbPrincipalKey' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.1.10 NAME 'ipaPwdExpAdvNotify' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( numberOfEnrollments-oid NAME 'numberOfEnrollments' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN 'user defined' )
attributeTypes: ( 2.16.840.1.113730.3.8.17.1.23 NAME 'ipk11Id' DESC 'Key association identifier' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2112 NAME 'ntGroupType' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape NT Synchronization' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord' DESC 'mailbox or mail list information, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID' DESC 'Primary Group Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.691 NAME 'inetDomainStatus' DESC '"active", "inactive", or "deleted" status of a domain' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape subscriber interoperability' 'user defined' ) )
attributeTypes: ( 1.3.18.0.2.4.1111 NAME 'printer-job-k-octets-supported' DESC 'The maximum size in kilobytes (1,024 octets actually) incoming print job that this printer will accept.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'rfc3712' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2182 NAME 'nsslapd-errorlog-logrotationsyncmin' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( crlNumber-oid NAME 'crlNumber' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( 2.16.840.1.113730.3.1.788 NAME 'mgrpBroadcasterPolicy' DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Messaging Server 4.x' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.601 NAME 'adminRole' DESC 'Administrative role' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Delegated Administrator' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2072 NAME 'pamFallback' DESC 'Fallback to regular LDAP BIND if PAM auth fails' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN ( 'Red Hat Directory Server' 'user defined' ) )
attributeTypes: ( nsLogSuppress-oid NAME 'nsLogSuppress' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2159 NAME 'dnaRemoteConnProtocol' DESC 'Connection protocol: LDAP, TLS, or SSL' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( '389 Directory Server' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.68 NAME 'sambaClearTextPassword' DESC 'Clear text password (used for trusted domain passwords)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 1.3.18.0.2.4.1126 NAME 'printer-pages-per-minute-color' DESC 'The nominal number of color pages per minute which may be output by this printer.' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'rfc3712' 'user defined' ) )
attributeTypes: ( 2.5.21.1 NAME 'dITStructureRules' EQUALITY integerFirstComponentMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE directoryOperation X-ORIGIN ( 'RFC 4512' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.16.1.15 NAME 'ipatokenRadiusConfigLink' DESC 'Corresponding Radius Configuration link' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN ( 'IPA OTP' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.521 NAME 'ntUserHomeDir' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape NT Synchronization' 'user defined' ) )
attributeTypes: ( 1.2.840.113556.1.4.484 NAME 'calOtherCAPURIs' DESC 'RFC2739: multi-value URI to other calendars' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'rfc2739' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.5.13 NAME 'idnsAllowSyncPTR' DESC 'permit synchronization of PTR records' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.
1466.115.121.1.7 SINGLE-VALUE X-ORIGIN ( 'IPA v2' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113719.1.301.4.50.1 NAME 'krbLoginFailedCount' E QUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIG IN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2130 NAME 'dnaRangeRequestTimeout' DES C 'DNA timeout for querying replica for next range of values' SYNTAX 1.3.6.1. 4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( '389 Directory Server' 'user de fined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.233 NAME 'nsSNMPOrganization' DESC 'Ne tscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord' DESC 'Key Exchange Delegation, RFC 2230' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substri ngsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'IPA v4.2.0' 'user d efined' ) ) attributeTypes: ( 1.3.6.1.4.1.1466.101.120.14 NAME 'supportedSASLMechanisms' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE dSAOperation X-ORIGIN ( 'RFC 4512' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.8 NAME 'eduPersonPrimaryOrgUnitDN' DE SC 'Primary Organizational Unit' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGI N ( 'http://middleware.internet2.edu/eduperson/' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.11.17 NAME 'ipaNTTrustForestTrustInfo' DESC 'Forest trust information for a trusted domain object' EQUALITY octetSt ringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( nsHardwarePlatform-oid NAME 'nsHardwarePlatform' DESC 'Netsc ape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( ' Netscape' 'user defined' ) ) attributeTypes: ( transName-oid NAME 'transName' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( 1.3.6.1.4.1.6981.11.3.8 NAME 'FTPuid' DESC 'System 
uid (over rides uidNumber if present)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.11 5.121.1.27 SINGLE-VALUE X-ORIGIN ( 'Pure-FTPd' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.17.1.14 NAME 'ipk11Copyable' DESC 'Can be copied by application' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115. 121.1.7 SINGLE-VALUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2080 NAME ( 'passwordMin8bit' 'pwdMin8 bit' ) DESC 'Netscape defined password policy attribute type' SYNTAX 1.3.6.1. 4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'us er defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.686 NAME 'nsds5replicaLastUpdateEnd' D ESC 'Netscape defined attribute type' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALU E NO-USER-MODIFICATION X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2209 NAME 'nsslapd-rootpwstoragescheme ' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.49 NAME 'replicaUpdateFailedAt' DESC ' Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGI N ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.1.3 NAME 'ipaSearchTimeLimit' EQUALIT Y integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( ' IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.8 NAME 'changes' DESC 'Changelog attri bute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN ( 'Changelog Internet Draft' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2146 NAME 'rootdn-days-allowed' DESC ' Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE- VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 
2.16.840.1.113719.1.301.4.37.1 NAME 'krbPasswordExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VA LUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.11.35 NAME 'ipaBaseRID' DESC 'First va lue of a RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTA X 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v3' 'user define d' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2250 NAME 'nsslapd-ioblocktimeout' DES C 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SING LE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 0.9.2342.19200300.100.1.42 NAME ( 'pager' 'pagerTelephoneNum ber' ) EQUALITY telephoneNumberMatch SUBSTR telephoneNumberSubstringsMatch S YNTAX 1.3.6.1.4.1.1466.115.121.1.50 X-ORIGIN ( 'RFC 4524' 'user defined' ) X- DEPRECATED 'pagerTelephoneNumber' ) attributeTypes: ( 1.3.6.1.4.1.1466.101.120.7 NAME 'supportedExtension' SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 USAGE dSAOperation X-ORIGIN ( 'RFC 4512' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.10 NAME 'deleteOldRdn' DESC 'Changelog attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 X-ORIGIN ( 'Changelog In ternet Draft' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.228 NAME 'nsslapd-pluginVersion' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE -VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript' DESC 'Logon script path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SI NGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.5.4.46 NAME 'dnQualifier' EQUALITY caseIgnoreMatch ORDERI NG caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4. 
1.1466.115.121.1.44 X-ORIGIN ( 'RFC 4519' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.5.6 NAME 'idnsSOArefresh' DESC 'SOA re fresh value' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN ( 'IPA v2' 'user d efined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.614 NAME 'copyingFrom' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE USA GE directoryOperation X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( nsSSLToken-oid NAME 'nsSSLToken' DESC 'Netscape defined attr ibute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.584 NAME 'nsDS5ReplicaRoot' DESC 'Nets cape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALU E X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2164 NAME 'winSyncSubtreePair' DESC 'N etscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.11.53 NAME 'ipaPublicKey' DESC 'Public key as DER-encoded SubjectPublicKeyInfo (RFC 5280)' EQUALITY octetStringMatc h SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN ( 'IPA v4.1' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2276 NAME 'nsslapd-lockdir' DESC 'Nets cape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALU E X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.16.1.6 NAME 'ipatokenModel' DESC 'Opti onal Model identifier' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMa tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA OTP' 'u ser defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.16.1.18 NAME 'ipatokenRadiusTimeout' D ESC 'Server Timeout' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1. 
27 SINGLE-VALUE X-ORIGIN ( 'IPA OTP' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.1001 NAME 'nsds7DirectoryReplicaSubtre e' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.1 5 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.534 NAME 'ntUserPrimaryGroupId' DESC ' Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-V ALUE X-ORIGIN ( 'Netscape NT Synchronization' 'user defined' ) ) attributeTypes: ( 0.9.2342.19200300.100.1.20 NAME ( 'homePhone' 'homeTelephone Number' ) EQUALITY telephoneNumberMatch SUBSTR telephoneNumberSubstringsMatc h SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 X-ORIGIN ( 'RFC 4524' 'user defined' ) X-DEPRECATED 'homeTelephoneNumber' ) attributeTypes: ( 2.16.840.1.113730.3.1.32 NAME 'mgrpMsgMaxSize' DESC 'Netscap e Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.1 5 SINGLE-VALUE X-ORIGIN ( 'Netscape Messaging Server 4.x' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.206 NAME 'filterInfo' DESC 'Netscape d efined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netsc ape Directory Server' 'user defined' ) ) attributeTypes: ( 1.3.18.0.2.4.1140 NAME 'printer-uri' DESC 'A URI supported b y this printer.' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SY NTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'rfc3712' 'user de fined' ) ) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName' DESC 'Option Name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6. 
1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.5.4.34 NAME 'seeAlso' SUP distinguishedName EQUALITY dist inguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'RFC 4519' 'user defined' ) ) attributeTypes: ( nsSSL3Ciphers-oid NAME 'nsSSL3Ciphers' DESC 'Netscape define d attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.6981.11.3.5 NAME 'FTPUploadBandwidth' DESC 'Band width (in KB/s) to limit upload speeds to' EQUALITY integerMatch SYNTAX 1.3.6 .1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'Pure-FTPd' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2093 NAME 'nsslapd-changelogsuffix' DE SC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-O RIGIN ( 'Netscape' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.3.26 NAME 'ipaSELinuxUserMapDefault' D ESC 'Default SELinux user' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE- VALUE X-ORIGIN ( 'IPA v3' 'user defined' ) ) attributeTypes: ( nsUniqueAttribute-oid NAME 'nsUniqueAttribute' DESC 'Netscap e defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Ne tscape Administration Services' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.11.71 NAME 'ipaPermTargetFrom' DESC 'S ource location from where moving an entry IPA permission ACI' EQUALITY distin guishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN ( 'IPA v4.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2214 NAME 'nsslapd-svrtab' DESC 'Netsc ape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 1.3.18.0.2.4.1119 NAME 'printer-natural-language-configured' DESC 'The configured natural language in which error and status messages wil l be generated (by default) 
by this printer.' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'rfc3712' 'user defined' ) ) attributeTypes: ( 2.5.4.53 NAME 'deltaRevocationList' DESC 'X.509 delta revoca tion list' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-O RIGIN ( 'RFC 4523' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113719.1.301.4.1.1 NAME 'krbPrincipalName' EQUAL ITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466 .115.121.1.26 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2303 NAME 'nsslapd-ignore-time-skew' D ESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SI NGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.54 NAME 'replicaUseSSL' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Net scape Directory Server' 'user defined' ) ) attributeTypes: ( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' ) EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115. 121.1.15 X-ORIGIN ( 'RFC 4519' 'user defined' ) X-DEPRECATED 'userid' ) attributeTypes: ( 2.16.840.1.113730.3.1.609 NAME 'nsds5BeginReplicaRefresh' DE SC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SIN GLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2284 NAME 'nsslapd-ssl-check-hostname' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.1097 NAME 'nsds5replicaBusyWaitTime' D ESC 'Netscape defined attribute type' EQUALITY integerMatch SYNTAX 1.3.6.1.4. 
1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.5.4.8 NAME ( 'st' 'stateOrProvinceName' ) SUP name EQUALI TY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.1 15.121.1.15 X-ORIGIN ( 'RFC 4519' 'user defined' ) X-DEPRECATED 'stateOrProvi nceName' ) attributeTypes: ( 1.3.6.1.4.1.2428.20.1.45 NAME 'IPSECKEYRecord' DESC 'IPSECKE Y, RFC 4025' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2151 NAME 'nsslapd-plugin-depends-on-t ype' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1 .15 X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( nsViewConfiguration-oid NAME 'nsViewConfiguration' DESC 'Net scape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Administration Services' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113719.1.301.4.25.1 NAME 'krbSearchScope' EQUALI TY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.11.46 NAME 'ipaPermLocation' DESC 'Loc ation of IPA permission ACI' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4 .1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN ( 'IPA v4.0' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd' DESC 'Forc e Users to logon for password change (default: 0 => off, 2 => on)' EQUALITY i ntegerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2263 NAME 'nsslapd-maxsasliosize' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGL E-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.529 NAME 'ntUserMaxStorage' DESC 'Nets cape defined 
attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE X-ORIGIN ( 'Netscape NT Synchronization' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.104 NAME ( 'passwordWarning' 'pwdExpir eWarning' ) DESC 'Netscape defined password policy attribute type' SYNTAX 1.3 .6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server ' 'user defined' ) ) attributeTypes: ( 1.3.6.1.1.1.1.12 NAME 'memberUid' DESC 'Standard LDAP attrib ute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'RFC 2307' 'user de fined' ) ) attributeTypes: ( nsAccessLog-oid NAME 'nsAccessLog' DESC 'Netscape defined at tribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape' 'use r defined' ) ) attributeTypes: ( dateOfRecovery-oid NAME 'dateOfRecovery' DESC 'CMS defined a ttribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( 2.16.840.1.113730.3.1.2128 NAME 'dnaSecurePortNum' DESC 'DNA secure port number of replica to get new range of values' SYNTAX 1.3.6.1.4.1 .1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( '389 Directory Server' 'user defin ed' ) ) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' DESC 'Next NT ri d to give out for anything' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115 .121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( nsPidLog-oid NAME 'nsPidLog' DESC 'Netscape defined attribut e type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape' 'user defi ned' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2198 NAME 'nsslapd-auditlog-logexpirat iontime' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.1 21.1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.570 NAME 'nsLookThroughLimit' DESC 'Bi nder-based search operation look through limit (candidate entries)' SYNTAX 1. 
3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE USAGE directoryOperation X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.42.2.27.1.1.12 NAME 'nisNetIdUser' DESC 'nisNetI dUser' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIG IN ( 'RFC2307bis' 'user defined' ) ) attributeTypes: ( nsCertfile-oid NAME 'nsCertfile' DESC 'Netscape defined attr ibute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.76 NAME 'serverHostName' DESC 'Netscap e defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Ne tscape Administration Services' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.35157.1.1.1.3 NAME 'gobsrid' DESC 'Umanitoba Ban ner gobsrid' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' ) attributeTypes: ( 2.16.840.1.113730.3.1.242 NAME 'nsSystemIndex' DESC 'Netscap e defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Ne tscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.18.2.2 NAME 'ipaVaultSalt' DESC 'IPA v ault salt' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-O RIGIN ( 'IPA v4.2' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2177 NAME 'nsslapd-auditlog-logrotatio nsync-enabled' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466 .115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defin ed' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.3.2 NAME 'ipaClientVersion' DESC 'Text string describing client version of the IPA software installed' EQUALITY cas eIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatc h SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v2' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.3.13 NAME 'accessRuleType' DESC 'The f lag to represent if it is allow or deny rule.' 
EQUALITY caseIgnoreMatch ORDER ING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4 .1.1466.115.121.1.15 X-ORIGIN ( 'IPA v2' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.11.64 NAME 'ipaSecretKeyRef' DESC 'DN of the ipa key object' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.146 6.115.121.1.12 X-ORIGIN ( 'IPA v4.1' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2201 NAME 'nsslapd-auditlog-logexpirat iontimeunit' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.1 15.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined ' ) ) attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.1 NAME 'defaultSearchBase' DESC 'Defa ult base for searches' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.146 6.115.121.1.12 SINGLE-VALUE X-ORIGIN ( 'RFC4876' 'user defined' ) ) attributeTypes: ( nsServerCreationClassname-oid NAME 'nsServerCreationClassnam e' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.1 5 X-ORIGIN ( 'Netscape' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.41 NAME 'ntUserDomainId' DESC 'Netscap e defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X -ORIGIN ( 'Netscape NT Synchronization' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.17.1.67 NAME 'ipk11AlwaysSensitive' DE SC 'Key has always been sensitive' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1 466.115.121.1.7 SINGLE-VALUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.219 NAME 'vlvUses' DESC 'Netscape defi ned attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.2428.20.1.28 NAME 'aAAARecord' DESC 'IPv6 addres s, RFC 1886' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.973 NAME 'nsds5ReplConflict' DESC 'Net 
scape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE dire ctoryOperation X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.5.18.4 NAME 'modifiersName' EQUALITY distinguishedNameMat ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USA GE directoryOperation X-ORIGIN ( 'RFC 4512' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.98 NAME 'passwordExp' DESC 'Netscape d efined password policy attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 S INGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2248 NAME 'nsslapd-reservedescriptors' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.5.4.27 NAME 'destinationIndicator' EQUALITY caseIgnoreMat ch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 X-OR IGIN ( 'RFC 4519' 'user defined' ) ) attributeTypes: ( tokenIP-oid NAME 'tokenIP' DESC 'CMS defined attribute' SYNT AX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( subjectName-oid NAME 'subjectName' DESC 'CMS defined attribu te' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( 2.16.840.1.113730.3.8.7.5 NAME 'ipaSudoOpt' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121 .1.26 X-ORIGIN ( 'IPA v2' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2115 NAME 'dnaType' DESC 'DNA attribut e type to maintain' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( '389 Dire ctory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2227 NAME 'nsslapd-snmp-index' DESC 'N etscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-V ALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 1.3.6.1.1.1.1.7 NAME 'shadowMax' DESC 'Standard LDAP attribu te type' 
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'RFC 23 07' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2185 NAME 'nsslapd-errorlog-logrotatio ntime' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121 .1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 0.9.2342.19200300.100.1.13 NAME 'documentVersion' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115. 121.1.15 X-ORIGIN ( 'RFC 4524' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.63 NAME 'ntUserUnitsPerWeek' DESC 'Net scape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALU E X-ORIGIN ( 'Netscape NT Synchronization' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2297 NAME 'nsslapd-search-return-origi nal-type-switch' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.14 66.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user def ined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2075 NAME ( 'passwordMinDigits' 'pwdMi nDigits' ) DESC 'Netscape defined password policy attribute type' SYNTAX 1.3. 6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.75 NAME 'sambaTrustAuthOutgoing' DESC ' Authentication information for the outgoing portion of a trust' EQUALITY case ExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 1.3.18.0.2.4.1123 NAME 'printer-sides-supported' DESC 'The n umber of impression sides (one or two) and the two-sided impression rotations supported by this printer.' 
EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466 .115.121.1.15 X-ORIGIN ( 'rfc3712' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.16.1.10 NAME 'ipatokenOTPdigits' DESC 'OTP Token Number of digits' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.11 5.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA OTP' 'user defined' ) ) attributeTypes: ( 2.5.21.4 NAME 'matchingRules' EQUALITY objectIdentifierFirs tComponentMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE directoryOperation X-ORIGIN ( 'RFC 4512' 'user defined' ) ) attributeTypes: ( requestResult-oid NAME 'requestResult' DESC 'CMS defined att ribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( 1.3.6.1.1.1.1.27 NAME 'nisMapEntry' DESC 'Standard LDAP attr ibute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN ( 'RFC 2307' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.5.16 NAME 'idnsZoneRefresh' DESC 'zone refresh interval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v2' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.2428.20.1.33 NAME 'sRVRecord' DESC 'service loca tion, RFC 2782' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMat ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'IPA v4.2.0' 'user defined ' ) ) attributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.3 NAME 'eduPersonOrgDN' DESC 'Organiz ation DN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN ( 'http: //middleware.internet2.edu/eduperson/' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.543 NAME 'nsState' DESC 'Netscape defi ned attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.85 NAME 'cirBindCredentials' DESC 'Net scape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( dateOfCreate-oid NAME 'dateOfCreate' DESC 'CMS defined 
attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( 2.16.840.1.113730.3.8.11.10 NAME 'ipaNTDomainGUID' DESC 'NT Domain GUID' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN ( 'IPA v3' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113719.1.301.4.8.1 NAME 'krbTicketFlags' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.42.2.27.4.1.12 NAME 'javaDoc' DESC 'The Java documentation for the class' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'RFC 2713' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2102 NAME 'autoMemberGroupingAttr' DESC 'Auto Membership grouping attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN ( '389 Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.17.1.13 NAME 'ipk11Label' DESC 'Description' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) )
attributeTypes: ( nsUserIDFormat-oid NAME 'nsUserIDFormat' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Administration Services' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.808 NAME 'nsds5replicaLastInitEnd' DESC 'Netscape defined attribute type' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIFICATION X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 0.9.2342.19200300.100.1.9 NAME 'host' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'RFC 4524' 'user defined' ) )
attributeTypes: ( nsAdminOneACLDir-oid NAME 'nsAdminOneACLDir' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Administration Services' 'user defined' ) )
attributeTypes: ( 2.5.4.0 NAME 'objectClass' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 X-ORIGIN ( 'RFC 4512' 'user defined' ) )
attributeTypes: ( nsBuildNumber-oid NAME 'nsBuildNumber' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.13769.3.5 NAME 'mozillaHomePostalCode' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Mozilla Address Book' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2149 NAME 'rootdn-allow-ip' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.2312.4.3.3.2 NAME 'sabayonProfileName' DESC 'The Name of a sabayon profile' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Sabayon' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength' DESC 'Minimal password length (default: 5)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 2.5.4.12 NAME 'title' SUP name EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'RFC 4519' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.17 NAME 'mailForwardingAddress' DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Messaging Server 4.x' 'user defined' ) )
attributeTypes: ( revInfo-oid NAME 'revInfo' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( 2.16.840.1.113730.3.1.2120 NAME 'dnaFilter' DESC 'DNA filter for finding entries' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( '389 Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.223 NAME ( 'passwordResetFailureCount' 'pwdFailureCountInterval' ) DESC 'Netscape defined password policy attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' DESC 'Timestamp of last logoff' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 2.5.4.49 NAME ( 'distinguishedName' 'dn' ) EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'RFC 4519' 'user defined' ) X-DEPRECATED 'dn' )
attributeTypes: ( 2.16.840.1.113730.3.1.2232 NAME 'nsslapd-ldapimaptoentries' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2190 NAME 'nsslapd-accesslog-logmaxdiskspace' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.578 NAME 'nsDS5ReplicaHost' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.5.1 NAME 'idnsAllowDynUpdate' DESC 'permit dynamic updates on this zone' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN ( 'IPA v2' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113719.1.301.4.45.1 NAME 'krbLastPwdChange' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 2.5.21.10 NAME 'governingStructureRule' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation X-ORIGIN ( 'RFC 4512' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'SUDO' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2279 NAME 'nsslapd-ldifdir' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.9 NAME 'attributeMap' DESC 'Attribute mappings used, required, or supported by an agent or service' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'RFC4876' 'user defined' ) )
attributeTypes: ( 1.3.18.0.2.4.1134 NAME 'printer-more-info' DESC 'A URI for more information about this specific printer.' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'rfc3712' 'user defined' ) )
attributeTypes: ( certStatus-oid NAME 'certStatus' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) DESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN ( 'RFC 2247' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.1004 NAME 'nsds7WindowsDomain' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.21.1.3 NAME 'ipaMemberCertProfile' DESC 'Reference to a certificate profile member' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'IPA v4.2' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.39 NAME 'preferredLanguage' DESC 'preferred written or spoken language for a person' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'RFC 2798' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.5.21 NAME 'idnsSecKeyActivate' DESC 'DNSSEC key (planned) activation time' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.13769.2.3 NAME ( 'mozillaUseHtmlMail' 'xmozillausehtmlmail' ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN ( 'Mozilla Address Book' 'user defined' ) )
attributeTypes: ( adminMessages-oid NAME 'adminMessages' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( 2.16.840.1.113730.3.1.201 NAME 'changeLogMaximumSize' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( nsSerialNumber-oid NAME 'nsSerialNumber' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.5322.21.2.3 NAME 'krbPwdLockoutDuration' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.90 NAME 'cirBeginORC' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.11.7 NAME 'ipaNTProfilePath' DESC 'User Profile Path' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v3' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2240 NAME 'nsslapd-accesslog' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.1.13 NAME 'ipaDefaultEmailDomain' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.2428.20.1.99 NAME 'SPFRecord' DESC 'Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, RFC 7208' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2096 NAME 'entryusn' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation X-ORIGIN ( 'Netscape' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'LanManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.694 NAME 'inetSubscriberAccountId' DESC 'A unique attribute linking the subscriber to a billing system' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape subscriber interoperability' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113719.1.301.4.18.1 NAME 'krbPwdServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 1.3.18.0.2.4.1112 NAME 'printer-current-operator' DESC 'The identity of the current human operator responsible for operating this printer.' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'rfc3712' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2306 NAME 'nsslapd-return-default-opattr' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE directoryOperation X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 1.2.840.113556.1.4.478 NAME 'calCalURI' DESC 'RFC2739: URI of entire default calendar' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'rfc2739' 'user defined' ) )
attributeTypes: ( tokenNotAfter-oid NAME 'tokenNotAfter' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( 2.16.840.1.113730.3.1.604 NAME 'parentid' DESC 'internal server defined attribute type' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation X-ORIGIN 'user defined' )
attributeTypes: ( 1.3.6.1.4.1.2428.20.1.42 NAME 'APLRecord' DESC 'Lists of Address Prefixes, RFC 3132' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2154 NAME 'nsds5ReplicaBackoffMin' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.11.43 NAME 'ipaPermIncludedAttr' DESC 'IPA permission explicitly included attribute' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v4.0' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2266 NAME 'nsslapd-enquote-sup-oc' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.524 NAME 'ntUserScriptPath' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape NT Synchronization' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.22 NAME 'mgrpAllowedBroadcaster' DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'Netscape Messaging Server 4.x' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2133 NAME 'pwdUpdateTime' DESC 'Last password update time' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE USAGE directoryOperation X-ORIGIN ( '389 Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.236 NAME 'nsSNMPDescription' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.1466.101.120.13 NAME 'supportedControl' SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 USAGE dSAOperation X-ORIGIN ( 'RFC 4512' 'user defined' ) )
attributeTypes: ( nsPreference-oid NAME 'nsPreference' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Administration Services' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.35157.1.1.1.8 NAME 'umGeneric1' DESC 'account status postprocessed' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( 2.16.840.1.113719.1.301.4.33.1 NAME 'krbPwdMinLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.11.18 NAME 'ipaNTTrustPosixOffset' DESC 'POSIX offset of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( crlName-oid NAME 'crlName' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( status-oid NAME 'status' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( 2.16.840.1.113730.3.1.592 NAME 'nsDS5ReplicaAutoReferral' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( requestAgentGroup-oid NAME 'requestAgentGroup' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( numberOfRecoveries-oid NAME 'numberOfRecoveries' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN 'user defined' )
attributeTypes: ( 2.16.840.1.113730.3.1.2083 NAME ( 'passwordMinTokenLength' 'pwdMinTokenLength' ) DESC 'Netscape defined password policy attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.3.16 NAME 'ipaConfigString' DESC 'Generic configuration stirng' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v2' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.11.61 NAME 'ipaWrappingKey' DESC 'PKCS#11 URI of the wrapping key' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.689 NAME 'nsds5replicaUpdateInProgress' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE NO-USER-MODIFICATION X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2204 NAME 'nsslapd-auditlog-logging-enabled' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 1.3.18.0.2.4.1109 NAME 'printer-charset-configured' DESC 'The configured charset in which error and status messages will be generated (by default) by this printer.' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'rfc3712' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.35157.1.1.1.10 NAME 'umSvclass' DESC 'umIdmClass after postprocessing' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( 2.16.840.1.113730.3.8.20.2.8 NAME 'ipaReplTopoManagedSuffix' DESC 'IPA defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'FreeIPA' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.44 NAME 'ntGroupDomainId' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape NT Synchronization' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.1.6 NAME 'ipaHomesRootDir' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( tokenStatus-oid NAME 'tokenStatus' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( 2.16.840.1.113730.3.8.17.1.62 NAME 'ipk11Decrypt' DESC 'Key supports decryption' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.214 NAME 'passwordAllowChangeTime' DESC 'Netscape defined password policy attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE USAGE directoryOperation X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.2428.20.1.55 NAME 'HIPRecord' DESC 'Host Identity Protocol (HIP) Domain Name System (DNS) Extension, RFC 5205' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2141 NAME 'dsOnlyMemberUid' DESC 'Elements from a memberuid attribute created to reflect dynamic group membership' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'Red Hat Directory Server' 'user defined' ) )
attributeTypes: ( nsDirectoryFailoverList-oid NAME 'nsDirectoryFailoverList' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'Netscape' 'user defined' ) )
attributeTypes: ( nsSSLSessionTimeout-oid NAME 'nsSSLSessionTimeout' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.11.36 NAME 'ipaSecondaryBaseRID' DESC 'First value of a secondary RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v3' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2253 NAME 'nsslapd-nagle' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2118 NAME 'dnaInterval' DESC 'DNA interval between values' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( '389 Directory Server' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange' DESC 'Timestamp of when the password will expire' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'RFC 4519' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2188 NAME 'nsslapd-errorlog-logrotationtimeunit' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.2428.20.1.32769 NAME 'DLVRecord' DESC 'DNSSEC Lookaside Validation, RFC 4431' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.7.11 NAME 'ipaSudoRunAsGroupCategory' DESC 'Additional classification for groups' SUP userCategory EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v2' 'user defined' ) )
attributeTypes: ( 0.9.2342.19200300.100.1.14 NAME 'documentAuthor' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'RFC 4524' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.5.9 NAME 'idnsSOAminimum' DESC 'SOA minimum value' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN ( 'IPA v2' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2311 NAME 'nsds5ReplicaFlowControlPause' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.66 NAME 'ntUserUniqueId' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE X-ORIGIN ( 'Netscape NT Synchronization' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2078 NAME ( 'passwordMinLowers' 'pwdMinLowers' ) DESC 'Netscape defined password policy attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.587 NAME 'nsds50ruv' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2167 NAME 'schemaUpdateAttributeAccept' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2271 NAME 'nsslapd-rewrite-rfc1274' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.11.54 NAME 'ipaPrivateKey' DESC 'Private key as DER-encoded EncryptedPrivateKeyInfo (RFC 5958)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.16.1.1 NAME 'ipatokenUniqueID' DESC 'Token Unique Identifier' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA OTP' 'user defined' ) )
attributeTypes: ( 1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'RFC 2307' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.31 NAME 'mailEnhancedUniqueMember' DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'Netscape Messaging Server 4.x' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113719.1.301.4.5.1 NAME 'krbUPEnabled' DESC 'Boolean' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.5.19 NAME 'idnsSecKeyCreated' DESC 'DNSSEC key creation timestamp' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.209 NAME 'vlvFilter' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( nsErrorLog-oid NAME 'nsErrorLog' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record' DESC 'A6 Record Type, RFC 2874' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.88 NAME 'cirUpdateFailedat' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC 'Base64 encoded user parameter string' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.250 NAME 'nsValueDefault' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape servers - value item' 'user defined' ) )
attributeTypes: ( 2.5.4.37 NAME 'cACertificate' DESC 'X.509 CA certificate' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN ( 'RFC 4523' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.14 NAME 'serviceSearchDescriptor' DESC 'Specifies search descriptors required, used, or supported by a particular service or agent' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'RFC4876' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.6981.11.3.2 NAME 'FTPQuotaMBytes' DESC 'Quota (in megabytes) for an FTP user' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'Pure-FTPd' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2105 NAME 'autoMemberTargetGroup' DESC 'Auto Membership target group' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN ( '389 Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.803 NAME 'nsBackendSuffix' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE directoryOperation X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2217 NAME 'nsslapd-allow-anonymous-access' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.53 NAME 'replicaBindMethod' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 0.9.2342.19200300.100.1.4 NAME 'info' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'RFC 4524' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.17.1.71 NAME 'ipk11AlwaysAuthenticate' DESC 'User has to authenticate for each use with this key' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) )
attributeTypes: ( nsSSLSupportedCiphers-oid NAME 'nsSSLSupportedCiphers' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2287 NAME 'nsslapd-force-sasl-external' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2065 NAME 'nsSaslMapBaseDNTemplate' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.5.4.5 NAME 'serialNumber' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 X-ORIGIN ( 'RFC 4519' 'user defined' ) )
attributeTypes: ( p12Expiration-oid NAME 'p12Expiration' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( tokenUserID-oid NAME 'tokenUserID' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( 2.16.840.1.113730.3.1.197 NAME 'replicaHost' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( tokenReason-oid NAME 'tokenReason' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold' DESC 'Lockout users after bad logon attempts (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 2.5.4.15 NAME 'businessCategory' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'RFC 4519' 'user defined' ) )
attributeTypes: ( 0.9.2342.19200300.100.1.48 NAME 'buildingName' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'RFC 4524' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.107 NAME 'passwordResetDuration' DESC 'Netscape defined password policy attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'RFC 2307' 'user defined' ) )
attributeTypes: ( tokenAppletID-oid NAME 'tokenAppletID' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( extensions-oid NAME 'extensions' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( 2.16.840.1.113730.3.1.2235 NAME 'nsslapd-ldapientrysearchbase' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( nsInstalledLocation-oid NAME 'nsInstalledLocation' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.573 NAME 'nsIdleTimeout' DESC 'Binder-based connection idle timeout (seconds)' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE USAGE directoryOperation X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.19.2.1 NAME 'ipaDomainLevel' DESC 'Domain Level value' EQUALITY numericStringMatch ORDERING numericStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 SINGLE-VALUE X-ORIGIN ( 'IPA v4' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.2428.20.4 NAME 'UnknownRecord' DESC 'unknown DNS record, RFC 3597' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.75 NAME 'adminUrl' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'Netscape Administration Services' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.245 NAME 'nsValueTel' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 X-ORIGIN ( 'Netscape servers - value item' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.1466.101.120.42 NAME 'preferredLocale' DESC 'preferred locale for a person' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape' 'user defined' ) )
attributeTypes: ( nsNYR-oid NAME 'nsNYR' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Administration Services' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2172 NAME 'nsslapd-accesslog-maxlogsize' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.3.5 NAME 'memberUser' DESC 'Reference to a principal that performs an action (usually user).' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'IPA v2' 'user defined' ) )
attributeTypes: ( userMessages-oid NAME 'userMessages' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( 1.3.18.0.2.4.1131 NAME 'printer-charset-supported' DESC 'Set of charsets supported for the attribute values of syntax DirectoryString for this directory entry.' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'rfc3712' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.4 NAME 'bindTimeLimit' DESC 'Maximum time an agent or service allows for a bind operation to complete' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'RFC4876' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.16.1.22 NAME 'ipatokenTOTPwatermark' DESC 'TOTP watermark' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA OTP' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.5.24 NAME 'idnsSecKeyZone' DESC 'DNSKEY ZONE flag (equivalent to bit 7): RFC 4035' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) )
attributeTypes: ( archivedBy-oid NAME 'archivedBy' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( 2.16.840.1.113719.1.301.4.53.1 NAME 'krbPrincContainerRef' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.3 NAME 'employeeNumber' DESC 'numerically identifies an employee within an organization' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'RFC 2798' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.551 NAME 'cosspecifier' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.97 NAME ( 'passwordMaxAge' 'pwdMaxAge' ) DESC 'Netscape defined password policy attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount' DESC 'Bad password attempt count' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 2.5.4.22 NAME 'teletexTerminalIdentifier' SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 X-ORIGIN ( 'RFC 4519' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.7.8 NAME 'ipaSudoRunAsUserCategory' DESC 'Additional classification for users' SUP userCategory EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v2' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2099 NAME 'autoMemberExclusiveRegex' DESC 'Auto Membership exclusive regex rule' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( '389 Directory Server' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord' DESC 'text string, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 1.3.6.1.1.1.1.2 NAME 'gecos' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'RFC 2307' 'user defined' ) )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid' DESC 'Next NT rid to give our for users' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2222 NAME 'nsslapd-localuser' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.2180 NAME 'nsslapd-auditlog-logrotationsynchour' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2309 NAME 'nsds5ReplicaPreciseTombston ePurging' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115. 121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( tokenOrigin-oid NAME 'tokenOrigin' DESC 'CMS defined attribu te' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( 2.16.840.1.113730.3.1.2292 NAME 'nsslapd-disk-monitoring-log ging-critical' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466 .115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defin ed' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2070 NAME 'pamIDMapMethod' DESC 'How t o map BIND DN to PAM identity' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VA LUE X-ORIGIN ( 'Red Hat Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.408 NAME 'replicaLastRelevantChange' D ESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X- ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.76 NAME 'sambaTrustAuthIncoming' DESC ' Authentication information for the incoming portion of a trust' EQUALITY case ExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( allowPinReset-oid NAME 'allowPinReset' DESC 'CMS defined att ribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) attributeTypes: ( 2.16.840.1.113730.3.1.2269 NAME 'nsslapd-errorlog-list' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORI GIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 1.3.18.0.2.4.1124 NAME 'printer-number-up-supported' DESC 'T he possible numbers of print-stream pages to impose upon a single side of an instance of a selected medium.' 
EQUALITY integerMatch ORDERING integerOrderin gMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN ( 'rfc3712' 'user define d' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.16.1.9 NAME 'ipatokenOTPalgorithm' DES C 'OTP Token Algorithm' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115. 121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA OTP' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.16.1.17 NAME 'ipatokenRadiusSecret' DE SC 'Server Secret' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121. 1.40 SINGLE-VALUE X-ORIGIN ( 'IPA OTP' 'user defined' ) ) attributeTypes: ( 2.5.21.7 NAME 'nameForms' EQUALITY objectIdentifierFirstCom ponentMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE directoryOperation X-O RIGIN ( 'RFC 4512' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113719.1.301.4.36.1 NAME 'krbPwdPolicyReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE- VALUE X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 0.9.2342.19200300.100.1.55 NAME 'audio' EQUALITY octetStrin gMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN ( 'RFC 1274' 'user defin ed' ) ) attributeTypes: ( 1.3.6.1.1.1.1.28 NAME 'nisPublickey' DESC 'nisPublickey' EQU ALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'RFC 2307bis' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.29 NAME 'mgrpMsgRejectText' DESC 'Nets cape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121. 
1.26 X-ORIGIN ( 'Netscape Messaging Server 4.x' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.5.11 NAME 'idnsAllowQuery' DESC 'BIND9 allow-query ACL element' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466 .115.121.1.26 SINGLE-VALUE X-ORIGIN ( 'IPA v2' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2136 NAME 'nsds5ReplicaCleanRUVNotifie d' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.2 7 X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.231 NAME 'nsslapd-pluginEnabled' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE -VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( nsWellKnownJarfiles-oid NAME 'nsWellKnownJarfiles' DESC 'Net scape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Administration Services' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.2428.20.1.30 NAME 'nXTRecord' DESC 'non-existant , RFC 2535' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch S YNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( nsAdminAccessHosts-oid NAME 'nsAdminAccessHosts' DESC 'Netsc ape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( ' Netscape Administration Services' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.1466.101.120.16 NAME 'ldapSyntaxes' EQUALITY ob jectIdentifierFirstComponentMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE directoryOperation X-ORIGIN ( 'RFC 4512' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.328 NAME 'nsMatchingRule' DESC 'Netsca pe defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'N etscape Directory Server' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.6 NAME 'eduPersonPrincipalName' DESC 'Principal Name' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 
'http://middleware.internet2.edu/eduperson/' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.80 NAME 'cirHost' DESC 'Netscape defin ed attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.11.15 NAME 'ipaNTTrustAuthOutgoing' DE SC 'Authentication information for the outgoing portion of a trust' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.42.2.27.4.1.11 NAME 'javaReferenceAddress' DESC 'Addresses associated with a JNDI Reference' EQUALITY caseExactMatch SYNTAX 1 .3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'RFC 2713' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.17.1.16 NAME 'ipk11Trusted' DESC 'Can be trusted by application' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115. 121.1.7 SINGLE-VALUE X-ORIGIN ( 'IPA v4.1' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2086 NAME 'mepManagedBy' DESC 'Managed Entries backpointer' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( '389 Di rectory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.3.19 NAME 'serviceCategory' DESC 'Addi tional classification for services' EQUALITY caseIgnoreMatch ORDERING caseIgn oreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115 .121.1.15 X-ORIGIN ( 'IPA v2' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.684 NAME 'nsds5ReplicaChangeCount' DES C 'Netscape defined attribute type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1. 
1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user d efined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.20.2.3 NAME 'ipaReplTopoSegmentLeftNod e' DESC 'IPA defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-O RIGIN ( 'FreeIPA' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.1.1 NAME 'ipaUserSearchFields' EQUALI TY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'IPA v4. 2.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.1101 NAME 'nsRoleScopeDN' DESC 'Scope of a role' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN ( '389 Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.17.1.69 NAME 'ipk11WrapWithTrusted' DE SC 'Key can only be wrapped with a trusted wrapping key' EQUALITY booleanMatc h SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN ( 'IPA v4.1' 'use r defined' ) ) attributeTypes: ( 2.16.840.1.113719.1.301.4.41.1 NAME 'krbSubTrees' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN ( 'IPA v 4.2.0' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.2428.20.1.52 NAME 'TLSARecord' DESC 'DNS-Based A uthentication of Named Entities - Transport Layer Security Protocol, RFC 6698 ' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3. 6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'IPA v4.2.0' 'user defined' ) ) attributeTypes: ( 1.3.1.1.4.1.453.16.2.103 NAME 'numSubordinates' DESC 'count of immediate subordinates' EQUALITY integerMatch ORDERING integerOrderingMatc h SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE NO-USER-MODIFICATION USAG E directoryOperation X-ORIGIN ( 'numSubordinates Internet Draft' 'user define d' ) ) attributeTypes: ( 1.3.6.1.4.1.13769.3.6 NAME 'mozillaHomeCountryName' SUP nam e EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4. 
1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Mozilla Address Book' 'user defi ned' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2144 NAME 'rootdn-open-time' DESC 'Net scape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VAL UE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.11.33 NAME 'ipaBaseID' DESC 'First val ue of a Posix ID range' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121 .1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v3' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2256 NAME 'passwordLegacyPolicy' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE -VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.9999999 NAME 'nsds5debugreplicatimeout ' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( SubsystemName-oid NAME 'SubsystemName' SYNTAX 1.3.6.1.4.1.1 466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' ) attributeTypes: ( 0.9.2342.19200300.100.1.40 NAME 'personalTitle' EQUALITY ca seIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.12 1.1.15 X-ORIGIN ( 'RFC 4524' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.1466.101.120.5 NAME 'namingContexts' SYNTAX 1.3 .6.1.4.1.1466.115.121.1.12 USAGE dSAOperation X-ORIGIN ( 'RFC 4512' 'user def ined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.12 NAME 'mailAccessDomain' DESC 'Netsc ape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1 .15 X-ORIGIN ( 'Netscape Messaging Server 4.x' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2123 NAME 'dnaSharedCfgDN' DESC 'DNA s hared configuration entry DN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VAL UE X-ORIGIN ( '389 Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.226 NAME 'nsslapd-pluginType' DESC 'Ne tscape 
defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VA LUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime' DESC 'Timest amp of when the user will be logged off automatically' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'IPA v4.2.0' 'us er defined' ) ) attributeTypes: ( 2.5.4.44 NAME 'generationQualifier' SUP name EQUALITY caseI gnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1 .15 X-ORIGIN ( 'RFC 4519' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2193 NAME 'nsslapd-accesslog-logminfre ediskspace' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.11 5.121.1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.8.7.14 NAME 'ipaSudoRunAsExtUserGroup' D ESC 'Multivalue string attribute that allows storing groups of users that are not managed by IPA the command can be run as' EQUALITY caseIgnoreMatch ORDER ING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466. 115.121.1.15 X-ORIGIN ( 'IPA v4.0' 'user defined' ) ) attributeTypes: ( 2.16.840.1.113730.3.1.2314 NAME 'nsslapd-changelogcompactdb- interval' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115. 
121.1.15 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.8.5.4 NAME 'idnsSOArName' DESC 'SOA root Name' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN ( 'IPA v2' 'user defined' ) )
attributeTypes: ( 2.16.840.1.113730.3.1.612 NAME 'generation' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
nsSchemaCSN: 570fc86a000000000000

From gnotrica at candeal.com Wed Apr 20 16:00:03 2016
From: gnotrica at candeal.com (Gady Notrica)
Date: Wed, 20 Apr 2016 16:00:03 +0000
Subject: [Freeipa-users] ipa-client-install errors
Message-ID: <0984AB34E553F54B8705D776686863E70ABF67D5@cd-exchange01.CD-PRD.candeal.ca>

Hello World,

I am having these errors trying to install ipa-client-install. Every other machine is fine and the IPA servers are functioning perfectly.

Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1

Kerberos authentication failed: kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library

Then I have "Installation failed. Rolling back changes."

I have tried everything I know with no luck. Any idea on how to FIX this? Below is the full log.

-----------------------------------------------------------
Continue to configure the system with these values? [no]: yes
Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for admin at IPA.DOMAIN.COM:
Please make sure the following ports are opened in the firewall settings:
  TCP: 80, 88, 389
  UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
  TCP: 464
  UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed: kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library

Installation failed. Rolling back changes.
Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
---------------------------------------------------------------

Gady
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From abokovoy at redhat.com Wed Apr 20 16:10:18 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 20 Apr 2016 19:10:18 +0300
Subject: [Freeipa-users] ipa ERROR on user-add after RHEL 7 yum update
In-Reply-To: <5717A4CB.1000506@umanitoba.ca>
References: <5717A4CB.1000506@umanitoba.ca>
Message-ID: <20160420161018.GR24892@redhat.com>

On Wed, 20 Apr 2016, Daryl Fonseca-Holt wrote:
>After doing a yum update on April 14 we are experiencing this error on an ipa
>user-add:
>    ipa: ERROR: missing attribute "nisMapName" required by object class
>    "nisMap"
>The /var/log/ipaupgrade.log is too large to attach but I didn't see any obvious
>errors in it.
>
>After the update the versions are:
>    ipa-server-4.2.0-15.el7_2.6.1.x86_64
>    389-ds-base-1.3.4.0-29
>The dirsrv instance log has this error:
>    [19/Apr/2016:09:48:44 -0500] - Entry
>    "uid=testuser,cn=users,cn=accounts,dc=uofmt1" missing attribute
>    "nisMapName" required by object class "nisMap"
Default user object classes do not include nisMap object class. Did you
add that yourself?

>Looking at the schema for the instance the attribute seems to be there:
>    cd /etc/dirsrv/slapd-UOFMT1/schema
>    grep nisMapName *
>    10rfc2307.ldif:attributeTypes: ( 1.3.6.1.1.1.1.26 NAME 'nisMapName'
>    DESC 'Standard LDAP attribute type' SYNTAX
>    1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 2307' )
>    10rfc2307.ldif:objectClasses: ( 1.3.6.1.1.1.2.10 NAME 'nisObject'
>    DESC 'Standard LDAP objectclass' SUP top STRUCTURAL MUST ( cn $
>    nisMapEntry $ nisMapName ) MAY ( description ) X-ORIGIN 'RFC 2307' )
>    10rfc2307.ldif:objectClasses: ( 1.3.6.1.1.1.2.13 NAME 'nisMap' DESC
>    'Standard LDAP objectclass' SUP top STRUCTURAL MUST ( nisMapName )
>    MAY ( description ) X-ORIGIN 'RFC 2307' )
>    99user.ldif: lass' SUP top STRUCTURAL MUST ( cn $ nisMapEntry $
>    nisMapName ) MAY descripti
>    99user.ldif: s' SUP top STRUCTURAL MUST nisMapName MAY description X-
>    ORIGIN ( 'RFC 2307' '
>    99user.ldif:attributeTypes: ( 1.3.6.1.1.1.1.26 NAME 'nisMapName' DESC
>    'Standard LDAP attri
>I've attached the dirsrv instance 10rfc2307.ldif and 99user.ldif. It doesn't
>make sense that 99user.ldif has a nisMap objectclass in it. Or is this
>something the upgrade is trying to override?
99user.ldif accumulates all schema changes that come through replication
or via updates.
Can you show full entry for uid=testuser (filter userPassword field) and
also output of

$ ipa config-show --all|grep objectclass
  Default group objectclasses: top, ipaobject, groupofnames, ipausergroup, nestedgroup
  Default user objectclasses: ipaobject, person, top, ipasshuser, inetorgperson, organizationalperson, krbticketpolicyaux, krbprincipalaux, inetuser, posixaccount
  objectclass: ipaConfigObject, nsContainer, top, ipaGuiConfig, ipaUserAuthTypeClass

>
>Since this IPA server was first installed these updates have been applied:
>    grep 'IPA version' /var/log/ipaupgrade.log
>    2016-02-02T15:47:48Z DEBUG IPA version 4.2.0-15.el7_2.3
>    2016-03-25T19:21:18Z DEBUG IPA version 4.2.0-15.el7_2.6
>    2016-03-25T19:33:21Z DEBUG IPA version 4.2.0-15.el7_2.6
>    2016-03-25T19:42:23Z DEBUG IPA version 4.2.0-15.el7_2.6
>    2016-04-14T15:47:31Z DEBUG IPA version 4.2.0-15.el7_2.6.1
>    2016-04-14T15:56:50Z DEBUG IPA version 4.2.0-15.el7_2.6.1
>    2016-04-14T16:12:58Z DEBUG IPA version 4.2.0-15.el7_2.6.1
>    2016-04-14T16:22:07Z DEBUG IPA version 4.2.0-15.el7_2.6.1
Difference between -15.el7_2.6 and -15.el7_2.6.1 is a rebuild against
updated Samba version.

--
/ Alexander Bokovoy

From mbasti at redhat.com Wed Apr 20 16:49:41 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 20 Apr 2016 18:49:41 +0200
Subject: [Freeipa-users] ipa-client-install errors
In-Reply-To: <0984AB34E553F54B8705D776686863E70ABF67D5@cd-exchange01.CD-PRD.candeal.ca>
References: <0984AB34E553F54B8705D776686863E70ABF67D5@cd-exchange01.CD-PRD.candeal.ca>
Message-ID: <5717B325.3080708@redhat.com>

On 20.04.2016 18:00, Gady Notrica wrote:
>
> Hello World,
>
> I am having these errors trying to install ipa-client-install.
> Every other machine is fine and the IPA servers are functioning perfectly
>
> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>
> Kerberos authentication failed: kinit: Improper format of Kerberos
> configuration file while initializing Kerberos 5 library
>
> Then I have "Installation failed. Rolling back changes."
>
> I have tried everything I know with no luck. Any idea on how to FIX
> this? Below is the full log.
>
> -----------------------------------------------------------
>
> Continue to configure the system with these values? [no]: yes
> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
> Skipping synchronizing time with NTP server.
> User authorized to enroll computers: admin
> Password for admin at IPA.DOMAIN.COM:
> Please make sure the following ports are opened in the firewall
> settings:
>   TCP: 80, 88, 389
>   UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> Also note that following ports are necessary for ipa-client working
> properly after enrollment:
>   TCP: 464
>   UDP: 464, 123 (if NTP enabled)
> Kerberos authentication failed: kinit: Improper format of Kerberos
> configuration file while initializing Kerberos 5 library
>
> Installation failed. Rolling back changes.
> Failed to list certificates in /etc/ipa/nssdb: Command
> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
> exit status 255
> Disabling client Kerberos and LDAP configurations
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
> /etc/sssd/sssd.conf.deleted
> Restoring client configuration files
> nscd daemon is not installed, skip configuration
> nslcd daemon is not installed, skip configuration
> Client uninstall complete.
> ---------------------------------------------------------------
>
> Gady
>
>

Hello,

IMO you have an old invalid keytab on that machine. Can you manually
remove it and try to reinstall client?
(Of course only if you are sure that keytab there is not needed)

The keytab should be located here /etc/krb5.keytab

Martin
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rmj at ast.cam.ac.uk Wed Apr 20 16:52:51 2016
From: rmj at ast.cam.ac.uk (Roderick Johnstone)
Date: Wed, 20 Apr 2016 17:52:51 +0100
Subject: [Freeipa-users] Warning about session memcached servers from ipa-replica-manage
In-Reply-To: <57177E13.3090104@redhat.com>
References: <57177B61.10409@ast.cam.ac.uk> <57177E13.3090104@redhat.com>
Message-ID: <5717B3E3.8060205@ast.cam.ac.uk>

On 20/04/16 14:03, Rob Crittenden wrote:
> Roderick Johnstone wrote:
>> Hi
>>
>> I'm getting the following warning on RHEL7 ipa servers
>> (ipa-server-4.2.0-15.el7_2.6.1.x86_64).
>>
>> $ ipa-replica-manage list
>> ipa: WARNING: session memcached servers not running
>> aaa.xxx.yyy: master
>> bbb.xxx.yyy: master
>>
>> Can someone advise please on what the session memcached servers are for
>> and how to get them running, assuming they are worth having.
>
> I think this can be ignored. In order to see if there are servers
> running the code needs to read /var/run/ipa_memcached and lacks read
> permissions. The warning is not particularly helpful.
>
> rob

ok, thanks Rob. I'll ignore it.

Roderick

From mbabinsk at redhat.com Wed Apr 20 17:03:34 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 20 Apr 2016 19:03:34 +0200
Subject: [Freeipa-users] ipa-client-install errors
In-Reply-To: <0984AB34E553F54B8705D776686863E70ABF67D5@cd-exchange01.CD-PRD.candeal.ca>
References: <0984AB34E553F54B8705D776686863E70ABF67D5@cd-exchange01.CD-PRD.candeal.ca>
Message-ID: <5717B666.7000707@redhat.com>

On 04/20/2016 06:00 PM, Gady Notrica wrote:
> Hello World,
>
> I am having these errors trying to install ipa-client-install.
> Every other machine is fine and the IPA servers are functioning perfectly
>
> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>
> Kerberos authentication failed: kinit: Improper format of Kerberos
> configuration file while initializing Kerberos 5 library
>
> Then I have "Installation failed. Rolling back changes."
>
> I have tried everything I know with no luck. Any idea on how to FIX
> this? Below is the full log.
>
> -----------------------------------------------------------
>
> Continue to configure the system with these values? [no]: yes
> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
> Skipping synchronizing time with NTP server.
> User authorized to enroll computers: admin
> Password for admin at IPA.DOMAIN.COM:
> Please make sure the following ports are opened in the firewall settings:
>   TCP: 80, 88, 389
>   UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> Also note that following ports are necessary for ipa-client working
> properly after enrollment:
>   TCP: 464
>   UDP: 464, 123 (if NTP enabled)
> Kerberos authentication failed: kinit: Improper format of Kerberos
> configuration file while initializing Kerberos 5 library
>
> Installation failed. Rolling back changes.
> Failed to list certificates in /etc/ipa/nssdb: Command
> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit
> status 255
> Disabling client Kerberos and LDAP configurations
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
> /etc/sssd/sssd.conf.deleted
> Restoring client configuration files
> nscd daemon is not installed, skip configuration
> nslcd daemon is not installed, skip configuration
> Client uninstall complete.
> ---------------------------------------------------------------
>
> Gady
>
>

We would need to see the whole log, it should be located in
'/var/log/ipaclient-install.log'

--
Martin^3 Babinsky

From gnotrica at candeal.com Wed Apr 20 17:12:34 2016
From: gnotrica at candeal.com (Gady Notrica)
Date: Wed, 20 Apr 2016 17:12:34 +0000
Subject: [Freeipa-users] ipa-client-install errors
In-Reply-To: <5717B666.7000707@redhat.com>
References: <0984AB34E553F54B8705D776686863E70ABF67D5@cd-exchange01.CD-PRD.candeal.ca> <5717B666.7000707@redhat.com>
Message-ID: <0984AB34E553F54B8705D776686863E70ABF697D@cd-exchange01.CD-PRD.candeal.ca>

Please find attached the install log

Gady

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Martin Babinsky
Sent: April 20, 2016 1:04 PM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

On 04/20/2016 06:00 PM, Gady Notrica wrote:
> Hello World,
>
> I am having these errors trying to install ipa-client-install. Every
> other machine is fine and the IPA servers are functioning perfectly
>
> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>
> Kerberos authentication failed: kinit: Improper format of Kerberos
> configuration file while initializing Kerberos 5 library
>
> Then I have "Installation failed. Rolling back changes."
>
> I have tried everything I know with no luck. Any idea on how to FIX
> this?
> Below is the full log.
>
> -----------------------------------------------------------
>
> Continue to configure the system with these values? [no]: yes
> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
> Skipping synchronizing time with NTP server.
> User authorized to enroll computers: admin
> Password for admin at IPA.DOMAIN.COM:
> Please make sure the following ports are opened in the firewall
> settings:
>   TCP: 80, 88, 389
>   UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> Also note that following ports are necessary for ipa-client working
> properly after enrollment:
>   TCP: 464
>   UDP: 464, 123 (if NTP enabled)
> Kerberos authentication failed: kinit: Improper format of Kerberos
> configuration file while initializing Kerberos 5 library
>
> Installation failed. Rolling back changes.
> Failed to list certificates in /etc/ipa/nssdb: Command
> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
> exit status 255
> Disabling client Kerberos and LDAP configurations
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
> /etc/sssd/sssd.conf.deleted
> Restoring client configuration files
> nscd daemon is not installed, skip configuration
> nslcd daemon is not installed, skip configuration
> Client uninstall complete.
> ---------------------------------------------------------------
>
> Gady
>
>

We would need to see the whole log, it should be located in
'/var/log/ipaclient-install.log'

--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ipa-client-install.txt
URL:

From gnotrica at candeal.com Wed Apr 20 17:13:27 2016
From: gnotrica at candeal.com (Gady Notrica)
Date: Wed, 20 Apr 2016 17:13:27 +0000
Subject: [Freeipa-users] ipa-client-install errors
In-Reply-To: <5717B325.3080708@redhat.com>
References: <0984AB34E553F54B8705D776686863E70ABF67D5@cd-exchange01.CD-PRD.candeal.ca> <5717B325.3080708@redhat.com>
Message-ID: <0984AB34E553F54B8705D776686863E70ABF69AC@cd-exchange01.CD-PRD.candeal.ca>

Thank you Martin,

I have tried many different ways. I can't seem to be able to remove anything in the file.

Gady

From: Martin Basti [mailto:mbasti at redhat.com]
Sent: April 20, 2016 12:50 PM
To: Gady Notrica; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

On 20.04.2016 18:00, Gady Notrica wrote:

Hello World,

I am having these errors trying to install ipa-client-install. Every other machine is fine and the IPA servers are functioning perfectly

Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1

Kerberos authentication failed: kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library

Then I have "Installation failed. Rolling back changes."

I have tried everything I know with no luck. Any idea on how to FIX this? Below is the full log.

-----------------------------------------------------------
Continue to configure the system with these values? [no]: yes
Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin Password for admin at IPA.DOMAIN.COM: Please make sure the following ports are opened in the firewall settings: TCP: 80, 88, 389 UDP: 88 (at least one of TCP/UDP ports 88 has to be open) Also note that following ports are necessary for ipa-client working properly after enrollment: TCP: 464 UDP: 464, 123 (if NTP enabled) Kerberos authentication failed: kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library Installation failed. Rolling back changes. Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255 Disabling client Kerberos and LDAP configurations Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted Restoring client configuration files nscd daemon is not installed, skip configuration nslcd daemon is not installed, skip configuration Client uninstall complete. --------------------------------------------------------------- Gady Hello, IMO you have an old invalid keytab on that machine. Can you manually remove it and try to reinstall client? (Of course only if you are sure that keytab there is not needed) The keytab should be located here /etc/krb5.keytab Martin -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From mbabinsk at redhat.com Wed Apr 20 17:17:06 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 20 Apr 2016 19:17:06 +0200 Subject: [Freeipa-users] ipa-client-install errors In-Reply-To: <0984AB34E553F54B8705D776686863E70ABF697D@cd-exchange01.CD-PRD.candeal.ca> References: <0984AB34E553F54B8705D776686863E70ABF67D5@cd-exchange01.CD-PRD.candeal.ca> <5717B666.7000707@redhat.com> <0984AB34E553F54B8705D776686863E70ABF697D@cd-exchange01.CD-PRD.candeal.ca> Message-ID: <5717B992.4020003@redhat.com> On 04/20/2016 07:12 PM, Gady Notrica wrote: > Please find attached the install log > > Gady > > -----Original Message----- > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Martin Babinsky > Sent: April 20, 2016 1:04 PM > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] ipa-client-install errors > > On 04/20/2016 06:00 PM, Gady Notrica wrote: >> Hello World, >> >> I am having these errors trying to install ipa-client-install. Every >> other machine is fine and they IPA servers are functioning perfectly >> >> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1 >> >> Kerberos authentication failed: kinit: Improper format of Kerberos >> configuration file while initializing Kerberos 5 library >> >> Then I have "/Installation failed. Rolling back changes."/ >> >> I have tried everything I know with no luck. Any idea on how to FIX >> this? Below is the full log. >> >> ----------------------------------------------------------- >> >> /Continue to configure the system with these values? 
[no]: yes/ >> >> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/ >> >> /Skipping synchronizing time with NTP server./ >> >> /User authorized to enroll computers: admin/ >> >> /Password for admin at IPA.DOMAIN.COM:/ >> >> /Please make sure the following ports are opened in the firewall >> settings:/ >> >> / TCP: 80, 88, 389/ >> >> / UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/ >> >> /Also note that following ports are necessary for ipa-client working >> properly after enrollment:/ >> >> / TCP: 464/ >> >> / UDP: 464, 123 (if NTP enabled)/ >> >> /Kerberos authentication failed: kinit: Improper format of Kerberos >> configuration file while initializing Kerberos 5 library/ >> >> // >> >> /Installation failed. Rolling back changes./ >> >> /Failed to list certificates in /etc/ipa/nssdb: Command >> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero >> exit status 255/ >> >> /Disabling client Kerberos and LDAP configurations/ >> >> /Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to >> /etc/sssd/sssd.conf.deleted/ >> >> /Restoring client configuration files/ >> >> /nscd daemon is not installed, skip configuration/ >> >> /nslcd daemon is not installed, skip configuration/ >> >> /Client uninstall complete./ >> >> /---------------------------------------------------------------/ >> >> Gady >> >> >> > We would need to see the whole log, it should be located in '/var/log/ipaclient-install.log' > > -- > Martin^3 Babinsky > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > It looks like the log is truncated. Are you sure that this is the full version? 
-- Martin^3 Babinsky From abokovoy at redhat.com Wed Apr 20 17:40:44 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 20 Apr 2016 20:40:44 +0300 Subject: [Freeipa-users] ipa ERROR on user-add after RHEL 7 yum update SOLVED In-Reply-To: <5717B153.4050207@umanitoba.ca> References: <5717A4CB.1000506@umanitoba.ca> <20160420161018.GR24892@redhat.com> <5717B153.4050207@umanitoba.ca> Message-ID: <20160420174044.GV24892@redhat.com> Hi Daryl, please always reply to the list. On Wed, 20 Apr 2016, Daryl Fonseca-Holt wrote: > > >On 04/20/16 11:10, Alexander Bokovoy wrote: >>On Wed, 20 Apr 2016, Daryl Fonseca-Holt wrote: >>>After doing a yum update on April 14 we are experiencing this >>>error on an ipa >>>user-add: >>> ipa: ERROR: missing attribute "nisMapName" required by object class >>> "nisMap" >>>The /var/log/ipaupgrade.log is too large to attach but I didn't >>>see any obvious >>>errors in it. >>> >>>After the update the versions are: >>> ipa-server-4.2.0-15.el7_2.6.1.x86_64 >>> 389-ds-base-1.3.4.0-29 >>>The dirsrv instance log has this error: >>> [19/Apr/2016:09:48:44 -0500] - Entry >>> "uid=testuser,cn=users,cn=accounts,dc=uofmt1" missing attribute >>> "nisMapName" required by object class "nisMap" >>Default user object classes do not include nisMap object class. Did you >>add that yourself? >Yes, in a misguided attempt to get an NIS map to work. I'll remove it. > >That fixed the problem. ipa user-add is working again! > Default group objectclasses: top, ipaobject, groupofnames, >ipausergroup, nestedgroup > Default user objectclasses: ipaobject, person, top, ipasshuser, >inetorgperson, umanitobaPerson, organizationalperson, >krbticketpolicyaux, krbprincipalaux, nisMap, inetuser, posixaccount As I suspected, nisMap is in the default user object classes. Never add it there :) >Thanks for your expertise! After I removed the nisMap from the user >object classes the user-add started working again. 
-- / Alexander Bokovoy From t.ruiten at rdmedia.com Wed Apr 20 17:44:06 2016 From: t.ruiten at rdmedia.com (Tiemen Ruiten) Date: Wed, 20 Apr 2016 19:44:06 +0200 Subject: [Freeipa-users] FreeIPA and PWM In-Reply-To: <20160420153935.GP24892@redhat.com> References: <20160420153935.GP24892@redhat.com> Message-ID: Thanks Alexander, that got my past that error. I created the sysaccount and I can bind successfully, but in accordance with the documentation, it doesn't have rights to modify other users: Unexpected error while testing ldap test user LDAP ? LDAP Directories ? default ? LDAP Test User, error: javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient 'write' privilege to the 'userPassword' attribute of entry 'uid=test.user,cn=users,cn=accounts,dc=ipa,dc=rdmedia,dc=com'. ] This LDAP Proxy User will try to do the following things to the LDAP Test User: "The following functionality (if enabled) will be tested using the test user account. Authentication Password policy reading Set password Set challenge/responses Load challenge/responses" What is best practice here, should I grant more privileges to the sysaccount (how?), or should I create a 'regular' user in the UI/through the ipa cli and grant the necessary roles there? On 20 April 2016 at 17:39, Alexander Bokovoy wrote: > On Wed, 20 Apr 2016, Tiemen Ruiten wrote: > >> Hello, >> >> I'm trying to set up a self-service page for a new IPA domain and I'm >> trying to use PWM for that. >> >> When I try to bind to FreeIPA from within PWM, with the configured "LDAP >> Proxy User", I get the following error: >> >> error connecting to ldap server 'ldaps://polonium.ipa.rdmedia.com:636': >> unable to create connection: unable to bind to ldaps:// >> polonium.ipa.rdmedia.com:636 as >> cn=svcpwmproxy,cn=groups,cn=accounts,dc=ipa,dc=rdmedia,dc=com reason: >> [LDAP: error code 48 - Inappropriate Authentication] >> > You are trying to bind as a group, not as a user. Group has no > passwords. 
> > You need to have a user object or just a sysaccount to bind to LDAP. > See http://www.freeipa.org/page/HowTo/LDAP#System_Accounts for > sysaccounts. > > >> In /var/log/krb5kdc.log I see: >> >> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): AS_REQ (6 >> etypes {18 17 16 23 25 26}) 192.168.50.33: NEEDED_PREAUTH: host/ >> protactinium.ipa.rdmedia.com at IPA.RDMEDIA.COM for krbtgt/ >> IPA.RDMEDIA.COM at IPA.RDMEDIA.COM, Additional pre-authentication required >> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing >> down >> fd 12 >> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): AS_REQ (6 >> etypes {18 17 16 23 25 26}) 192.168.50.33: ISSUE: authtime 1461165149, >> etypes {rep=18 tkt=18 ses=18}, host/ >> protactinium.ipa.rdmedia.com at IPA.RDMEDIA.COM for krbtgt/ >> IPA.RDMEDIA.COM at IPA.RDMEDIA.COM >> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing >> down >> fd 12 >> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): TGS_REQ (6 >> etypes {18 17 16 23 25 26}) 192.168.50.33: ISSUE: authtime 1461165149, >> etypes {rep=18 tkt=18 ses=18}, host/ >> protactinium.ipa.rdmedia.com at IPA.RDMEDIA.COM for ldap/ >> polonium.ipa.rdmedia.com at IPA.RDMEDIA.COM >> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing >> down >> fd 12 >> > Kerberos is completely unrelated here. > > > >> What is going on? What can I do to debug this more? >> >> >> -- >> Tiemen Ruiten >> Systems Engineer >> R&D Media >> > > -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project >> > > > -- > / Alexander Bokovoy > -- Tiemen Ruiten Systems Engineer R&D Media -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From rcritten at redhat.com Wed Apr 20 17:58:53 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 20 Apr 2016 13:58:53 -0400 Subject: [Freeipa-users] ipa-client-install errors In-Reply-To: <5717B325.3080708@redhat.com> References: <0984AB34E553F54B8705D776686863E70ABF67D5@cd-exchange01.CD-PRD.candeal.ca> <5717B325.3080708@redhat.com> Message-ID: <5717C35D.3030905@redhat.com> Martin Basti wrote: > > > On 20.04.2016 18:00, Gady Notrica wrote: >> >> Hello World, >> >> I am having these errors trying to install ipa-client-install. Every >> other machine is fine and they IPA servers are functioning perfectly >> >> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1 >> >> Kerberos authentication failed: kinit: Improper format of Kerberos >> configuration file while initializing Kerberos 5 library >> >> Then I have ?/Installation failed. Rolling back changes.?/ >> >> I have tried everything I know with no luck. Any idea on how to FIX >> this? Below is the full log. >> >> ----------------------------------------------------------- >> >> /Continue to configure the system with these values? [no]: yes/ >> >> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/ >> >> /Skipping synchronizing time with NTP server./ >> >> /User authorized to enroll computers: admin/ >> >> /Password for admin at IPA.DOMAIN.COM:/ >> >> /Please make sure the following ports are opened in the firewall >> settings:/ >> >> /TCP: 80, 88, 389/ >> >> /UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/ >> >> /Also note that following ports are necessary for ipa-client working >> properly after enrollment:/ >> >> /TCP: 464/ >> >> /UDP: 464, 123 (if NTP enabled)/ >> >> /Kerberos authentication failed: kinit: Improper format of Kerberos >> configuration file while initializing Kerberos 5 library/ >> >> // >> >> /Installation failed. 
Rolling back changes./ >> >> /Failed to list certificates in /etc/ipa/nssdb: Command >> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero >> exit status 255/ >> >> /Disabling client Kerberos and LDAP configurations/ >> >> /Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to >> /etc/sssd/sssd.conf.deleted/ >> >> /Restoring client configuration files/ >> >> /nscd daemon is not installed, skip configuration/ >> >> /nslcd daemon is not installed, skip configuration/ >> >> /Client uninstall complete./ >> >> /---------------------------------------------------------------/ >> >> Gady >> >> >> > Hello, > > IMO you have an old invalid keytab on that machine. Can you manually > remove it and try to reinstall client? (Of course only if you are sure > that keytab there is not needed) > > The keytab should be located here /etc/krb5.keytab That or /etc/krb5.conf is messed up in some way. rob From gnotrica at candeal.com Wed Apr 20 18:11:47 2016 From: gnotrica at candeal.com (Gady Notrica) Date: Wed, 20 Apr 2016 18:11:47 +0000 Subject: [Freeipa-users] ipa-client-install errors In-Reply-To: <5717C35D.3030905@redhat.com> References: <0984AB34E553F54B8705D776686863E70ABF67D5@cd-exchange01.CD-PRD.candeal.ca> <5717B325.3080708@redhat.com> <5717C35D.3030905@redhat.com> Message-ID: <0984AB34E553F54B8705D776686863E70ABF6D3B@cd-exchange01.CD-PRD.candeal.ca> Any specific command in particular to remove that keytab? 
Since these don't work [root at cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab Kerberos context initialization failed [root at prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k /etc/krb5.keytab Kerberos context initialization failed [root at cprddb1 /]# Gady -----Original Message----- From: Rob Crittenden [mailto:rcritten at redhat.com] Sent: April 20, 2016 1:59 PM To: Martin Basti; Gady Notrica; freeipa-users at redhat.com Subject: Re: [Freeipa-users] ipa-client-install errors Martin Basti wrote: > > > On 20.04.2016 18:00, Gady Notrica wrote: >> >> Hello World, >> >> I am having these errors trying to install ipa-client-install. Every >> other machine is fine and they IPA servers are functioning perfectly >> >> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1 >> >> Kerberos authentication failed: kinit: Improper format of Kerberos >> configuration file while initializing Kerberos 5 library >> >> Then I have "/Installation failed. Rolling back changes."/ >> >> I have tried everything I know with no luck. Any idea on how to FIX >> this? Below is the full log. >> >> ----------------------------------------------------------- >> >> /Continue to configure the system with these values? [no]: yes/ >> >> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/ >> >> /Skipping synchronizing time with NTP server./ >> >> /User authorized to enroll computers: admin/ >> >> /Password for admin at IPA.DOMAIN.COM:/ >> >> /Please make sure the following ports are opened in the firewall >> settings:/ >> >> /TCP: 80, 88, 389/ >> >> /UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/ >> >> /Also note that following ports are necessary for ipa-client working >> properly after enrollment:/ >> >> /TCP: 464/ >> >> /UDP: 464, 123 (if NTP enabled)/ >> >> /Kerberos authentication failed: kinit: Improper format of Kerberos >> configuration file while initializing Kerberos 5 library/ >> >> // >> >> /Installation failed. 
Rolling back changes./ >> >> /Failed to list certificates in /etc/ipa/nssdb: Command >> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero >> exit status 255/ >> >> /Disabling client Kerberos and LDAP configurations/ >> >> /Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to >> /etc/sssd/sssd.conf.deleted/ >> >> /Restoring client configuration files/ >> >> /nscd daemon is not installed, skip configuration/ >> >> /nslcd daemon is not installed, skip configuration/ >> >> /Client uninstall complete./ >> >> /---------------------------------------------------------------/ >> >> Gady >> >> >> > Hello, > > IMO you have an old invalid keytab on that machine. Can you manually > remove it and try to reinstall client? (Of course only if you are sure > that keytab there is not needed) > > The keytab should be located here /etc/krb5.keytab That or /etc/krb5.conf is messed up in some way. rob From jeff.hallyburton at bloomip.com Wed Apr 20 18:18:28 2016 From: jeff.hallyburton at bloomip.com (Jeff Hallyburton) Date: Wed, 20 Apr 2016 14:18:28 -0400 Subject: [Freeipa-users] Servers intermittently losing connection to IPA In-Reply-To: References: <20160415071441.GD16887@p.redhat.com> <20160418145834.GB14060@p.redhat.com> Message-ID: Sumit, Raised the debug level to 10 and let it run for about 24 hours. Uploading the last 2000~ lines of the sssd_domain.com.log. Thanks for your help! https://pastebin.com/MD6N1Dj7 Jeff Hallyburton Strategic Systems Engineer Bloomip Inc. Web: http://www.bloomip.com Engineering Support: support at bloomip.com Billing Support: billing at bloomip.com Customer Support Portal: https://my.bloomip.com On Tue, Apr 19, 2016 at 1:14 PM, Jeff Hallyburton < jeff.hallyburton at bloomip.com> wrote: > Sumit, > > Raised the debug level to 10 and let it run for about 24 hours. Uploading > the full sssd_domain.com.log. Thanks for your help! > > Jeff > > Jeff Hallyburton > Strategic Systems Engineer > Bloomip Inc. 
> Web: http://www.bloomip.com > > Engineering Support: support at bloomip.com > Billing Support: billing at bloomip.com > Customer Support Portal: https://my.bloomip.com > > On Mon, Apr 18, 2016 at 10:58 AM, Sumit Bose wrote: > >> On Fri, Apr 15, 2016 at 04:47:42PM -0400, Jeff Hallyburton wrote: >> > After setting debug_level=8, this is what I see in the sssd_domain_log: >> >> Unfortunately the domain log and the krb5_child log do not relate to >> each other. >> >> > >> > (Fri Apr 15 20:10:46 2016) [sssd[be[example.com]]] >> [child_handler_setup] >> > (0x2000): Setting up signal handler up for pid [32382] >> > >> >> .... >> >> > >> > (Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731]]]] [k5c_setup_fast] >> > (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/ >> > jump02.west-2.production.example.com at EXAMPLE.COM] >> > >> >> ... >> >> > (Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731]]]] >> [get_and_save_tgt] >> > (0x0400): krb5_get_init_creds_password returned [-1765328324} during >> > pre-auth. >> > >> > >> > Can you shed any light on this? >> > >> >> In the domain log the child with the pid 32382 is started to run a >> pre-authentication request. The request is needed to find out which kind >> of authentication types are available for the user, e.g. password or >> 2-factor authentication with the OTP token. The request in the child >> with the PID 32731 looks like a real authentication request with returns >> with an error code -1765328324 which just means 'Generic error' but >> might have cause SSSD to go offline. >> >> I would like to ask you to run the test again with debug_level=10 in the >> [domain/...] section of sssd.conf which would enable some low level >> Kerberos tracing messages which might help to understand what kind of >> 'Generic error' was hit here. Additionally I would like ask you to send >> the full log files as attachment or in an archive which would hep be to >> better navigate through them. 
>> >> bye, >> Sumit >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From natxo.asenjo at gmail.com Wed Apr 20 18:24:23 2016 From: natxo.asenjo at gmail.com (Natxo Asenjo) Date: Wed, 20 Apr 2016 20:24:23 +0200 Subject: [Freeipa-users] ipa-client-install errors In-Reply-To: <0984AB34E553F54B8705D776686863E70ABF6D3B@cd-exchange01.CD-PRD.candeal.ca> References: <0984AB34E553F54B8705D776686863E70ABF67D5@cd-exchange01.CD-PRD.candeal.ca> <5717B325.3080708@redhat.com> <5717C35D.3030905@redhat.com> <0984AB34E553F54B8705D776686863E70ABF6D3B@cd-exchange01.CD-PRD.candeal.ca> Message-ID: hi Gady, On Wed, Apr 20, 2016 at 8:11 PM, Gady Notrica wrote: > Any specific command in particular to remove that keytab? > > Since these don't work > > [root at cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab > Kerberos context initialization failed > [root at prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k > /etc/krb5.keytab > Kerberos context initialization failed I think that you just need to rm /etc/krb5.keytab and remove the host object in the web interface if it exists. -- groet, natxo -------------- next part -------------- An HTML attachment was scrubbed... URL: From abokovoy at redhat.com Wed Apr 20 18:25:13 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 20 Apr 2016 21:25:13 +0300 Subject: [Freeipa-users] FreeIPA and PWM In-Reply-To: References: <20160420153935.GP24892@redhat.com> Message-ID: <20160420182513.GX24892@redhat.com> On Wed, 20 Apr 2016, Tiemen Ruiten wrote: >Thanks Alexander, that got my past that error. > >I created the sysaccount and I can bind successfully, but in accordance >with the documentation, it doesn't have rights to modify other users: > >Unexpected error while testing ldap test user LDAP ? LDAP Directories ? >default ? 
LDAP Test User, error: javax.naming.NoPermissionException: [LDAP: >error code 50 - Insufficient 'write' privilege to the 'userPassword' >attribute of entry >'uid=test.user,cn=users,cn=accounts,dc=ipa,dc=rdmedia,dc=com'. ] > >This LDAP Proxy User will try to do the following things to the LDAP Test >User: > >"The following functionality (if enabled) will be tested using the test >user account. > >Authentication >Password policy reading >Set password >Set challenge/responses >Load challenge/responses" > >What is best practice here, should I grant more privileges to the >sysaccount (how?), or should I create a 'regular' user in the UI/through >the ipa cli and grant the necessary roles there? Well, the situation is much more complex than you can realise. FreeIPA does not really tolerate someone else doing password modifications other than the user herself. FreeIPA password plugin marks the password as expired if it was modified by someone else. You can look at http://www.freeipa.org/page/Self-Service_Password_Reset for more detailed reasoning. If password reset and forcing it to be marked as 'expired' is OK, a password change done by PWM would need to be performed by a user with access to a permission 'System: Change User password'. FreeIPA has a number of layered concepts for managing access rights: permission, privilege, and role. They all support group-like granting. 
For example, the permission for changing user passwords looks like this:

$ ipa permission-show 'System: Change User password'
  Permission name: System: Change User password
  Granted rights: write
  Effective attributes: krbprincipalkey, passwordhistory, sambalmpassword, sambantpassword, userpassword
  Default attributes: userpassword, krbprincipalkey, sambantpassword, passwordhistory, sambalmpassword
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,dc=vda,dc=li
  Extra target filter: (!(memberOf=cn=admins,cn=groups,cn=accounts,dc=vda,dc=li))
  Type: user
  Granted to Privilege: User Administrators, Modify Users and Reset passwords
  Indirect Member of roles: helpdesk, User Administrator

You can see that a permission can be granted to a privilege. A privilege can be given to a role, and LDAP server access controls are based on these group-like memberships. The end result is that for the 'System: Change User password' permission the following LDAP server access control rule is added:

aci: (targetattr = "krbprincipalkey || passwordhistory || sambalmpassword || sambantpassword || userpassword")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Change User password";allow (write) groupdn = "ldap:///cn=System: Change User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)

This means only members of the following LDAP group "cn=System: Change User password,cn=permissions,cn=pbac,dc=ipa,dc=example" are allowed to modify user passwords.

IPA commands (either in WebUI or command line) don't allow you to add anything other than users and groups to roles, privileges, and permissions. If you want to add a sysaccount, you'd need to do so manually with LDAP tools. A safer way to do that is to use the ipa-ldap-updater tool.

Let's say you have a sysaccount uid=pwm,cn=sysaccounts,cn=etc,$SUFFIX.
Create the following file:

---------------------------------------------------------------------
# 70-add-sysaccount-to-permission.update
dn: cn=System: Change User password,cn=permissions,cn=pbac,$SUFFIX
add:member:uid=pwm,cn=sysaccounts,cn=etc,$SUFFIX
---------------------------------------------------------------------

and run

# ipa-ldap-updater ./70-add-sysaccount-to-permission.update

This would add a new value to the attribute 'member' of the 'System: Change User password' permission. For more details on ipa-ldap-updater see its man page and my article https://vda.li/en/posts/2015/01/02/playing-with-freeipa-ipa-ldap-updater/

Now that I led you through the pain to see what is under the cover, it would probably be easier to use IPA user user_pwm and call 'ipa role-add-member helpdesk --users=pwm_user' to add it to the role. :)

-- 
/ Alexander Bokovoy

From gnotrica at candeal.com Wed Apr 20 18:40:57 2016
From: gnotrica at candeal.com (Gady Notrica)
Date: Wed, 20 Apr 2016 18:40:57 +0000
Subject: [Freeipa-users] ipa-client-install errors
In-Reply-To: <0984AB34E553F54B8705D776686863E70ABF6D3B@cd-exchange01.CD-PRD.candeal.ca>
References: <0984AB34E553F54B8705D776686863E70ABF67D5@cd-exchange01.CD-PRD.candeal.ca> <5717B325.3080708@redhat.com> <5717C35D.3030905@redhat.com> <0984AB34E553F54B8705D776686863E70ABF6D3B@cd-exchange01.CD-PRD.candeal.ca>
Message-ID: <0984AB34E553F54B8705D776686863E70ABF6E2E@cd-exchange01.CD-PRD.candeal.ca>

Thank you guys for your help.

Still can't enroll the client. Any suggestion on the errors below?

Kerberos authentication failed: kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library

Installation failed. Rolling back changes.
Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255 Disabling client Kerberos and LDAP configurations Gady Notrica -----Original Message----- From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gady Notrica Sent: April 20, 2016 2:12 PM To: Rob Crittenden; Martin Basti; freeipa-users at redhat.com Subject: Re: [Freeipa-users] ipa-client-install errors Any specific command in particular to remove that keytab? Since these don't work [root at cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab Kerberos context initialization failed [root at prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k /etc/krb5.keytab Kerberos context initialization failed [root at cprddb1 /]# Gady -----Original Message----- From: Rob Crittenden [mailto:rcritten at redhat.com] Sent: April 20, 2016 1:59 PM To: Martin Basti; Gady Notrica; freeipa-users at redhat.com Subject: Re: [Freeipa-users] ipa-client-install errors Martin Basti wrote: > > > On 20.04.2016 18:00, Gady Notrica wrote: >> >> Hello World, >> >> I am having these errors trying to install ipa-client-install. Every >> other machine is fine and they IPA servers are functioning perfectly >> >> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1 >> >> Kerberos authentication failed: kinit: Improper format of Kerberos >> configuration file while initializing Kerberos 5 library >> >> Then I have "/Installation failed. Rolling back changes."/ >> >> I have tried everything I know with no luck. Any idea on how to FIX >> this? Below is the full log. >> >> ----------------------------------------------------------- >> >> /Continue to configure the system with these values? 
[no]: yes/ >> >> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/ >> >> /Skipping synchronizing time with NTP server./ >> >> /User authorized to enroll computers: admin/ >> >> /Password for admin at IPA.DOMAIN.COM:/ >> >> /Please make sure the following ports are opened in the firewall >> settings:/ >> >> /TCP: 80, 88, 389/ >> >> /UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/ >> >> /Also note that following ports are necessary for ipa-client working >> properly after enrollment:/ >> >> /TCP: 464/ >> >> /UDP: 464, 123 (if NTP enabled)/ >> >> /Kerberos authentication failed: kinit: Improper format of Kerberos >> configuration file while initializing Kerberos 5 library/ >> >> // >> >> /Installation failed. Rolling back changes./ >> >> /Failed to list certificates in /etc/ipa/nssdb: Command >> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero >> exit status 255/ >> >> /Disabling client Kerberos and LDAP configurations/ >> >> /Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to >> /etc/sssd/sssd.conf.deleted/ >> >> /Restoring client configuration files/ >> >> /nscd daemon is not installed, skip configuration/ >> >> /nslcd daemon is not installed, skip configuration/ >> >> /Client uninstall complete./ >> >> /---------------------------------------------------------------/ >> >> Gady >> >> >> > Hello, > > IMO you have an old invalid keytab on that machine. Can you manually > remove it and try to reinstall client? (Of course only if you are sure > that keytab there is not needed) > > The keytab should be located here /etc/krb5.keytab That or /etc/krb5.conf is messed up in some way. rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From rcritten at redhat.com Wed Apr 20 19:14:08 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 20 Apr 2016 15:14:08 -0400 Subject: [Freeipa-users] ipa-client-install errors In-Reply-To: <0984AB34E553F54B8705D776686863E70ABF6E2E@cd-exchange01.CD-PRD.candeal.ca> References: <0984AB34E553F54B8705D776686863E70ABF67D5@cd-exchange01.CD-PRD.candeal.ca> <5717B325.3080708@redhat.com> <5717C35D.3030905@redhat.com> <0984AB34E553F54B8705D776686863E70ABF6D3B@cd-exchange01.CD-PRD.candeal.ca> <0984AB34E553F54B8705D776686863E70ABF6E2E@cd-exchange01.CD-PRD.candeal.ca> Message-ID: <5717D500.4040800@redhat.com> Gady Notrica wrote: > Thank you guys for your help. > > Still can't enroll the client. Any suggestion on the errors below? > > /Kerberos authentication failed: kinit: Improper format of Kerberos > configuration file while initializing Kerberos 5 library/ What does /etc/krb5.conf look like? > Installation failed. Rolling back changes. > > /Failed to list certificates in /etc/ipa/nssdb: Command > ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit > status 255/ This is unrelated to the enrollment problem. rob > > Disabling client Kerberos and LDAP configurations > > Gady Notrica > > -----Original Message----- > From: freeipa-users-bounces at redhat.com > [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gady Notrica > Sent: April 20, 2016 2:12 PM > To: Rob Crittenden; Martin Basti; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] ipa-client-install errors > > Any specific command in particular to remove that keytab? 
> > Since these don't work > > [root at cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab > Kerberos context initialization failed > > [root at prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k > /etc/krb5.keytab Kerberos context initialization failed > > [root at cprddb1 /]# > > Gady > > -----Original Message----- > > From: Rob Crittenden [mailto:rcritten at redhat.com] > > Sent: April 20, 2016 1:59 PM > > To: Martin Basti; Gady Notrica; freeipa-users at redhat.com > > > Subject: Re: [Freeipa-users] ipa-client-install errors > > Martin Basti wrote: > > > > > > > > > On 20.04.2016 18:00, Gady Notrica wrote: > > >> > > >> Hello World, > > >> > > >> I am having these errors trying to install ipa-client-install. Every > > >> other machine is fine and they IPA servers are functioning perfectly > > >> > > >> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1 > > >> > > >> Kerberos authentication failed: kinit: Improper format of Kerberos > > >> configuration file while initializing Kerberos 5 library > > >> > > >> Then I have "/Installation failed. Rolling back changes."/ > > >> > > >> I have tried everything I know with no luck. Any idea on how to FIX > > >> this? Below is the full log. > > >> > > >> ----------------------------------------------------------- > > >> > > >> /Continue to configure the system with these values? 
> > >> [no]: yes
> > >>
> > >> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
> > >>
> > >> Skipping synchronizing time with NTP server.
> > >>
> > >> User authorized to enroll computers: admin
> > >>
> > >> Password for admin@IPA.DOMAIN.COM:
> > >>
> > >> Please make sure the following ports are opened in the firewall
> > >> settings:
> > >>
> > >> TCP: 80, 88, 389
> > >>
> > >> UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> > >>
> > >> Also note that following ports are necessary for ipa-client working
> > >> properly after enrollment:
> > >>
> > >> TCP: 464
> > >>
> > >> UDP: 464, 123 (if NTP enabled)
> > >>
> > >> Kerberos authentication failed: kinit: Improper format of Kerberos
> > >> configuration file while initializing Kerberos 5 library
> > >>
> > >> Installation failed. Rolling back changes.
> > >>
> > >> Failed to list certificates in /etc/ipa/nssdb: Command
> > >> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
> > >> exit status 255
> > >>
> > >> Disabling client Kerberos and LDAP configurations
> > >>
> > >> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
> > >> /etc/sssd/sssd.conf.deleted
> > >>
> > >> Restoring client configuration files
> > >>
> > >> nscd daemon is not installed, skip configuration
> > >>
> > >> nslcd daemon is not installed, skip configuration
> > >>
> > >> Client uninstall complete.
> > >>
> > >> ---------------------------------------------------------------
> > >>
> > >> Gady
> > >>
> > > Hello,
> > >
> > > IMO you have an old invalid keytab on that machine. Can you manually
> > > remove it and try to reinstall client? (Of course only if you are sure
> > > that keytab there is not needed)
> > >
> > > The keytab should be located here /etc/krb5.keytab
> >
> > That or /etc/krb5.conf is messed up in some way.
> >
> > rob
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
>

From gnotrica at candeal.com Wed Apr 20 19:40:04 2016
From: gnotrica at candeal.com (Gady Notrica)
Date: Wed, 20 Apr 2016 19:40:04 +0000
Subject: [Freeipa-users] ipa-client-install errors
In-Reply-To: <5717D500.4040800@redhat.com>
References: <0984AB34E553F54B8705D776686863E70ABF67D5@cd-exchange01.CD-PRD.candeal.ca> <5717B325.3080708@redhat.com> <5717C35D.3030905@redhat.com> <0984AB34E553F54B8705D776686863E70ABF6D3B@cd-exchange01.CD-PRD.candeal.ca> <0984AB34E553F54B8705D776686863E70ABF6E2E@cd-exchange01.CD-PRD.candeal.ca> <5717D500.4040800@redhat.com>
Message-ID: <0984AB34E553F54B8705D776686863E70ABF6EC0@cd-exchange01.CD-PRD.candeal.ca>

Please find below the krb5.conf. It still has the original content.

[root@prddb1]# ipa-client-install
Discovery was successful!
...
Continue to configure the system with these values? [no]: yes
....
Kerberos authentication failed: kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library
Installation failed. Rolling back changes.
Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
....
Client uninstall complete.
[root@prddb1]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
[root@prddb1]#

Gady

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: April 20, 2016 3:14 PM
To: Gady Notrica; Martin Basti; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

Gady Notrica wrote:
> Thank you guys for your help.
>
> Still can't enroll the client. Any suggestion on the errors below?
>
> Kerberos authentication failed: kinit: Improper format of Kerberos
> configuration file while initializing Kerberos 5 library

What does /etc/krb5.conf look like?

> Installation failed. Rolling back changes.
>
> Failed to list certificates in /etc/ipa/nssdb: Command
> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
> exit status 255

This is unrelated to the enrollment problem.

rob

>
> Disabling client Kerberos and LDAP configurations
>
> Gady Notrica
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gady Notrica
> Sent: April 20, 2016 2:12 PM
> To: Rob Crittenden; Martin Basti; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] ipa-client-install errors
>
> Any specific command in particular to remove that keytab?
From rcritten at redhat.com Wed Apr 20 19:52:24 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Apr 2016 15:52:24 -0400
Subject: [Freeipa-users] ipa-client-install errors
In-Reply-To: <0984AB34E553F54B8705D776686863E70ABF6EC0@cd-exchange01.CD-PRD.candeal.ca>
References: <0984AB34E553F54B8705D776686863E70ABF67D5@cd-exchange01.CD-PRD.candeal.ca> <5717B325.3080708@redhat.com> <5717C35D.3030905@redhat.com> <0984AB34E553F54B8705D776686863E70ABF6D3B@cd-exchange01.CD-PRD.candeal.ca> <0984AB34E553F54B8705D776686863E70ABF6E2E@cd-exchange01.CD-PRD.candeal.ca> <5717D500.4040800@redhat.com> <0984AB34E553F54B8705D776686863E70ABF6EC0@cd-exchange01.CD-PRD.candeal.ca>
Message-ID: <5717DDF8.5080508@redhat.com>

Gady Notrica wrote:
> Please find below the krb5.conf. It still has the original content.
>
> [root@prddb1]# ipa-client-install
> Discovery was successful!
> ...
> Continue to configure the system with these values? [no]: yes
> ....
> Kerberos authentication failed: kinit: Improper format of Kerberos
> configuration file while initializing Kerberos 5 library
> Installation failed. Rolling back changes.
> Failed to list certificates in /etc/ipa/nssdb: Command
> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit
> status 255
> Disabling client Kerberos and LDAP configurations
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
> /etc/sssd/sssd.conf.deleted
> ....
> Client uninstall complete.
>
> [root@prddb1]# cat /etc/krb5.conf
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  dns_lookup_realm = false
>  ticket_lifetime = 24h
>  renew_lifetime = 7d
>  forwardable = true
>  rdns = false
> # default_realm = EXAMPLE.COM
>  default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
> # EXAMPLE.COM = {
> #  kdc = kerberos.example.com
> #  admin_server = kerberos.example.com
> # }
>
> [domain_realm]
> # .example.com = EXAMPLE.COM
> # example.com = EXAMPLE.COM
> [root@prddb1]#

Ok, I agree with the others then, we need to see the full
ipaclient-install.log. This file looks fine which means the temporary
one that is configured must be bad in some way. The log will tell how.

rob

>
> Gady
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: April 20, 2016 3:14 PM
> To: Gady Notrica; Martin Basti; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] ipa-client-install errors
>
> Gady Notrica wrote:
> > Thank you guys for your help.
> >
> > Still can't enroll the client. Any suggestion on the errors below?
> >
> > Kerberos authentication failed: kinit: Improper format of Kerberos
> > configuration file while initializing Kerberos 5 library
>
> What does /etc/krb5.conf look like?
>
> > Installation failed. Rolling back changes.
> >
> > Failed to list certificates in /etc/ipa/nssdb: Command
> > ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
> > exit status 255
>
> This is unrelated to the enrollment problem.
From gnotrica at candeal.com Wed Apr 20 19:59:23 2016
From: gnotrica at candeal.com (Gady Notrica)
Date: Wed, 20 Apr 2016 19:59:23 +0000
Subject: [Freeipa-users] ipa-client-install errors
In-Reply-To: <5717DDF8.5080508@redhat.com>
References: <0984AB34E553F54B8705D776686863E70ABF67D5@cd-exchange01.CD-PRD.candeal.ca> <5717B325.3080708@redhat.com> <5717C35D.3030905@redhat.com> <0984AB34E553F54B8705D776686863E70ABF6D3B@cd-exchange01.CD-PRD.candeal.ca> <0984AB34E553F54B8705D776686863E70ABF6E2E@cd-exchange01.CD-PRD.candeal.ca> <5717D500.4040800@redhat.com> <0984AB34E553F54B8705D776686863E70ABF6EC0@cd-exchange01.CD-PRD.candeal.ca> <5717DDF8.5080508@redhat.com>
Message-ID: <0984AB34E553F54B8705D776686863E70ABF6F50@cd-exchange01.CD-PRD.candeal.ca>

Original file attached - no changes to the file

Gady

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: April 20, 2016 3:52 PM
To: Gady Notrica; Martin Basti; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

Gady Notrica wrote:
> Please find below the krb5.conf. It still has the original content.
>
> [root@prddb1]# ipa-client-install
> Discovery was successful!
> ...
> Continue to configure the system with these values? [no]: yes
> ....
> Kerberos authentication failed: kinit: Improper format of Kerberos
> configuration file while initializing Kerberos 5 library
> Installation failed. Rolling back changes.
> Failed to list certificates in /etc/ipa/nssdb: Command
> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
> exit status 255
> Disabling client Kerberos and LDAP configurations
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
> /etc/sssd/sssd.conf.deleted
> ....
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipaclient-install.log
Type: application/octet-stream
Size: 46436 bytes
Desc: ipaclient-install.log

From rcritten at redhat.com Wed Apr 20 20:04:01 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 20 Apr 2016 16:04:01 -0400
Subject: [Freeipa-users] ipa-client-install errors
In-Reply-To: <5717DDF8.5080508@redhat.com>
References: <0984AB34E553F54B8705D776686863E70ABF67D5@cd-exchange01.CD-PRD.candeal.ca> <5717B325.3080708@redhat.com> <5717C35D.3030905@redhat.com> <0984AB34E553F54B8705D776686863E70ABF6D3B@cd-exchange01.CD-PRD.candeal.ca> <0984AB34E553F54B8705D776686863E70ABF6E2E@cd-exchange01.CD-PRD.candeal.ca> <5717D500.4040800@redhat.com> <0984AB34E553F54B8705D776686863E70ABF6EC0@cd-exchange01.CD-PRD.candeal.ca> <5717DDF8.5080508@redhat.com>
Message-ID: <5717E0B1.3070803@redhat.com>

Ok, Gady sent the complete file out-of-band and the temporary krb5.conf
the client installer creates looks ok. It does include files from
/var/lib/sss/pubconf/krb5.include.d/. Can you see if there are any files
in there and if so, what the contents are?

BTW, what distro and release of ipa-client is this?

thanks

rob

Rob Crittenden wrote:
> Gady Notrica wrote:
>> Please find below the krb5.conf. It still has the original content.
>>
>> [root@prddb1]# ipa-client-install
>> Discovery was successful!
>> ...
>> Continue to configure the system with these values? [no]: yes
>> ....
>> Kerberos authentication failed: kinit: Improper format of Kerberos
>> configuration file while initializing Kerberos 5 library
>> Installation failed. Rolling back changes.
>> Failed to list certificates in /etc/ipa/nssdb: Command
>> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit
>> status 255
>> Disabling client Kerberos and LDAP configurations
>> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
>> /etc/sssd/sssd.conf.deleted
>> ....
>> Client uninstall complete.
>> >> > rob
>> >> > --
>> >> > Manage your subscription for the Freeipa-users mailing list:
>> >> > https://www.redhat.com/mailman/listinfo/freeipa-users
>> >> > Go to http://freeipa.org for more info on the project

From gnotrica at candeal.com Wed Apr 20 20:10:10 2016
From: gnotrica at candeal.com (Gady Notrica)
Date: Wed, 20 Apr 2016 20:10:10 +0000
Subject: [Freeipa-users] ipa-client-install errors
In-Reply-To: <5717E0B1.3070803@redhat.com>
References: <0984AB34E553F54B8705D776686863E70ABF67D5@cd-exchange01.CD-PRD.candeal.ca> <5717B325.3080708@redhat.com> <5717C35D.3030905@redhat.com> <0984AB34E553F54B8705D776686863E70ABF6D3B@cd-exchange01.CD-PRD.candeal.ca> <0984AB34E553F54B8705D776686863E70ABF6E2E@cd-exchange01.CD-PRD.candeal.ca> <5717D500.4040800@redhat.com> <0984AB34E553F54B8705D776686863E70ABF6EC0@cd-exchange01.CD-PRD.candeal.ca> <5717DDF8.5080508@redhat.com> <5717E0B1.3070803@redhat.com>
Message-ID: <0984AB34E553F54B8705D776686863E70ABF6F81@cd-exchange01.CD-PRD.candeal.ca>

[root at cd-s-prd-db1 krb5.include.d]# ls -l
-rw-r--r--. 1 root root 224 Apr 9 07:24 domain_realm_ipa_candeal_ca
-rw-r--r--. 1 root root 118 Apr 9 07:24 localauth_plugin

[root at cd-s-prd-db1 krb5.include.d]# cat domain_realm_ipa_candeal_ca
# Generated by NetworkManager
search ipa.candeal.ca
nameserver 172.20.10.40
nameserver 172.20.10.41

[root at cd-s-prd-db1 krb5.include.d]# cat localauth_plugin
[domain_realm]
.AD.candeal.ca = AD.CANDEAL.CA
AD.candeal.ca = AD.CANDEAL.CA
[capaths]

[root at cd-s-prd-db1 krb5.include.d]# uname -a
Linux cd-s-prd-db1.ipa.candeal.ca 3.10.0-327.13.1.el7.x86_64 #1 SMP Thu Mar 31 16:04:38 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

It's CentOS 7.
Gady

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: April 20, 2016 4:04 PM
To: Gady Notrica; Martin Basti; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

Ok, Gady sent the complete file out-of-band and the temporary krb5.conf the client installer creates looks ok. It does include files from /var/lib/sss/pubconf/krb5.include.d/. Can you see if there are any files in there and if so, what the contents are?

BTW, what distro and release of ipa-client is this?

thanks

rob

Rob Crittenden wrote:
> Gady Notrica wrote:
>> Please find below the krb5.conf. It still has the original content.
>>
>> [root at prddb1]# ipa-client-install
>> Discovery was successful!
>> ...
>> Continue to configure the system with these values? [no]: yes
>> ....
>> Kerberos authentication failed: kinit: Improper format of Kerberos
>> configuration file while initializing Kerberos 5 library
>> Installation failed. Rolling back changes.
>> Failed to list certificates in /etc/ipa/nssdb: Command
>> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
>> exit status 255
>> Disabling client Kerberos and LDAP configurations
>> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
>> /etc/sssd/sssd.conf.deleted
>> ....
>> Client uninstall complete.
>>
>> [root at prddb1]# cat /etc/krb5.conf
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> dns_lookup_realm = false
>> ticket_lifetime = 24h
>> renew_lifetime = 7d
>> forwardable = true
>> rdns = false
>> # default_realm = EXAMPLE.COM
>> default_ccache_name = KEYRING:persistent:%{uid}
>>
>> [realms]
>> # EXAMPLE.COM = {
>> # kdc = kerberos.example.com
>> # admin_server = kerberos.example.com
>> # }
>>
>> [domain_realm]
>> # .example.com = EXAMPLE.COM
>> # example.com = EXAMPLE.COM
>>
>> [root at prddb1]#
>
> Ok, I agree with the others then, we need to see the full
> ipaclient-install.log. This file looks fine which means the temporary
> one that is configured must be bad in some way. The log will tell how.
>
> rob
>
>> Gady
>>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcritten at redhat.com]
>> Sent: April 20, 2016 3:14 PM
>> To: Gady Notrica; Martin Basti; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] ipa-client-install errors
>>
>> Gady Notrica wrote:
>> > Thank you guys for your help.
>> >
>> > Still can't enroll the client. Any suggestion on the errors below?
>> >
>> > /Kerberos authentication failed: kinit: Improper format of Kerberos
>> > configuration file while initializing Kerberos 5 library/
>>
>> What does /etc/krb5.conf look like?
>>
>> > Installation failed. Rolling back changes.
>> >
>> > /Failed to list certificates in /etc/ipa/nssdb: Command
>> > ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
>> > exit status 255/
>>
>> This is unrelated to the enrollment problem.
From lslebodn at redhat.com Wed Apr 20 20:16:22 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Wed, 20 Apr 2016 22:16:22 +0200
Subject: [Freeipa-users] ipa-client-install errors
In-Reply-To: <0984AB34E553F54B8705D776686863E70ABF6F81@cd-exchange01.CD-PRD.candeal.ca>
References: <0984AB34E553F54B8705D776686863E70ABF67D5@cd-exchange01.CD-PRD.candeal.ca> <5717B325.3080708@redhat.com> <5717C35D.3030905@redhat.com> <0984AB34E553F54B8705D776686863E70ABF6D3B@cd-exchange01.CD-PRD.candeal.ca> <0984AB34E553F54B8705D776686863E70ABF6E2E@cd-exchange01.CD-PRD.candeal.ca> <5717D500.4040800@redhat.com> <0984AB34E553F54B8705D776686863E70ABF6EC0@cd-exchange01.CD-PRD.candeal.ca> <5717DDF8.5080508@redhat.com> <5717E0B1.3070803@redhat.com> <0984AB34E553F54B8705D776686863E70ABF6F81@cd-exchange01.CD-PRD.candeal.ca>
Message-ID: <20160420201621.GF30829@10.4.128.1>

On (20/04/16 20:10), Gady Notrica wrote:
>[root at cd-s-prd-db1 krb5.include.d]# ls -l
>-rw-r--r--. 1 root root 224 Apr 9 07:24 domain_realm_ipa_candeal_ca
>-rw-r--r--. 1 root root 118 Apr 9 07:24 localauth_plugin
>
>[root at cd-s-prd-db1 krb5.include.d]# cat domain_realm_ipa_candeal_ca
># Generated by NetworkManager
>search ipa.candeal.ca
>nameserver 172.20.10.40
>nameserver 172.20.10.41

This should be the content of /etc/resolv.conf and not of domain_realm_ipa_candeal_ca

>[root at cd-s-prd-db1 krb5.include.d]# cat localauth_plugin
>[domain_realm]
>.AD.candeal.ca = AD.CANDEAL.CA
>AD.candeal.ca = AD.CANDEAL.CA
>[capaths]

This should be the content of domain_realm_ipa_candeal_ca and not of localauth_plugin

Remove both files. It is safe. They will be created by sssd after start.
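The failure Lukas diagnoses above is a file in libkrb5's include directory whose content is not in krb5.conf profile syntax (resolv.conf lines ended up in a file that kinit pulls in). The script below is an added example, not part of this thread and not SSSD's or MIT Kerberos's own code: it runs a syntax check over every file in such a directory, accepting only the constructions a krb5.conf profile allows (section headers, `key = value` relations, `key = {` ... `}` blocks, comments, and include/includedir directives) and reporting anything else with file and line. The sample directory with the two swapped files is constructed from the contents Gady posted; the script name and the default directory path are assumptions.

```shell
#!/bin/sh
# krb5-include-check.sh: added example (not from this thread, SSSD or MIT Kerberos).
# Flag files in a krb5 include directory such as /var/lib/sss/pubconf/krb5.include.d
# that are not in krb5.conf profile syntax. A stray file in another format makes
# kinit fail with "Improper format of Kerberos configuration file".

# check_krb5_profile FILE: print each offending line, return 1 if any, 0 if clean.
check_krb5_profile() {
    awk '
    function bad(why) { printf "%s:%d: %s: %s\n", FILENAME, FNR, why, $0; n++ }
    { sub(/[ \t]+$/, "") }                           # drop trailing whitespace
    /^[ \t]*$/ || /^[ \t]*[#;]/ { next }              # blank line or comment
    /^[ \t]*include(dir)?[ \t]/ { next }             # include / includedir directive
    /^[ \t]*\[[A-Za-z0-9_.-]+\]\*?$/ {               # [section] header, optional final *
        if (depth) bad("section header inside an open { block")
        insec = 1; next
    }
    /^[ \t]*}$/ {                                    # closes a  key = {  block
        if (depth) depth--; else bad("} without matching {")
        next
    }
    !insec { bad("value outside any [section]"); next }
    /^[ \t]*[^ \t=]+[ \t]*=/ {                        # key = value  or  key = {
        if (substr($0, length($0), 1) == "{") depth++
        next
    }
    { bad("not a key = value relation") }
    END {
        if (depth) { printf "%s: %d unclosed { block(s) at end of file\n", FILENAME, depth; n++ }
        exit n ? 1 : 0
    }' "$1"
}

# check_krb5_include_dir DIR: check every regular file; return 1 if any file fails.
check_krb5_include_dir() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if check_krb5_profile "$f"; then echo "OK: $f"; else rc=1; fi
    done
    return $rc
}

# make_sample_dir DIR: constructed copies of the two swapped files from the thread.
make_sample_dir() {
    printf '# Generated by NetworkManager\nsearch ipa.candeal.ca\nnameserver 172.20.10.40\nnameserver 172.20.10.41\n' \
        > "$1/domain_realm_ipa_candeal_ca"
    printf '[domain_realm]\n.AD.candeal.ca = AD.CANDEAL.CA\nAD.candeal.ca = AD.CANDEAL.CA\n[capaths]\n' \
        > "$1/localauth_plugin"
}

# Usage: sh krb5-include-check.sh [DIR]   (no argument: run over the constructed sample)
if [ "${1:-}" = "" ]; then
    sample=$(mktemp -d)
    make_sample_dir "$sample"
    check_krb5_include_dir "$sample" || echo "problems found in $sample"
else
    check_krb5_include_dir "$1" || echo "problems found in $1"
fi
```

Run against the real directory as root (`sh krb5-include-check.sh /var/lib/sss/pubconf/krb5.include.d`) before deleting anything: the report names the offending lines, so a file that merely looks unfamiliar can be told apart from one that is genuinely in the wrong format.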
LS

From gnotrica at candeal.com Wed Apr 20 20:27:37 2016
From: gnotrica at candeal.com (Gady Notrica)
Date: Wed, 20 Apr 2016 20:27:37 +0000
Subject: [Freeipa-users] ipa-client-install errors
In-Reply-To: <20160420201621.GF30829@10.4.128.1>
References: <0984AB34E553F54B8705D776686863E70ABF67D5@cd-exchange01.CD-PRD.candeal.ca> <5717B325.3080708@redhat.com> <5717C35D.3030905@redhat.com> <0984AB34E553F54B8705D776686863E70ABF6D3B@cd-exchange01.CD-PRD.candeal.ca> <0984AB34E553F54B8705D776686863E70ABF6E2E@cd-exchange01.CD-PRD.candeal.ca> <5717D500.4040800@redhat.com> <0984AB34E553F54B8705D776686863E70ABF6EC0@cd-exchange01.CD-PRD.candeal.ca> <5717DDF8.5080508@redhat.com> <5717E0B1.3070803@redhat.com> <0984AB34E553F54B8705D776686863E70ABF6F81@cd-exchange01.CD-PRD.candeal.ca> <20160420201621.GF30829@10.4.128.1>
Message-ID: <0984AB34E553F54B8705D776686863E70ABF6FEF@cd-exchange01.CD-PRD.candeal.ca>

You guys are awesome!!!!

# ipa-client-install --enable-dns-updates --mkhomedir --no-ntp
Discovery was successful!
...
Continue to configure the system with these values? [no]: yes
...
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
...
Systemwide CA database updated.
Added CA certificates to the default NSS database.
...
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
...
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring ipa.candeal.ca as NIS domain.
Client configuration complete.
Gady

-----Original Message-----
From: Lukas Slebodnik [mailto:lslebodn at redhat.com]
Sent: April 20, 2016 4:16 PM
To: Gady Notrica
Cc: Rob Crittenden; Martin Basti; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors

On (20/04/16 20:10), Gady Notrica wrote:
>[root at cd-s-prd-db1 krb5.include.d]# ls -l
>-rw-r--r--. 1 root root 224 Apr 9 07:24 domain_realm_ipa_candeal_ca
>-rw-r--r--. 1 root root 118 Apr 9 07:24 localauth_plugin
>
>[root at cd-s-prd-db1 krb5.include.d]# cat domain_realm_ipa_candeal_ca
># Generated by NetworkManager
>search ipa.candeal.ca
>nameserver 172.20.10.40
>nameserver 172.20.10.41

This should be the content of /etc/resolv.conf and not of domain_realm_ipa_candeal_ca

>[root at cd-s-prd-db1 krb5.include.d]# cat localauth_plugin
>[domain_realm]
>.AD.candeal.ca = AD.CANDEAL.CA
>AD.candeal.ca = AD.CANDEAL.CA
>[capaths]

This should be the content of domain_realm_ipa_candeal_ca and not of localauth_plugin

Remove both files. It is safe. They will be created by sssd after start.

LS

From anthony.wan.cheng at gmail.com Wed Apr 20 22:21:59 2016
From: anthony.wan.cheng at gmail.com (Anthony Cheng)
Date: Wed, 20 Apr 2016 22:21:59 +0000
Subject: [Freeipa-users] (no subject)
Message-ID:

Hi list,

This is a re-occurring subject; the dreaded expired certificate. I am following the renewal procedure here http://www.freeipa.org/page/IPA_2x_Certificate_Renewal and testing on a clone VM, and I am able to get to the step where the serial number is being replaced:

ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password

However, the database was hosted on another machine, so dirsrv/slapd is not running. So is there any way to renew the certificate in this situation other than setting up and mounting that database as well?

Anthony

--
Thanks,
Anthony
From mkosek at redhat.com Thu Apr 21 07:59:20 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 21 Apr 2016 09:59:20 +0200
Subject: [Freeipa-users] FreeIPA and PWM
In-Reply-To:
References:
Message-ID: <57188858.8020505@redhat.com>

On 04/20/2016 05:23 PM, Tiemen Ruiten wrote:
> Hello,
>
> I'm trying to set up a self-service page for a new IPA domain and I'm trying to
> use PWM for that.
>
> When I try to bind to FreeIPA from within PWM, with the configured "LDAP Proxy
> User", I get the following error:
>
> error connecting to ldap server 'ldaps://polonium.ipa.rdmedia.com:636': unable to create connection: unable to
> bind to ldaps://polonium.ipa.rdmedia.com:636 as
> cn=svcpwmproxy,cn=groups,cn=accounts,dc=ipa,dc=rdmedia,dc=com reason: [LDAP:
> error code 48 - Inappropriate Authentication]
>
> In /var/log/krb5kdc.log I see:
>
> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.50.33: NEEDED_PREAUTH: host/protactinium.ipa.rdmedia.com at IPA.RDMEDIA.COM for krbtgt/IPA.RDMEDIA.COM at IPA.RDMEDIA.COM, Additional pre-authentication required
> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing down fd 12
> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.50.33: ISSUE: authtime 1461165149, etypes {rep=18 tkt=18 ses=18}, host/protactinium.ipa.rdmedia.com at IPA.RDMEDIA.COM for krbtgt/IPA.RDMEDIA.COM at IPA.RDMEDIA.COM
> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing down fd 12
> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.50.33: ISSUE: authtime 1461165149, etypes {rep=18 tkt=18 ses=18}, host/protactinium.ipa.rdmedia.com at IPA.RDMEDIA.COM for ldap/polonium.ipa.rdmedia.com at IPA.RDMEDIA.COM
> Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing down fd 12
>
> What is going on? What can I do to debug this more?
>
> --
> Tiemen Ruiten
> Systems Engineer
> R&D Media

Hello Tiemen,

Just for the record, in FreeIPA we have also been working on our own version of the Community Portal that could be useful for registration and is already well integrated with FreeIPA:

https://github.com/freeipa/freeipa-community-portal
http://freeipa-community-portal.readthedocs.org/en/latest/

CCing Christian who currently owns the project.

HTH,
Martin

From quenode at gmail.com Thu Apr 21 09:22:11 2016
From: quenode at gmail.com (Branko Quenode)
Date: Thu, 21 Apr 2016 11:22:11 +0200
Subject: [Freeipa-users] Let's Encrypt SSL pkscs 12 problem notes anyone. CENTOS 7 FreeIPA install
Message-ID:

Hi,

I am trying to install freeipa with centos and Let's Encrypt SSL.

I create lets-encrypt with webroot option. Then I did

cat privkey.pem fullchain.pem > /root/key.pem
openssl pkcs12 -export -in /root/key.pem -out ipa.pkcs12 -name "ipa.somedomain.com"

ipa-server-install --ip-address= --http_pkcs12=/etc/letsencrypt/live/ipa.somedomein.com/ipa.pkcs12 --dirsrv_pkcs12=/etc/letsencrypt/live/ipa.somedomain.com/ipa.pkcs12 --root-ca-file=/etc/letsencrypt/live/ipa.somedomain.com/fullchain.pem

I got the error

ipa.ipapython.install.cli.install_tool(Server): ERROR The full certificate chain is not present in /etc/letsencrypt/live/ipa.somedomain.com/ipa.pkcs12

What am I missing, intermediate.crt maybe?

Thank you.
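The installer error Branko quotes says the chain inside ipa.pkcs12 is incomplete. A Let's Encrypt fullchain.pem holds the server certificate and the intermediate but not the root, so a bundle built only from privkey.pem and fullchain.pem stops one link short of a self-signed certificate. The script below is an added example (not from this thread, FreeIPA or Let's Encrypt) that inspects a PKCS#12 bundle with the openssl CLI and reports whether the certificates inside it link the end-entity certificate, issuer by issuer, up to a self-signed root. A constructed root/intermediate/leaf test PKI exercises both a short bundle and a complete one; the subject names, the password `secret` and the file names are assumptions. Whether a bundle that passes this check also satisfies the installer is not confirmed by the thread.

```shell
#!/bin/sh
# p12-chain-check.sh: added example (not from this thread, FreeIPA or Let's Encrypt).
# Report whether a PKCS#12 bundle carries the whole chain from the server
# certificate up to a self-signed root. Needs the openssl CLI.

# p12_chain_complete FILE PASSWORD: return 0 if the certificates inside the bundle
# link the end-entity cert, issuer by issuer, to a self-signed root; else 1.
p12_chain_complete() {
    p12="$1"; pass="$2"
    tmp=$(mktemp -d)
    # One PEM file per certificate found in the bundle (c1.pem, c2.pem, ...).
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys 2>/dev/null \
        | awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ } n { print > (d "/c" n ".pem") }'
    # The end-entity certificate is the one that matches the private key.
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -out "$tmp/leaf.pem" 2>/dev/null
    cur="$tmp/leaf.pem"; hops=0; result=1
    while [ "$hops" -le 10 ]; do                        # bound the walk; 10 hops is plenty
        subj=$(openssl x509 -in "$cur" -noout -subject_hash)
        issr=$(openssl x509 -in "$cur" -noout -issuer_hash)
        if [ "$subj" = "$issr" ]; then result=0; break; fi   # self-signed root reached
        next=""
        for f in "$tmp"/c*.pem; do                       # look for the issuer inside the bundle
            if [ "$(openssl x509 -in "$f" -noout -subject_hash)" = "$issr" ]; then next="$f"; break; fi
        done
        [ -n "$next" ] || break                          # issuer is missing from the bundle
        cur="$next"; hops=$((hops + 1))
    done
    rm -rf "$tmp"
    return $result
}

# make_test_pki DIR: constructed root CA, intermediate CA and server leaf, plus two
# bundles: noroot.p12 (leaf + intermediate, as fullchain.pem gives) and full.p12.
make_test_pki() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.pem" \
        -subj "/CN=Constructed Test Root" -days 2 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" \
        -subj "/CN=Constructed Test Intermediate" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -out "$d/int.pem" -days 2 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        -subj "/CN=ipa.example.test" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -out "$d/leaf.pem" -days 2 2>/dev/null
    # Intermediate only: with the leaf this is what fullchain.pem holds; the root is absent.
    cat "$d/int.pem" > "$d/chain_noroot.pem"
    cat "$d/int.pem" "$d/root.pem" > "$d/chain_full.pem"
    openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.pem" -certfile "$d/chain_noroot.pem" \
        -name ipa.example.test -passout pass:secret -out "$d/noroot.p12"
    openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.pem" -certfile "$d/chain_full.pem" \
        -name ipa.example.test -passout pass:secret -out "$d/full.p12"
}

# Usage: sh p12-chain-check.sh BUNDLE.p12 PASSWORD   (no arguments: run the constructed demo)
if [ $# -ge 2 ]; then
    if p12_chain_complete "$1" "$2"; then echo "chain complete: $1"; else echo "chain incomplete: $1"; fi
else
    d=$(mktemp -d); make_test_pki "$d"
    for b in noroot full; do
        if p12_chain_complete "$d/$b.p12" secret; then echo "$b.p12: chain complete"; else echo "$b.p12: chain incomplete"; fi
    done
    rm -rf "$d"
fi
```

The walk deliberately uses only certificates found inside the bundle and never the system trust store, so a bundle is reported complete only when it can stand on its own; `openssl verify` with its default CA path would pass a public CA's leaf even when the bundle lacks the root.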
From jpazdziora at redhat.com Thu Apr 21 09:22:50 2016
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Thu, 21 Apr 2016 11:22:50 +0200
Subject: [Freeipa-users] [Freeipa-devel] CentOS 7 COPR repository with ipa 4.3.1 available for testing
In-Reply-To: <5703E9B9.8060008@redhat.com>
References: <5703E9B9.8060008@redhat.com>
Message-ID: <20160421092250.GS1601@redhat.com>

On Tue, Apr 05, 2016 at 06:37:13PM +0200, Petr Vobornik wrote:
> Hello everyone,
>
> Copr repository @freeipa/freeipa-4-3-centos-7 is available for testing
> of Freeipa 4.3.1[1] on CentOS 7.
>
> https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/

If you'd like to try FreeIPA 4.3.1 on CentOS 7 in a container, use branch centos-7-upstream of https://github.com/adelton/docker-freeipa to build locally, or pull image adelton/freeipa-server:centos-7-upstream from the Docker Hub registry.

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From t.ruiten at rdmedia.com Thu Apr 21 10:57:33 2016
From: t.ruiten at rdmedia.com (Tiemen Ruiten)
Date: Thu, 21 Apr 2016 12:57:33 +0200
Subject: [Freeipa-users] FreeIPA and PWM
In-Reply-To: <57188858.8020505@redhat.com>
References: <57188858.8020505@redhat.com>
Message-ID:

Hello Martin,

Thanks, that does help, I didn't know about this project. I will try this approach first. Seems like it will be better integrated with FreeIPA and in general more maintainable than PWM.

On 21 April 2016 at 09:59, Martin Kosek wrote:
> On 04/20/2016 05:23 PM, Tiemen Ruiten wrote:
> > Hello,
> >
> > I'm trying to set up a self-service page for a new IPA domain and I'm trying to
> > use PWM for that.
> > What can I do to debug this more?
> >
> > --
> > Tiemen Ruiten
> > Systems Engineer
> > R&D Media
>
> Hello Tiemen,
>
> Just for the record, in FreeIPA we have also been working on our own version of
> the Community Portal that could be useful for registration and is already
> well integrated with FreeIPA:
>
> https://github.com/freeipa/freeipa-community-portal
> http://freeipa-community-portal.readthedocs.org/en/latest/
>
> CCing Christian who currently owns the project.
>
> HTH,
> Martin

--
Tiemen Ruiten
Systems Engineer
R&D Media

From sbose at redhat.com Thu Apr 21 11:47:04 2016
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 21 Apr 2016 13:47:04 +0200
Subject: [Freeipa-users] Servers intermittently losing connection to IPA
In-Reply-To:
References: <20160415071441.GD16887@p.redhat.com> <20160418145834.GB14060@p.redhat.com>
Message-ID: <20160421114704.GG11731@p.redhat.com>

On Wed, Apr 20, 2016 at 02:18:28PM -0400, Jeff Hallyburton wrote:
> Sumit,
>
> Raised the debug level to 10 and let it run for about 24 hours. Uploading
> the last 2000~ lines of the sssd_domain.com.log. Thanks for your help!

Can you send the related krb5_child log file as well?

bye,
Sumit

>
> https://pastebin.com/MD6N1Dj7
>
> Jeff Hallyburton
> Strategic Systems Engineer
> Bloomip Inc.
> Web: http://www.bloomip.com
>
> Engineering Support: support at bloomip.com
> Billing Support: billing at bloomip.com
> Customer Support Portal: https://my.bloomip.com
>
> On Tue, Apr 19, 2016 at 1:14 PM, Jeff Hallyburton <
> jeff.hallyburton at bloomip.com> wrote:
>
> > Sumit,
> >
> > Raised the debug level to 10 and let it run for about 24 hours. Uploading
> > the full sssd_domain.com.log. Thanks for your help!
> >
> > Jeff
> >
> > Jeff Hallyburton
> > Strategic Systems Engineer
> > Bloomip Inc.
> > Web: http://www.bloomip.com
> >
> > Engineering Support: support at bloomip.com
> > Billing Support: billing at bloomip.com
> > Customer Support Portal: https://my.bloomip.com
> >
> > On Mon, Apr 18, 2016 at 10:58 AM, Sumit Bose wrote:
> >
> >> On Fri, Apr 15, 2016 at 04:47:42PM -0400, Jeff Hallyburton wrote:
> >> > After setting debug_level=8, this is what I see in the sssd_domain_log:
> >>
> >> Unfortunately the domain log and the krb5_child log do not relate to
> >> each other.
> >>
> >> > (Fri Apr 15 20:10:46 2016) [sssd[be[example.com]]] [child_handler_setup]
> >> > (0x2000): Setting up signal handler up for pid [32382]
> >>
> >> ....
> >>
> >> > (Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731]]]] [k5c_setup_fast]
> >> > (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
> >> > jump02.west-2.production.example.com at EXAMPLE.COM]
> >>
> >> ...
> >>
> >> > (Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731]]]] [get_and_save_tgt]
> >> > (0x0400): krb5_get_init_creds_password returned [-1765328324} during
> >> > pre-auth.
> >> >
> >> > Can you shed any light on this?
> >>
> >> In the domain log the child with the pid 32382 is started to run a
> >> pre-authentication request. The request is needed to find out which kind
> >> of authentication types are available for the user, e.g. password or
> >> 2-factor authentication with the OTP token. The request in the child
> >> with the PID 32731 looks like a real authentication request which returns
> >> with an error code -1765328324 which just means 'Generic error' but
> >> might have caused SSSD to go offline.
> >>
> >> I would like to ask you to run the test again with debug_level=10 in the
> >> [domain/...] section of sssd.conf which would enable some low level
> >> Kerberos tracing messages which might help to understand what kind of
> >> 'Generic error' was hit here. Additionally I would like to ask you to send
> >> the full log files as attachment or in an archive which would help me to
> >> better navigate through them.
> >>
> >> bye,
> >> Sumit
> >>
> >
> >

From ian.harper at vaisala.com Thu Apr 21 13:09:05 2016
From: ian.harper at vaisala.com (ian.harper at vaisala.com)
Date: Thu, 21 Apr 2016 13:09:05 +0000
Subject: [Freeipa-users] Freeipa Synchronisation with AD server issues
Message-ID: <538b45f099bd4218b90fd7d99c43d0d4@HEL-EXCH-02.corp.vaisala.com>

I am following the various Fedora guides for installing FreeIPA with sync of users/passwords from an AD server.

https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/managing-sync-agmt.html

However, the documentation says "Active Directory CA certificate needs to be imported into the FreeIPA database". My Windows colleague at head office says:

There is no CA in XXXXXX domain, so I can't provide any certificates to you from there. This seems to be a LDAPS connection, and it will work if we use a certificate that is trusted by both of the servers. I can sign the server with our internal CA and provide this to you.

or

We can sign both servers with Vaisala CA, and use these certificates. To use this setup, I'll need a CSR from IPA. Also, you have to download and install our root and intermediate CA's to the IPA server, so it will trust certificates signed by those.

Not being that familiar with certs and with FreeIPA, I have got a bit stuck on what I should do in order to resolve this and get FreeIPA up and synchronised to one of our AD servers. Can anyone offer some suggestions please? He has sent me the ROOT and Intermediate Certs for the domain server.

Thanks
Ian
From jeff.hallyburton at bloomip.com Thu Apr 21 13:44:47 2016
From: jeff.hallyburton at bloomip.com (Jeff Hallyburton)
Date: Thu, 21 Apr 2016 09:44:47 -0400
Subject: [Freeipa-users] Servers intermittently losing connection to IPA
In-Reply-To: <20160421114704.GG11731@p.redhat.com>
References: <20160415071441.GD16887@p.redhat.com> <20160418145834.GB14060@p.redhat.com> <20160421114704.GG11731@p.redhat.com>
Message-ID:

Sumit,

We found a resolution for this and I'm dropping it here for posterity. After some digging, it turns out that our ipa server and ipa replica were returning different IPs for systems in the environment in DNS requests (one returned internal results, one returned external results).

After resolving this our intermittent connectivity issue went away. So it seems that in some cases, the incorrect IP was being returned for LDAP requests.

One additional item found here: it seems that the timeout to resolve an address (from the sssd logs) is 6 seconds. Can this be raised?

Thanks,
Jeff

Jeff Hallyburton
Strategic Systems Engineer
Bloomip Inc.
Web: http://www.bloomip.com

Engineering Support: support at bloomip.com
Billing Support: billing at bloomip.com
Customer Support Portal: https://my.bloomip.com

On Thu, Apr 21, 2016 at 7:47 AM, Sumit Bose wrote:
> On Wed, Apr 20, 2016 at 02:18:28PM -0400, Jeff Hallyburton wrote:
> > Sumit,
> >
> > Raised the debug level to 10 and let it run for about 24 hours. Uploading
> > the last 2000~ lines of the sssd_domain.com.log. Thanks for your help!
>
> Can you send the related krb5_child log file as well?
>
> bye,
> Sumit
>
> > https://pastebin.com/MD6N1Dj7
> >
> > Jeff Hallyburton
> > Strategic Systems Engineer
> > Bloomip Inc.
> > Web: http://www.bloomip.com
> >
> > Engineering Support: support at bloomip.com
> > Billing Support: billing at bloomip.com
> > Customer Support Portal: https://my.bloomip.com
> >
> > On Tue, Apr 19, 2016 at 1:14 PM, Jeff Hallyburton <
> > jeff.hallyburton at bloomip.com> wrote:
> >
> > > Sumit,
> > >
> > > Raised the debug level to 10 and let it run for about 24 hours. Uploading
> > > the full sssd_domain.com.log. Thanks for your help!
> > >
> > > Jeff
> > >
> > > Jeff Hallyburton
> > > Strategic Systems Engineer
> > > Bloomip Inc.
> > > Web: http://www.bloomip.com
> > >
> > > Engineering Support: support at bloomip.com
> > > Billing Support: billing at bloomip.com
> > > Customer Support Portal: https://my.bloomip.com
> > >
> > > On Mon, Apr 18, 2016 at 10:58 AM, Sumit Bose wrote:
> > >
> > >> On Fri, Apr 15, 2016 at 04:47:42PM -0400, Jeff Hallyburton wrote:
> > >> > After setting debug_level=8, this is what I see in the sssd_domain_log:
> > >>
> > >> Unfortunately the domain log and the krb5_child log do not relate to
> > >> each other.
> > >>
> > >> > (Fri Apr 15 20:10:46 2016) [sssd[be[example.com]]] [child_handler_setup]
> > >> > (0x2000): Setting up signal handler up for pid [32382]
> > >>
> > >> ....
> > >>
> > >> > (Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731]]]] [k5c_setup_fast]
> > >> > (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
> > >> > jump02.west-2.production.example.com at EXAMPLE.COM]
> > >>
> > >> ...
> > >>
> > >> > (Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731]]]] [get_and_save_tgt]
> > >> > (0x0400): krb5_get_init_creds_password returned [-1765328324} during
> > >> > pre-auth.
> > >> >
> > >> > Can you shed any light on this?
> > >>
> > >> In the domain log the child with the pid 32382 is started to run a
> > >> pre-authentication request. The request is needed to find out which kind
> > >> of authentication types are available for the user, e.g. password or
> > >> 2-factor authentication with the OTP token. The request in the child
> > >> with the PID 32731 looks like a real authentication request which returns
> > >> with an error code -1765328324 which just means 'Generic error' but
> > >> might have caused SSSD to go offline.
> > >>
> > >> I would like to ask you to run the test again with debug_level=10 in the
> > >> [domain/...] section of sssd.conf which would enable some low level
> > >> Kerberos tracing messages which might help to understand what kind of
> > >> 'Generic error' was hit here. Additionally I would like to ask you to send
> > >> the full log files as attachment or in an archive which would help me to
> > >> better navigate through them.
> > >>
> > >> bye,
> > >> Sumit
> > >>
> > >
> > >

From lslebodn at redhat.com Thu Apr 21 14:03:57 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Thu, 21 Apr 2016 16:03:57 +0200
Subject: [Freeipa-users] Servers intermittently losing connection to IPA
In-Reply-To:
References: <20160415071441.GD16887@p.redhat.com> <20160418145834.GB14060@p.redhat.com> <20160421114704.GG11731@p.redhat.com>
Message-ID: <20160421140357.GA27140@10.4.128.1>

On (21/04/16 09:44), Jeff Hallyburton wrote:
>Sumit,
>
>We found a resolution for this and I'm dropping it here for posterity.
>After some digging, it turns out that our ipa server and ipa replica were
>returning different IPs for systems in the environment in DNS requests (one
>returned internal results, one returned external results).
>
>After resolving this our intermittent connectivity issue went away. So it
>seems that in some cases, the incorrect IP was being returned for LDAP
>requests.
>
>One additional item found here, it seems that the timeout to resolve an
>address (from the sssd logs) is 6 seconds.
> Can this be raised?
>
man sssd.conf -> dns_resolver_timeout

LS

From mrorourke at earthlink.net Thu Apr 21 14:07:11 2016 From: mrorourke at earthlink.net (Michael ORourke) Date: Thu, 21 Apr 2016 10:07:11 -0400 (EDT) Subject: [Freeipa-users] FreeIPA and PWM Message-ID: <7448641.1461247631992.JavaMail.wam@elwamui-ovcar.atl.sa.earthlink.net>

An HTML attachment was scrubbed... URL:

From gjn at gjn.priv.at Thu Apr 21 14:53:36 2016 From: gjn at gjn.priv.at (Günther J. Niederwimmer) Date: Thu, 21 Apr 2016 16:53:36 +0200 Subject: [Freeipa-users] Problem with ipa-getkeytab ? Message-ID: <5258909.fOTCpBiGFk@techz>

Hello,

I found a HowTo on FreeIPA to install an HA version for a mail system. Now I have a problem getting the keytab on the second server.

On the first server I run:

kinit admin
ipa-getkeytab -s ipa.example.com -p imap/mail.example.com -k /etc/dovecot/dovecot.keytab

This is working, but on the second server when I start

kinit admin
ipa-getkeytab -r -s ipa.example.com -p imap/mail.example.com -k /etc/dovecot/dovecot.keytab

for the same keytab, I get an error that no access is possible?

Is this a bug or a mistake on my part?

-- mit freundlichen Grüßen / best regards, Günther J. Niederwimmer

From mkosek at redhat.com Thu Apr 21 14:56:30 2016 From: mkosek at redhat.com (Martin Kosek) Date: Thu, 21 Apr 2016 16:56:30 +0200 Subject: [Freeipa-users] Let's Encrypt SSL pkscs 12 problem notes anyone. CENTOS 7 FreeIPA install In-Reply-To: References: Message-ID: <5718EA1E.3050709@redhat.com>

On 04/21/2016 11:22 AM, Branko Quenode wrote:
> Hi ,
>
> I am trying to install freeipa with centos and Let's Encrypt SSL.
>
> I create lets-encrypt with webroot option.
> Then i did
>
> cat privkey.pem fullchain.pem > /root/key.pem
>
> openssl pkcs12 -export -in /root/key.pem -out ipa.pkcs12 -name "ipa.somedomain.com"
>
> ipa-server-install --ip-address= --http_pkcs12=/etc/letsencrypt/live/ipa.somedomein.com/ipa.pkcs12 --dirsrv_pkcs12=/etc/letsencrypt/live/ipa.somedomain.com/ipa.pkcs12 --root-ca-file=/etc/letsencrypt/live/ipa.somedomain.com/fullchain.pem
>
> I got error
> ipa.ipapython.install.cli.install_tool(Server): ERROR The full certificate chain is not present in /etc/letsencrypt/live/ipa.somedomain.com/ipa.pkcs12
>
> What I am missing intermediate.crt maybe ?

Probably. Sounds like https://www.redhat.com/archives/freeipa-users/2016-April/msg00161.html

Martin

From pspacek at redhat.com Thu Apr 21 15:05:09 2016 From: pspacek at redhat.com (Petr Spacek) Date: Thu, 21 Apr 2016 17:05:09 +0200 Subject: [Freeipa-users] Servers intermittently losing connection to IPA In-Reply-To: References: <20160415071441.GD16887@p.redhat.com> <20160418145834.GB14060@p.redhat.com> <20160421114704.GG11731@p.redhat.com> Message-ID: <5718EC25.6040506@redhat.com>

On 21.4.2016 15:44, Jeff Hallyburton wrote:
> Sumit,
>
> We found a resolution for this and I'm dropping it here for posterity.
> After some digging, it turns out that our ipa server and ipa replica were
> returning different IPs for systems in the environment in DNS requests (one
> returned internal results, one returned external results).
>
> After resolving this our intermittent connectivity issue went away. So it
> seems that in some cases, the incorrect IP was being returned for LDAP
> requests.

It would be interesting to see logs from named daemon running on these servers (around the time of failure).

I hope it helps.

Petr^2 Spacek

> One additional item found here, it seems that the timeout to resolve an
> address (from the sssd logs) is 6 seconds. Can this be raised?
>
> Thanks,
>
> Jeff
>
> Jeff Hallyburton
> Strategic Systems Engineer
> Bloomip Inc.
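Added example for the Let's Encrypt thread above (Branko's question and Martin's pointer); this is editorial code, not from any list participant and not from FreeIPA. The installer's "full certificate chain is not present" check wants the certificates it is handed (inside the PKCS#12, plus --root-ca-file) to reach a self-signed root, and Let's Encrypt's fullchain.pem stops at the intermediate. The script generates a throwaway root, intermediate and leaf with openssl as a stand-in for the Let's Encrypt files (nothing is downloaded, so it runs offline), builds one PKCS#12 the way the post did and one with the root appended, and checks each for a self-signed certificate before it ever reaches ipa-server-install. ipa.example.test and the passphrase are placeholders; the only dependency is openssl.

```sh
#!/bin/sh
# Added example for the Let's Encrypt / ipa-server-install thread above.
# Not from the list or from FreeIPA; needs only openssl. A throwaway
# root -> intermediate -> leaf generated here stands in for Let's Encrypt's
# privkey.pem/fullchain.pem (nothing is downloaded). Names and the
# passphrase are placeholders.
set -eu
WORK=$(mktemp -d)
PASS=changeit
cd "$WORK"

# Explicit ext sections so the system openssl.cnf cannot change the outcome.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
subjectAltName = DNS:ipa.example.test
EOF

csr() {  # csr <subject> <basename>: fresh P-256 key + CSR
    openssl req -new -config req.cnf -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
        -nodes -subj "$1" -keyout "$2.key" -out "$2.csr" 2>/dev/null
}
sign() { # sign <basename> <issuer basename> <extension section>
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
        -extfile req.cnf -extensions "$3" -days 30 -out "$1.pem" 2>/dev/null
}

# Constructed stand-in hierarchy.
openssl req -x509 -config req.cnf -extensions ca_ext -newkey ec \
    -pkeyopt ec_paramgen_curve:P-256 -nodes -subj '/CN=Stand-in Root' \
    -keyout root.key -out root.pem -days 30 2>/dev/null
csr '/CN=Stand-in R3' inter;      sign inter root ca_ext
csr '/CN=ipa.example.test' leaf;  sign leaf inter leaf_ext

# What the ACME client leaves behind: the key, and leaf + intermediate.
# The root that signed the intermediate is NOT in fullchain.pem.
cp leaf.key privkey.pem
cat leaf.pem inter.pem > fullchain.pem

# (1) The recipe from the post: the chain inside the PKCS#12 stops at the
#     intermediate, which is what the installer's chain check rejects.
cat privkey.pem fullchain.pem > key.pem
openssl pkcs12 -export -in key.pem -name ipa.example.test \
    -out as-posted.p12 -passout "pass:$PASS"

# (2) Add the root (here root.pem; for Let's Encrypt, the root that issued
#     the intermediate) so the PKCS#12 chains all the way up. Hand this file
#     to --http_pkcs12/--dirsrv_pkcs12 and the same root to --root-ca-file.
cat inter.pem root.pem > chain-with-root.pem
openssl pkcs12 -export -in leaf.pem -inkey privkey.pem -certfile chain-with-root.pem \
    -name ipa.example.test -out complete.p12 -passout "pass:$PASS"

# pem_chain_status <pem>: "complete" if any certificate in the file is
# self-signed (subject == issuer), i.e. the chain reaches a root; else "incomplete".
pem_chain_status() {
    d=$(mktemp -d); status=incomplete
    awk -v d="$d" '/-----BEGIN CERTIFICATE-----/ { n++; f = d "/c" n ".pem" }
                   f { print > f }
                   /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
    for c in "$d"/c*.pem; do
        [ -e "$c" ] || continue
        s=$(openssl x509 -in "$c" -noout -subject); i=$(openssl x509 -in "$c" -noout -issuer)
        [ "${s#subject=}" = "${i#issuer=}" ] && status=complete
    done
    rm -rf "$d"; echo "$status"
}

# p12_chain_status <p12>: the same check on the certificates inside a PKCS#12.
p12_chain_status() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null > "$1.certs.pem"
    pem_chain_status "$1.certs.pem"
}

echo "fullchain.pem:  $(pem_chain_status fullchain.pem)"   # incomplete
echo "as-posted.p12:  $(p12_chain_status as-posted.p12)"   # incomplete
echo "complete.p12:   $(p12_chain_status complete.p12)"    # complete
```

Run the two status functions against the real ipa.pkcs12 and the file you intend to pass as --root-ca-file before starting the installer; both must report "complete", and the root you append must be the one that actually issued the intermediate in fullchain.pem, not an arbitrary trusted root.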
> Web: http://www.bloomip.com > > Engineering Support: support at bloomip.com > Billing Support: billing at bloomip.com > Customer Support Portal: https://my.bloomip.com > > On Thu, Apr 21, 2016 at 7:47 AM, Sumit Bose wrote: > >> On Wed, Apr 20, 2016 at 02:18:28PM -0400, Jeff Hallyburton wrote: >>> Sumit, >>> >>> Raised the debug level to 10 and let it run for about 24 hours. >> Uploading >>> the last 2000~ lines of the sssd_domain.com.log. Thanks for your help! >> >> Can you send the related krb5_child log file as well? >> >> bye, >> Sumit >> >>> >>> https://pastebin.com/MD6N1Dj7 >>> >>> Jeff Hallyburton >>> Strategic Systems Engineer >>> Bloomip Inc. >>> Web: http://www.bloomip.com >>> >>> Engineering Support: support at bloomip.com >>> Billing Support: billing at bloomip.com >>> Customer Support Portal: https://my.bloomip.com >> >>> >>> On Tue, Apr 19, 2016 at 1:14 PM, Jeff Hallyburton < >>> jeff.hallyburton at bloomip.com> wrote: >>> >>>> Sumit, >>>> >>>> Raised the debug level to 10 and let it run for about 24 hours. >> Uploading >>>> the full sssd_domain.com.log. Thanks for your help! >>>> >>>> Jeff >>>> >>>> Jeff Hallyburton >>>> Strategic Systems Engineer >>>> Bloomip Inc. >>>> Web: http://www.bloomip.com >>>> >>>> Engineering Support: support at bloomip.com >>>> Billing Support: billing at bloomip.com >>>> Customer Support Portal: https://my.bloomip.com < >> http://my.bloomip.com/> >>>> >>>> On Mon, Apr 18, 2016 at 10:58 AM, Sumit Bose wrote: >>>> >>>>> On Fri, Apr 15, 2016 at 04:47:42PM -0400, Jeff Hallyburton wrote: >>>>>> After setting debug_level=8, this is what I see in the >> sssd_domain_log: >>>>> >>>>> Unfortunately the domain log and the krb5_child log do not relate to >>>>> each other. >>>>> >>>>>> >>>>>> (Fri Apr 15 20:10:46 2016) [sssd[be[example.com]]] >>>>> [child_handler_setup] >>>>>> (0x2000): Setting up signal handler up for pid [32382] >>>>>> >>>>> >>>>> .... 
>>>>> >>>>>> >>>>>> (Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731]]]] >> [k5c_setup_fast] >>>>>> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/ >>>>>> jump02.west-2.production.example.com at EXAMPLE.COM] >>>>>> >>>>> >>>>> ... >>>>> >>>>>> (Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731]]]] >>>>> [get_and_save_tgt] >>>>>> (0x0400): krb5_get_init_creds_password returned [-1765328324} during >>>>>> pre-auth. >>>>>> >>>>>> >>>>>> Can you shed any light on this? >>>>>> >>>>> >>>>> In the domain log the child with the pid 32382 is started to run a >>>>> pre-authentication request. The request is needed to find out which >> kind >>>>> of authentication types are available for the user, e.g. password or >>>>> 2-factor authentication with the OTP token. The request in the child >>>>> with the PID 32731 looks like a real authentication request with >> returns >>>>> with an error code -1765328324 which just means 'Generic error' but >>>>> might have cause SSSD to go offline. >>>>> >>>>> I would like to ask you to run the test again with debug_level=10 in >> the >>>>> [domain/...] section of sssd.conf which would enable some low level >>>>> Kerberos tracing messages which might help to understand what kind of >>>>> 'Generic error' was hit here. Additionally I would like ask you to >> send >>>>> the full log files as attachment or in an archive which would hep be >> to >>>>> better navigate through them. 
>>>>> >>>>> bye, >>>>> Sumit >>>>> >>>> >>>> >> > > > -- Petr^2 Spacek From sbose at redhat.com Thu Apr 21 15:17:18 2016 From: sbose at redhat.com (Sumit Bose) Date: Thu, 21 Apr 2016 17:17:18 +0200 Subject: [Freeipa-users] Servers intermittently losing connection to IPA In-Reply-To: References: <20160415071441.GD16887@p.redhat.com> <20160418145834.GB14060@p.redhat.com> <20160421114704.GG11731@p.redhat.com> Message-ID: <20160421151718.GH11731@p.redhat.com> On Thu, Apr 21, 2016 at 09:44:47AM -0400, Jeff Hallyburton wrote: > Sumit, > > We found a resolution for this and I'm dropping it here for posterity. > After some digging, it turns out that our ipa server and ipa replica were > returning different IPs for systems in the environment in DNS requests (one > returned internal results, one returned external results). > > After resolving this our intermittent connectivity issue went away. So it > seems that in some cases, the incorrect IP was being returned for LDAP > requests. Thank you for the feedback. bye, Sumit > > One additional item found here, it seems that the timeout to resolve an > address (from the sssd logs) is 6 seconds. Can this be raised? > > Thanks, > > Jeff > > Jeff Hallyburton > Strategic Systems Engineer > Bloomip Inc. > Web: http://www.bloomip.com > > Engineering Support: support at bloomip.com > Billing Support: billing at bloomip.com > Customer Support Portal: https://my.bloomip.com > > On Thu, Apr 21, 2016 at 7:47 AM, Sumit Bose wrote: > > > On Wed, Apr 20, 2016 at 02:18:28PM -0400, Jeff Hallyburton wrote: > > > Sumit, > > > > > > Raised the debug level to 10 and let it run for about 24 hours. > > Uploading > > > the last 2000~ lines of the sssd_domain.com.log. Thanks for your help! > > > > Can you send the related krb5_child log file as well? > > > > bye, > > Sumit > > > > > > > > https://pastebin.com/MD6N1Dj7 > > > > > > Jeff Hallyburton > > > Strategic Systems Engineer > > > Bloomip Inc. 
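Added example for the "Servers intermittently losing connection" thread (Jeff's root cause, Lukas's pointer to dns_resolver_timeout); it is editorial code, not from any participant, SSSD or FreeIPA. The failure Jeff describes is two IPA DNS servers answering the same name with different addresses (internal on one, external on the other), so SSSD's LDAP connection went to the wrong place depending on which server answered. The check below asks every IPA DNS server directly for the A records of the names clients actually use and reports names whose answer sets differ. Server and host names are placeholders; the captured answers in the self-test are constructed, and the live query path needs dig and network access. The timeout Jeff asked about is the dns_resolver_timeout option in the [domain/...] section of sssd.conf, as Lukas says; raising it hides a wrong answer rather than fixing it, so run this check first.

```sh
#!/bin/sh
# Added example for the "Servers intermittently losing connection" thread.
# Not from the list, SSSD or FreeIPA. Checks that every IPA DNS server
# answers the same A records for the names clients resolve; one server
# handing out external addresses and the other internal ones is exactly
# the split Jeff found. Server and host names are placeholders.
set -eu

# collect_answers "<dns servers>" "<names>": emit "server name ip" lines by
# querying each server directly (needs dig and network; not used by the
# offline self-test further down).
collect_answers() {
    for srv in $1; do
        for name in $2; do
            dig +short +time=2 +tries=1 "@$srv" "$name" A 2>/dev/null \
              | grep -E '^[0-9]+(\.[0-9]+){3}$' \
              | while read -r ip; do echo "$srv $name $ip"; done
        done
    done
}

# report_mismatches: read "server name ip" lines on stdin and print one line
# per name whose answer set differs between servers:
#   <name> <server>=<ip,...> <server>=<ip,...>
# Prints nothing when all servers agree (an empty answer counts as a set).
report_mismatches() {
    sort -u | awk '
        { set[$1 SUBSEP $2] = set[$1 SUBSEP $2] $3 ","; names[$2] = 1; servers[$1] = 1 }
        END {
            for (n in names) {
                first = 1; bad = 0
                for (s in servers) {
                    v = set[s SUBSEP n]
                    if (first) { ref = v; first = 0 } else if (v != ref) bad = 1
                }
                if (bad) {
                    line = n
                    for (s in servers) line = line " " s "=" set[s SUBSEP n]
                    print line
                }
            }
        }' | sort
}

# Constructed capture standing in for collect_answers output: both IPA servers
# agree on their own names, but ipa2 answers the LDAP alias with a public address.
SAMPLE_ANSWERS='ipa1.example.test ipa1.example.test 10.0.0.11
ipa1.example.test ipa2.example.test 10.0.0.12
ipa1.example.test ldap.example.test 10.0.0.11
ipa1.example.test ldap.example.test 10.0.0.12
ipa2.example.test ipa1.example.test 10.0.0.11
ipa2.example.test ipa2.example.test 10.0.0.12
ipa2.example.test ldap.example.test 203.0.113.5'

# mismatched_names: only the names report_mismatches flags for the sample above.
mismatched_names() { printf '%s\n' "$SAMPLE_ANSWERS" | report_mismatches | awk '{ print $1 }'; }

# Live use (not run here):
#   collect_answers "ipa1.example.test ipa2.example.test" \
#       "ipa1.example.test ipa2.example.test ldap.example.test" | report_mismatches
printf '%s\n' "$SAMPLE_ANSWERS" | report_mismatches
```

Feed it the IPA server names plus whatever ipa_server/ldap_uri in sssd.conf points at, and run it from a client on each network segment: a view or firewall rewrite that only affects some clients shows up as a mismatch only from there.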
> > > Web: http://www.bloomip.com > > > > > > Engineering Support: support at bloomip.com > > > Billing Support: billing at bloomip.com > > > Customer Support Portal: https://my.bloomip.com > > > > > > > > On Tue, Apr 19, 2016 at 1:14 PM, Jeff Hallyburton < > > > jeff.hallyburton at bloomip.com> wrote: > > > > > > > Sumit, > > > > > > > > Raised the debug level to 10 and let it run for about 24 hours. > > Uploading > > > > the full sssd_domain.com.log. Thanks for your help! > > > > > > > > Jeff > > > > > > > > Jeff Hallyburton > > > > Strategic Systems Engineer > > > > Bloomip Inc. > > > > Web: http://www.bloomip.com > > > > > > > > Engineering Support: support at bloomip.com > > > > Billing Support: billing at bloomip.com > > > > Customer Support Portal: https://my.bloomip.com < > > http://my.bloomip.com/> > > > > > > > > On Mon, Apr 18, 2016 at 10:58 AM, Sumit Bose wrote: > > > > > > > >> On Fri, Apr 15, 2016 at 04:47:42PM -0400, Jeff Hallyburton wrote: > > > >> > After setting debug_level=8, this is what I see in the > > sssd_domain_log: > > > >> > > > >> Unfortunately the domain log and the krb5_child log do not relate to > > > >> each other. > > > >> > > > >> > > > > >> > (Fri Apr 15 20:10:46 2016) [sssd[be[example.com]]] > > > >> [child_handler_setup] > > > >> > (0x2000): Setting up signal handler up for pid [32382] > > > >> > > > > >> > > > >> .... > > > >> > > > >> > > > > >> > (Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731]]]] > > [k5c_setup_fast] > > > >> > (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/ > > > >> > jump02.west-2.production.example.com at EXAMPLE.COM] > > > >> > > > > >> > > > >> ... > > > >> > > > >> > (Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731]]]] > > > >> [get_and_save_tgt] > > > >> > (0x0400): krb5_get_init_creds_password returned [-1765328324} during > > > >> > pre-auth. > > > >> > > > > >> > > > > >> > Can you shed any light on this? 
> > > >> > > > > >> > > > >> In the domain log the child with the pid 32382 is started to run a > > > >> pre-authentication request. The request is needed to find out which > > kind > > > >> of authentication types are available for the user, e.g. password or > > > >> 2-factor authentication with the OTP token. The request in the child > > > >> with the PID 32731 looks like a real authentication request with > > returns > > > >> with an error code -1765328324 which just means 'Generic error' but > > > >> might have cause SSSD to go offline. > > > >> > > > >> I would like to ask you to run the test again with debug_level=10 in > > the > > > >> [domain/...] section of sssd.conf which would enable some low level > > > >> Kerberos tracing messages which might help to understand what kind of > > > >> 'Generic error' was hit here. Additionally I would like ask you to > > send > > > >> the full log files as attachment or in an archive which would hep be > > to > > > >> better navigate through them. > > > >> > > > >> bye, > > > >> Sumit > > > >> > > > > > > > > > > From jochen at jochen.org Thu Apr 21 15:42:33 2016 From: jochen at jochen.org (Jochen Hein) Date: Thu, 21 Apr 2016 17:42:33 +0200 Subject: [Freeipa-users] Problem with ipa-getkeytab ? In-Reply-To: <5258909.fOTCpBiGFk@techz> ("Günther J. Niederwimmer"'s message of "Thu, 21 Apr 2016 16:53:36 +0200") References: <5258909.fOTCpBiGFk@techz> Message-ID: <8337qf9dee.fsf@jochen.org> Günther J. Niederwimmer writes: > but on the second Server when I start > > kinit admin > ipa-getkeytab -r -s ipa.example.com -p imap/mail.example.com -k /etc/ > dovecot/dovecot.keytab > > for the same keytab, > I become a Error with not access is possible ? You need special authorization to retrieve a keytab, AFAIK.
Please have a look at http://www.freeipa.org/page/V4/Keytab_Retrieval_Management and http://www.freeipa.org/page/V4/Keytab_Retrieval

Hope that helps,
Jochen

-- The only problem with troubleshooting is that the trouble shoots back.

From mbabinsk at redhat.com Thu Apr 21 15:48:35 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 21 Apr 2016 17:48:35 +0200 Subject: [Freeipa-users] Problem with ipa-getkeytab ? In-Reply-To: <5258909.fOTCpBiGFk@techz> References: <5258909.fOTCpBiGFk@techz> Message-ID: <5718F653.3090504@redhat.com>

On 04/21/2016 04:53 PM, Günther J. Niederwimmer wrote:
> Hello,
>
> I found a HowTO on FreeIPA to install a HA Version for a Mailsystem.
>
> Now I have a Problem to get the Keytab on the second Server
>
> On the first Server I run.
>
> kinit admin
> ipa-getkeytab -s ipa.example.com -p imap/mail.example.com -k /etc/dovecot/dovecot.keytab
>
> This is working
>
> but on the second Server when I start
>
> kinit admin
> ipa-getkeytab -r -s ipa.example.com -p imap/mail.example.com -k /etc/dovecot/dovecot.keytab
>
> for the same keytab,
> I become a Error with not access is possible ?
>
> is this a Bug or a mistake from me ?
>

AFAIK reading Kerberos keys is a protected operation reserved for root/directory manager only, so you will have to use your Directory manager credentials for that:

"""
ipa-getkeytab -r -s ipa.example.com -p imap/mail.example.com -k /etc/dovecot/dovecot.keytab -D 'cn=directory manager' -w $DM_PASSWORD
"""

alternatively you can permit your admin user to retrieve the keytab using the following command:

"""
ipa service-allow-retrieve-keytab imap/mail.example.com --users admin
"""

and then run ipa-getkeytab as admin

-- Martin^3 Babinsky

From gjn at gjn.priv.at Thu Apr 21 15:55:47 2016 From: gjn at gjn.priv.at (Günther J. Niederwimmer) Date: Thu, 21 Apr 2016 17:55:47 +0200 Subject: [Freeipa-users] Problem with ipa-getkeytab ?
In-Reply-To: <5258909.fOTCpBiGFk@techz> References: <5258909.fOTCpBiGFk@techz> Message-ID: <17398495.cYuNhbsCj3@techz>

Hello List,

On Thursday, 21 April 2016, 16:53:36 CEST, Günther J. Niederwimmer wrote:

Thanks for the answer ;-) I hope this helps. Thank you

-- mit freundlichen Grüßen / best regards, Günther J. Niederwimmer

From oguzyarimtepe at gmail.com Thu Apr 21 16:46:54 2016 From: oguzyarimtepe at gmail.com (Oğuz Yarımtepe) Date: Thu, 21 Apr 2016 19:46:54 +0300 Subject: [Freeipa-users] concurrent requests to ipalib app giving network error Message-ID:

Hi,

I have a REST API that is using the ipalib and written with Falcon. Below is the code or you can check it online here: http://paste.ubuntu.com/15966308/

    from __future__ import print_function
    from bson import json_util
    import json
    import falcon
    from ipalib import api as ipaapi
    from api.utils.utils import parse_json, check_connection
    from api import settings


    class Calls(object):
        #@falcon.before(check_connection)
        def on_post(self, req, resp):
            result_json = parse_json(req)
            command_name = result_json["command_name"]
            params = result_json["params"]
            if not hasattr(ipaapi.env, "conf"):
                #TODO: add kinit oguz for exceptional case
                ipaapi.bootstrap_with_global_options(context='satcloud_api')
                ipaapi.finalize()
                if ipaapi.env.in_server:
                    ipaapi.Backend.ldap2.connect()
                else:
                    ipaapi.Backend.rpcclient.connect()
            #import ipdb
            #ipdb.set_trace()
            command=ipaapi.Command
            command_result=getattr(command,command_name)
            #resp.set_cookie('api_status_cookie', 'True')
            if not params:
                resp.body = json.dumps(command_result())
                resp.status = falcon.HTTP_200
            else:
                if type(params) == dict:
                    arguments = []
                    kwargs = dict()
                    for key, value in params.iteritems():
                        if "arg" in key:
                            arguments.append(value)
                        else:
                            kwargs[key]=value
                    try:
                        #for datetime serialization problems better to use bson
                        dump = command_result(*arguments, **kwargs)
                        resp.body = json.dumps(dump, default=json_util.default)
                        #resp.body = json.dumps(command_result(*arguments, **kwargs))
                        resp.status = falcon.HTTP_200
                    except UnicodeDecodeError:
                        resp.body = json.dumps(dump, default=json_util.default, encoding='latin1')
                        resp.status = falcon.HTTP_200
                    except Exception as e:
                        resp.status = falcon.HTTP_BAD_REQUEST
                        resp.body = json.dumps({"description": e.message, "title": "Dublicate entry"})
                        #raise falcon.HTTPBadRequest(title="Dublicate entry",
                        #                            description=e,
                        #                            href=settings.__docs__)
                else:
                    dump = command_result(params)
                    resp.body = json.dumps(dump, default=json_util.default)
                    #resp.body = json.dumps(command_result(params))
                    resp.status = falcon.HTTP_200

Basically I am making concurrent calls to this REST API and I am getting a network error: http://paste.ubuntu.com/15966347/

    ipa: INFO: Forwarding 'user_find' to json server 'https://ipa.foo.com/ipa/json'
    ipa: INFO: Forwarding 'netgroup_find' to json server 'https://ipa.foo.com/ipa/json'
    [pid: 5450|app: 0|req: 9/14] 10.102.235.77 () {34 vars in 463 bytes} [Thu Apr 21 17:43:22 2016] POST /v1/ipa/calls => generated 2324 bytes in 227 msecs (HTTP/1.1 200) 8 headers in 459 bytes (1 switches on core 0)
    Traceback (most recent call last):
      File "falcon/api.py", line 213, in falcon.api.API.__call__ (falcon/api.c:2521)
      File "falcon/api.py", line 182, in falcon.api.API.__call__ (falcon/api.c:2118)
      File "./api/resources/ipa/calls.py", line 38, in on_post
        resp.body = json.dumps(command_result())
      File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
        ret = self.run(*args, **options)
      File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 761, in run
        return self.forward(*args, **options)
      File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 782, in forward
        return self.Backend.rpcclient.forward(self.name, *args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 935, in forward
        raise NetworkError(uri=server, error=e.errmsg)
    ipalib.errors.NetworkError: cannot connect to 'https://ipa.foo.com/ipa/json': Internal Server Error
    [pid: 5451|app: 0|req: 3/15] 10.102.235.77 () {34 vars in 463 bytes} [Thu Apr 21 17:43:22 2016] POST /v1/ipa/calls => generated 0 bytes in 1421 msecs (HTTP/1.1 500) 0 headers in 0 bytes (0 switches on core 0)

This is how a concurrent request is being sent:

    #!/usr/bin/env python
    from multiprocessing import Process, Pool
    import time
    import urllib2

    def millis():
        return int(round(time.time() * 1000))

    def http_get(url):
        start_time = millis()
        request = urllib2.Request(url, headers={"Content-Type": "application/json", "Origin": "http://ipa.foo.com", "Authorization": "{'token': 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzcnYiOiJpcGEuc2F0Y2xvdWQuY29tLnRyIiwic3ViIjoiMGU1ZGZkNDc3N2I2NmNhOTU3ZTc4ZmJhZjMxNjYxMmEifQ.cr8cNy7zgQkY-q7UUyTCNPCjGlmz-LCCzUYSUV9P694'}"})
        result = {"url": url, "data": urllib2.urlopen(request, timeout=10).read()[:100]}
        #result = {"url": url, "data": urllib2.urlopen(request, timeout=5).read()}
        print url + " took " + str(millis() - start_time) + " ms"
        return result

    urls = ['http://api.foo.com:8888/v1/users', 'http://api.foo.com:8888/v1/organizations']
    pool = Pool(processes=2)
    start_time = millis()
    results = pool.map(http_get, urls)
    print "\nTotal took " + str(millis() - start_time) + " ms\n"
    for result in results:
        print result

I am confused about the reason for the error. Any idea?

-- Oğuz Yarımtepe http://about.me/oguzy

From huston at astro.princeton.edu Thu Apr 21 17:26:19 2016 From: huston at astro.princeton.edu (Steve Huston) Date: Thu, 21 Apr 2016 13:26:19 -0400 Subject: [Freeipa-users] Account/password expirations In-Reply-To: <20160419155704.GC14903@hendrix> References: <20160419155704.GC14903@hendrix> Message-ID:

On Tue, Apr 19, 2016 at 11:57 AM, Jakub Hrozek wrote:
> Did you test that this actually fails with id_provider=ipa? I would
> assume the IPA KDC would kick you out and prompt for a new password..
If you're using a password, yes it kicks back and requires you to change it. The problem is if you're not using a password to authenticate, but instead using an SSH key, then it appears there's no hooks to check with IPA if the password (or the principal itself) is expired and the user is allowed to continue to login. The "recommended" way to do this in RHEL6 is to set access_provider to ldap in sssd, but that doesn't seem to cover all cases and doesn't play well with other IPA things (like HBAC) from what I can tell. -- Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci Princeton University | ICBM Address: 40.346344 -74.652242 345 Lewis Library |"On my ship, the Rocinante, wheeling through Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus, (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1' From tjaalton at ubuntu.com Thu Apr 21 19:01:20 2016 From: tjaalton at ubuntu.com (Timo Aaltonen) Date: Thu, 21 Apr 2016 22:01:20 +0300 Subject: [Freeipa-users] Ubuntu 16.04 released with FreeIPA 4.3.1 Message-ID: <57192380.4090400@ubuntu.com> Howdy! Ubuntu 16.04 LTS got released today, and it comes with FreeIPA 4.3.1! The biggest feature of this version is that it also supports replication by client promotion to replica master. IPA on Debian/Ubuntu has been a single-master thing until now.. FreeIPA is in the community-supported section of the package archive called "universe". What this means is that it's not officially supported by Canonical, but the community. While I and some others have tried to poke it from every angle we can, it might still have hidden bugs that need fixing, so feel free to try it out and report any issues you might find on Launchpad! ps. 
Debian unstable will have 4.3.1 once the package has gone through the NEW queue because the packaging got split in certain ways -- t From simo at redhat.com Thu Apr 21 19:24:14 2016 From: simo at redhat.com (Simo Sorce) Date: Thu, 21 Apr 2016 15:24:14 -0400 Subject: [Freeipa-users] Ubuntu 16.04 released with FreeIPA 4.3.1 In-Reply-To: <57192380.4090400@ubuntu.com> References: <57192380.4090400@ubuntu.com> Message-ID: <1461266654.30315.104.camel@redhat.com> On Thu, 2016-04-21 at 22:01 +0300, Timo Aaltonen wrote: > Howdy! > > Ubuntu 16.04 LTS got released today, and it comes with FreeIPA 4.3.1! > The biggest feature of this version is that it also supports replication > by client promotion to replica master. IPA on Debian/Ubuntu has been a > single-master thing until now.. > > FreeIPA is in the community-supported section of the package archive > called "universe". What this means is that it's not officially supported > by Canonical, but the community. While I and some others have tried to > poke it from every angle we can, it might still have hidden bugs that > need fixing, so feel free to try it out and report any issues you might > find on Launchpad! > > > ps. Debian unstable will have 4.3.1 once the package has gone through > the NEW queue because the packaging got split in certain ways Thanks Timo, this is awesome! Simo. -- Simo Sorce * Red Hat, Inc * New York From abokovoy at redhat.com Thu Apr 21 19:37:13 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 21 Apr 2016 22:37:13 +0300 Subject: [Freeipa-users] Ubuntu 16.04 released with FreeIPA 4.3.1 In-Reply-To: <57192380.4090400@ubuntu.com> References: <57192380.4090400@ubuntu.com> Message-ID: <20160421193713.GP24892@redhat.com> On Thu, 21 Apr 2016, Timo Aaltonen wrote: > > Howdy! > > Ubuntu 16.04 LTS got released today, and it comes with FreeIPA 4.3.1! >The biggest feature of this version is that it also supports replication >by client promotion to replica master. 
IPA on Debian/Ubuntu has been a
>single-master thing until now..
>
>FreeIPA is in the community-supported section of the package archive
>called "universe". What this means is that it's not officially supported
>by Canonical, but the community. While I and some others have tried to
>poke it from every angle we can, it might still have hidden bugs that
>need fixing, so feel free to try it out and report any issues you might
>find on Launchpad!
>
>
>ps. Debian unstable will have 4.3.1 once the package has gone through
>the NEW queue because the packaging got split in certain ways

This is really exciting news! Thanks Timo and everyone who made it possible!

-- / Alexander Bokovoy

From jhrozek at redhat.com Thu Apr 21 19:37:26 2016 From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 21 Apr 2016 21:37:26 +0200 Subject: [Freeipa-users] Account/password expirations In-Reply-To: References: <20160419155704.GC14903@hendrix> Message-ID: <20160421193726.GB4262@hendrix>

On Thu, Apr 21, 2016 at 01:26:19PM -0400, Steve Huston wrote:
> On Tue, Apr 19, 2016 at 11:57 AM, Jakub Hrozek wrote:
> > Did you test that this actually fails with id_provider=ipa? I would
> > assume the IPA KDC would kick you out and prompt for a new password..
>
> If you're using a password, yes it kicks back and requires you to
> change it. The problem is if you're not using a password to
> authenticate, but instead using an SSH key, then it appears there's no
> hooks to check with IPA if the password (or the principal itself) is
> expired and the user is allowed to continue to login. The
> "recommended" way to do this in RHEL6 is to set access_provider to
> ldap in sssd, but that doesn't seem to cover all cases and doesn't
> play well with other IPA things (like HBAC) from what I can tell.

Then in my opinion SSSD is behaving correctly there. It wouldn't let in a locked user (it would check the nsaccountlock attribute), but I'm not sure it would be correct to check krbPasswordExpiration if you're using a completely different method to authenticate..

Moreover, if you login through an SSH key, you don't get a ticket on login and you can't kinit, so you can't access any network resources anyway..

But to be honest, this is something we discussed even among IPA developers and we're not in total agreement here either, so maybe others will overrule me :)

From askstack at yahoo.com Thu Apr 21 21:14:37 2016 From: askstack at yahoo.com (Ask Stack) Date: Thu, 21 Apr 2016 21:14:37 +0000 (UTC) Subject: [Freeipa-users] Client enrolled but failed to obtain host TGT. References: <1533484586.5088917.1461273277355.JavaMail.yahoo.ref@mail.yahoo.com> Message-ID: <1533484586.5088917.1461273277355.JavaMail.yahoo@mail.yahoo.com>

Half the time ipa-client-install will fail at getting the TGT. Google showed posts like Bug 845691 - ipa-client-install Failed to obtain host TGT. I reduced '_kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp' '_kerberos._udp' to one server entry only. But it didn't help to reduce the failure rate. Thanks for your help.

client: ipa-client-3.0.0-47.el6_7.2.x86_64
server: ipa-server-3.0.0-47.el6_7.1.x86_64

    ipa-client-install --hostname=client1.example.com --server=ipa-server.example.com --domain=example.com -N --mkhomedir --unattended -p ipaadd at EXAMPLE.COM -w 'password1' --ca-cert-file=/etc/ipa/ca.crt -d
    ......
    Enrolled in IPA realm EXAMPLE.COM
    args=kdestroy
    stdout=
    stderr=
    args=/usr/bin/kinit -k -t /etc/krb5.keytab host/client1.example.com at EXAMPLE.COM
    stdout=
    stderr=kinit: Generic preauthentication failure while getting initial credentials
    args=/usr/bin/kinit -k -t /etc/krb5.keytab host/client1.example.com at EXAMPLE.COM
    stdout=
    stderr=kinit: Generic preauthentication failure while getting initial credentials
    args=/usr/bin/kinit -k -t /etc/krb5.keytab host/client1.example.com at EXAMPLE.COM
    stdout=
    stderr=kinit: Generic preauthentication failure while getting initial credentials
    args=/usr/bin/kinit -k -t /etc/krb5.keytab host/client1.example.com at EXAMPLE.COM
    stdout=
    stderr=kinit: Generic preauthentication failure while getting initial credentials
    args=/usr/bin/kinit -k -t /etc/krb5.keytab host/client1.example.com at EXAMPLE.COM
    stdout=
    stderr=kinit: Generic preauthentication failure while getting initial credentials
    Failed to obtain host TGT.
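Added example for the "Account/password expirations" thread earlier in this digest (Steve Huston and Jakub Hrozek); it is editorial code, not from any participant, SSSD or FreeIPA. Steve's point is that a key-based SSH login never touches the KDC, so nothing enforces krbPasswordExpiration or the principal's own expiry, and Jakub notes that SSSD's access check does honour nsaccountlock but deliberately leaves the password question open. If a site wants key logins to stop where a password login would have been bounced, one place to put that policy is an AuthorizedKeysCommand wrapper that hands sshd no keys for such a user. The decision logic works on an LDAP entry (nsAccountLock, krbPrincipalExpiration and krbPasswordExpiration as in IPA's Kerberos schema) plus a clock, so it is tested offline on constructed entries; the ldapsearch fetch with a host credential and the real key lookup via sss_ssh_authorizedkeys are assumed deployment details. A missing or unreadable entry denies rather than allows, which is the failure mode to get right in a wrapper like this. Whether an expired password should block key logins is left as a switch, since that is exactly the point Jakub said is undecided.

```sh
#!/bin/sh
# Added example for the "Account/password expirations" thread. Not from the
# list, SSSD or FreeIPA. An AuthorizedKeysCommand wrapper that hands sshd no
# keys for an IPA user whose account is locked or whose principal (and,
# optionally, password) has expired. Deployment shape (ldapsearch with a host
# credential, sss_ssh_authorizedkeys for the keys) is ASSUMED; the decision
# logic is what the self-test exercises.
set -eu

# login_decision <now> [yes|no]: read an LDAP entry as "attr: value" lines on
# stdin and print "allow" or "deny <reason>". <now> is LDAP GeneralizedTime
# (YYYYMMDDHHMMSSZ); it is fixed-width UTC, so a string comparison orders it
# correctly. The second argument says whether an expired password also blocks
# key logins. No entry at all (lookup failed, user unknown) fails closed.
login_decision() {
    awk -v now="$1" -v block_pw="${2:-no}" '
        {
            a = tolower($1); sub(/:$/, "", a); v = $2
            if (a == "dn") have = 1
            if (a == "nsaccountlock" && toupper(v) == "TRUE") locked = 1
            if (a == "krbprincipalexpiration") pexp = v
            if (a == "krbpasswordexpiration")  pwexp = v
        }
        END {
            if (!have)                        { print "deny no-entry"; exit }
            if (locked)                       { print "deny account-locked"; exit }
            if (pexp != "" && pexp < now)     { print "deny principal-expired " pexp; exit }
            if (block_pw == "yes" && pwexp != "" && pwexp < now) {
                print "deny password-expired " pwexp; exit
            }
            print "allow"
        }'
}

# fetch_entry <ipa server> <uid> <base dn>: the attributes above for one user.
# ASSUMED: GSSAPI bind with a credential cache the command user owns (e.g.
# obtained from the host keytab). Not executed by the self-test.
fetch_entry() {
    ldapsearch -LLL -Q -Y GSSAPI -H "ldaps://$1" -b "cn=users,cn=accounts,$3" "(uid=$2)" \
        nsAccountLock krbPrincipalExpiration krbPasswordExpiration 2>/dev/null
}

# Entry point for sshd (assumed sshd_config lines):
#   AuthorizedKeysCommand /usr/local/sbin/ipa-keys-guard %u
#   AuthorizedKeysCommandUser nobody
# No output means no keys, so sshd does not accept the key.
ipa_keys_guard() {  # ipa_keys_guard <user> <ipa server> <base dn>
    verdict=$(fetch_entry "$2" "$1" "$3" | login_decision "$(date -u +%Y%m%d%H%M%SZ)" no)
    case $verdict in
        allow) sss_ssh_authorizedkeys "$1" ;;
        *)     logger -t ipa-keys-guard "no keys for $1: $verdict" ;;
    esac
}

# Constructed sample entries for the offline self-test (no server needed).
SAMPLE_OK='dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
nsAccountLock: FALSE
krbPrincipalExpiration: 20170101000000Z
krbPasswordExpiration: 20160301000000Z'
SAMPLE_EXPIRED='dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
krbPrincipalExpiration: 20160101000000Z'
SAMPLE_LOCKED='dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
nsAccountLock: TRUE'
NOW=20160421173000Z   # "today" for the thread

# decide_sample <yes|no> <entry text>: run login_decision at NOW on a sample.
decide_sample() { printf '%s\n' "$2" | login_decision "$NOW" "$1"; }

decide_sample no  "$SAMPLE_OK"        # allow
decide_sample yes "$SAMPLE_OK"        # deny password-expired 20160301000000Z
decide_sample no  "$SAMPLE_EXPIRED"   # deny principal-expired 20160101000000Z
decide_sample no  "$SAMPLE_LOCKED"    # deny account-locked
```

Jakub's other observation still holds: a key login that passes this check gets no ticket, so it is a gate on the shell, not on anything Kerberos-protected behind it. If the wrapper cannot reach the directory it denies, which means an LDAP outage also blocks key logins; decide whether that matches the site's availability expectations before deploying it on jump hosts.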
From abrook at bsd.uchicago.edu Thu Apr 21 21:44:37 2016
From: abrook at bsd.uchicago.edu (Brook, Andy [CRI])
Date: Thu, 21 Apr 2016 21:44:37 +0000
Subject: [Freeipa-users] Username attribute in trusted domain
In-Reply-To: <20160418150618.GP3050@hendrix.redhat.com>
References: <16461940-31FA-402A-B759-A69F290AF68D@bsd.uchicago.edu> <20160418100341.GJ3050@hendrix.redhat.com> <0432C6AD-92A9-482F-8410-A9D67950DF7B@bsd.uchicago.edu> <20160418150618.GP3050@hendrix.redhat.com>
Message-ID: <80048CA8-D6A7-42A1-B964-9258E09993E3@bsd.uchicago.edu>

On 4/18/16, 10:06 AM, "Jakub Hrozek" wrote:

>On Mon, Apr 18, 2016 at 01:47:04PM +0000, Brook, Andy [CRI] wrote:
>>
>> On 4/18/16, 5:03 AM, "freeipa-users-bounces at redhat.com on behalf of Jakub Hrozek" wrote:
>>
>> >On Fri, Apr 15, 2016 at 08:01:06PM +0000, Brook, Andy [CRI] wrote:
>> >> We're trying to set up FreeIPA to be a good provider of UIDs and GIDs for our mostly RHEL systems. Overall, that works great. The issue I'm running into is that we need to have the same consistent UIDs and GIDs for our Isilon system which serves up both CIFS and NFS. Each user of the Isilon needs to have a UID so that the files are owned properly. The Isilon has a way of getting information from both Active Directory and an associated LDAP server. It gets its list of users and groups from AD, a list of users, UIDs, groups and GIDs from LDAP, and combines accounts that are the same, i.e. ADTEST.LOCAL\abrook and abrook from LDAP will be the same user. However, FreeIPA will show abrook (as it sees through the Trust relationship with ADTEST.LOCAL) as abrook@adtest.local instead of abrook, so the Isilon will see them as distinct accounts and won't merge the information in them. I can't, as far as I can tell right now, tell the Isilon to see users with @adtest.local as the same user without the domain. I can tell the Isilon to look at a different LDAP attribute as its username, but there is no attribute that has only the username.
>> >>
>> >> I noticed in the documentation that if I were to do a sync with Active Directory (which isn't something I want to do), I would get the ntDomainUserID attribute that is the same as the samAccountName. This doesn't happen with a trust. Is there a way to get that in place with a custom attribute or pull more LDAP attributes from AD?
>> >>
>> >> Has anyone else run into a situation like this? If so, were you able to rectify that? If so, how?
>> >>
>> >> We have a ticket open with EMC for the Isilon as well, but want to make sure we're coming at this from all the angles we can.
>> >
>> >I'm sorry, but currently overriding the attribute names for AD trusted domains is not possible. We are working to make it possible for the next version, but it's a bit of a stretch goal already, so chances it won't be ready only for the version after the next one.
>> >
>> >What might perhaps help you is that starting with upstream SSSD 1.14 (upstream 7.3), it should be possible to configure SSSD to only print the shortname and not qualify the users in trusted domains.
>> >
>>
>> Thank you. In your suggestion, are you talking about SSSD on the IPA Servers? My understanding of how SSSD on the IPA servers interacts with the servers that talk to them is pretty limited. If I upgrade SSSD on these servers, I might be able to get LDAP to not print the qualifying domain during ldapsearch?
>
>Depends on how you want to query the information, whether with "getent passwd $user" or ldapsearch. SSSD itself doesn't provide any data to ldapsearch, but provides NSS, PAM and D-Bus interfaces.
>
>And you'd have to upgrade SSSD on both clients and servers.

For the issue that I'm having, it's not actually something with an SSSD client. The Isilon isn't a server that SSSD is or can be installed on. It's a storage appliance that is provided from EMC. It can, however, search LDAP for accounts and groups as well as connect to Active Directory.

>
>>
>> I'm not really asking about overriding attribute names, but rather adding a new attribute that only has the shortname. Is there a way to do that maybe through a custom NIS mapping or something like that? Maybe a dynamic schema extension? I've tried reading through extending the schema, but am currently confused as to how to go about it.
>
>It sounds like the new attribute would be added on the AD side, but at the moment, SSSD's attribute map for the trusted domains is hardcoded.
>
>The only way would be to query the attribute through our d-bus API.

Okay, so it's looking like there's no good way to do what I'm looking for. Essentially the issue is that the Isilon can't quantify the domain that the user is logging in with, i.e. it can't turn LDAPTEST.LOCAL\user into user@ldaptest.local to know that what it's seeing from LDAP is the same as what it got from its Active Directory login.

We're working on another way to do what we need, but still use IPA server. Can you answer when IPA provisions a UID for a user in the trusted domain? If I were to do a "ldapsearch cn=users,cn=compat,dc=tst,dc=ipaexample,dc=com" (where tst.ipaexample.com trusts ldaptest.local) would I see all the ldaptest.local users/groups with their associated generated UIDs/GIDs? Essentially, if we can get a list of users, groups and their associated UIDs/GIDs, we can create the correct association within the Isilon. We just need to make sure we can get the correct UIDs before a user has ever touched the IPA environment.

Andy Brook
Sr. Systems Administrator | Center for Research Informatics | University of Chicago
T: 773-834-0458 | http://cri.uchicago.edu

********************************************************************************
This e-mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged and confidential.
If the reader of this e-mail message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is prohibited. If you have received this e-mail in error, please notify the sender and destroy all copies of the transmittal. Thank you
University of Chicago Medicine and Biological Sciences
********************************************************************************

From mbasti at redhat.com Fri Apr 22 06:44:27 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 22 Apr 2016 08:44:27 +0200
Subject: [Freeipa-users] concurrent requests to ipalib app giving network error
In-Reply-To:
References:
Message-ID: <5719C84B.9080506@redhat.com>

On 21.04.2016 18:46, Oğuz Yarımtepe wrote:
> Hi,
>
> I have a REST API that is using the ipalib and written with Falcon. Below is the code or you can check it online here: http://paste.ubuntu.com/15966308/
>
> from __future__ import print_function
> from bson import json_util
> import json
> import falcon
>
> from ipalib import api as ipaapi
> from api.utils.utils import parse_json, check_connection
> from api import settings
>
> class Calls(object):
>
>     #@falcon.before(check_connection)
>     def on_post(self, req, resp):
>
>         result_json = parse_json(req)
>         command_name = result_json["command_name"]
>         params = result_json["params"]
>
>         if not hasattr(ipaapi.env, "conf"):
>             #TODO: add kinit oguz for exceptional case
>             ipaapi.bootstrap_with_global_options(context='satcloud_api')
>             ipaapi.finalize()
>
>             if ipaapi.env.in_server:
>                 ipaapi.Backend.ldap2.connect()
>             else:
>                 ipaapi.Backend.rpcclient.connect()
>
>         #import ipdb
>         #ipdb.set_trace()
>
>         command=ipaapi.Command
>         command_result=getattr(command,command_name)
>
>         #resp.set_cookie('api_status_cookie', 'True')
>         if not params:
>             resp.body = json.dumps(command_result())
>             resp.status = falcon.HTTP_200
>         else:
>             if type(params) == dict:
>                 arguments = []
>                 kwargs = dict()
>                 for key, value in params.iteritems():
>                     if "arg" in key:
>                         arguments.append(value)
>                     else:
>                         kwargs[key]=value
>                 try:
>                     #for datetime serialization problems better to use bson
>                     dump = command_result(*arguments, **kwargs)
>                     resp.body = json.dumps(dump, default=json_util.default)
>                     #resp.body = json.dumps(command_result(*arguments, **kwargs))
>                     resp.status = falcon.HTTP_200
>                 except UnicodeDecodeError:
>                     resp.body = json.dumps(dump, default=json_util.default, encoding='latin1')
>                     resp.status = falcon.HTTP_200
>                 except Exception as e:
>                     resp.status = falcon.HTTP_BAD_REQUEST
>                     resp.body = json.dumps({"description": e.message, "title": "Duplicate entry"})
>                     #raise falcon.HTTPBadRequest(title="Duplicate entry",
>                     #                            description=e,
>                     #                            href=settings.__docs__)
>             else:
>                 dump = command_result(params)
>                 resp.body = json.dumps(dump, default=json_util.default)
>                 #resp.body = json.dumps(command_result(params))
>                 resp.status = falcon.HTTP_200
>
>
> Basically I am making concurrent calls to this rest api and I am getting
>
> Network error: http://paste.ubuntu.com/15966347/
>
> ipa: INFO: Forwarding 'user_find' to json server 'https://ipa.foo.com/ipa/json'
> ipa: INFO: Forwarding 'netgroup_find' to json server 'https://ipa.foo.com/ipa/json'
> [pid: 5450|app: 0|req: 9/14] 10.102.235.77 () {34 vars in 463 bytes} [Thu Apr 21 17:43:22 2016] POST /v1/ipa/calls => generated 2324 bytes in 227 msecs (HTTP/1.1 200) 8 headers in 459 bytes (1 switches on core 0)
> Traceback (most recent call last):
>   File "falcon/api.py", line 213, in falcon.api.API.__call__ (falcon/api.c:2521)
>   File "falcon/api.py", line 182, in falcon.api.API.__call__ (falcon/api.c:2118)
>   File "./api/resources/ipa/calls.py", line 38, in on_post
>     resp.body = json.dumps(command_result())
>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
>     ret = self.run(*args, **options)
>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 761, in run
>     return self.forward(*args, **options)
>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 782, in forward
>     return self.Backend.rpcclient.forward(self.name, *args, **kw)
>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 935, in forward
>     raise NetworkError(uri=server, error=e.errmsg)
> ipalib.errors.NetworkError: cannot connect to 'https://ipa.foo.com/ipa/json': Internal Server Error
> [pid: 5451|app: 0|req: 3/15] 10.102.235.77 () {34 vars in 463 bytes} [Thu Apr 21 17:43:22 2016] POST /v1/ipa/calls => generated 0 bytes in 1421 msecs (HTTP/1.1 500) 0 headers in 0 bytes (0 switches on core 0)
>
>
> This is how a concurrent request is being sent:
> #!/usr/bin/env python
>
> from multiprocessing import Process, Pool
> import time
> import urllib2
>
> def millis():
>     return int(round(time.time() * 1000))
>
> def http_get(url):
>     start_time = millis()
>     request = urllib2.Request(url, headers={"Content-Type": "application/json", "Origin": "http://ipa.foo.com", "Authorization": "{'token': 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzcnYiOiJpcGEuc2F0Y2xvdWQuY29tLnRyIiwic3ViIjoiMGU1ZGZkNDc3N2I2NmNhOTU3ZTc4ZmJhZjMxNjYxMmEifQ.cr8cNy7zgQkY-q7UUyTCNPCjGlmz-LCCzUYSUV9P694'}"})
>     result = {"url": url, "data": urllib2.urlopen(request, timeout=10).read()[:100]}
>     #result = {"url": url, "data": urllib2.urlopen(request, timeout=5).read()}
>     print url + " took " + str(millis() - start_time) + " ms"
>     return result
>
>
> urls = ['http://api.foo.com:8888/v1/users', 'http://api.foo.com:8888/v1/organizations']
>
> pool = Pool(processes=2)
>
> start_time = millis()
> results = pool.map(http_get, urls)
>
> print "\nTotal took " + str(millis() - start_time) + " ms\n"
>
> for result in results:
>     print result
>
> I am confused about the reason of the error. Any idea?
>
>
> --
> Oğuz Yarımtepe
> http://about.me/oguzy
>
>
Hello,

could you check /var/logs/httpd/error_log if there is any info about Internal server error? It looks like there is no session cookie set (but not sure).
IMO because of the parallel processing you may need to use local instances of API instead of the global one for each thread/process. From top of my head:

api = create_api(mode=None)
api.bootstrap()
api.finalize()

But I'm not sure what is the exact problem, you need to try :)

Martin

From prashant at apigee.com Fri Apr 22 06:55:32 2016
From: prashant at apigee.com (Prashant Bapat)
Date: Fri, 22 Apr 2016 12:25:32 +0530
Subject: [Freeipa-users] OTP and time step size
Message-ID:

Hi,

We have been using the OTP feature of FreeIPA extensively for users to login to the web UI. Now we are rolling out an external service using the LDAP authentication based on FreeIPA and OTP.

End users typically login rarely to the web UI. Only to update their SSH keys once in 90 days. However to the new service based on FreeIPA's LDAP they would be logging in multiple times daily.

Here is an observation: FreeIPA's OTP mechanism is very stringent in requiring the current token to be inside the 30 second window. Because of this there might be a sizable percentage of users who will have to retry login. Obviously, this is a bad user experience.

As per RFC 6238 section 5.2, we could allow 1 time step and make the user experience better. Can this be done by changing a config or does it involve a patch/code-change? Any pointers to this appreciated.

Thanks.
--Prashant

From mbabinsk at redhat.com Fri Apr 22 07:09:47 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Fri, 22 Apr 2016 09:09:47 +0200
Subject: [Freeipa-users] Client enrolled but failed to obtain host TGT.
In-Reply-To: <1533484586.5088917.1461273277355.JavaMail.yahoo@mail.yahoo.com>
References: <1533484586.5088917.1461273277355.JavaMail.yahoo.ref@mail.yahoo.com> <1533484586.5088917.1461273277355.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <5719CE3B.90404@redhat.com>

On 04/21/2016 11:14 PM, Ask Stack wrote:
> Half the time ipa-client-install will fail at getting the TGT. Google showed posts like, Bug 845691 - ipa-client-install Failed to obtain host TGT. I reduced '_kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp' '_kerberos._udp' to one server entry only. But it didn't help to reduce the failure rate. Thanks for your help.
>
>
> client
> ipa-client-3.0.0-47.el6_7.2.x86_64
>
> server
> ipa-server-3.0.0-47.el6_7.1.x86_64
>
> ipa-client-install --hostname=client1.example.com --server=ipa-server.example.com --domain=example.com -N --mkhomedir --unattended -p ipaadd@EXAMPLE.COM -w 'password1' --ca-cert-file=/etc/ipa/ca.crt -d
> ...
> ...
> Enrolled in IPA realm EXAMPLE.COM
> args=kdestroy
> stdout=
> stderr=
> args=/usr/bin/kinit -k -t /etc/krb5.keytab host/client1.example.com@EXAMPLE.COM
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab host/client1.example.com@EXAMPLE.COM
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab host/client1.example.com@EXAMPLE.COM
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab host/client1.example.com@EXAMPLE.COM
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab host/client1.example.com@EXAMPLE.COM
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial credentials
>
> Failed to obtain host TGT.
>
>
>
Hello,

can you please provide KDC log from the server you are enrolling against? IIRC it should be in /var/log/krb5kdc.log

--
Martin^3 Babinsky

From gnotrica at candeal.com Fri Apr 22 14:00:00 2016
From: gnotrica at candeal.com (Gady Notrica)
Date: Fri, 22 Apr 2016 14:00:00 +0000
Subject: [Freeipa-users] RoundRobin - Cname - 2 servers with same services
Message-ID: <0984AB34E553F54B8705D776686863E70ABF9342@cd-exchange01.CD-PRD.candeal.ca>

Hello World,

I am trying to enable roundrobin on freeipa. I have 2 servers providing the same service (http). I am trying to give it a friendly name so that when users want to access it, they can land on any one of the 2 servers.

But IPA dns doesn't want to let me create a CName that has the same name but 2 different destinations.

How do I go around this?

Thanks,
Gady

From mbasti at redhat.com Fri Apr 22 14:41:58 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 22 Apr 2016 16:41:58 +0200
Subject: [Freeipa-users] RoundRobin - Cname - 2 servers with same services
In-Reply-To: <0984AB34E553F54B8705D776686863E70ABF9342@cd-exchange01.CD-PRD.candeal.ca>
References: <0984AB34E553F54B8705D776686863E70ABF9342@cd-exchange01.CD-PRD.candeal.ca>
Message-ID: <571A3836.9090505@redhat.com>

On 22.04.2016 16:00, Gady Notrica wrote:
>
> Hello World,
>
> I am trying to enable roundrobin on freeipa. I have 2 servers providing the same service (http). I am trying to give it a friendly name so that when users want to access it, they can land on any one of the 2 servers.
>
> But IPA dns doesn't want to let me create a CName that has the same name but 2 different destinations.
>
> How do I go around this?
>
> Thanks,
>
> Gady
>
>
Hello,

you don't, the LDAP schema limits CNAME to just one value in IPA.

It is possible with BIND 9.1+ to have multiple CNAMEs: http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_07.htm

Anyway this is a violation of the RFC.
You should use A records for load balancing.

Martin

From rakesh.rajasekharan at gmail.com Fri Apr 22 14:59:06 2016
From: rakesh.rajasekharan at gmail.com (Rakesh Rajasekharan)
Date: Fri, 22 Apr 2016 20:29:06 +0530
Subject: [Freeipa-users] ipa-client password authentication failed
Message-ID:

Hi There,

I have successfully set up and am running freeipa in my environment.

I am running a freeipa master 4.2.x and my ipa clients are at 3.0.0-47

This set up works fine for the majority of servers. But just on one host I am unable to authenticate the users.

It gives me password denied.

Below is the error from /var/log/secure

Apr 22 14:25:26 localhost sshd[18785]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.2.5.13 user=q-testuser
Apr 22 14:25:27 localhost sshd[18785]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.2.5.213 user=q-testuser
Apr 22 14:25:27 localhost sshd[18785]: pam_sss(sshd:auth): received for user q-testuser: 4 (System error)

and in my krb5_child.log, I see the below lines,

(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [main] (0x0400): krb5_child started.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [unpack_buffer] (0x1000): total buffer size: [171]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [unpack_buffer] (0x0100): cmd [241] uid [1142000001] gid [1142000001] validate [true] enterprise principal [false] offline [false] UPN [q-testuser@XYZ.COM]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1142000001_XXXXXX] old_ccname: [FILE:/tmp/krb5cc_1142000001_RjJBN2] keytab: [/etc/krb5.keytab]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [switch_creds] (0x0200): Switch user to [1142000001][1142000001].
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [switch_creds] (0x0200): Switch user to [0][0].
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [k5c_check_old_ccache] (0x4000): Ccache_file is [FILE:/tmp/krb5cc_1142000001_RjJBN2] and is not active and TGT is valid.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [k5c_precreate_ccache] (0x4000): Recreating ccache
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/10.2.2.15@XYZ.COM]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/10.2.2.15@XYZ.COM in keytab.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [match_principal] (0x1000): Principal matched to the sample (host/10.2.2.15@XYZ.COM).
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [become_user] (0x0200): Trying to become user [1142000001][1142000001].
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [main] (0x2000): Running as [1142000001][1142000001].
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [k5c_setup] (0x2000): Running as [1142000001][1142000001].
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [main] (0x0400): Will perform online auth
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [XYZ.COM]
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127643: Getting initial credentials for q-testuser@XYZ.COM
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127715: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_XYZ.COM
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127767: Retrieving host/10.2.2.15@XYZ.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/XYZ.COM\@XYZ.COM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_XYZ.COM with result: -1765328243/Matching credential not found
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127832: Sending request (185 bytes) to XYZ.COM
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.128056: Initiating TCP connection to stream 10.0.4.175:88
(Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.129419: Sending TCP request to stream 10.
krb5_child.log (END)

Can someone please advise what seems to go wrong here.

Thanks,
Rakesh
From jhrozek at redhat.com Fri Apr 22 15:16:51 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 22 Apr 2016 17:16:51 +0200
Subject: [Freeipa-users] ipa-client password authentication failed
In-Reply-To:
References:
Message-ID: <20160422151651.GH620@hendrix>

On Fri, Apr 22, 2016 at 08:29:06PM +0530, Rakesh Rajasekharan wrote:
> Hi There,
>
> I have successfully set up and running freeipa in my environment.
>
> I am running a freeipa master 4.2.x and my ipa clients are at 3.0.0-47
>
> This set up works fine for majority of servers. But just on one host I am unable to authenticate the users.
>
> it gives me password denied
>
> Below is the error from /var/log/secure
>
> Apr 22 14:25:26 localhost sshd[18785]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.2.5.13 user=q-testuser
> Apr 22 14:25:27 localhost sshd[18785]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.2.5.213 user=q-testuser
> Apr 22 14:25:27 localhost sshd[18785]: pam_sss(sshd:auth): received for user q-testuser: 4 (System error)
>
>
> and in my krb5_child.log, i see the below lines,
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [main] (0x0400): krb5_child started.
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [unpack_buffer] (0x1000): total buffer size: [171]
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [unpack_buffer] (0x0100): cmd [241] uid [1142000001] gid [1142000001] validate [true] enterprise principal [false] offline [false] UPN [q-testuser@XYZ.COM]
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1142000001_XXXXXX] old_ccname: [FILE:/tmp/krb5cc_1142000001_RjJBN2] keytab: [/etc/krb5.keytab]
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [switch_creds] (0x0200): Switch user to [1142000001][1142000001].
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [sss_krb5_cc_verify_ccache] (0x2000): TGT not found or expired.
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [switch_creds] (0x0200): Switch user to [0][0].
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [k5c_check_old_ccache] (0x4000): Ccache_file is [FILE:/tmp/krb5cc_1142000001_RjJBN2] and is not active and TGT is valid.
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [k5c_precreate_ccache] (0x4000): Recreating ccache
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/10.2.2.15@XYZ.COM]
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/10.2.2.15@XYZ.COM in keytab.
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [match_principal] (0x1000): Principal matched to the sample (host/10.2.2.15@XYZ.COM).
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [become_user] (0x0200): Trying to become user [1142000001][1142000001].
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [main] (0x2000): Running as [1142000001][1142000001].
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [k5c_setup] (0x2000): Running as [1142000001][1142000001].
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [main] (0x0400): Will perform online auth
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [XYZ.COM]
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127643: Getting initial credentials for q-testuser@XYZ.COM
>
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127715: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_XYZ.COM
>
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127767: Retrieving host/10.2.2.15@XYZ.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/XYZ.COM\@XYZ.COM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_XYZ.COM with result: -1765328243/Matching credential not found
>
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.127832: Sending request (185 bytes) to XYZ.COM
>
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.128056: Initiating TCP connection to stream 10.0.4.175:88
>
> (Fri Apr 22 14:29:04 2016) [[sssd[krb5_child[19603]]]] [sss_child_krb5_trace_cb] (0x4000): [19603] 1461335344.129419: Sending TCP request to stream 10.
> krb5_child.log (END)
>
>
> can someone please advice , what seems to go wrong here.

Is there really nothing else in the child log? What about the domain log from about the same time? (The system error was received at 14:25:27..)
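Added example, not FreeIPA's code nor anything posted in this digest, for the "OTP and time step size" question earlier above: it implements RFC 6238 TOTP with a configurable step window and shows what accepting one step on either side (RFC 6238 section 5.2) means for a verifier, including tracking the last accepted step so the wider window does not let an already used code be replayed. It uses only the standard library and the RFC's published SHA-1 test secret, so it runs offline.

```python
"""RFC 6238 TOTP verification with a configurable time-step window.

Added example (not FreeIPA code). It implements HOTP (RFC 4226) and TOTP
(RFC 6238) with the standard library only and contrasts a strict verifier
(current 30-second step only) with the one-step tolerance RFC 6238
section 5.2 allows. The RFC 6238 Appendix B SHA-1 test secret is embedded
so the module runs offline.
"""
import hashlib
import hmac
import struct

# Shared secret from RFC 4226 Appendix D / RFC 6238 Appendix B (ASCII digits).
RFC_TEST_SEED = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238 TOTP: HOTP over the time-step counter T = floor(unix_time / step)."""
    return hotp(secret, int(unix_time) // step, digits, algo)


def verify_totp(secret, code, unix_time, window=0, step=30, digits=6, algo=hashlib.sha1):
    """Return the step offset (-window..+window) at which `code` matches, or None.

    window=0 is the strict behaviour the question describes (only the current
    step is valid); window=1 is the one-step tolerance of RFC 6238 section 5.2.
    The comparison is constant-time so a rejected code leaks no timing.
    """
    if len(code) != digits or not code.isdigit():
        return None
    current = int(unix_time) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, current + delta, digits, algo), code):
            return delta
    return None


class TotpVerifier:
    """Per-token verifier: tolerates clock drift but refuses replay of an accepted code.

    Widening the window from 0 to 1 step stretches the acceptance window from
    30 s to 90 s, so the verifier records the highest step it has accepted and
    rejects any code for that step or an earlier one.
    """

    def __init__(self, secret, window=1, step=30, digits=6, algo=hashlib.sha1):
        self.secret, self.window, self.step = secret, window, step
        self.digits, self.algo = digits, algo
        self.last_accepted = None  # highest time-step counter already consumed

    def verify(self, code, unix_time):
        delta = verify_totp(self.secret, code, unix_time,
                            self.window, self.step, self.digits, self.algo)
        if delta is None:
            return False
        used = int(unix_time) // self.step + delta
        if self.last_accepted is not None and used <= self.last_accepted:
            return False  # same or older step: a replay inside the window
        self.last_accepted = used
        return True


if __name__ == "__main__":
    # A code generated at T=59 (step 1) but submitted at T=61 (step 2):
    # the strict verifier rejects it, the one-step-tolerant verifier accepts it.
    code = totp(RFC_TEST_SEED, 59, digits=8)  # "94287082" per RFC 6238 Appendix B
    print("strict  :", verify_totp(RFC_TEST_SEED, code, 61, window=0, digits=8))
    print("window=1:", verify_totp(RFC_TEST_SEED, code, 61, window=1, digits=8))
```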
From carlosr at jovenclub.cu Fri Apr 22 18:06:41 2016
From: carlosr at jovenclub.cu (Carlos R Laguna)
Date: Fri, 22 Apr 2016 14:06:41 -0400
Subject: [Freeipa-users] Ubuntu 16.04 released with FreeIPA 4.3.1
In-Reply-To: <20160421193713.GP24892@redhat.com>
References: <57192380.4090400@ubuntu.com> <20160421193713.GP24892@redhat.com>
Message-ID: <571A6831.7080200@jovenclub.cu>

On 21/04/16 at 15:37, Alexander Bokovoy wrote:
> On Thu, 21 Apr 2016, Timo Aaltonen wrote:
>>
>> Howdy!
>>
>> Ubuntu 16.04 LTS got released today, and it comes with FreeIPA 4.3.1! The biggest feature of this version is that it also supports replication by client promotion to replica master. IPA on Debian/Ubuntu has been a single-master thing until now..
>>
>> FreeIPA is in the community-supported section of the package archive called "universe". What this means is that it's not officially supported by Canonical, but the community. While I and some others have tried to poke it from every angle we can, it might still have hidden bugs that need fixing, so feel free to try it out and report any issues you might find on Launchpad!
>>
>>
>> ps. Debian unstable will have 4.3.1 once the package has gone through the NEW queue because the packaging got split in certain ways
> This is really exciting news!
>
> Thanks Timo and everyone who made it possible!
>
Awesome news

From jeremy at ifuzioncorp.com Fri Apr 22 20:40:45 2016
From: jeremy at ifuzioncorp.com (Jeremy Utley)
Date: Fri, 22 Apr 2016 15:40:45 -0500
Subject: [Freeipa-users] IPA & Yubikey
Message-ID:

Hello all!

I'm quite close to reaching the ideal point with our new FreeIPA setup, but one thing that is standing in the way is 2FA. I know FreeIPA has support for Google Auth, FreeOTP, and Yubikey. We'd like to go with Yubikeys over the phone-based systems, but a lot of the docs regarding Yubikey seem to either be out-dated, or not real clear (at least to me). So I'd like to ask a few questions to make sure I'm understanding correctly.

1) It looks like the normal setup of a Yubikey is to plug it into a machine and run the "ipa otptoken-add-yubikey" command. This implies that the machine that sets up the Yubikey needs to be part of the FreeIPA domain, which presents somewhat of a problem for us, as our current IPA setup has no desktops, and is in a remote "lights-out" datacenter an hour's drive from our office. I did see a post recently in the archives of someone figuring out how to set up a Yubikey via the web interface (https://www.redhat.com/archives/freeipa-users/2016-March/msg00114.html) - would this be viable?

2) Does the otptoken-add-yubikey command actually change the programming of the Yubikey, or does it simply read its configuration? We have some users who are already using a Yubikey for personal stuff, and we'd like to allow those users to continue to use their existing Yubikey to auth to our IPA domain, but if the add command changes the programming of the key, that may not be possible without using the second slot, and if users are already using the second slot, they are out of luck.

3) Does Yubikey auth require talking to the outside world to function? Our IPA setup is within a secure zone, with no direct connectivity to the outside world, so if this is necessary, it would be a possible deal-breaker for these.

Thanks for your time in answering these questions!

Jeremy

From Tuomo.Tikkanen at nokia.com Fri Apr 22 21:18:30 2016
From: Tuomo.Tikkanen at nokia.com (Tikkanen, Tuomo (Nokia - FI/Espoo))
Date: Sat, 23 Apr 2016 00:18:30 +0300
Subject: [Freeipa-users] How to remove bad cert renewal from certmonger?
Message-ID: <571A9526.4050708@nokia.com> Hello all, I tried to renew the server HTTP certificates for two freeipa servers so that certs would have Subject Alternative Name (SAN) fields for all the addresses they have (two DNS names and IPs). I won't go to the details why this is required, but I started with ipa2 (slave) and immediately got problems. Some I managed to solve, but there is now problem to which I have not found any solution. How to remove from certmonger a renewal request that has a bad certificate request in it? What I did was: # ipa-getcert resubmit -i "20160212110456" -D "ipa2.lab-public-domain" -D "ipa2.lab-management-domain" -D "10.22.199.253" -D "10.10.1.253" -A "10.22.199.253" -A "10.10.1.253" This led to a problem that ipa2.lab-management-domain server was not as host in the freeipa. Added the needed info: # ipa host-add ipa2.lab-management-domain # ipa service-add HTTP/ipa2.lab-management-domain --force # ipa service-add-host HTTP/lab-management-domain --host ipa2.lab-management-domain Then I ran the above resubmit command again. This time the there was an error related to the -D "10.22.199.253" and -D "10.10.1.253" fields. And because it is not possible to use ipa host-add "10.22.199.253" I decided just to drop the -D fields with IP addresses, but left the -A options. And ran the resubmit command again. Now the error in ipa-getcert list command changed to tell that IP Address is forbidden: # ipa-getcert list -i "20160212110456" ....... Request ID '20160212110456': status: MONITORING ca-error: Server at https://ipa2.lab-public-domain/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Subject alt name type IP Address is forbidden). stuck: no ....... That is the state where I now have stuck. I have tried the ipa-getcert resubmit command without any -D or -A fields but the error stays there. I took the "csr=" value from the file /var/lib/certmonger/requests/20160212110456 and saved it to /tmp/request file. 
Using openssl I can see that it still contains a SAN attribute with IP addresses and two odd fields that probably are there because of those -D "IP" fields I had at the beginning:

# openssl req -in /tmp/request -text -noout
.........
            X509v3 Subject Alternative Name:
                DNS:ipa2.lab-public-domain, DNS:ipa2.lab-public-domain, othername:, othername:, IP Address:10.22.199.253, IP Address:10.10.1.253
.........

Repetitio est mater studiorum:

How can I clean this defective state of certmonger?

Second question if/when the above urgent problem is solved:

Is there any way to get an IP address into the SAN field for the IPA Server-Certs?

The system is CentOS 7(.2) and freeipa is installed from the repository:

# cat /etc/centos-release
CentOS Linux release 7.2.1511 (Core)
# yum list installed | grep ipa
ipa-admintools.x86_64        4.2.0-15.el7_2.6     @updates
ipa-client.x86_64            4.2.0-15.el7_2.6     @updates
ipa-python.x86_64            4.2.0-15.el7_2.6     @updates
ipa-server.x86_64            4.2.0-15.el7_2.6     @updates
ipa-server-dns.x86_64        4.2.0-15.el7_2.6     @updates
libipa_hbac.x86_64           1.13.0-40.el7_2.1    @updates
python-iniparse.noarch       0.4-9.el7            @anaconda
python-libipa_hbac.x86_64    1.13.0-40.el7_2.1    @updates
sssd-ipa.x86_64              1.13.0-40.el7_2.1    @updates

BR,
--
Tuomo Tikkanen (a) nokia com

From askstack at yahoo.com Fri Apr 22 21:15:26 2016
From: askstack at yahoo.com (Ask Stack)
Date: Fri, 22 Apr 2016 21:15:26 +0000 (UTC)
Subject: [Freeipa-users] Client enrolled but failed to obtain host TGT.
In-Reply-To: <5719CE3B.90404@redhat.com>
References: <5719CE3B.90404@redhat.com>
Message-ID: <1295867332.585613.1461359726091.JavaMail.yahoo@mail.yahoo.com>

Martin,

Thanks for the reply.

tail -f /var/log/krb5kdc.log | grep client1.example.com had nothing during a failed ipa client install and plenty of activity during a good install.

And sorry, I missed a big piece of information. The debug log showed: ipa-getkeytab: ../../../libraries/libldap/extended.c:177: ldap_parse_extended_result: Assertion `res != ((void *)0)' failed.
Basically /etc/krb5.keytab didn't get created. I always wonder why we needed "--ca-cert-file=/etc/ipa/ca.crt", so I ran the ipa-client-install without it. I tested the install twenty times and had no failure. The ca.crt I provide and the one ipa-client-install downloaded are identical.

On Friday, April 22, 2016 3:09 AM, Martin Babinsky wrote:

On 04/21/2016 11:14 PM, Ask Stack wrote:
> Half the time ipa-client-install will fail at getting the TGT. Google
> showed posts like, Bug 845691 - ipa-client-install Failed to obtain host
> TGT. I reduced
> '_kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp' '_kerberos._udp'
> to one server entry only. But it didn't help to reduce the failure rate.
> Thanks for your help.
>
>
> client
> ipa-client-3.0.0-47.el6_7.2.x86_64
>
> server
> ipa-server-3.0.0-47.el6_7.1.x86_64
>
> ipa-client-install --hostname=client1.example.com
> --server=ipa-server.example.com --domain=example.com -N --mkhomedir
> --unattended -p ipaadd at EXAMPLE.COM -w 'password1'
> --ca-cert-file=/etc/ipa/ca.crt -d
> ...
> ...
> Enrolled in IPA realm EXAMPLE.COM
> args=kdestroy
> stdout=
> stderr=
> args=/usr/bin/kinit -k -t /etc/krb5.keytab host/client1.example.com at EXAMPLE.COM
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab host/client1.example.com at EXAMPLE.COM
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab host/client1.example.com at EXAMPLE.COM
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab host/client1.example.com at EXAMPLE.COM
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial credentials
>
> args=/usr/bin/kinit -k -t /etc/krb5.keytab host/client1.example.com at EXAMPLE.COM
> stdout=
> stderr=kinit: Generic preauthentication failure while getting initial credentials
>
> Failed to obtain host TGT.
>
>
>
>
>

Hello,

can you please provide the KDC log from the server you are enrolling against? IIRC it should be in /var/log/krb5kdc.log

--
Martin^3 Babinsky
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From rcritten at redhat.com Fri Apr 22 22:23:22 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 22 Apr 2016 18:23:22 -0400
Subject: [Freeipa-users] How to remove bad cert renewal from certmonger?
In-Reply-To: <571A9526.4050708@nokia.com>
References: <571A9526.4050708@nokia.com>
Message-ID: <571AA45A.9080808@redhat.com>

Tikkanen, Tuomo (Nokia - FI/Espoo) wrote:
> Hello all,
>
> I tried to renew the server HTTP certificates for two freeipa servers so
> that certs would have Subject Alternative Name (SAN) fields for all the
> addresses they have (two DNS names and IPs). I won't go to the details
> why this is required, but I started with ipa2 (slave) and immediately
> got problems.
> Some I managed to solve, but there is now a problem to which
> I have not found any solution.
>
> How to remove from certmonger a renewal request that has a bad
> certificate request in it?
>
> What I did was:
>
> # ipa-getcert resubmit -i "20160212110456" -D "ipa2.lab-public-domain"
> -D "ipa2.lab-management-domain" -D "10.22.199.253" -D "10.10.1.253" -A
> "10.22.199.253" -A "10.10.1.253"
>
> This led to a problem that the ipa2.lab-management-domain server was not a
> host in the freeipa. Added the needed info:
>
> # ipa host-add ipa2.lab-management-domain
> # ipa service-add HTTP/ipa2.lab-management-domain --force
> # ipa service-add-host HTTP/lab-management-domain --host
> ipa2.lab-management-domain
>
> Then I ran the above resubmit command again.
>
> This time there was an error related to the -D "10.22.199.253" and
> -D "10.10.1.253" fields. And because it is not possible to use ipa
> host-add "10.22.199.253" I decided just to drop the -D fields with IP
> addresses, but left the -A options. And ran the resubmit command again.
>
> Now the error in the ipa-getcert list command changed to tell that IP
> Address is forbidden:
>
> # ipa-getcert list -i "20160212110456"
> .......
> Request ID '20160212110456':
>         status: MONITORING
>         ca-error: Server at https://ipa2.lab-public-domain/ipa/xml
> denied our request, giving up: 2100 (RPC failed at server. Insufficient
> access: Subject alt name type IP Address is forbidden).
>         stuck: no
> .......
>
> That is the state where I am now stuck. I have tried the ipa-getcert
> resubmit command without any -D or -A fields but the error stays there.
>
> I took the "csr=" value from the file
> /var/lib/certmonger/requests/20160212110456 and saved it to the /tmp/request
> file. Using openssl I can see that it still contains a SAN attribute with
> IP addresses and two odd fields that probably are there because of those
> -D "IP" fields I had at the beginning:
>
> # openssl req -in /tmp/request -text -noout
> .........
> X509v3 Subject Alternative Name:
> DNS:ipa2.lab-public-domain, DNS:ipa2.lab-public-domain,
> othername:, othername:, IP
> Address:10.22.199.253, IP Address:10.10.1.253
> .........
>
> Repetitio est mater studiorum:
>
> How can I clean this defective state of certmonger?

# ipa-getcert stop-tracking -i 20160212110456

>
> Second question if/when the above urgent problem is solved:
>
> Is there any way to get an IP address into the SAN field for the IPA Server-Certs?

Not without changing code. IP address SANs are explicitly forbidden: Subject alt name type IP Address is forbidden

rob

From anthonyclarka2 at gmail.com Sun Apr 24 02:46:13 2016
From: anthonyclarka2 at gmail.com (Anthony Clark)
Date: Sat, 23 Apr 2016 22:46:13 -0400
Subject: [Freeipa-users] Best practice for requesting a certificate in Kickstart?
Message-ID: 

Hello All,

TL;DR: what's the best way to grab an SSL cert and key during kickstart? (this is all using CentOS 7.2 latest)

I'm using Foreman to manage my kickstart and Puppet services, and its built-in FreeIPA client enrollment works just fine. However I'd like to also request a certificate and key for a Puppet client to use to authenticate to the Foreman-controlled Puppet server.

If I manually set up a puppet client then it works just fine. I use something like this:

# ipa-getcert request -w -r -f /var/lib/puppet/ssl/certs/<%= @host.name %>.pem -k /var/lib/puppet/ssl/private_keys/<%= @host.name %>.pem
# cp /etc/ipa/ca.crt /var/lib/puppet/ssl/certs/ca.pem

(then setting the correct paths and settings in /etc/puppet/puppet.conf)

I tried to make that work inside the Kickstart process, but as those commands are running inside a kickstart chroot the certmonger service won't start. Is there a better method to grab an SSL cert and key for the host during kickstart? Or should I just wait until firstboot and perform the steps at that point?

Many Thanks and FreeIPA is really amazing!

Anthony Clark
-------------- next part --------------
An HTML attachment was scrubbed...
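For the certmonger thread above (Tuomo's request stuck with "Subject alt name type IP Address is forbidden" and Rob's `ipa-getcert stop-tracking` answer), here is the recovery sequence as an added POSIX shell example. It is not code from the thread or from the FreeIPA project. It assumes the IPA 4.2 layout for the HTTP certificate: NSS database /etc/httpd/alias, nickname Server-Cert, PIN file /etc/httpd/alias/pwdfile.txt and the post-save helper /usr/libexec/ipa/certmonger/restart_httpd; the Kerberos realm in the final call is a placeholder. Copy the real storage values from `ipa-getcert list -i <id>` before running it. The script vets the SAN list first and refuses IP literals, because the IPA CA rejects that SAN type and, as Tuomo saw, a stored CSR keeps the IP SANs even when you resubmit without -A.

```shell
#!/bin/sh
# Added example for the certmonger thread above; not code from the thread or
# from the FreeIPA project. Recovers an HTTP server cert whose certmonger
# request got stuck with IP-address SANs in its CSR.
#
# Assumed IPA 4.2 storage for the HTTP cert (check `ipa-getcert list -i <id>`
# on your own server before trusting these defaults):
NSSDB="${NSSDB:-/etc/httpd/alias}"                                  # assumed
NICK="${NICK:-Server-Cert}"                                         # assumed
PINFILE="${PINFILE:-/etc/httpd/alias/pwdfile.txt}"                  # assumed
POSTSAVE="${POSTSAVE:-/usr/libexec/ipa/certmonger/restart_httpd}"   # assumed

# Vet the SAN list before it reaches certmonger: the IPA CA denies the
# "IP Address" SAN type, and once a CSR with that SAN is stored, resubmitting
# without -A does not drop it. Emits "-D name" pairs for DNS names and
# fails on any IPv4 or IPv6 literal.
san_dns_args() {
    out=""
    for name in "$@"; do
        case "$name" in
            "")         echo "empty SAN" >&2; return 1 ;;
            *[!0-9.]*)  ;;   # has a letter, hyphen, ...: not an IPv4 literal
            *)          echo "IPv4 literal not allowed as SAN: $name" >&2; return 1 ;;
        esac
        case "$name" in
            *:*)        echo "IPv6 literal not allowed as SAN: $name" >&2; return 1 ;;
        esac
        out="$out -D $name"
    done
    printf '%s\n' "${out# }"
}

# Recovery sequence:
#  1. stop-tracking throws away the request and its poisoned CSR (cert and
#     key stay in the NSS db, so Apache keeps serving);
#  2. start-tracking re-adopts the existing cert with a clean template;
#  3. resubmit makes certmonger build a fresh CSR from that template and
#     send it to the IPA CA.
# Every DNS SAN must belong to a host/service the requesting host is allowed
# to manage (ipa host-add / service-add / service-add-host, as in the thread).
retrack_http_cert() {
    req_id="$1"; principal="$2"; host="$3"; shift 3
    dns_args=$(san_dns_args "$host" "$@") || return 1
    ipa-getcert stop-tracking -i "$req_id" || return 1
    # Assumes start-tracking prints: New tracking request "<id>" added.
    # shellcheck disable=SC2086  # word-splitting $dns_args is intended
    new_id=$(ipa-getcert start-tracking -d "$NSSDB" -n "$NICK" -p "$PINFILE" \
                 -K "$principal" -N "CN=$host" $dns_args -C "$POSTSAVE" \
             | sed -n 's/.*request "\([^"]*\)".*/\1/p')
    [ -n "$new_id" ] || { echo "could not read the new request id" >&2; return 1; }
    ipa-getcert resubmit -i "$new_id" || return 1
    ipa-getcert list -i "$new_id"      # expect status MONITORING and no ca-error
}

# Tuomo's case (realm is a placeholder); run with "run" as the first argument.
if [ "${1-}" = "run" ]; then
    retrack_http_cert 20160212110456 "HTTP/ipa2.lab-public-domain@YOUR.REALM" \
        ipa2.lab-public-domain ipa2.lab-management-domain
fi
```

Keep the -D list to names IPA already knows: the first resubmit in the thread failed only because ipa2.lab-management-domain had no host entry and no HTTP service managed by ipa2, and the CA ACL check happens on the IPA server, not in certmonger, so `ipa-getcert list` is where the refusal shows up.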
URL: 

From duncan.lists at gmail.com Sun Apr 24 10:27:43 2016
From: duncan.lists at gmail.com (Duncan Gibb)
Date: Sun, 24 Apr 2016 11:27:43 +0100
Subject: [Freeipa-users] ipa-ca-install failure - id ranges overflow?
Message-ID: 

Hello

I'm trying to re-install one of six FreeIPA 4.2.0 servers in my domain. Normally I would do an install as one step with

ipa-replica-install --setup-ca --no-ntp --setup-dns --forwarder A.B.C.D --forwarder E.F.G.H /var/lib/ipa/replica-info-ipa-a2.my.domain.dom.gpg

but this fails in the CA setup. So instead I broke it into an ipa-replica-install, an ipa-dns-install and an ipa-ca-install. The first two steps succeed and look OK, but the ipa-ca-install fails.

I think the problem is with the CA range allocations (details below). Can anyone help me figure out how to:

* re-use or free CA id ranges which have been taken by replicas but never used?
* change the size of future range allocations so this doesn't happen again?

Many thanks.

Duncan

Detail:

On the failing server, ipa-a2, /var/log/pki/pki-tomcat/ca/debug contains:

[22/Apr/2016:14:26:31][localhost-startStop-1]: DBSubsystem: getEntryAttribute: dn=ou=certificateRepository, ou=ca, o=ipaca attr=description:;
[22/Apr/2016:14:26:31][localhost-startStop-1]: CertificateRepository: getLastSerialNumberInRange mEnableRandomSerialNumbers=false mMinRandomBitLength=4 CollisionRecovery=3,10
[22/Apr/2016:14:26:31][localhost-startStop-1]: CertificateRepository: getLastSerialNumberInRange modeChange=false enableRsnAtConfig=false mForceModeChange=false mode=
[22/Apr/2016:14:26:31][localhost-startStop-1]: CertificateRepository: getLastSerialNumberInRange mEnableRandomSerialNumbers=false
[22/Apr/2016:14:26:31][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
[22/Apr/2016:14:26:31][localhost-startStop-1]: masterConn is connected: true
[22/Apr/2016:14:26:31][localhost-startStop-1]: getConn: conn is connected true
[22/Apr/2016:14:26:31][localhost-startStop-1]: getConn: mNumConns now 2
[22/Apr/2016:14:26:31][localhost-startStop-1]: In findCertRecordsInList with Jumpto 1610416128 [22/Apr/2016:14:26:31][localhost-startStop-1]: In DBVirtualList filter attrs startFrom sortKey pageSize filter: (certStatus=*) attrs: null pageSize -5 startFrom 101610416128 [22/Apr/2016:14:26:31][localhost-startStop-1]: returnConn: mNumConns now 3 [22/Apr/2016:14:26:31][localhost-startStop-1]: getEntries returning 6 [22/Apr/2016:14:26:31][localhost-startStop-1]: mTop 48 [22/Apr/2016:14:26:31][localhost-startStop-1]: Getting Virtual List size: 61 [22/Apr/2016:14:26:31][localhost-startStop-1]: CertificateRepository:getLastSerialNumberInRange: recList size 61 [22/Apr/2016:14:26:31][localhost-startStop-1]: CertificateRepository:getLastSerialNumberInRange: ltSize 54 [22/Apr/2016:14:26:31][localhost-startStop-1]: getElementAt: 0 mTop 48 [22/Apr/2016:14:26:31][localhost-startStop-1]: reverse direction getting index 5 [22/Apr/2016:14:26:31][localhost-startStop-1]: CertificateRepository:getLastCertRecordSerialNo: serialno 1878982657 [22/Apr/2016:14:26:31][localhost-startStop-1]: getElementAt: 1 mTop 48 [22/Apr/2016:14:26:31][localhost-startStop-1]: reverse direction getting index 4 [22/Apr/2016:14:26:31][localhost-startStop-1]: CertificateRepository:getLastCertRecordSerialNo: serialno 805175300 [22/Apr/2016:14:26:31][localhost-startStop-1]: getElementAt: 2 mTop 48 [22/Apr/2016:14:26:31][localhost-startStop-1]: reverse direction getting index 3 [22/Apr/2016:14:26:31][localhost-startStop-1]: CertificateRepository:getLastCertRecordSerialNo: serialno 805175299 [22/Apr/2016:14:26:31][localhost-startStop-1]: getElementAt: 3 mTop 48 [22/Apr/2016:14:26:31][localhost-startStop-1]: reverse direction getting index 2 [22/Apr/2016:14:26:31][localhost-startStop-1]: CertificateRepository:getLastCertRecordSerialNo: serialno 805175298 [22/Apr/2016:14:26:31][localhost-startStop-1]: getElementAt: 4 mTop 48 [22/Apr/2016:14:26:31][localhost-startStop-1]: reverse direction getting index 1 
[22/Apr/2016:14:26:31][localhost-startStop-1]: CertificateRepository:getLastCertRecordSerialNo: serialno 805175297 [22/Apr/2016:14:26:31][localhost-startStop-1]: CertificateRepository:getLastCertRecordSerialNo: returning 1610350592 [22/Apr/2016:14:26:31][localhost-startStop-1]: Repository: mLastSerialNo: 1610350592 [22/Apr/2016:14:26:31][localhost-startStop-1]: Serial numbers left in range: 65536 [22/Apr/2016:14:26:31][localhost-startStop-1]: Last Serial Number: 1610350592 [22/Apr/2016:14:26:31][localhost-startStop-1]: Serial Numbers available: 65536 [22/Apr/2016:14:26:31][localhost-startStop-1]: Low water mark reached. Requesting next range [22/Apr/2016:14:26:31][localhost-startStop-1]: In LdapBoundConnFactory::getConn() [22/Apr/2016:14:26:31][localhost-startStop-1]: masterConn is connected: true [22/Apr/2016:14:26:31][localhost-startStop-1]: getConn: conn is connected true [22/Apr/2016:14:26:31][localhost-startStop-1]: getConn: mNumConns now 2 [22/Apr/2016:14:26:31][localhost-startStop-1]: DBSubsystem: getNextRange. 
Unable to provide next range :netscape.ldap.LDAPException: error result (68) [22/Apr/2016:14:26:31][localhost-startStop-1]: Releasing ldap connection [22/Apr/2016:14:26:31][localhost-startStop-1]: returnConn: mNumConns now 3 java.lang.NullPointerException at java.math.BigInteger.(BigInteger.java:406) at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:500) at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1167) at com.netscape.certsrv.apps.CMS.startup(CMS.java:200) at com.netscape.certsrv.apps.CMS.start(CMS.java:1602) at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114) at javax.servlet.GenericServlet.init(GenericServlet.java:158) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123) at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272) at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197) at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087) at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210) at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) at 
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901) at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632) at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672) at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) For comparison the same log for server ipa-b1 re-installed a few days earlier says: [19/Apr/2016:03:40:26][localhost-startStop-1]: DBSubsystem: getEntryAttribute: dn=ou=certificateRepository, ou=ca, o=ipaca attr=description:; [19/Apr/2016:03:40:26][localhost-startStop-1]: CertificateRepository: getLastSerialNumberInRange mEnableRandomSerialNumbers=false mMinRandomBitLength=4 CollisionRecovery=3,10 [19/Apr/2016:03:40:26][localhost-startStop-1]: CertificateRepository: getLastSerialNumberInRange modeChange=false enableRsnAtConfig=false mForceModeChange=false mode= [19/Apr/2016:03:40:26][localhost-startStop-1]: CertificateRepository: getLastSerialNumberInRange mEnableRandomSerialNumbers=false [19/Apr/2016:03:40:26][localhost-startStop-1]: In LdapBoundConnFactory::getConn() [19/Apr/2016:03:40:26][localhost-startStop-1]: masterConn is connected: true [19/Apr/2016:03:40:26][localhost-startStop-1]: getConn: conn is connected true 
[19/Apr/2016:03:40:26][localhost-startStop-1]: getConn: mNumConns now 2 [19/Apr/2016:03:40:26][localhost-startStop-1]: In findCertRecordsInList with Jumpto 2147418112 [19/Apr/2016:03:40:26][localhost-startStop-1]: In DBVirtualList filter attrs startFrom sortKey pageSize filter: (certStatus=*) attrs: null pageSize -5 startFrom 102147418112 [19/Apr/2016:03:40:26][localhost-startStop-1]: returnConn: mNumConns now 3 [19/Apr/2016:03:40:26][localhost-startStop-1]: getEntries returning 6 [19/Apr/2016:03:40:26][localhost-startStop-1]: mTop 46 [19/Apr/2016:03:40:26][localhost-startStop-1]: Getting Virtual List size: 52 [19/Apr/2016:03:40:26][localhost-startStop-1]: CertificateRepository:getLastSerialNumberInRange: recList size 52 [19/Apr/2016:03:40:26][localhost-startStop-1]: CertificateRepository:getLastSerialNumberInRange: ltSize 52 [19/Apr/2016:03:40:26][localhost-startStop-1]: getElementAt: 0 mTop 46 [19/Apr/2016:03:40:26][localhost-startStop-1]: reverse direction getting index 5 [19/Apr/2016:03:40:26][localhost-startStop-1]: CertificateRepository:getLastCertRecordSerialNo: serialno 1878982664 [19/Apr/2016:03:40:26][localhost-startStop-1]: getElementAt: 1 mTop 46 [19/Apr/2016:03:40:26][localhost-startStop-1]: reverse direction getting index 4 [19/Apr/2016:03:40:26][localhost-startStop-1]: CertificateRepository:getLastCertRecordSerialNo: serialno 1878982663 [19/Apr/2016:03:40:26][localhost-startStop-1]: getElementAt: 2 mTop 46 [19/Apr/2016:03:40:26][localhost-startStop-1]: reverse direction getting index 3 [19/Apr/2016:03:40:26][localhost-startStop-1]: CertificateRepository:getLastCertRecordSerialNo: serialno 1878982662 [19/Apr/2016:03:40:26][localhost-startStop-1]: getElementAt: 3 mTop 46 [19/Apr/2016:03:40:26][localhost-startStop-1]: reverse direction getting index 2 [19/Apr/2016:03:40:26][localhost-startStop-1]: CertificateRepository:getLastCertRecordSerialNo: serialno 1878982661 [19/Apr/2016:03:40:26][localhost-startStop-1]: getElementAt: 4 mTop 46 
[19/Apr/2016:03:40:26][localhost-startStop-1]: reverse direction getting index 1 [19/Apr/2016:03:40:26][localhost-startStop-1]: CertificateRepository:getLastCertRecordSerialNo: serialno 1878982660 [19/Apr/2016:03:40:26][localhost-startStop-1]: CertificateRepository:getLastCertRecordSerialNo: returning 2147352576 [19/Apr/2016:03:40:26][localhost-startStop-1]: Repository: mLastSerialNo: 2147352576 [19/Apr/2016:03:40:26][localhost-startStop-1]: Serial numbers left in range: 65536 [19/Apr/2016:03:40:26][localhost-startStop-1]: Last Serial Number: 2147352576 [19/Apr/2016:03:40:26][localhost-startStop-1]: Serial Numbers available: 65536 [19/Apr/2016:03:40:26][localhost-startStop-1]: Low water mark reached. Requesting next range [19/Apr/2016:03:40:26][localhost-startStop-1]: In LdapBoundConnFactory::getConn() [19/Apr/2016:03:40:26][localhost-startStop-1]: masterConn is connected: true [19/Apr/2016:03:40:26][localhost-startStop-1]: getConn: conn is connected true [19/Apr/2016:03:40:26][localhost-startStop-1]: getConn: mNumConns now 2 [19/Apr/2016:03:40:26][localhost-startStop-1]: DBSubsystem: getNextRange Next range has been added: 110000001 - 120000000 [19/Apr/2016:03:40:26][localhost-startStop-1]: Releasing ldap connection [19/Apr/2016:03:40:26][localhost-startStop-1]: returnConn: mNumConns now 3 [19/Apr/2016:03:40:26][localhost-startStop-1]: nNextMinSerialNo has been set to 110000001 [19/Apr/2016:03:40:26][localhost-startStop-1]: DBSubsystem: Setting next min certs number: 110000001 [19/Apr/2016:03:40:26][localhost-startStop-1]: DBSubsystem: Setting next max certs number: 120000000 [19/Apr/2016:03:40:26][localhost-startStop-1]: Checking for a range conflict [19/Apr/2016:03:40:26][localhost-startStop-1]: In LdapBoundConnFactory::getConn() [19/Apr/2016:03:40:26][localhost-startStop-1]: masterConn is connected: true [19/Apr/2016:03:40:26][localhost-startStop-1]: getConn: conn is connected true [19/Apr/2016:03:40:26][localhost-startStop-1]: getConn: mNumConns now 2 
[19/Apr/2016:03:40:26][localhost-startStop-1]: Releasing ldap connection [19/Apr/2016:03:40:26][localhost-startStop-1]: returnConn: mNumConns now 3 [19/Apr/2016:03:40:27][http-bio-8443-exec-2]: according to ccMode, authorization for servlet: caGetStatus is LDAP based, not XML {1}, use default authz mgr: {2}. [19/Apr/2016:03:40:27][http-bio-8443-exec-2]: CMSServlet:service() uri = /ca/admin/ca/getStatus [19/Apr/2016:03:40:27][http-bio-8443-exec-2]: CMSServlet: caGetStatus start to service. [19/Apr/2016:03:40:27][http-bio-8443-exec-2]: CMSServlet: curDate=Tue Apr 19 03:40:27 CDT 2016 id=caGetStatus time=24 [19/Apr/2016:03:40:27][http-bio-8080-exec-2]: according to ccMode, authorization for servlet: caGetCertChain is LDAP based, not XML {1}, use default authz mgr: {2}. [19/Apr/2016:03:40:27][http-bio-8080-exec-2]: CMSServlet:service() uri = /ca/ee/ca/getCertChain [19/Apr/2016:03:40:27][http-bio-8080-exec-2]: CMSServlet: caGetCertChain start to service. [19/Apr/2016:03:40:27][http-bio-8080-exec-2]: CMSServlet: curDate=Tue Apr 19 03:40:27 CDT 2016 id=caGetCertChain time=7 [19/Apr/2016:03:40:28][http-bio-8080-exec-4]: according to ccMode, authorization for servlet: caProfileList is LDAP based, not XML {1}, use default authz mgr: {2}. [19/Apr/2016:03:40:28][http-bio-8080-exec-4]: according to ccMode, authorization for servlet: caProfileList is LDAP based, not XML {1}, use default authz mgr: {2}. [19/Apr/2016:03:40:28][http-bio-8080-exec-4]: CMSServlet:service() uri = /ca/ee/ca/profileList [19/Apr/2016:03:40:28][http-bio-8080-exec-4]: CMSServlet::service() param name='xml' value='true' [19/Apr/2016:03:40:28][http-bio-8080-exec-4]: CMSServlet: caProfileList start to service. I haven't found the relevant source code for this operation yet, but it looks suspiciously like the CA serial number range is being treated as a signed 32-bit integer somewhere and it's overflowed. 
There are a bunch of what appear to be config options for the range allocation behaviour in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg

dbs.beginReplicaNumber=1381
dbs.beginRequestNumber=59960001
dbs.beginSerialNumber=5ffc0001
dbs.enableRandomSerialNumbers=false
dbs.enableSerialManagement=true
dbs.endReplicaNumber=1384
dbs.endRequestNumber=59970000
dbs.endSerialNumber=5ffd0000
dbs.ldap=internaldb
dbs.newSchemaEntryAdded=true
dbs.nextBeginRequestNumber=120000001
dbs.nextEndRequestNumber=130000000
dbs.randomSerialNumberCounter=-1
dbs.replicaCloneTransferNumber=5
dbs.replicaDN=ou=replica
dbs.replicaIncrement=100
dbs.replicaLowWaterMark=20
dbs.replicaRangeDN=ou=replica, ou=ranges
dbs.requestCloneTransferNumber=10000
dbs.requestDN=ou=ca, ou=requests
dbs.requestIncrement=10000000
dbs.requestLowWaterMark=2000000
dbs.requestRangeDN=ou=requests, ou=ranges
dbs.serialCloneTransferNumber=10000
dbs.serialDN=ou=certificateRepository, ou=ca
dbs.serialIncrement=10000000
dbs.serialLowWaterMark=2000000
dbs.serialRangeDN=ou=certificateRepository, ou=ranges

(some values are different on each box - above is from ipa-a2).

Could someone help me find docs for exactly what these mean? Is there any logic as to which are decimal and which are hex?
In LDAP I have a whole pile of pkiRange objects: dn: ou=replica,o=ipaca objectClass: top objectClass: repository nextRange: 1400 ou: replica serialno: 010 dn: ou=ranges,o=ipaca objectClass: top objectClass: organizationalUnit ou: ranges dn: ou=replica,ou=ranges,o=ipaca objectClass: top objectClass: organizationalUnit ou: replica dn: cn=1000,ou=replica,ou=ranges,o=ipaca objectClass: top objectClass: pkiRange beginRange: 1000 cn: 1000 endRange: 1099 host: ipa-b2.my.domain.dom SecurePort: 443 dn: cn=1100,ou=replica,ou=ranges,o=ipaca objectClass: top objectClass: pkiRange beginRange: 1100 cn: 1100 endRange: 1199 host: ipa-a2.my.domain.dom SecurePort: 443 dn: cn=1200,ou=replica,ou=ranges,o=ipaca objectClass: top objectClass: pkiRange beginRange: 1200 cn: 1200 endRange: 1299 host: ipa-c2.my.domain.dom SecurePort: 443 dn: cn=1300,ou=replica,ou=ranges,o=ipaca objectClass: top objectClass: pkiRange beginRange: 1300 cn: 1300 endRange: 1399 host: ipa-c1.my.domain.dom SecurePort: 443 dn: cn=1300+nsuniqueid=1b461b25-eb9211e5-b84091d6-4ee1ae2e,ou=replica,ou=ranges,o=ipaca objectClass: top objectClass: pkiRange beginRange: 1300 cn: 1300 endRange: 1399 host: ipa-b2.my.domain.dom SecurePort: 443 dn: ou=requests,ou=ranges,o=ipaca objectClass: top objectClass: organizationalUnit ou: requests dn: cn=10000001,ou=requests,ou=ranges,o=ipaca objectClass: top objectClass: pkiRange beginRange: 10000001 cn: 10000001 endRange: 20000000 host: ipa-a2.my.domain.dom SecurePort: 443 dn: cn=20000001,ou=requests,ou=ranges,o=ipaca objectClass: top objectClass: pkiRange beginRange: 20000001 cn: 20000001 endRange: 30000000 host: ipa-b2.my.domain.dom SecurePort: 443 dn: cn=30000001,ou=requests,ou=ranges,o=ipaca objectClass: top objectClass: pkiRange beginRange: 30000001 cn: 30000001 endRange: 40000000 host: ipa-b1.my.domain.dom SecurePort: 443 dn: cn=40000001,ou=requests,ou=ranges,o=ipaca objectClass: top objectClass: pkiRange beginRange: 40000001 cn: 40000001 endRange: 50000000 host: 
ipa-b1.my.domain.dom SecurePort: 443 dn: cn=50000001,ou=requests,ou=ranges,o=ipaca objectClass: top objectClass: pkiRange beginRange: 50000001 cn: 50000001 endRange: 60000000 host: ipa-c1.my.domain.dom SecurePort: 443 dn: cn=60000001,ou=requests,ou=ranges,o=ipaca objectClass: top objectClass: pkiRange beginRange: 60000001 cn: 60000001 endRange: 70000000 host: ipa-c2.my.domain.dom SecurePort: 443 dn: cn=70000001,ou=requests,ou=ranges,o=ipaca objectClass: top objectClass: pkiRange beginRange: 70000001 cn: 70000001 endRange: 80000000 host: ipa-b2.my.domain.dom SecurePort: 443 dn: cn=80000001,ou=requests,ou=ranges,o=ipaca objectClass: top objectClass: pkiRange beginRange: 80000001 cn: 80000001 endRange: 90000000 host: ipa-a2.my.domain.dom SecurePort: 443 dn: cn=90000001,ou=requests,ou=ranges,o=ipaca objectClass: top objectClass: pkiRange beginRange: 90000001 cn: 90000001 endRange: 100000000 host: ipa-a2.my.domain.dom SecurePort: 443 dn: cn=100000001,ou=requests,ou=ranges,o=ipaca objectClass: top objectClass: pkiRange beginRange: 100000001 cn: 100000001 endRange: 110000000 host: ipa-b1.my.domain.dom SecurePort: 443 dn: cn=110000001,ou=requests,ou=ranges,o=ipaca objectClass: top objectClass: pkiRange beginRange: 110000001 cn: 110000001 endRange: 120000000 host: ipa-b1.my.domain.dom SecurePort: 443 dn: cn=120000001,ou=requests,ou=ranges,o=ipaca objectClass: top objectClass: pkiRange beginRange: 120000001 cn: 120000001 endRange: 130000000 host: ipa-a2.my.domain.dom SecurePort: 443 dn: ou=certificateRepository,ou=ranges,o=ipaca objectClass: top objectClass: organizationalUnit ou: certificateRepository dn: cn=10000001,ou=certificateRepository,ou=ranges,o=ipaca objectClass: top objectClass: pkiRange beginRange: 10000001 cn: 10000001 endRange: 20000000 host: ipa-a2.my.domain.dom SecurePort: 443 dn: cn=20000001,ou=certificateRepository,ou=ranges,o=ipaca objectClass: top objectClass: pkiRange beginRange: 20000001 cn: 20000001 endRange: 30000000 host: ipa-b2.my.domain.dom 
SecurePort: 443 dn: cn=30000001,ou=certificateRepository,ou=ranges,o=ipaca objectClass: top objectClass: pkiRange beginRange: 30000001 cn: 30000001 endRange: 40000000 host: ipa-b1.my.domain.dom SecurePort: 443 dn: cn=40000001,ou=certificateRepository,ou=ranges,o=ipaca objectClass: top objectClass: pkiRange beginRange: 40000001 cn: 40000001 endRange: 50000000 host: ipa-b1.my.domain.dom SecurePort: 443 dn: cn=50000001,ou=certificateRepository,ou=ranges,o=ipaca objectClass: top objectClass: pkiRange beginRange: 50000001 cn: 50000001 endRange: 60000000 host: ipa-c1.my.domain.dom SecurePort: 443 dn: cn=60000001,ou=certificateRepository,ou=ranges,o=ipaca objectClass: top objectClass: pkiRange beginRange: 60000001 cn: 60000001 endRange: 70000000 host: ipa-c2.my.domain.dom SecurePort: 443 dn: cn=70000001,ou=certificateRepository,ou=ranges,o=ipaca objectClass: top objectClass: pkiRange beginRange: 70000001 cn: 70000001 endRange: 80000000 host: ipa-b2.my.domain.dom SecurePort: 443 dn: cn=80000001,ou=certificateRepository,ou=ranges,o=ipaca objectClass: top objectClass: pkiRange beginRange: 80000001 cn: 80000001 endRange: 90000000 host: ipa-a2.my.domain.dom SecurePort: 443 dn: cn=90000001,ou=certificateRepository,ou=ranges,o=ipaca objectClass: top objectClass: pkiRange beginRange: 90000001 cn: 90000001 endRange: 100000000 host: ipa-a2.my.domain.dom SecurePort: 443 dn: cn=100000001,ou=certificateRepository,ou=ranges,o=ipaca objectClass: top objectClass: pkiRange beginRange: 100000001 cn: 100000001 endRange: 110000000 host: ipa-b1.my.domain.dom SecurePort: 443 dn: cn=110000001,ou=certificateRepository,ou=ranges,o=ipaca objectClass: top objectClass: pkiRange beginRange: 110000001 cn: 110000001 endRange: 120000000 host: ipa-b1.my.domain.dom SecurePort: 443 Obviously some of these are dupes caused by re-installation and/or upgrades of servers. Is it safe to delete ones related to ranges where there are no certs issued? 
If I can make a range of, say 10000000 ids available, how do I carve that up into sensible-sized chunks and get IPA to hand them out to future replicas?

Thanks again.

Duncan

From david at kreitschmann.de Sun Apr 24 11:06:12 2016
From: david at kreitschmann.de (David Kreitschmann)
Date: Sun, 24 Apr 2016 13:06:12 +0200
Subject: [Freeipa-users] IPA & Yubikey
In-Reply-To: 
References: 
Message-ID: <6A8D185D-DC54-4DAC-A440-0FEC402A93E1@kreitschmann.de>

Hi Jeremy,

> On 22.04.2016 at 22:40, Jeremy Utley wrote:
>
> Hello all!
>
> I'm quite close to reaching the ideal point with our new FreeIPA setup, but one thing that is standing in the way is 2FA. I know FreeIPA has support for Google Auth, FreeOTP, and Yubikey. We'd like to go with Yubikeys over the phone-based systems, but a lot of the docs regarding Yubikey seem to either be out-dated, or not real clear (at least to me). So I'd like to ask a few questions to make sure I'm understanding correctly.
>
> 1) It looks like the normal setup of a Yubikey is to plug it into a machine and run the "ipa otptoken-add-yubikey" command. This implies that the machine that sets up the Yubikey needs to be part of the FreeIPA domain, which presents somewhat of a problem for us, as our current IPA setup has no desktops, and is in a remote "lights-out" datacenter an hour's drive from our office. I did see a post recently in the archives of someone figuring out how to set up a Yubikey via the web interface (https://www.redhat.com/archives/freeipa-users/2016-March/msg00114.html) - would this be viable?

Sure, but you shouldn't use online base32 converters for that. You can use the yubikey personalization tools and the webinterface/API to enroll yubikeys manually.

>
> 2) Does the otptoken-add-yubikey command actually change the programming of the Yubikey, or does it simply read its configuration?
We have some users who are already using a Yubikey for personal stuff, and we'd like to allow those users to continue to use their existing Yubikey to auth to our IPA domain, but if the add command changes the programming of the key, that may not be possible without using the second slot, and if users are already using the second slot, they are out of luck. HOTP/TOTP depend on a shared secret between the token and FreeIPA. This needs to be stored in one of the two slots of the yubikey. > 3) Does Yubikey auth require talking to the outside world to function? Our IPA setup is within a secure zone, with no direct connectivity to the outside world, so if this is necessary, it would be a possible deal-breaker for these. No, this would only be needed if you would use the factory programmed yubico key in slot 1, which is not supported by FreeIPA anyway. David -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 841 bytes Desc: Message signed with OpenPGP using GPGMail URL: From jhrozek at redhat.com Sun Apr 24 11:31:36 2016 From: jhrozek at redhat.com (Jakub Hrozek) Date: Sun, 24 Apr 2016 13:31:36 +0200 Subject: [Freeipa-users] ipa-client password authentication failed In-Reply-To: References: <20160422151651.GH620@hendrix> Message-ID: <70BBF132-4288-4550-B875-D774ED73FB20@redhat.com> > On 22 Apr 2016, at 19:21, Rakesh Rajasekharan wrote: > > Hi Jakub > > > the child only had that much info.. > > from the domain logs. it looks that it was able to resolve the master . However, the ldap results say found nothing. > > I was earlier running an openldap client on this host and then migrated to IPA. > > /etc/openldap/ldap.conf was still pointing to the older ldap master.. 
>
> #File modified by ipa-client-install
>
> URI ldaps://older-ldap-master.com:636/
> BASE dc=xyz,dc=com
> TLS_CACERT /etc/ipa/ca.crt
>
> TLS_CACERTDIR /etc/openldap/cacerts]
>
> I corrected that to point to IPA and noticed that getent passwd now successfully lists all the users.
> However, the authentication does not work yet. (ldapsearch -x though shows all the users.)
>
> I re-tested it now...
> below is the domain log
>
> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): start ldb transaction (nesting: 3)
> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x118fab0
> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x11925f0
> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Running timer event 0x118fab0 "ltdb_callback"
> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Destroying timer event 0x11925f0 "ltdb_timeout"
> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Ending timer event 0x118fab0 "ltdb_callback"
> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3)
> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): commit ldb transaction (nesting: 2)
> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): commit ldb transaction (nesting: 1)
> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [sdap_save_users] (0x4000): User 0 processed!
> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [sdap_get_users_done] (0x4000): Saving 1 Users - Done
> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [sdap_id_op_done] (0x4000): releasing operation connection
> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x118fd20
> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x1182770
> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Running timer event 0x118fd20 "ltdb_callback"
> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Destroying timer event 0x1182770 "ltdb_timeout"
> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Ending timer event 0x118fd20 "ltdb_callback"
> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in view [Default Trust View] with filter [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:xyz.com:8c7e86dc-0536-11e6-94f8-0e49bd988575))].
> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.0.4.175
> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:xyz.com:8c7e86dc-0536-11e6-94f8-0e49bd988575))][cn=Default Trust View,cn=views,cn=accounts,dc=xyz,dc=com].
> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 105
> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x1173050], connected[1], ops[0x115c810], ldap[0x1164b30]
> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x1173050], connected[1], ops[0x115c810], ldap[0x1164b30
>

This log snippet is again completely unrelated to login. It just says there are no overrides applicable for this user.

Please run:

date; ssh $user@$host; date;

and attach all logs between the two date outputs.

From duncan.lists at gmail.com Sun Apr 24 20:31:52 2016
From: duncan.lists at gmail.com (Duncan Gibb)
Date: Sun, 24 Apr 2016 21:31:52 +0100
Subject: [Freeipa-users] ipa-ca-install failure - id ranges overflow?

On 24 April 2016 at 11:27, Duncan Gibb wrote:

DG> ipa-ca-install fails.

DG> I haven't found the relevant source code for this operation yet,

Found it here:

https://git.fedorahosted.org/cgit/pki.git/tree/base/common/src/com/netscape/cmscore/dbs/DBSubsystem.java?id=10502e34a10fb3b672aef1161cc271003c7806ba&h=DOGTAG_10_2_6_BRANCH#n400

DG> but it looks suspiciously like the CA serial number range is being
DG> treated as a signed 32-bit integer somewhere and it's overflowed.
I was wrong; it's just coincidence that the previous box got a range around 0x7ffe0001

The exception - LDAP error 68 - is "object already exists", presumably trying to add this again:

> dn: cn=120000001,ou=requests,ou=ranges,o=ipaca
> objectClass: top
> objectClass: pkiRange
> beginRange: 120000001
> cn: 120000001
> endRange: 130000000
> host: ipa-a2.my.domain.dom
> SecurePort: 443

Magically, without me actually making any manual changes, just restarting the CA twice with:

systemctl restart pki-tomcatd at pki-tomcat.service

this error went away and a new object appeared:

dn: cn=120000001,ou=certificateRepository,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
beginRange: 120000001
cn: 120000001
endRange: 130000000
host: ipa-a2.my.domain.dom
SecurePort: 443

ipa-ca-install says the CA replica is "already installed", but that just seems to mean the config files are present. ipa cert-show commands work (although I don't know that they didn't before).

I'm slightly distrusting of installs that seem to break then seem to fix themselves. Is there a good way to validate that all is well?

Cheers

Duncan

From john.obaterspok at gmail.com Mon Apr 25 07:25:23 2016
From: john.obaterspok at gmail.com (John Obaterspok)
Date: Mon, 25 Apr 2016 09:25:23 +0200
Subject: [Freeipa-users] nss unrecognized name alert with SAN name
In-Reply-To: <20160211003408.GL12524@dhcp-40-8.bne.redhat.com>
References: <56B673CD.1080507@redhat.com> <20160211003408.GL12524@dhcp-40-8.bne.redhat.com>

2016-02-11 1:34 GMT+01:00 Fraser Tweedale:

> On Sun, Feb 07, 2016 at 12:05:19PM +0100, John Obaterspok wrote:
> > 2016-02-06 23:29 GMT+01:00 Rob Crittenden:
> >
> > > John Obaterspok wrote:
> > >
> > >> Hi,
> > >>
> > >> I have a ipa.my.lan and a cname gitserver.my.lan pointing to ipa.my.lan
> > >>
> > >> I recently started to get nss error "SSL peer has no certificate for the
> > >> requested DNS name." when I'm accessing my https://gitserver.my.lan
> > >>
> > >> Previously this worked fine if I had set "git config --global
> > >> http.sslVerify false" according to
> > >> https://www.redhat.com/archives/freeipa-users/2015-November/msg00213.html
> > >>
> > >> Now I tried to solve this by adding a SubjectAltName to the
> > >> HTTP/ipa.my.lan certificate like this:
> > >>
> > >>         status: MONITORING
> > >>         stuck: no
> > >>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > >>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> > >>         CA: IPA
> > >>         issuer: CN=Certificate Authority,O=MY.LAN
> > >>         subject: CN=ipa.my.lan,O=MY.LAN
> > >>         expires: 2018-02-06 19:24:52 UTC
> > >>         dns: gitserver.my.lan,ipa.my.lan
> > >>         principal name: http/ipa.my.lan at MY.LAN
> > >>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > >>         eku: id-kp-serverAuth,id-kp-clientAuth
> > >>         pre-save command:
> > >>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> > >>         track: yes
> > >>         auto-renew: yes
> > >>
> > >> But I still get the below error:
> > >>
> > >> * NSS error -12182 (SSL_ERROR_UNRECOGNIZED_NAME_ALERT)
> > >> * SSL peer has no certificate for the requested DNS name
> > >>
> > >
> > > What version of mod_nss? It recently added support for SNI. You can try
> > > turning it off by adding NSSSNI off to /etc/httpd/conf.d/nss.conf but I'd
> > > imagine you were already relying on it.
> > >
> >
> > Hi,
> >
> > Turning it off didn't help
> >
> > I'm on F23 with latest updates so I have mod_nss-1.0.12-1
> > I noticed it worked if I set "ServerName gitserver.my.lan" in
> > gitserver.conf, but then I got the NAME ALERT when accessing ipa.my.lan.
> >
> > I then tried to put ipa.conf in but then I got error
> > about SSL_ERROR_RX_RECORD_TOO_LONG
> >
> > gitserver.conf has this:
> >
> >     DocumentRoot /opt/wwwgit
> >     SetEnv GIT_PROJECT_ROOT /opt/wwwgit
> >     SetEnv GIT_HTTP_EXPORT_ALL
> >     SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
> >     ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
> >
> >     ServerName gitserver.my.lan
> >
> >         Options Indexes
> >         AllowOverride None
> >         Require all granted
> >
> >         Options Indexes
> >         AllowOverride None
> >         Require all granted
> >
> >         #SSLRequireSSL
> >         AuthType Kerberos
> >         AuthName "Kerberos Login"
> >         KrbAuthRealm MY.LAN
> >         Krb5KeyTab /etc/httpd/conf/ipa.keytab
> >         KrbMethodNegotiate on
> >         KrbMethodK5Passwd off  # Set to on to query for pwd if negotiation failed due to no ticket available
> >         KrbSaveCredentials on
> >         KrbVerifyKDC on
> >         KrbServiceName HTTP/ipa.my.lan at MY.LAN
> >
> >         AuthLDAPUrl ldaps://ipa.my.lan/dc=my,dc=lan?krbPrincipalName
> >         AuthLDAPBindDN "uid=httpbind,cn=sysaccounts,cn=etc,dc=my,dc=lan"
> >         AuthLDAPBindPassword "secret123abc"
> >         Require ldap-group cn=ipausers,cn=groups,cn=accounts,dc=my,dc=lan
> >
> > Any more ideas what I do wrong?
>
> It was suggested that this may be due to the certificate not being
> compliant with RFC 2818. This is likely true, but I think it is not
> likely to be the problem. You can use `openssl s_client` to confirm
> what certificate the server is sending:
>
>   openssl s_client -showcerts \
>     -servername gitserver.my.lan -connect gitserver.my.lan:443
>
> This will dump the certificates (in PEM format), which you can copy
> to a file and examine with `openssl x509 -text < cert.pem`.
>
> Feel free to reply with the output; I am happy to have a closer
> look.
>

Hi Fraser,

*cough*, I didn't see this until now :)

Anyway,

[admin at ipa ~]$ openssl s_client -showcerts -servername gitserver.my.lan -connect gitserver.my.lan:443
CONNECTED(00000003)
140404557162360:error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 unrecognized name:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 227 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1461568003
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

[root at ipa ~]# ipa-getcert list
Number of certificates and requests being tracked: 8.
Request ID '20160206184156':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MY-LAN',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MY-LAN/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-MY-LAN',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=my.lan
        subject: CN=ipa.my.lan,O=my.lan
        expires: 2017-12-23 22:50:30 UTC
        principal name: ldap/ipa.my.lan at my.lan
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv MY-LAN
        track: yes
        auto-renew: yes
Request ID '20160206192447':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=my.lan
        subject: CN=ipa.my.lan,O=my.lan
        expires: 2018-02-06 19:24:52 UTC
        *dns: gitserver.my.lan,ipa.my.lan*
        principal name: http/ipa.my.lan at my.lan
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes

Any ideas?

-- john

From dkupka at redhat.com Mon Apr 25 08:03:20 2016
From: dkupka at redhat.com (David Kupka)
Date: Mon, 25 Apr 2016 10:03:20 +0200
Subject: [Freeipa-users] Best practice for requesting a certificate in Kickstart?
Message-ID: <571DCF48.1080207@redhat.com>

On 24/04/16 04:46, Anthony Clark wrote:
> Hello All,
>
> TL;DR: what's the best way to grab a SSL cert and key during kickstart?
>
> (this is all using CentOS 7.2 latest)
>
> I'm using Foreman to manage my kickstart and Puppet services, and its built-in
> FreeIPA client enrollment works just fine.
>
> However I'd like to also request a certificate and key for a Puppet client to
> use to authenticate to the Foreman-controlled Puppet server.
>
> If I manually set up a puppet client then it works just fine. I use something
> like this:
>
> # ipa-getcert request -w -r -f /var/lib/puppet/ssl/certs/<%= @host.name %>.pem -k /var/lib/puppet/ssl/private_keys/<%= @host.name %>.pem
> # cp /etc/ipa/ca.crt /var/lib/puppet/ssl/certs/ca.pem
>
> (then setting the correct paths and settings in /etc/puppet/puppet.conf)
>
> I tried to make that work inside the Kickstart process, but as those commands
> are running inside a kickstart chroot the certmonger service won't start.
>
> Is there a better method to grab a SSL cert and key for the host during
> kickstart? Or should I just wait until firstboot and perform the steps at that
> point?
>
> Many Thanks and FreeIPA is really amazing!
>
> Anthony Clark
>

Hello Anthony,

TL;DR Set DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null in kickstart chroot environment before calling "ipa-getcert request".

The issue is already addressed by BZ1134497 [1]. When getcert detects there is no DBus it starts certmonger and communicates over unix socket. But in Kickstart environment DBus is available but unusable (BZ1271551, [2]). It can be worked around by setting DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null (it is described in Doc Text of [1]).

You can also run ipa-client-install with --request-cert and it will also request certificate for the client. It also requires the workaround in Kickstart chroot environment. But unlike "ipa-getcert request -w" it won't wait for the certificate to be issued and fetched. The reason is that it can take days for certificate to be issued (some CAs require human approval) so ipa-client-install only submits the request and doesn't wait for certificate. After the installation completes and system is started certmonger periodically queries for the certificate and fetches it when available.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1134497
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1271551

HTH,
-- 
David Kupka

From pspacek at redhat.com Mon Apr 25 08:36:50 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 25 Apr 2016 10:36:50 +0200
Subject: [Freeipa-users] RoundRobin - Cname - 2 servers with same services
In-Reply-To: <571A3836.9090505@redhat.com>
References: <0984AB34E553F54B8705D776686863E70ABF9342@cd-exchange01.CD-PRD.candeal.ca> <571A3836.9090505@redhat.com>
Message-ID: <571DD722.10500@redhat.com>

On 22.4.2016 16:41, Martin Basti wrote:
>
> On 22.04.2016 16:00, Gady Notrica wrote:
>>
>> Hello World,
>>
>> I am trying to enable roundrobin on freeipa. I have 2 servers providing same
>> service (http). I am trying to give it a friendly name so that when user
>> what to access it, they can land on any one of the 2 servers.
>>
>> But IPA dns doesn't want to let me create CName that has the same name but 2
>> different destination.
>>
>> How do I go around this?
>>
>> Thanks,
>>
>> Gady
>>
> Hello,
>
> you don't, ldapschema limits CNAME to just one value in IPA
>
> It is possible with BIND9.1+ to have multiple CNAMEs ?
> http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_07.htm
>
> Anyway this is violation of RFC.
>
> You should use for load balancing A records.

To be absolutely sure I tried to put two CNAME records to one node. BIND 9.10 refuses to load the zone and gives following error:

zone t1.test/IN: loading from master file t1.db failed: multiple RRs of singleton type
zone t1.test/IN: not loaded due to errors.

So does IPA.

-- 
Petr^2 Spacek

From barrykfl at gmail.com Mon Apr 25 12:10:12 2016
From: barrykfl at gmail.com (barrykfl at gmail.com)
Date: Mon, 25 Apr 2016 20:10:12 +0800
Subject: [Freeipa-users] 2 servers replicating, if one fails how to make it replicate the differential?

Tried. Normally it is replicating, but if one fails and I still add new users, the recovered server does not sync back.

From gnotrica at candeal.com Mon Apr 25 14:04:17 2016
From: gnotrica at candeal.com (Gady Notrica)
Date: Mon, 25 Apr 2016 14:04:17 +0000
Subject: [Freeipa-users] RoundRobin - Cname - 2 servers with same services
In-Reply-To: <571DD722.10500@redhat.com>
References: <0984AB34E553F54B8705D776686863E70ABF9342@cd-exchange01.CD-PRD.candeal.ca> <571A3836.9090505@redhat.com> <571DD722.10500@redhat.com>
Message-ID: <0984AB34E553F54B8705D776686863E70ABFBD3B@cd-exchange01.CD-PRD.candeal.ca>

Thank you guys.

Gady Notrica

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
Sent: April 25, 2016 4:37 AM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] RoundRobin - Cname - 2 servers with same services

On 22.4.2016 16:41, Martin Basti wrote:
>
> On 22.04.2016 16:00, Gady Notrica wrote:
>>
>> Hello World,
>>
>> I am trying to enable roundrobin on freeipa. I have 2 servers
>> providing same service (http). I am trying to give it a friendly name
>> so that when user what to access it, they can land on any one of the 2 servers.
>>
>> But IPA dns doesn't want to let me create CName that has the same
>> name but 2 different destination.
>>
>> How do I go around this?
>>
>> Thanks,
>>
>> Gady
>>
> Hello,
>
> you don't, ldapschema limits CNAME to just one value in IPA
>
> It is possible with BIND9.1+ to have multiple CNAMEs ?
> http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_07.htm
>
> Anyway this is violation of RFC.
>
> You should use for load balancing A records.

To be absolutely sure I tried to put two CNAME records to one node. BIND 9.10 refuses to load the zone and gives following error:

zone t1.test/IN: loading from master file t1.db failed: multiple RRs of singleton type
zone t1.test/IN: not loaded due to errors.

So does IPA.

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

From Tuomo.Tikkanen at nokia.com Mon Apr 25 14:40:48 2016
From: Tuomo.Tikkanen at nokia.com (Tikkanen, Tuomo (Nokia - FI/Espoo))
Date: Mon, 25 Apr 2016 17:40:48 +0300
Subject: [Freeipa-users] How to remove bad cert renewal from certmonger?
In-Reply-To: <571AA45A.9080808@redhat.com>
References: <571A9526.4050708@nokia.com> <571AA45A.9080808@redhat.com>
Message-ID: <571E2C70.7080508@nokia.com>

On 23.4.2016 1:23, EXT Rob Crittenden wrote:
> Tikkanen, Tuomo (Nokia - FI/Espoo) wrote:
........
>> Repetitio est mater studiorum:
>>
>> How I can clean this defective state of certmonger?
>
> # ipa-getcert stop-tracking -i 20160212110456
>

Ah! That was obvious! Thanks a lot Rob.

>>
>> Second question if/when the above urgent problem is solved:
>>
>> Is there any way to get IP address to SAN field for the IPA Server-Certs?
>
> Not without changing code. IP address SAN are explicitly forbidden:
> Subject alt name type IP Address is forbidden
>
> rob

Is there any true reason why IP Address is forbidden by certmonger / freeipa? Or is it just "not implemented" kind of restriction?

-- 
Tuomo.Tikkanen at nokia.com

From rcritten at redhat.com Mon Apr 25 14:47:34 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Apr 2016 09:47:34 -0500
Subject: [Freeipa-users] nss unrecognized name alert with SAN name
References: <56B673CD.1080507@redhat.com> <20160211003408.GL12524@dhcp-40-8.bne.redhat.com>
Message-ID: <571E2E06.6070400@redhat.com>

John Obaterspok wrote:
>
> 2016-02-11 1:34 GMT+01:00 Fraser Tweedale:
>
>> On Sun, Feb 07, 2016 at 12:05:19PM +0100, John Obaterspok wrote:
>> > 2016-02-06 23:29 GMT+01:00 Rob Crittenden:
>> >
>> > > John Obaterspok wrote:
>> > >
>> > >> Hi,
>> > >>
>> > >> I have a ipa.my.lan and a cname gitserver.my.lan pointing to ipa.my.lan
>> > >>
>> > >> I recently started to get nss error "SSL peer has no certificate for the
>> > >> requested DNS name." when I'm accessing my https://gitserver.my.lan
>> > >>
>> > >> Previously this worked fine if I had set "git config --global
>> > >> http.sslVerify false" according to
>> > >> https://www.redhat.com/archives/freeipa-users/2015-November/msg00213.html
>> > >>
>> > >> Now I tried to solve this by adding a SubjectAltName to the
>> > >> HTTP/ipa.my.lan certificate like this:
>> > >>
>> > >>         status: MONITORING
>> > >>         stuck: no
>> > >>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> > >>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>> > >>         CA: IPA
>> > >>         issuer: CN=Certificate Authority,O=MY.LAN
>> > >>         subject: CN=ipa.my.lan,O=MY.LAN
>> > >>         expires: 2018-02-06 19:24:52 UTC
>> > >>         dns: gitserver.my.lan,ipa.my.lan
>> > >>         principal name: http/ipa.my.lan at MY.LAN
>> > >>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> > >>         eku: id-kp-serverAuth,id-kp-clientAuth
>> > >>         pre-save command:
>> > >>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>> > >>         track: yes
>> > >>         auto-renew: yes
>> > >>
>> > >> But I still get the below error:
>> > >>
>> > >> * NSS error -12182 (SSL_ERROR_UNRECOGNIZED_NAME_ALERT)
>> > >> * SSL peer has no certificate for the requested DNS name
>> > >>
>> > >
>> > > What version of mod_nss? It recently added support for SNI. You can try
>> > > turning it off by adding NSSSNI off to /etc/httpd/conf.d/nss.conf but I'd
>> > > imagine you were already relying on it.
>> > >
>> >
>> > Hi,
>> >
>> > Turning it off didn't help
>> >
>> > I'm on F23 with latest updates so I have mod_nss-1.0.12-1
>> > I noticed it worked if I set "ServerName gitserver.my.lan" in
>> > gitserver.conf, but then I got the NAME ALERT when accessing ipa.my.lan.
>> >
>> > I then tried to put ipa.conf in but then I got error
>> > about SSL_ERROR_RX_RECORD_TOO_LONG
>> >
>> > gitserver.conf has this:
>> >
>> >     DocumentRoot /opt/wwwgit
>> >     SetEnv GIT_PROJECT_ROOT /opt/wwwgit
>> >     SetEnv GIT_HTTP_EXPORT_ALL
>> >     SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
>> >     ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
>> >
>> >     ServerName gitserver.my.lan
>> >
>> >         Options Indexes
>> >         AllowOverride None
>> >         Require all granted
>> >
>> >         Options Indexes
>> >         AllowOverride None
>> >         Require all granted
>> >
>> >         #SSLRequireSSL
>> >         AuthType Kerberos
>> >         AuthName "Kerberos Login"
>> >         KrbAuthRealm MY.LAN
>> >         Krb5KeyTab /etc/httpd/conf/ipa.keytab
>> >         KrbMethodNegotiate on
>> >         KrbMethodK5Passwd off  # Set to on to query for pwd if negotiation failed due to no ticket available
>> >         KrbSaveCredentials on
>> >         KrbVerifyKDC on
>> >         KrbServiceName HTTP/ipa.my.lan at MY.LAN
>> >
>> >         AuthLDAPUrl ldaps://ipa.my.lan/dc=my,dc=lan?krbPrincipalName
>> >         AuthLDAPBindDN "uid=httpbind,cn=sysaccounts,cn=etc,dc=my,dc=lan"
>> >         AuthLDAPBindPassword "secret123abc"
>> >         Require ldap-group cn=ipausers,cn=groups,cn=accounts,dc=my,dc=lan
>> >
>> > Any more ideas what I do wrong?
>>
>> It was suggested that this may be due to the certificate not being
>> compliant with RFC 2818. This is likely true, but I think it is not
>> likely to be the problem. You can use `openssl s_client` to confirm
>> what certificate the server is sending:
>>
>>   openssl s_client -showcerts \
>>     -servername gitserver.my.lan -connect gitserver.my.lan:443
>>
>> This will dump the certificates (in PEM format), which you can copy
>> to a file and examine with `openssl x509 -text < cert.pem`.
>>
>> Feel free to reply with the output; I am happy to have a closer
>> look.
>>
>
> Hi Fraser,
>
> *cough*, I didn't see this until now :)
>
> Anyway,
>
> [admin at ipa ~]$ openssl s_client -showcerts -servername gitserver.my.lan -connect gitserver.my.lan:443
> CONNECTED(00000003)
> 140404557162360:error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 unrecognized name:s23_clnt.c:769:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 227 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1461568003
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
>
> [root at ipa ~]# ipa-getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20160206184156':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MY-LAN',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MY-LAN/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-MY-LAN',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=my.lan
>         subject: CN=ipa.my.lan,O=my.lan
>         expires: 2017-12-23 22:50:30 UTC
>         principal name: ldap/ipa.my.lan at my.lan
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv MY-LAN
>         track: yes
>         auto-renew: yes
> Request ID '20160206192447':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=my.lan
>         subject: CN=ipa.my.lan,O=my.lan
>         expires: 2018-02-06 19:24:52 UTC
>         *dns: gitserver.my.lan,ipa.my.lan*
>         principal name: http/ipa.my.lan at my.lan
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>         track: yes
>         auto-renew: yes
>
> Any ideas?

It's a bug in mod_nss 1.0.12. It shouldn't return a hard failure, it should use the default VH instead (this was fixed in 1.0.13).

I filed https://bugzilla.redhat.com/show_bug.cgi?id=133018

rob

From rcritten at redhat.com Mon Apr 25 14:53:16 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Apr 2016 09:53:16 -0500
Subject: [Freeipa-users] How to remove bad cert renewal from certmonger?
In-Reply-To: <571E2C70.7080508@nokia.com>
References: <571A9526.4050708@nokia.com> <571AA45A.9080808@redhat.com> <571E2C70.7080508@nokia.com>
Message-ID: <571E2F5C.1060803@redhat.com>

Tikkanen, Tuomo (Nokia - FI/Espoo) wrote:
> On 23.4.2016 1:23, EXT Rob Crittenden wrote:
>> Tikkanen, Tuomo (Nokia - FI/Espoo) wrote:
> ........
>>> Repetitio est mater studiorum:
>>>
>>> How I can clean this defective state of certmonger?
>>
>> # ipa-getcert stop-tracking -i 20160212110456
>>
>
> Ah! That was obvious! Thanks a lot Rob.
>
>>>
>>> Second question if/when the above urgent problem is solved:
>>>
>>> Is there any way to get IP address to SAN field for the IPA
>>> Server-Certs?
>>
>> Not without changing code. IP address SAN are explicitly forbidden:
>> Subject alt name type IP Address is forbidden
>>
>> rob
>
> Is there any true reason why IP Address is forbidden by certmonger /
> freeipa? Or is it just "not implemented" kind of restriction?
>

It is denied by IPA, not certmonger.
IP addresses are frowned upon in certs in general and they are denied by IPA because the access control would be really difficult. Today a host must be granted access to issue certs with additional names in it. You can open a RFE for this on the IPA trac if you really need it. I'm not deeply familiar with the new profile support so perhaps it is possible to do this using the latest version of IPA, I'm not sure. rob From abokovoy at redhat.com Mon Apr 25 15:05:04 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 25 Apr 2016 18:05:04 +0300 Subject: [Freeipa-users] How to remove bad cert renewal from certmonger? In-Reply-To: <571E2F5C.1060803@redhat.com> References: <571A9526.4050708@nokia.com> <571AA45A.9080808@redhat.com> <571E2C70.7080508@nokia.com> <571E2F5C.1060803@redhat.com> Message-ID: <20160425150504.7yjievq6xvo62ry7@redhat.com> On Mon, 25 Apr 2016, Rob Crittenden wrote: >Tikkanen, Tuomo (Nokia - FI/Espoo) wrote: >>On 23.4.2016 1:23, EXT Rob Crittenden wrote: >>>Tikkanen, Tuomo (Nokia - FI/Espoo) wrote: >>........ >>>>Repetitio est mater studiorum: >>>> >>>>How I can clean this defective state of certmonger? >>> >>># ipa-getcert stop-tracking -i 20160212110456 >>> >> >>Ah! That was obvious! Thanks a lot Rob. >> >>>> >>>>Second question if/when the above urgent problem is solved: >>>> >>>>Is there any way to get IP address to SAN field for the IPA >>>>Server-Certs? >>> >>>Not without changing code. IP address SAN are explicitly forbidden: >>>Subject alt name type IP Address is forbidden >>> >>>rob >> >>Is there any true reason why IP Address is forbidden by certmonger / >>freeipa? Or is it just "not implemented" kind of restriction? >> > >It is denied by IPA, not certmonger. > >IP addresses are frowned upon in certs in general and they are denied >by IPA because the access control would be really difficult. Today a >host must be granted access to issue certs with additional names in >it. 
>
>You can open a RFE for this on the IPA trac if you really need it.
>
>I'm not deeply familiar with the new profile support so perhaps it is
>possible to do this using the latest version of IPA, I'm not sure.
Correct and no, it is not right now.

Certificate profile defines what CA considers possible to grant when
issuing a cert. CA doesn't have contextual logic -- that would be
provided by an agent approving the cert. IPA framework is sitting in
front of CA to put the context in place and could be considered such an
agent, so we have logic to cross-check the request for fields that would
be conflicting with IPA access controls.

As it happens now, IPA framework disallows IP addresses. Adding support
for that would need to get proper logic in place to decide which address
spaces to allow being managed by a requesting party -- a host in your
case as certmonger asks for the cert on behalf of the host. We don't
have any system in place for that.

-- 
/ Alexander Bokovoy

From pvoborni at redhat.com Mon Apr 25 16:18:51 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 25 Apr 2016 18:18:51 +0200
Subject: [Freeipa-users] OTP and time step size
In-Reply-To: 
References: 
Message-ID: <571E436B.80705@redhat.com>

On 04/22/2016 08:55 AM, Prashant Bapat wrote:
> Hi,
>
> We have been using the OTP feature of FreeIPA extensively for users to login to
> the web UI. Now we are rolling out an external service using the LDAP
> authentication based on FreeIPA and OTP.
>
> End users typically login rarely to the web UI. Only to update their SSH keys
> once in 90 days.
>
> However to the new service based on FreeIPA's LDAP they would be logging in
> multiple times daily.
>
> Here is an observation: FreeIPA's OTP mechanism is very stringent in requiring
> the current token to be inside the 30 second window. Because of this there might
> be a sizable percentage of users who will have to retry login. Obviously, this
> is a bad user experience.
>
> As per the RFC-6238 section 5.2, we
> could allow 1 time step and make the user experience better.
>
> Can this be done by changing a config or does it involve a patch/code-change.
> Any pointers to this appreciated.
>
> Thanks.
> --Prashant
>

FreeIPA works with both time based OTP tokens (TOTP) and counter based OTP
tokens (HOTP).

TOTP uses 30s time interval by default. Administrator can set custom clock
interval during creation of a token. But self-service Web UI doesn't show
this option. Users can still use it in CLI though.

Alternative is HOTP which doesn't use time interval and there the UX issue
is not there. It can be also created in user self service.
-- 
Petr Vobornik

From anthony.wan.cheng at gmail.com Mon Apr 25 17:06:11 2016
From: anthony.wan.cheng at gmail.com (Anthony Cheng)
Date: Mon, 25 Apr 2016 17:06:11 +0000
Subject: [Freeipa-users] Migrate FreeIPA data from v2.0. to v4.2.0
Message-ID: 

Hi list,

Currently in the midst of doing a migration of FreeIPA from v3.0.0 to
v4.2.0; I have set up the new IPA instances and I am looking at migrating
the data.

Based on the section under 'Migrating from other FreeIPA to FreeIPA' here
(http://www.freeipa.org/page/Howto/Migration#Migrating_existing_FreeIPA_deployment),
it is suggested to run the following sample command:

echo Secret123 | ipa migrate-ds --bind-dn="cn=Directory Manager"
--user-container=cn=users,cn=accounts
--group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
--user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
--user-ignore-objectclass=mepOriginEntry --with-compat
ldap://migrated.freeipa.server.test

My questions are:
1) Will this work as my new domain has changed (so realm is different)
2) Will this work for migration from 3.0.0 to 4.2.0?
3) Is this command safe to run from a production box?
4) If it fails or is not safe to run, what is the alternative/process?
(details would be appreciated)

Also on the same link, it mentions that "other objects (SUDO, HBAC, DNS, ...)
have to be migrated manually, by exporting the LDIF from old FreeIPA instance,
selecting the records to be migrated, updating the attributes in batch (e.g.
new realm) and adding the cleaned LDIF to new FreeIPA."

I have some idea how to do LDIF import/export but is this process documented
anywhere (on the freeipa.org)?

Thanks, Anthony
-- 

Thanks, Anthony

From john.obaterspok at gmail.com Mon Apr 25 17:26:03 2016
From: john.obaterspok at gmail.com (John Obaterspok)
Date: Mon, 25 Apr 2016 19:26:03 +0200
Subject: [Freeipa-users] nss unrecognized name alert with SAN name
In-Reply-To: <571E2E06.6070400@redhat.com>
References: <56B673CD.1080507@redhat.com>
	<20160211003408.GL12524@dhcp-40-8.bne.redhat.com>
	<571E2E06.6070400@redhat.com>
Message-ID: 

Thanks Rob!

I rebuilt the mod_nss-1.0.14-1 version from rawhide for my F23 IPA server
and it works like a charm.

Thanks,
john

2016-04-25 16:47 GMT+02:00 Rob Crittenden:

> John Obaterspok wrote:
>
>>
>> 2016-02-11 1:34 GMT+01:00 Fraser Tweedale:
>>
>> On Sun, Feb 07, 2016 at 12:05:19PM +0100, John Obaterspok wrote:
>> > 2016-02-06 23:29 GMT+01:00 Rob Crittenden:
>> >
>> > > John Obaterspok wrote:
>> > >
>> > >> Hi,
>> > >>
>> > >> I have a ipa.my.lan and a cname gitserver.my.lan pointing to ipa.my.lan
>> > >>
>> > >> I recently started to get nss error "SSL peer has no certificate for the
>> > >> requested DNS name." when I'm accessing my https://gitserver.my.lan
>> > >>
>> > >> Previously this worked fine if I had set "git config --global
>> > >> http.sslVerify false" according to
>> > >> https://www.redhat.com/archives/freeipa-users/2015-November/msg00213.html
>> > >>
>> > >> Now I tried to solve this by adding a SubjectAltName to the
>> > >> HTTP/ipa.my.lan certificate like this:
>> > >>
>> > >> status: MONITORING
>> > >> stuck: no
>> > >> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> > >> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>> > >> CA: IPA
>> > >> issuer: CN=Certificate Authority,O=MY.LAN
>> > >> subject: CN=ipa.my.lan,O=MY.LAN
>> > >> expires: 2018-02-06 19:24:52 UTC
>> > >> dns: gitserver.my.lan,ipa.my.lan
>> > >> principal name: http/ipa.my.lan at MY.LAN
>> > >> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> > >> eku: id-kp-serverAuth,id-kp-clientAuth
>> > >> pre-save command:
>> > >> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>> > >> track: yes
>> > >> auto-renew: yes
>> > >>
>> > >> But I still get the below error:
>> > >>
>> > >> * NSS error -12182 (SSL_ERROR_UNRECOGNIZED_NAME_ALERT)
>> > >> * SSL peer has no certificate for the requested DNS name
>> > >>
>> > >
>> > > What version of mod_nss? It recently added support for SNI. You can try
>> > > turning it off by adding NSSSNI off to /etc/httpd/conf.d/nss.conf but I'd
>> > > imagine you were already relying on it.
>> > >
>> > >
>> > Hi,
>> >
>> > Turning it off didn't help
>> >
>> > I'm on F23 with latest updates so I have mod_nss-1.0.12-1
>> > I noticed it worked if I set "ServerName gitserver.my.lan" in
>> > gitserver.conf, but then I got the NAME ALERT when accessing ipa.my.lan.
>> >
>> > I then tried to put ipa.conf in but then I got error
>> > about SSL_ERROR_RX_RECORD_TOO_LONG
>> >
>> > gitserver.conf has this:
>> >
>> >
>> > DocumentRoot /opt/wwwgit
>> > SetEnv GIT_PROJECT_ROOT /opt/wwwgit
>> > SetEnv GIT_HTTP_EXPORT_ALL
>> > SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
>> > ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
>> >
>> > ServerName gitserver.my.lan
>> >
>> >
>> > Options Indexes
>> > AllowOverride None
>> > Require all granted
>> >
>> >
>> >
>> > Options Indexes
>> > AllowOverride None
>> > Require all granted
>> >
>> >
>> >
>> > #SSLRequireSSL
>> > AuthType Kerberos
>> > AuthName "Kerberos Login"
>> > KrbAuthRealm MY.LAN
>> > Krb5KeyTab /etc/httpd/conf/ipa.keytab
>> > KrbMethodNegotiate on
>> > KrbMethodK5Passwd off # Set to on to query for pwd if negotiation
>> > failed due to no ticket available
>> > KrbSaveCredentials on
>> > KrbVerifyKDC on
>> > KrbServiceName HTTP/ipa.my.lan at MY.LAN
>> >
>> > AuthLDAPUrl ldaps://ipa.my.lan/dc=my,dc=lan?krbPrincipalName
>> > AuthLDAPBindDN "uid=httpbind,cn=sysaccounts,cn=etc,dc=my,dc=lan"
>> > AuthLDAPBindPassword "secret123abc"
>> > Require ldap-group cn=ipausers,cn=groups,cn=accounts,dc=my,dc=lan
>> >
>> >
>> >
>> >
>> >
>> > Any more ideas what I do wrong?
>>
>> It was suggested that this may be due to the certificate not being
>> compliant with RFC 2818. This is likely true, but I think it is not
>> likely to be the problem. You can use `openssl s_client` to confirm
>> what certificate the server is sending:
>>
>> openssl s_client -showcerts \
>> -servername gitserver.my.lan -connect gitserver.my.lan:443
>>
>> This will dump the certificates (in PEM format), which you can copy
>> to a file and examine with `openssl x509 -text < cert.pem`.
>>
>> Feel free to reply with the output; I am happy to have a closer
>> look.
>>
>> Hi Fraser,
>>
>> *cough*, I didn't see this until now :)
>>
>> Anyway,
>>
>> [admin at ipa ~]$ openssl s_client -showcerts -servername gitserver.my.lan -connect gitserver.my.lan:443
>> CONNECTED(00000003)
>> 140404557162360:error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 unrecognized name:s23_clnt.c:769:
>> ---
>> no peer certificate available
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 7 bytes and written 227 bytes
>> ---
>> New, (NONE), Cipher is (NONE)
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> No ALPN negotiated
>> SSL-Session:
>>     Protocol  : TLSv1.2
>>     Cipher    : 0000
>>     Session-ID:
>>     Session-ID-ctx:
>>     Master-Key:
>>     Key-Arg   : None
>>     Krb5 Principal: None
>>     PSK identity: None
>>     PSK identity hint: None
>>     Start Time: 1461568003
>>     Timeout   : 300 (sec)
>>     Verify return code: 0 (ok)
>> ---
>>
>>
>> [root at ipa ~]# ipa-getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID '20160206184156':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MY-LAN',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MY-LAN/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-MY-LAN',nickname='Server-Cert',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=my.lan
>>         subject: CN=ipa.my.lan,O=my.lan
>>         expires: 2017-12-23 22:50:30 UTC
>>         principal name: ldap/ipa.my.lan at my.lan
>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv MY-LAN
>>         track: yes
>>         auto-renew: yes
>> Request ID '20160206192447':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=my.lan
>>         subject: CN=ipa.my.lan,O=my.lan
>>         expires: 2018-02-06 19:24:52 UTC
>>         *dns: gitserver.my.lan,ipa.my.lan*
>>         principal name: http/ipa.my.lan at my.lan
>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>         track: yes
>>         auto-renew: yes
>>
>>
>> Any ideas?
>>
>
> It's a bug in mod_nss 1.0.12. It shouldn't return a hard failure, it
> should use the default VH instead (this was fixed in 1.0.13). I filed
> https://bugzilla.redhat.com/show_bug.cgi?id=133018
>
> rob
>
>

From zwolfinger at myemma.com Mon Apr 25 18:52:00 2016
From: zwolfinger at myemma.com (Zak Wolfinger)
Date: Mon, 25 Apr 2016 13:52:00 -0500
Subject: [Freeipa-users] Add CA server AFTER install?
Message-ID: 

Not having much luck with the docs / Google. Is there a way to add the
CA server role to a FreeIPA installation if it wasn't included at the
time of install?

Thanks!

From rcritten at redhat.com Mon Apr 25 18:53:27 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Apr 2016 13:53:27 -0500
Subject: [Freeipa-users] Add CA server AFTER install?
In-Reply-To: 
References: 
Message-ID: <571E67A7.7080600@redhat.com>

Zak Wolfinger wrote:
> Not having much luck with the docs / Google. Is there a way to add the
> CA server role to a FreeIPA installation if it wasn't included at the
> time of install?
>
> Thanks!
>
>

ipa-ca-install

rob

From rcritten at redhat.com Mon Apr 25 18:58:59 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 25 Apr 2016 13:58:59 -0500
Subject: [Freeipa-users] Add CA server AFTER install?
In-Reply-To: 
References: 
Message-ID: <571E68F3.3000806@redhat.com>

Zak Wolfinger wrote:
> Not having much luck with the docs / Google. Is there a way to add the
> CA server role to a FreeIPA installation if it wasn't included at the
> time of install?

Too quick on the draw...

It isn't clear what you mean.

ipa-ca-install can add a CA to a master installed using ipa-replica-install.

If you installed as CA-less then I'd look at
http://www.freeipa.org/page/V4/CA-less_to_CA-full_conversion

It is rather thin on details unfortunately but it looks like you can just
run ipa-ca-install in this case as well.

rob

From anthony.wan.cheng at gmail.com Mon Apr 25 21:33:29 2016
From: anthony.wan.cheng at gmail.com (Anthony Cheng)
Date: Mon, 25 Apr 2016 21:33:29 +0000
Subject: [Freeipa-users] Migrate FreeIPA data from v3.0. to v4.2.0
In-Reply-To: 
References: 
Message-ID: 

So I went ahead and ran the migrate-ds command; ran into issue that was
described here:
https://www.redhat.com/archives/freeipa-users/2015-March/msg00398.html
when trying to change password

I re-ran migrate-ds option; but I actually don't see the user accounts
being migrated at all when I run a "ipa user-show user_name --all"

I suppose manual option/script is the only option at this point?

Anthony

On Mon, Apr 25, 2016 at 1:06 PM Anthony Cheng wrote:

> Hi list,
>
> Currently in the midst of doing a migration of FreeIPA from v3.0.0 to
> v4.2.0; I have set up the new IPA instances and I am looking at migrating the
> data.
>
> Based on the section under 'Migrating from other FreeIPA to FreeIPA' here (
> http://www.freeipa.org/page/Howto/Migration#Migrating_existing_FreeIPA_deployment),
> it is suggested to run the following sample command:
>
> echo Secret123 | ipa migrate-ds --bind-dn="cn=Directory Manager"
> --user-container=cn=users,cn=accounts
> --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
> --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
> --user-ignore-objectclass=mepOriginEntry --with-compat
> ldap://migrated.freeipa.server.test
>
> My questions are:
> 1) Will this work as my new domain has changed (so realm is different)
> 2) Will this work for migration from 3.0.0 to 4.2.0?
> 3) Is this command safe to run from a production box?
> 4) If it fails or is not safe to run, what is the alternative/process?
> (details would be appreciated)
>
> Also on the same link, it mentions that "other objects (SUDO, HBAC, DNS,
> ...) have to be migrated manually, by exporting the LDIF from old FreeIPA
> instance, selecting the records to be migrated, updating the attributes in
> batch (e.g. new realm) and adding the cleaned LDIF to new FreeIPA."
>
> I have some idea how to do LDIF import/export but is this process
> documented anywhere (on the freeipa.org)?
>
> Thanks, Anthony
> --
>
> Thanks, Anthony
>
-- 

Thanks, Anthony
From barrykfl at gmail.com Tue Apr 26 02:04:23 2016
From: barrykfl at gmail.com (barrykfl at gmail.com)
Date: Tue, 26 Apr 2016 10:04:23 +0800
Subject: [Freeipa-users] Differential data on cluster syn back to server1
Message-ID: 

Hi:

I have 2 servers clusters replicating ... server1 down, server2 take up
role running. If server 1 turn on again I found the differential ac/data
created on server2 not replicate back to server 1 ... any idea?

Is it possible to sync back the different data manually or force sync?

If both servers on, it can be replicating normally.

THX & Regards

barry

From pvoborni at redhat.com Tue Apr 26 08:02:40 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 26 Apr 2016 10:02:40 +0200
Subject: [Freeipa-users] Migrate FreeIPA data from v3.0. to v4.2.0
In-Reply-To: 
References: 
Message-ID: <571F20A0.6080802@redhat.com>

On 04/25/2016 11:33 PM, Anthony Cheng wrote:
> So I went ahead and ran the migrate-ds command; ran into issue that was
> described here:
> https://www.redhat.com/archives/freeipa-users/2015-March/msg00398.html when
> trying to change password
>
> I re-ran migrate-ds option; but I actually don't see the user accounts being
> migrated at all when I run a "ipa user-show user_name --all"
>
> I suppose manual option/script is the only option at this point?
>
> Anthony
>
> On Mon, Apr 25, 2016 at 1:06 PM Anthony Cheng wrote:
>
>     Hi list,
>
>     Currently in the midst of doing a migration of FreeIPA from v3.0.0 to
>     v4.2.0; I have set up the new IPA instances and I am looking at migrating the data.

I'd assume that by v3.0.0 you mean RHEL 6.7 and by v 4.2.0 RHEL 7.2.
For such migration you can use a method by creating a replica
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html#migrating-ipa-proc

With IPA upgraded from version 2.x, make sure that internal CA users have
correct certificates and that all certificates are valid. Details are in
thread "7.x replica install from 6.x master fails"

Especially:
* https://www.redhat.com/archives/freeipa-users/2016-April/msg00046.html
* https://www.redhat.com/archives/freeipa-users/2016-April/msg00138.html
* https://www.redhat.com/archives/freeipa-users/2016-April/msg00143.html

>
>     Based on the section under 'Migrating from other FreeIPA to FreeIPA' here
>     (http://www.freeipa.org/page/Howto/Migration#Migrating_existing_FreeIPA_deployment),
>     it is suggested to run the following sample command:
>
>     echo Secret123 | ipa migrate-ds --bind-dn="cn=Directory Manager"
>     --user-container=cn=users,cn=accounts
>     --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
>     --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
>     --user-ignore-objectclass=mepOriginEntry --with-compat
>     ldap://migrated.freeipa.server.test

Migrate DS was designed to be used for migration from general LDAP server
to IPA but it can be used also for IPA-IPA migration given that IPA has
also LDAP server.

>
>     My questions are:
>     1) Will this work as my new domain has changed (so realm is different)

Yes

>     2) Will this work for migration from 3.0.0 to 4.2.0?

Yes, but see the link above - it is the recommended method if you want to
just "upgrade".

>     3) Is this command safe to run from a production box?

The command doesn't do any changes on source machine. It's always better
to try it first in testing environment.
>     4) If it fails or is not safe to run, what is the alternative/process?
>     (details would be appreciated)

Depends how it fails.

>
>     Also on the same link, it mentions that "other objects (SUDO, HBAC, DNS,
>     ...) have to be migrated manually, by exporting the LDIF from old FreeIPA
>     instance, selecting the records to be migrated, updating the attributes in
>     batch (e.g. new realm) and adding the cleaned LDIF to new FreeIPA."

Yes, automatic migration of other records than users and groups was not
yet implemented: we have an RFE for such migration:
https://fedorahosted.org/freeipa/ticket/3656

>
>     I have some idea how to do LDIF import/export but is this process documented
>     anywhere (on the freeipa.org)?

I'm not aware of any such document.
-- 
Petr Vobornik

From pvoborni at redhat.com Tue Apr 26 08:05:56 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 26 Apr 2016 10:05:56 +0200
Subject: [Freeipa-users] concurrent requests to ipalib app giving network error
In-Reply-To: <5719C84B.9080506@redhat.com>
References: <5719C84B.9080506@redhat.com>
Message-ID: <571F2164.7090705@redhat.com>

On 04/22/2016 08:44 AM, Martin Basti wrote:
>
>
> On 21.04.2016 18:46, Oğuz Yarımtepe wrote:
>> Hi,
>>
>> I have a REST API that is using the ipalib and written with Falcon.
>> Below is the code or you can check it online here:
>> http://paste.ubuntu.com/15966308/
>>
>> from __future__ import print_function
>> from bson import json_util
>> import json
>> import falcon
>>
>> from ipalib import api as ipaapi
>> from api.utils.utils import parse_json, check_connection
>> from api import settings
>>
>> class Calls(object):
>>
>>     #@falcon.before(check_connection)
>>     def on_post(self, req, resp):
>>
>>         result_json = parse_json(req)
>>         command_name = result_json["command_name"]
>>         params = result_json["params"]
>>
>>         if not hasattr(ipaapi.env, "conf"):
>>             #TODO: add kinit oguz for exceptional case
>>             ipaapi.bootstrap_with_global_options(context='satcloud_api')
>>             ipaapi.finalize()
>>
>>         if ipaapi.env.in_server:
>>             ipaapi.Backend.ldap2.connect()
>>         else:
>>             ipaapi.Backend.rpcclient.connect()
>>
>>         #import ipdb
>>         #ipdb.set_trace()
>>
>>         command=ipaapi.Command
>>         command_result=getattr(command,command_name)
>>
>>         #resp.set_cookie('api_status_cookie', 'True')
>>         if not params:
>>             resp.body = json.dumps(command_result())
>>             resp.status = falcon.HTTP_200
>>         else:
>>             if type(params) == dict:
>>                 arguments = []
>>                 kwargs = dict()
>>                 for key, value in params.iteritems():
>>                     if "arg" in key:
>>                         arguments.append(value)
>>                     else:
>>                         kwargs[key]=value
>>                 try:
>>                     #for datetime serialization problems better to use bson
>>                     dump = command_result(*arguments, **kwargs)
>>                     resp.body = json.dumps(dump, default=json_util.default)
>>                     #resp.body = json.dumps(command_result(*arguments, **kwargs))
>>                     resp.status = falcon.HTTP_200
>>                 except UnicodeDecodeError:
>>                     resp.body = json.dumps(dump, default=json_util.default,
>>                                            encoding='latin1')
>>                     resp.status = falcon.HTTP_200
>>                 except Exception as e:
>>                     resp.status = falcon.HTTP_BAD_REQUEST
>>                     resp.body = json.dumps({"description": e.message,
>>                                             "title": "Duplicate entry"})
>>                     #raise falcon.HTTPBadRequest(title="Duplicate entry",
>>                     #                            description=e,
>>                     #                            href=settings.__docs__)
>>             else:
>>                 dump = command_result(params)
>>                 resp.body = json.dumps(dump, default=json_util.default)
>>                 #resp.body = json.dumps(command_result(params))
>>                 resp.status = falcon.HTTP_200
>>
>>
>> Basically i am making concurrent calls to this rest api and i am getting
>>
>> Network error: http://paste.ubuntu.com/15966347/
>>
>> ipa: INFO: Forwarding 'user_find' to json server 'https://ipa.foo.com/ipa/json'
>> ipa: INFO: Forwarding 'netgroup_find' to json server 'https://ipa.foo.com/ipa/json'
>> [pid: 5450|app: 0|req: 9/14] 10.102.235.77 () {34 vars in 463 bytes} [Thu Apr 21 17:43:22 2016] POST /v1/ipa/calls => generated 2324 bytes in 227 msecs (HTTP/1.1 200) 8 headers in 459 bytes (1 switches on core 0)
>> Traceback (most recent call last):
>>   File "falcon/api.py", line 213, in falcon.api.API.__call__ (falcon/api.c:2521)
>>   File "falcon/api.py", line 182, in falcon.api.API.__call__ (falcon/api.c:2118)
>>   File "./api/resources/ipa/calls.py", line 38, in on_post
>>     resp.body = json.dumps(command_result())
>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443, in __call__
>>     ret = self.run(*args, **options)
>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 761, in run
>>     return self.forward(*args, **options)
>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 782, in forward
>>     return self.Backend.rpcclient.forward(self.name, *args, **kw)
>>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 935, in forward
>>     raise NetworkError(uri=server, error=e.errmsg)
>> ipalib.errors.NetworkError: cannot connect to 'https://ipa.foo.com/ipa/json': Internal Server Error
>> [pid: 5451|app: 0|req: 3/15] 10.102.235.77 () {34 vars in 463 bytes} [Thu Apr 21 17:43:22 2016] POST /v1/ipa/calls => generated 0 bytes in 1421 msecs (HTTP/1.1 500) 0 headers in 0 bytes (0 switches on core 0)
>>
>>
>> This is how a concurrent request is being sent:
>> #!/usr/bin/env python
>>
>> from multiprocessing import Process, Pool
>> import time
>> import urllib2
>>
>> def millis():
>>     return int(round(time.time() * 1000))
>>
>> def http_get(url):
>>     start_time = millis()
>>     request = urllib2.Request(url, headers={"Content-Type": "application/json",
>>                                             "Origin": "http://ipa.foo.com",
>>                                             "Authorization": "{'token': 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzcnYiOiJpcGEuc2F0Y2xvdWQuY29tLnRyIiwic3ViIjoiMGU1ZGZkNDc3N2I2NmNhOTU3ZTc4ZmJhZjMxNjYxMmEifQ.cr8cNy7zgQkY-q7UUyTCNPCjGlmz-LCCzUYSUV9P694'}"})
>>     result = {"url": url, "data": urllib2.urlopen(request, timeout=10).read()[:100]}
>>     #result = {"url": url, "data": urllib2.urlopen(request, timeout=5).read()}
>>     print url + " took " + str(millis() - start_time) + " ms"
>>     return result
>>
>>
>> urls = ['http://api.foo.com:8888/v1/users',
>>         'http://api.foo.com:8888/v1/organizations']
>>
>> pool = Pool(processes=2)
>>
>> start_time = millis()
>> results = pool.map(http_get, urls)
>>
>> print "\nTotal took " + str(millis() - start_time) + " ms\n"
>>
>> for result in results:
>>     print result
>>
>> I am confused about the reason of the error. Any idea?
>>
>>
>> --
>> Oğuz Yarımtepe
>> http://about.me/oguzy
>>
>>
>>
>
> Hello, could you check /var/logs/httpd/error_log if there is any info about
> Internal server error?
>
> It looks like there is no session cookie set (but not sure). IMO because the
> parallel processing you may need to use local instances of API instead the
> global one for each thread/process.
>
> From top of my head:
>
> api = create_api(mode=None)
> api.bootstrap()
> api.finalize()
>
>
> But I'm not sure what is the exact problem, you need try :)
>
> Martin
>

Maybe you are hitting: https://fedorahosted.org/freeipa/ticket/5653
-- 
Petr Vobornik

From barrykfl at gmail.com Tue Apr 26 11:26:27 2016
From: barrykfl at gmail.com (barrykfl at gmail.com)
Date: Tue, 26 Apr 2016 19:26:27 +0800
Subject: [Freeipa-users] server 1 cannot syn update to server 2 after restart
Message-ID: 

server 2 can sync update to server 1 but reverse fail

Any idea?
error below:

Can't contact LDAP server

[26/Apr/2016:18:40:13 +0800] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ABC,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[26/Apr/2016:18:40:19 +0800] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ABC,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[26/Apr/2016:18:40:19 +0800] set_krb5_creds - Could not get initial credentials for principal [ldap/central.ABC.com at ABC.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[26/Apr/2016:18:40:19 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found)) errno 0 (Success)
[26/Apr/2016:18:40:19 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[26/Apr/2016:18:40:19 +0800] NSMMReplicationPlugin - agmt="cn= meTocentral02.ABC.com" (central02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found))
[26/Apr/2016:18:40:19 +0800] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[26/Apr/2016:18:40:19 +0800] - Listening on /var/run/slapd-ABC-COM.socket for LDAPI requests
[26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn= meTocentral02.ABC.com" (central02:389): Replication bind with GSSAPI auth resumed
[26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn= meTocentral02.ABC.com" (central02:389): Missing data encountered
[26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn= meTocentral02.ABC.com" (central02:389): Incremental update failed and requires administrator action

From bret.wortman at damascusgrp.com Tue Apr 26 12:14:17 2016
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Tue, 26 Apr 2016 08:14:17 -0400
Subject: [Freeipa-users] IPA server having cert issues
In-Reply-To: <571F586E.2000302@damascusgrp.com>
References: <571F586E.2000302@damascusgrp.com>
Message-ID: <571F5B99.4060607@damascusgrp.com>

I have an IPA server on a private network which has apparently run into
certificate issues this morning. It's been running without issue for
quite a while, and is on 4.1.4-1 on fedora 21. This morning, the gui
started giving:

IPA Error 907: NetworkError with description "cannot connect to
'https://zsipa.private.net:443/ca/agent/ca/displayBySerial':
(SSL_ERROR_EXPIRED_CERRT_ALERT) SSL peer rejected your certificate as
expired."

I dug into the logs and after trying to restart ipa using ipactl, there
was a lengthy pause, then:

dogtag-ipa-ca-renew-agent-submit: Updated certificate not available
certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" is no longer valid.
dogtag-ipa-ca-renew-agent-submit: Updated certificate not available
certmonger: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
dogtag-ipa-ca-renew-agent-submit: Updated certificate not available.
named-pkcs11[3437]: client 192.168.208.205#57832: update '208.168.192.in-addr.arpa/IN' denied

and then things start shutting down. I can't start ipa at all using
ipactl. So at present, our DNS is down. Authentication should work for a
while, but I'd like to get this working again as quickly as possible.

Any ideas? I deal with certificates so infrequently (like only when
something like this happens) that I'm not sure where to start.

Thanks!

-- 
*Bret Wortman*
/Coming soon to Kickstarter.../
http://wrapbuddies.co/

From BJB at jndata.dk Tue Apr 26 13:04:02 2016
From: BJB at jndata.dk (Bjarne Blichfeldt)
Date: Tue, 26 Apr 2016 13:04:02 +0000
Subject: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP
Message-ID: <89213DDB84447F44A8E8950A5C2185E048204CC2@SJN01013.jnmain00.corp.jndata.net>

This is a follow-up to
https://www.redhat.com/archives/freeipa-users/2016-January/msg00023.html

From: Jan Cholasta
Peter Pakos, freeipa-users redhat com

My question is, what is the correct way of installing a 3rd party
certificate for HTTP/LDAP that will actually work?

1. Install the CA certificate chain of the issuer of the 3rd party
   certificate to IPA using "ipa-cacert-manage install"
2. Run "ipa-certupdate" to update CA certificate related IPA configuration.
3. Manually import the server certificate into the /etc/dirsrv/slapd-REALM
   NSS database, configure the correct nickname in LDAP in the
   nsSSLPersonalitySSL attribute of cn=RSA,cn=encryption,cn=config and
   restart DS.
4. Manually import the server certificate into the /etc/httpd/alias NSS
   database, configure the correct nickname in /etc/httpd/conf.d/nss.conf
   using the NSSNickname directive and restart httpd.
I am in a similar situation and have some follow-up questions:

ad 1: If I run ipa-cacert-manage install --external-cert-file=/path/to/external_ca_certificate-chain, does this simply add the chain as an extra root CA without destroying the existing ipa-ca?

ad 3: I assume the import is: certutil -A -d /etc/dirsrv/slapd-REALM. How do I configure the LDAP attribute? Is it just a matter of making the change in /etc/dirsrv/ldap*/dse.ldif and restarting?

Also: where is the private key in all this? I generate a CSR with openssl, send the CSR to the CA and receive a certificate, but I don't see any option in certutil to specify the private key. I did find instructions on importing PKCS#12 into the NSS DB; is this what is meant here?

Our setup: 4 IPA servers, RHEL 7.2, ipa ping = "IPA server version 4.2.0. API version 2.156", and a mix of RHEL 6 (ipa-client 3.0.xx) and RHEL 7.1 (ipa-client 4.1.xx) clients.

Regards,
Bjarne Blichfeldt

JN Data A/S * Havsteensvej 4 * 4000 Roskilde
Phone 63 63 63 63 / Fax 63 63 63 64
www.jndata.dk

From gnotrica at candeal.com Tue Apr 26 13:13:04 2016
From: gnotrica at candeal.com (Gady Notrica)
Date: Tue, 26 Apr 2016 13:13:04 +0000
Subject: [Freeipa-users] krb5kdc service not starting
Message-ID: <0984AB34E553F54B8705D776686863E70AC01F50@cd-exchange01.CD-PRD.candeal.ca>

Hello world,

I am having issues this morning with my primary IPA. See below the details in the logs and command result. Basically, the krb5kdc service is not starting - krb5kdc: Server error - while fetching master key.

DNS is functioning. See below dig result.
I have a trust with Windows AD.

Please help?!

[root@cd-ipa1 log]# systemctl status krb5kdc.service -l
● krb5kdc.service - Kerberos 5 KDC
   Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52 EDT; 41min ago
  Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE)

Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Starting Kerberos 5 KDC...
Apr 26 08:27:52 cd-ipa1.ipa.domain.local krb5kdc[3694]: krb5kdc: cannot initialize realm IPA.DOMAIN.LOCAL - see log file for details
Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service: control process exited, code=exited status=1
Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Failed to start Kerberos 5 KDC.
Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Unit krb5kdc.service entered failed state.
Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service failed.
[root@cd-ipa1 log]#

Errors in /var/log/krb5kdc.log

krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL

[root@cd-ipa1 log]# systemctl status httpd -l
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/etc/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:21 EDT; 39min ago
     Docs: man:httpd(8)
           man:apachectl(8)
  Process: 3594 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=1/FAILURE)

Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1579, in __wait_for_connection
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: wait_for_open_socket(lurl.hostport, timeout)
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1200, in wait_for_open_socket
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: raise e
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: error: [Errno 2] No such file or directory
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: ipa : ERROR Unknown error while retrieving setting from ldapi://%2fvar%2frun%2fslapd-IPA-CANDEAL-CA.socket: [Errno 2] No such file or directory
Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service: control process exited, code=exited status=1
Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Failed to start The Apache HTTP Server.
Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Unit httpd.service entered failed state.
Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service failed.
[root@cd-ipa1 log]#

DNS Result for dig redhat.com

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> redhat.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5414
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;redhat.com.                    IN      A

;; ANSWER SECTION:
redhat.com.             60      IN      A       209.132.183.105

;; AUTHORITY SECTION:
.                       849     IN      NS      f.root-servers.net.
.                       849     IN      NS      e.root-servers.net.
.                       849     IN      NS      k.root-servers.net.
.                       849     IN      NS      m.root-servers.net.
.                       849     IN      NS      b.root-servers.net.
.                       849     IN      NS      g.root-servers.net.
.                       849     IN      NS      c.root-servers.net.
.                       849     IN      NS      h.root-servers.net.
.                       849     IN      NS      l.root-servers.net.
.                       849     IN      NS      a.root-servers.net.
.                       849     IN      NS      j.root-servers.net.
.                       849     IN      NS      i.root-servers.net.
.                       849     IN      NS      d.root-servers.net.

;; ADDITIONAL SECTION:
j.root-servers.net.     3246    IN      A       192.58.128.30

;; Query time: 79 msec
;; SERVER: 10.20.10.41#53(10.20.10.41)
;; WHEN: Tue Apr 26 09:02:43 EDT 2016
;; MSG SIZE  rcvd: 282

Gady Notrica | IT Systems Analyst | 416.814.7800 Ext. 7921 | Cell. 416.818.4797 | gnotrica at candeal.com
CanDeal | 152 King St. E, 4th Floor, Toronto ON M5A 1J4 | www.candeal.com | Follow us:

From Tuomo.Tikkanen at nokia.com Tue Apr 26 13:13:43 2016
From: Tuomo.Tikkanen at nokia.com (Tikkanen, Tuomo (Nokia - FI/Espoo))
Date: Tue, 26 Apr 2016 16:13:43 +0300
Subject: [Freeipa-users] SAN with IP address [Was: Re: How to remove bad cert renewal from certmonger?]
In-Reply-To: <20160425150504.7yjievq6xvo62ry7@redhat.com>
References: <571A9526.4050708@nokia.com> <571AA45A.9080808@redhat.com> <571E2C70.7080508@nokia.com> <571E2F5C.1060803@redhat.com> <20160425150504.7yjievq6xvo62ry7@redhat.com>
Message-ID: <571F6987.2050906@nokia.com>

On 25.4.2016 18:05, EXT Alexander Bokovoy wrote:
> On Mon, 25 Apr 2016, Rob Crittenden wrote:
-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----
........
-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----
>>
>> It is denied by IPA, not certmonger.
>>
>> IP addresses are frowned upon in certs in general and they are denied
>> by IPA because the access control would be really difficult. Today a
>> host must be granted access to issue certs with additional names in it.
>>
>> You can open a RFE for this on the IPA trac if you really need it.
>>
>> I'm not deeply familiar with the new profile support so perhaps it is
>> possible to do this using the latest version of IPA, I'm not sure.
> Correct and no, it is not right now.
> Certificate profile defines what CA considers possible to grant when
> issuing a cert. CA doesn't have contextual logic -- that would be
> provided by an agent approving the cert. IPA framework is sitting in
> front of CA to put the context in place and could be considered such an
> agent, so we have logic to cross-check the request for fields that would
> be conflicting with IPA access controls.
>
> As it happens now, IPA framework disallows IP addresses. Adding support
> for that would need to get proper logic in place to decide which
> address spaces to allow being managed by a requesting party -- a host
> in your case as certmonger asks for the cert on behalf of the host. We
> don't have any system in place for that.
>

Because I am not an expert on IPA / cert business I might over-simplify the case. To me, letting the IP address of a related FQDN be added to the SAN would be quite a simple case.
When I am requesting a cert for ipa2.public.domain and ipa2.management.domain and want to have their IPs in the SAN extension of the cert as well, the logic would be something like: the IPA framework checks that the related FQDNs and their DNS information are in place in IPA => allow.

There probably are much more complicated cases though. I understand that creating a huge number of exceptions for all the possible cases would be mission impossible. Thus it would be nice if there were a possibility for the IPA admin to create this kind of rule to allow local exceptions -- even frowned-upon ones.

In my original email I promised not to go into the details of why I'd need the feature, but here we go...

In our case the IP in the SAN would be needed because our lab has its own DNS space that is not published to the intranet side. However, there are situations when a user needs / wants to connect to certain web services in the lab also from the intranet (to change his password on IPA, for example). In such cases he has to give a URL with the IP address, but browsers tell him that the certificate is invalid because the cert is only valid for the FQDN. Naturally it is possible to create an exception in the browser or add an /etc/hosts entry for the FQDN on the intranet computer. However, to me an IP in the SAN would be a much more elegant and clean solution.

--
Tuomo.Tikkanen at nokia.com

From mbabinsk at redhat.com Tue Apr 26 13:17:12 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 26 Apr 2016 15:17:12 +0200
Subject: [Freeipa-users] krb5kdc service not starting
In-Reply-To: <0984AB34E553F54B8705D776686863E70AC01F50@cd-exchange01.CD-PRD.candeal.ca>
References: <0984AB34E553F54B8705D776686863E70AC01F50@cd-exchange01.CD-PRD.candeal.ca>
Message-ID: <3df3e2c9-4249-8b3f-ddd2-739d9720f9aa@redhat.com>

On 04/26/2016 03:13 PM, Gady Notrica wrote:
> Hello world,
>
> I am having issues this morning with my primary IPA. See below the
> details in the logs and command result. Basically, krb5kdc service not
> starting - krb5kdc: Server error - while fetching master key.
>
> DNS is functioning. See below dig result. I have a trust with Windows AD.
>
> Please help?!

It seems like Directory server is not running. Can you post result of 'ipactl status' and 'systemctl status dirsrv@IPA-CANDEAL-CA.service'?
--
Martin^3 Babinsky

From bret.wortman at damascusgrp.com Tue Apr 26 13:24:05 2016
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Tue, 26 Apr 2016 09:24:05 -0400
Subject: [Freeipa-users] IPA server having cert issues
In-Reply-To: <571F5B99.4060607@damascusgrp.com>
References: <571F586E.2000302@damascusgrp.com> <571F5B99.4060607@damascusgrp.com>
Message-ID: <571F6BF5.9060801@damascusgrp.com>

I rolled the date on the IPA server in question back to April 1 and ran "ipa-cacert-manage renew", which said it completed successfully. I rolled the date back to current and tried restarting ipa using ipactl stop && ipactl start, but no joy. No more CA renewal errors, but right after the pause I see this in /var/log/messages:

systemd: kadmin.service: main process exited, code=exited, status=2/INVALIDARGUMENT
systemd: Unit kadmin.service entered failed state.
systemd: kadmin.service failed.

I rebooted the server just in case, and it's still getting stuck at the same place. ipa-otpd doesn't get around to starting.

Bret

After the several-minutes-long pause after ipactl start outputs "Starting pki-tomcatd Service", I get the

On 04/26/2016 08:14 AM, Bret Wortman wrote:
> I have an IPA server on a private network which has apparently run
> into certificate issues this morning. It's been running without issue
> for quite a while, and is on 4.1.4-1 on fedora 21.
>
> This morning, the gui started giving:
>
> IPA Error 907: NetworkError with description "cannot connect to
> 'https://zsipa.private.net:443/ca/agent/ca/displayBySerial':
> (SSL_ERROR_EXPIRED_CERRT_ALERT) SSL peer rejected your certificate as
> expired."

From bret.wortman at damascusgrp.com Tue Apr 26 13:26:24 2016
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Tue, 26 Apr 2016 09:26:24 -0400
Subject: [Freeipa-users] IPA server having cert issues
In-Reply-To: <571F6BF5.9060801@damascusgrp.com>
References: <571F586E.2000302@damascusgrp.com> <571F5B99.4060607@damascusgrp.com> <571F6BF5.9060801@damascusgrp.com>
Message-ID: <571F6C80.8000006@damascusgrp.com>

On our non-CA IPA server, this is happening, in case it's related and illustrative:

# ipa host-del zw113.private.net
ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.
#

On 04/26/2016 09:24 AM, Bret Wortman wrote:
> I rolled the date on the IPA server in question back to April 1 and
> ran "ipa-cacert-manage renew", which said it completed successfully. I
> rolled the date back to current and tried restarting ipa using ipactl
> stop && ipactl start, but no joy. No more ca renewal errors, but right
> after the pause I see this in /var/log/messages:
>
> systemd: kadmin.service: main process exited, code=exited,
> status=2/INVALIDARGUMENT
> systemd: Unit kadmin.service entered failed state.
> systemd: kadmin.service failed.
>
> I rebooted the server just in case, and it's still getting stuck at
> the same place. ipa-otpd doesn't get around to starting.

From gnotrica at candeal.com Tue Apr 26 13:26:39 2016
From: gnotrica at candeal.com (Gady Notrica)
Date: Tue, 26 Apr 2016 13:26:39 +0000
Subject: [Freeipa-users] krb5kdc service not starting
In-Reply-To: <3df3e2c9-4249-8b3f-ddd2-739d9720f9aa@redhat.com>
References: <0984AB34E553F54B8705D776686863E70AC01F50@cd-exchange01.CD-PRD.candeal.ca> <3df3e2c9-4249-8b3f-ddd2-739d9720f9aa@redhat.com>
Message-ID: <0984AB34E553F54B8705D776686863E70AC01FCA@cd-exchange01.CD-PRD.candeal.ca>

Here...

[root@cd-p-ipa1 log]# ipactl status
Directory Service: STOPPED
Directory Service must be running in order to obtain status of other services
ipa: INFO: The ipactl command was successful

[root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-CANDEAL-CA.service -l
● dirsrv@IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.
   Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 30min ago
  Process: 6333 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE)

Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
[root@cd-p-ipa1 log]#

Gady

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Martin Babinsky
Sent: April 26, 2016 9:17 AM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

On 04/26/2016 03:13 PM, Gady Notrica wrote:
> Hello world,
>
> I am having issues this morning with my primary IPA. See below the
> details in the logs and command result. Basically, krb5kdc service not
> starting - krb5kdc: Server error - while fetching master key.
>
> DNS is functioning. See below dig result. I have a trust with Windows AD.
>
> Please help?!

It seems like Directory server is not running. Can you post result of 'ipactl status' and 'systemctl status dirsrv@IPA-CANDEAL-CA.service'?

--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

From harald.dunkel at aixigo.de Tue Apr 26 13:52:38 2016
From: harald.dunkel at aixigo.de (Harald Dunkel)
Date: Tue, 26 Apr 2016 15:52:38 +0200
Subject: [Freeipa-users] ipa -v ping lies about the cert database
In-Reply-To: <5714CE39.9030704@ubuntu.com>
References: <5710DB60.7070508@redhat.com> <57148953.1070904@redhat.com> <5714CE39.9030704@ubuntu.com>
Message-ID: <15ebb4fd-49e1-da66-d0a1-94d13da4e60f@aixigo.de>

Hi Timo,

On 04/18/2016 02:08 PM, Timo Aaltonen wrote:
>
> The old package used to create /etc/pki/nssdb on postinst, but with 644
> permissions so I'm not sure why they have 600 here. 4.1.4 in
> experimental migrated to /etc/ipa/nssdb, and I'm about to upload 4.3.1
> to unstable this week, which should fix this for good.
>

AFAICS there are just a few pending dependencies for 4.3.1 on Jessie. Would you recommend backporting? I already did it for sssd.

Regards
Harri

From BJB at jndata.dk Tue Apr 26 13:59:29 2016
From: BJB at jndata.dk (Bjarne Blichfeldt)
Date: Tue, 26 Apr 2016 13:59:29 +0000
Subject: [Freeipa-users] /var/log/dirsrv/slapd-*/acces: SSL peer cannot verify your certificate
Message-ID: <89213DDB84447F44A8E8950A5C2185E048204D78@SJN01013.jnmain00.corp.jndata.net>

IPA server: RHEL 7.2, ipa ping = "IPA server version 4.2.0. API version 2.156"

In order to use LDAP through a load balancer, I added an alternative DNS name to the IPA server certificate:

ipa-getcert resubmit -i -D newname.differentdomaine.net

It all seemed well: the extra name was entered into the certificate, expiration date 2018-04-27 12:20:55 UTC, and I can access ldaps through the load balancer.
But in /var/log/dirsrv/slapd-*/acces I see a lot of "SSL peer cannot verify your certificate" and cert operations are gone:

idm1:~$ ipa cert-find
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)

Anybody have an idea of what I missed?

Kind regards
Bjarne Blichfeldt
Infrastructure Services
Direct +4563636119
Mobile +4521593270
BJB at jndata.dk

JN Data A/S * Havsteensvej 4 * 4000 Roskilde
Phone 63 63 63 63 / Fax 63 63 63 64
www.jndata.dk

From lkrispen at redhat.com Tue Apr 26 14:01:57 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 26 Apr 2016 16:01:57 +0200
Subject: [Freeipa-users] krb5kdc service not starting
In-Reply-To: <0984AB34E553F54B8705D776686863E70AC01FCA@cd-exchange01.CD-PRD.candeal.ca>
References: <0984AB34E553F54B8705D776686863E70AC01F50@cd-exchange01.CD-PRD.candeal.ca> <3df3e2c9-4249-8b3f-ddd2-739d9720f9aa@redhat.com> <0984AB34E553F54B8705D776686863E70AC01FCA@cd-exchange01.CD-PRD.candeal.ca>
Message-ID: <571F74D5.1070102@redhat.com>

On 04/26/2016 03:26 PM, Gady Notrica wrote:
> Here...
>
> [root at cd-p-ipa1 log]# ipactl status
> Directory Service: STOPPED
> Directory Service must be running in order to obtain status of other services
> ipa: INFO: The ipactl command was successful
>
> [root at cd-p-ipa1 log]# systemctl status dirsrv at IPA-CANDEAL-CA.service -l
> ● dirsrv at IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.
> Loaded: loaded (/usr/lib/systemd/system/dirsrv at .service; enabled; vendor preset: disabled)
> Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 30min ago
> Process: 6333 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE)
>
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.

this says the server doesn't know a syntax oid, but it is a known one. It could be that the syntax plugins couldn't be loaded. There are more errors before, could you check where the errors start in /var/log/dirsrv/slapd-/errors ?
And, did you do any changes to the system before this problem started ?

> [root at cd-p-ipa1 log]#
>
> Gady
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Martin Babinsky
> Sent: April 26, 2016 9:17 AM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
> On 04/26/2016 03:13 PM, Gady Notrica wrote:
>> Hello world,
>>
>> I am having issues this morning with my primary IPA. See below the
>> details in the logs and command result. Basically, krb5kdc service not
>> starting - krb5kdc: Server error - while fetching master key.
>>
>> DNS is functioning. See below dig result. I have a trust with Windows AD.
>>
>> Please help?!
>>
>> [root at cd-ipa1 log]# systemctl status krb5kdc.service -l
>>
>> ● krb5kdc.service - Kerberos 5 KDC
>>
>> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled;
>> vendor preset: disabled)
>>
>> Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52
>> EDT; 41min ago
>>
>> Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
>> $KRB5KDC_ARGS (code=exited, status=1/FAILURE)
>>
>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Starting Kerberos
>> 5 KDC...
>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localkrb5kdc[3694]: krb5kdc: cannot
>> initialize realm IPA.DOMAIN.LOCAL- see log file for details
>>
>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service:
>> control process exited, code=exited status=1
>>
>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Failed to start
>> Kerberos 5 KDC.
>>
>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Unit
>> krb5kdc.service entered failed state.
>>
>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service failed.
>>
>> [root at cd-ipa1 log]#
>>
>> Errors in /var/log/krb5kdc.log
>>
>> krb5kdc: Server error - while fetching master key K/M for realm
>> DOMAIN.LOCAL
>>
>> krb5kdc: Server error - while fetching master key K/M for realm
>> DOMAIN.LOCAL
>>
>> krb5kdc: Server error - while fetching master key K/M for realm
>> DOMAIN.LOCAL
>>
>> [root at cd-ipa1 log]# systemctl status httpd -l
>>
>> ● httpd.service - The Apache HTTP Server
>>
>> Loaded: loaded (/etc/systemd/system/httpd.service; disabled; vendor
>> preset: disabled)
>>
>> Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:21
>> EDT; 39min ago
>>
>> Docs: man:httpd(8)
>>
>> man:apachectl(8)
>>
>> Process: 3594 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy
>> (code=exited, status=1/FAILURE)
>>
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localipa-httpd-kdcproxy[3594]: File
>> "/usr/lib/python2.7/siteackages/ipapython/ipaldap.py", line 1579, in
>> __wait_for_connection
>>
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:
>> wait_for_open_socket(lurl.hostport, timeout)
>>
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:
>> File "/usr/lib/python2.7/siteackages/ipapython/ipautil.py", line 1200,
>> in wait_for_open_socket
>>
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:
>> raise e
>>
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:
>> error: [Errno 2] No such file or directory
>>
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:
>> ipa : ERROR Unknown error while retrieving setting from
>> ldapi://%2fvar%2frun%2fslapd-IPA-CANDEAL-CA.socket: [Errno 2] No such
>> file or directory
>>
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: httpd.service:
>> control process exited, code=exited status=1
>>
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: Failed to start
>> The Apache HTTP Server.
>>
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: Unit httpd.service
>> entered failed state.
>>
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: httpd.service failed.
>>
>> [root at cd-ipa1 log]#
>>
>> DNS Result for dig redhat.com
>>
>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> redhat.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5414
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 2
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;redhat.com. IN A
>>
>> ;; ANSWER SECTION:
>> redhat.com. 60 IN A 209.132.183.105
>>
>> ;; AUTHORITY SECTION:
>> . 849 IN NS f.root-servers.net.
>> . 849 IN NS e.root-servers.net.
>> . 849 IN NS k.root-servers.net.
>> . 849 IN NS m.root-servers.net.
>> . 849 IN NS b.root-servers.net.
>> . 849 IN NS g.root-servers.net.
>> . 849 IN NS c.root-servers.net.
>> . 849 IN NS h.root-servers.net.
>> . 849 IN NS l.root-servers.net.
>> . 849 IN NS a.root-servers.net.
>> . 849 IN NS j.root-servers.net.
>> . 849 IN NS i.root-servers.net.
>> . 849 IN NS d.root-servers.net.
>>
>> ;; ADDITIONAL SECTION:
>> j.root-servers.net. 3246 IN A 192.58.128.30
>>
>> ;; Query time: 79 msec
>> ;; SERVER: 10.20.10.41#53(10.20.10.41)
>> ;; WHEN: Tue Apr 26 09:02:43 EDT 2016
>> ;; MSG SIZE rcvd: 282
>>
>> Gady
>>
>
> It seems like Directory server is not running. Can you post result of 'ipactl status' and 'systemctl status dirsrv at IPA-CANDEAL-CA.service'?
>
> --
> Martin^3 Babinsky
>

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill

From gnotrica at candeal.com Tue Apr 26 14:10:25 2016
From: gnotrica at candeal.com (Gady Notrica)
Date: Tue, 26 Apr 2016 14:10:25 +0000
Subject: [Freeipa-users] krb5kdc service not starting
In-Reply-To: <571F74D5.1070102@redhat.com>
References: <0984AB34E553F54B8705D776686863E70AC01F50@cd-exchange01.CD-PRD.candeal.ca> <3df3e2c9-4249-8b3f-ddd2-739d9720f9aa@redhat.com> <0984AB34E553F54B8705D776686863E70AC01FCA@cd-exchange01.CD-PRD.candeal.ca> <571F74D5.1070102@redhat.com>
Message-ID: <0984AB34E553F54B8705D776686863E70AC021BC@cd-exchange01.CD-PRD.candeal.ca>

No, no changes. Lost connectivity with my VMs during the night (networking issues in datacenter). Rebooted the server and oops, no IPA is coming up... The replica (secondary server) is fine though.

Gady Notrica

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz
Sent: April 26, 2016 10:02 AM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

On 04/26/2016 03:26 PM, Gady Notrica wrote:
> Here...
>
> [root at cd-p-ipa1 log]# ipactl status
> Directory Service: STOPPED
> Directory Service must be running in order to obtain status of other services
> ipa: INFO: The ipactl command was successful
>
> [root at cd-p-ipa1 log]# systemctl status dirsrv at IPA-CANDEAL-CA.service -l
> ● dirsrv at IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.
> Loaded: loaded (/usr/lib/systemd/system/dirsrv at .service; enabled; vendor preset: disabled)
> Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 30min ago
> Process: 6333 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE)
>
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.

this says the server doesn't know a syntax oid, but it is a known one. It could be that the syntax plugins couldn't be loaded. There are more errors before, could you check where the errors start in /var/log/dirsrv/slapd-/errors ?
And, did you do any changes to the system before this problem started ?

> [root at cd-p-ipa1 log]#
>
> Gady
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Martin Babinsky
> Sent: April 26, 2016 9:17 AM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
> On 04/26/2016 03:13 PM, Gady Notrica wrote:
>> Hello world,
>>
>> I am having issues this morning with my primary IPA. See below the
>> details in the logs and command result. Basically, krb5kdc service
>> not starting - krb5kdc: Server error - while fetching master key.
>>
>> DNS is functioning. See below dig result. I have a trust with Windows AD.
>>
>> Please help?!
>>
>> [root at cd-ipa1 log]# systemctl status krb5kdc.service -l
>>
>> ● krb5kdc.service - Kerberos 5 KDC
>>
>> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service;
>> disabled; vendor preset: disabled)
>>
>> Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52
>> EDT; 41min ago
>>
>> Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
>> $KRB5KDC_ARGS (code=exited, status=1/FAILURE)
>>
>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Starting Kerberos
>> 5 KDC...
>>
>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localkrb5kdc[3694]: krb5kdc:
>> cannot initialize realm IPA.DOMAIN.LOCAL- see log file for details
>>
>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service:
>> control process exited, code=exited status=1
>>
>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Failed to start
>> Kerberos 5 KDC.
>>
>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Unit
>> krb5kdc.service entered failed state.
>>
>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service failed.
>>
>> [root at cd-ipa1 log]#
>>
>> Errors in /var/log/krb5kdc.log
>>
>> krb5kdc: Server error - while fetching master key K/M for realm
>> DOMAIN.LOCAL
>>
>> krb5kdc: Server error - while fetching master key K/M for realm
>> DOMAIN.LOCAL
>>
>> krb5kdc: Server error - while fetching master key K/M for realm
>> DOMAIN.LOCAL
>>
>> [root at cd-ipa1 log]# systemctl status httpd -l
>>
>> ● httpd.service - The Apache HTTP Server
>>
>> Loaded: loaded (/etc/systemd/system/httpd.service; disabled;
>> vendor preset: disabled)
>>
>> Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:21
>> EDT; 39min ago
>>
>> Docs: man:httpd(8)
>>
>> man:apachectl(8)
>>
>> Process: 3594 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy
>> (code=exited, status=1/FAILURE)
>>
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localipa-httpd-kdcproxy[3594]:
>> File "/usr/lib/python2.7/siteackages/ipapython/ipaldap.py", line
>> 1579, in __wait_for_connection
>>
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:
>> wait_for_open_socket(lurl.hostport, timeout)
>>
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:
>> File "/usr/lib/python2.7/siteackages/ipapython/ipautil.py", line
>> 1200, in wait_for_open_socket
>>
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:
>> raise e
>>
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:
>> error: [Errno 2] No such file or directory
>>
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:
>> ipa : ERROR Unknown error while retrieving setting from
>> ldapi://%2fvar%2frun%2fslapd-IPA-CANDEAL-CA.socket: [Errno 2] No such
>> file or directory
>>
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: httpd.service:
>> control process exited, code=exited status=1
>>
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: Failed to start
>> The Apache HTTP Server.
>>
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: Unit
>> httpd.service entered failed state.
>>
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: httpd.service failed.
>>
>> [root at cd-ipa1 log]#
>>
>> DNS Result for dig redhat.com
>>
>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> redhat.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5414
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 2
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;redhat.com. IN A
>>
>> ;; ANSWER SECTION:
>> redhat.com. 60 IN A 209.132.183.105
>>
>> ;; AUTHORITY SECTION:
>> . 849 IN NS f.root-servers.net.
>> . 849 IN NS e.root-servers.net.
>> . 849 IN NS k.root-servers.net.
>> . 849 IN NS m.root-servers.net.
>> . 849 IN NS b.root-servers.net.
>> . 849 IN NS g.root-servers.net.
>> . 849 IN NS c.root-servers.net.
>> . 849 IN NS h.root-servers.net.
>> . 849 IN NS l.root-servers.net.
>> . 849 IN NS a.root-servers.net.
>> . 849 IN NS j.root-servers.net.
>> . 849 IN NS i.root-servers.net.
>> . 849 IN NS d.root-servers.net.
>>
>> ;; ADDITIONAL SECTION:
>> j.root-servers.net. 3246 IN A 192.58.128.30
>>
>> ;; Query time: 79 msec
>> ;; SERVER: 10.20.10.41#53(10.20.10.41)
>> ;; WHEN: Tue Apr 26 09:02:43 EDT 2016
>> ;; MSG SIZE rcvd: 282
>>
>> Gady
>>
>
> It seems like Directory server is not running. Can you post result of 'ipactl status' and 'systemctl status dirsrv at IPA-CANDEAL-CA.service'?
>
> --
> Martin^3 Babinsky
>

From abokovoy at redhat.com Tue Apr 26 15:04:20 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 26 Apr 2016 18:04:20 +0300
Subject: [Freeipa-users] SAN with IP address [Was: Re: How to remove bad cert renewal from certmonger?]
In-Reply-To: <571F6987.2050906@nokia.com>
References: <571A9526.4050708@nokia.com> <571AA45A.9080808@redhat.com> <571E2C70.7080508@nokia.com> <571E2F5C.1060803@redhat.com> <20160425150504.7yjievq6xvo62ry7@redhat.com> <571F6987.2050906@nokia.com>
Message-ID: <20160426150420.aktf5c3dvft5kj67@redhat.com>

On Tue, 26 Apr 2016, Tikkanen, Tuomo (Nokia - FI/Espoo) wrote:
>On 25.4.2016 18:05, EXT Alexander Bokovoy wrote:
>>On Mon, 25 Apr 2016, Rob Crittenden wrote:
>-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----
>........
>-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----
>>>
>>>It is denied by IPA, not certmonger.
>>>
>>>IP addresses are frowned upon in certs in general and they are denied
>>>by IPA because the access control would be really difficult. Today a
>>>host must be granted access to issue certs with additional names in it.
>>>
>>>You can open a RFE for this on the IPA trac if you really need it.
>>>
>>>I'm not deeply familiar with the new profile support so perhaps it is
>>>possible to do this using the latest version of IPA, I'm not sure.
>>Correct and no, it is not right now.
>>Certificate profile defines what CA considers possible to grant when
>>issuing a cert. CA doesn't have contextual logic -- that would be
>>provided by an agent approving the cert. IPA framework is sitting in
>>front of CA to put the context in place and could be considered such an
>>agent, so we have logic to cross-check the request for fields that would
>>be conflicting with IPA access controls.
>>
>>As it happens now, IPA framework disallows IP addresses. Adding support
>>for that would need to get proper logic in place to decide which
>>address spaces to allow being managed by a requesting party -- a host
>>in your case as certmonger asks for the cert on behalf of the host. We
>>don't have any system in place for that.
>>
>Because I am not an expert on IPA / cert-business I might
>over-simplify the case.
>
>To me, letting an IP address of a related FQDN be added to the SAN would be
>quite a simple case. When I am requesting a cert for ipa2.public.domain
>and ipa2.management.domain and want to have their IPs in the SAN
>extension of the cert as well, the logic would be something like: IPA
>framework checks that the related FQDNs and their DNS information are in
>place in IPA => allow

We don't have for a general case any means to rely on the IP address <-> host name mapping. For cases where there is a DNS zone managed by IPA we might add logic, I agree, but not in general unless there is DNSSEC in place -- because with DNSSEC we could at least be able to verify signatures on the records to see if we could trust the data.

>There probably are much more complicated cases though. I understand
>that to create a huge number of exceptions for all the possible cases
>would be mission impossible. Thus it would be nice if there were a
>possibility for the ipa admin to create this kind of rule to allow local
>exceptions -- even frowned ones.
>
>In my original email I promised not to go into details why I'd need the
>feature, but here we go...
>
>In our case the IP in SAN would be needed because our lab has its own
>DNS space that is not published to the intranet side. However there are
>situations when a user needs / wants to connect to certain web services in
>the lab also from the intranet (to change his password on IPA for example). In
>such cases he has to give a URL with an IP address, but browsers tell that
>the certificate is invalid because the cert is only valid for the FQDN.
>
>Naturally it is possible to create an exception in the browser or add an
>/etc/hosts entry for the FQDN on the intranet computer. However to me IP in SAN
>would be a much more elegant and clean solution.

I understand your pain. You can file a ticket with a feature request for that use case.

--
/ Alexander Bokovoy

From tjaalton at ubuntu.com Tue Apr 26 15:29:35 2016
From: tjaalton at ubuntu.com (Timo Aaltonen)
Date: Tue, 26 Apr 2016 18:29:35 +0300
Subject: [Freeipa-users] ipa -v ping lies about the cert database
In-Reply-To: <15ebb4fd-49e1-da66-d0a1-94d13da4e60f@aixigo.de>
References: <5710DB60.7070508@redhat.com> <57148953.1070904@redhat.com> <5714CE39.9030704@ubuntu.com> <15ebb4fd-49e1-da66-d0a1-94d13da4e60f@aixigo.de>
Message-ID: <571F895F.3060108@ubuntu.com>

26.04.2016, 16:52, Harald Dunkel wrote:
> Hi Timo,
>
> On 04/18/2016 02:08 PM, Timo Aaltonen wrote:
>>
>> The old package used to create /etc/pki/nssdb on postinst, but with 644
>> permissions so I'm not sure why they have 600 here. 4.1.4 in
>> experimental migrated to /etc/ipa/nssdb, and I'm about to upload 4.3.1
>> to unstable this week, which should fix this for good.
>>
>
> AFAICS there are just a few pending dependencies for 4.3.1
> on Jessie. Would you recommend to backport? I already did
> it for sssd.

I guess 4.3.1 would need to be in sid first, and it just got rejected because of the minified javascript (bug #787593). Don't know when that'll get fixed.
--
t

From pvoborni at redhat.com Tue Apr 26 15:46:26 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 26 Apr 2016 17:46:26 +0200
Subject: [Freeipa-users] IPA server having cert issues
In-Reply-To: <571F6C80.8000006@damascusgrp.com>
References: <571F586E.2000302@damascusgrp.com> <571F5B99.4060607@damascusgrp.com> <571F6BF5.9060801@damascusgrp.com> <571F6C80.8000006@damascusgrp.com>
Message-ID: <7c9ac60d-f182-cb92-bf53-85359e5c5b81@redhat.com>

On 04/26/2016 03:26 PM, Bret Wortman wrote:
> On our non-CA IPA server, this is happening, in case it's related and illustrative:
>
> # ipa host-del zw113.private.net
> ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
> certificate/key database is in an old, unsupported format.
> #

I would start with checking on all IPA servers if and what certificates are expired:

# getcert list

or short version to check if there are any:

# getcert list | grep expires

When CA cert is renewed, it is not automatically transferred to clients. There one must run:

# ipa-certupdate

>
> On 04/26/2016 09:24 AM, Bret Wortman wrote:
>> I rolled the date on the IPA server in question back to April 1 and ran
>> "ipa-cacert-manage renew", which said it completed successfully. I rolled the
>> date back to current and tried restarting ipa using ipactl stop && ipactl
>> start, but no joy. No more ca renewal errors, but right after the pause I see
>> this in /var/log/messages:
>>
>> systemd: kadmin.service: main process exited, code=exited,
>> status=2/INVALIDARGUMENT
>> systemd: Unit kadmin.service entered failed state.
>> systemd: kadmin.service failed.
>>
>> I rebooted the server just in case, and it's still getting stuck at the same
>> place. ipa-otpd doesn't get around to starting.
>>
>> Bret
>>
>> After the several-minutes-long pause after ipactl start outputs "Starting
>> pki-tomcatd Service", I get the
>>
>> On 04/26/2016 08:14 AM, Bret Wortman wrote:
>>> I have an IPA server on a private network which has apparently run into
>>> certificate issues this morning. It's been running without issue for quite a
>>> while, and is on 4.1.4-1 on fedora 21.
>>>
>>> This morning, the gui started giving:
>>>
>>> IPA Error 907: NetworkError with description "cannot connect to
>>> 'https://zsipa.private.net:443/ca/agent/ca/displayBySerial':
>>> (SSL_ERROR_EXPIRED_CERRT_ALERT) SSL peer rejected your certificate as expired."
>>>
>>> I dug into the logs and after trying to restart ipa using ipactl, there was a
>>> lengthy pause, then:
>>>
>>> dogtag-ipa-ca-renew-agent-submit: Updated certificate not available
>>> certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in
>>> database "/etc/httpd/alias" is no longer valid.
>>> dogtag-ipa-ca-renew-agent-submit: Updated certificate not available
>>> certmonger: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS
>>> Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
>>> dogtag-ipa-ca-renew-agent-submit: Updated certificate not available.
>>> named-pkcs11[3437]: client 192.168.208.205#57832: update
>>> '208.168.192.in-addr.arpa/IN' denied
>>>
>>> and then things start shutting down. I can't start ipa at all using ipactl.
>>>
>>> So at present, our DNS is down. Authentication should work for a while, but
>>> I'd like to get this working again as quickly as possible. Any ideas? I deal
>>> with certificates so infrequently (like only when something like this
>>> happens) that I'm not sure where to start.
>>>
>>> Thanks!
>>>
>>> --
>>> *Bret Wortman*
>>> /Coming soon to Kickstarter.../
>>>
>>> http://wrapbuddies.co/
>>>

--
Petr Vobornik

From bret.wortman at damascusgrp.com Tue Apr 26 16:00:18 2016
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Tue, 26 Apr 2016 12:00:18 -0400
Subject: [Freeipa-users] IPA server having cert issues
In-Reply-To: <7c9ac60d-f182-cb92-bf53-85359e5c5b81@redhat.com>
References: <571F586E.2000302@damascusgrp.com> <571F5B99.4060607@damascusgrp.com> <571F6BF5.9060801@damascusgrp.com> <571F6C80.8000006@damascusgrp.com> <7c9ac60d-f182-cb92-bf53-85359e5c5b81@redhat.com>
Message-ID: <571F9092.7060204@damascusgrp.com>

# getcert list | grep expires
expires: 2018-04-02 13:04:51 UTC
expires: 2018-04-02 13:04:31 UTC
expires: unknown
expires: 2016-04-17 18:19:19 UTC
expires: 2016-04-17 18:19:18 UTC
expires: 2016-04-17 18:19:19 UTC
expires: 2016-04-01 20:16:39 UTC
expires: 2016-04-17 18:19:35 UTC
expires: 2016-03-11 13:04:29 UTC
expires: unknown
#

So some got updated and most didn't. Is there a recommended way to update these all? The system is still backdated to 3 April (ntpd disabled) at this point.

Bret

On 04/26/2016 11:46 AM, Petr Vobornik wrote:
> On 04/26/2016 03:26 PM, Bret Wortman wrote:
>> On our non-CA IPA server, this is happening, in case it's related and illustrative:
>>
>> # ipa host-del zw113.private.net
>> ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
>> certificate/key database is in an old, unsupported format.
>> #
> I would start with checking on all IPA servers if and what certificates
> are expired:
> # getcert list
> or short version to check if there are any:
> # getcert list | grep expires
>
> When CA cert is renewed, it is not automatically transferred to clients.
> There one must run:
> # ipa-certupdate
>
>> On 04/26/2016 09:24 AM, Bret Wortman wrote:
>>> I rolled the date on the IPA server in question back to April 1 and ran
>>> "ipa-cacert-manage renew", which said it completed successfully. I rolled the
>>> date back to current and tried restarting ipa using ipactl stop && ipactl
>>> start, but no joy. No more ca renewal errors, but right after the pause I see
>>> this in /var/log/messages:
>>>
>>> systemd: kadmin.service: main process exited, code=exited,
>>> status=2/INVALIDARGUMENT
>>> systemd: Unit kadmin.service entered failed state.
>>> systemd: kadmin.service failed.
>>>
>>> I rebooted the server just in case, and it's still getting stuck at the same
>>> place. ipa-otpd doesn't get around to starting.
>>>
>>> Bret
>>>
>>> After the several-minutes-long pause after ipactl start outputs "Starting
>>> pki-tomcatd Service", I get the
>>>
>>> On 04/26/2016 08:14 AM, Bret Wortman wrote:
>>>> I have an IPA server on a private network which has apparently run into
>>>> certificate issues this morning. It's been running without issue for quite a
>>>> while, and is on 4.1.4-1 on fedora 21.
>>>>
>>>> This morning, the gui started giving:
>>>>
>>>> IPA Error 907: NetworkError with description "cannot connect to
>>>> 'https://zsipa.private.net:443/ca/agent/ca/displayBySerial':
>>>> (SSL_ERROR_EXPIRED_CERRT_ALERT) SSL peer rejected your certificate as expired."
>>>>
>>>> I dug into the logs and after trying to restart ipa using ipactl, there was a
>>>> lengthy pause, then:
>>>>
>>>> dogtag-ipa-ca-renew-agent-submit: Updated certificate not available
>>>> certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in
>>>> database "/etc/httpd/alias" is no longer valid.
>>>> dogtag-ipa-ca-renew-agent-submit: Updated certificate not available
>>>> certmonger: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS
>>>> Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
>>>> dogtag-ipa-ca-renew-agent-submit: Updated certificate not available.
>>>> named-pkcs11[3437]: client 192.168.208.205#57832: update
>>>> '208.168.192.in-addr.arpa/IN' denied
>>>>
>>>> and then things start shutting down. I can't start ipa at all using ipactl.
>>>>
>>>> So at present, our DNS is down. Authentication should work for a while, but
>>>> I'd like to get this working again as quickly as possible. Any ideas? I deal
>>>> with certificates so infrequently (like only when something like this
>>>> happens) that I'm not sure where to start.
>>>>
>>>> Thanks!
>>>>
>>>> --
>>>> *Bret Wortman*
>>>> /Coming soon to Kickstarter.../
>>>>
>>>> http://wrapbuddies.co/
>>>>

From pvoborni at redhat.com Tue Apr 26 16:40:27 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 26 Apr 2016 18:40:27 +0200
Subject: [Freeipa-users] IPA server having cert issues
In-Reply-To: <571F9092.7060204@damascusgrp.com>
References: <571F586E.2000302@damascusgrp.com> <571F5B99.4060607@damascusgrp.com> <571F6BF5.9060801@damascusgrp.com> <571F6C80.8000006@damascusgrp.com> <7c9ac60d-f182-cb92-bf53-85359e5c5b81@redhat.com> <571F9092.7060204@damascusgrp.com>
Message-ID:

On 04/26/2016 06:00 PM, Bret Wortman wrote:
> # getcert list | grep expires
> expires: 2018-04-02 13:04:51 UTC
> expires: 2018-04-02 13:04:31 UTC
> expires: unknown
> expires: 2016-04-17 18:19:19 UTC
> expires: 2016-04-17 18:19:18 UTC
> expires: 2016-04-17 18:19:19 UTC
> expires: 2016-04-01 20:16:39 UTC
> expires: 2016-04-17 18:19:35 UTC
> expires: 2016-03-11 13:04:29 UTC
> expires: unknown
> #
>
> So some got updated and most didn't. Is there a recommended way to update these
> all? The system is still backdated to 3 April (ntpd disabled) at this point.

It's usually good to start renewing (when it doesn't happen automatically for some reason) with the cert which is about to expire first, i.e. the one with "2016-03-11 13:04:29".

The process is:
- move the date before the cert is about to expire
- leave it up to certmonger or manually force resubmit by `getcert resubmit -i $REQUEST_ID`, where the request ID is in `getcert list` output.
I'm little worried about the fact that CA cert was renewed at date which is after expiration of the other certs. Also the `expires: unknown` doesn't look good. Check `getcert list` output for errors related to the cert. > > > Bret > > > On 04/26/2016 11:46 AM, Petr Vobornik wrote: >> On 04/26/2016 03:26 PM, Bret Wortman wrote: >>> On our non-CA IPA server, this is happening, in case it's related and illustrative: >>> >>> # ipa host-del zw113.private.net >>> ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The >>> certificate/key database is in an old, unsupported format. >>> # >> I would start with checking on all IPA servers if and what certificates >> are expired: >> # getcert list >> or short version to check if there are any: >> # getcert list | grep expires >> >> When CA cert is renewed, it is not automatically transfered to clients. >> There one must run: >> # ipa-certupdate >> >>> On 04/26/2016 09:24 AM, Bret Wortman wrote: >>>> I rolled the date on the IPA server in question back to April 1 and ran >>>> "ipa-cacert-manage renew", which said it completed successfully. I rolled the >>>> date back to current and tried restarting ipa using ipactl stop && ipactl >>>> start, but no joy. No more ca renewal errors, but right after the pause I see >>>> this in /var/log/messages: >>>> >>>> systemd: kadmin.service: main process exited, code=exited, >>>> status=2/INVALIDARGUMENT >>>> systemd: Unit kadmin.service entered failed state. >>>> systemd: kadmin.service failed. >>>> >>>> I rebooted the server just in case, and it's still getting stuck at the same >>>> place. ipa-otpd doesn't get around to starting. >>>> >>>> >>>> Bret >>>> >>>> After the several-minutes-long pause after ipactl start outputs "Starting >>>> pki-tomcatd Service", I get the >>>> >>>> On 04/26/2016 08:14 AM, Bret Wortman wrote: >>>>> I have an IPA server on a private network which has apparently run into >>>>> certificate issues this morning. 
It's been running without issue for quite a >>>>> while, and is on 4.1.4-1 on fedora 21. >>>>> >>>>> This morning, the gui started giving: >>>>> >>>>> IPA Error 907: NetworkError with description "cannot connect to >>>>> 'https://zsipa.private.net:443/ca/agent/ca/displayBySerial': >>>>> (SSL_ERROR_EXPIRED_CERRT_ALERT) SSL peer rejected your certificate as expired." >>>>> >>>>> I dug into the logs and after trying to restart ipa using ipactl, there was a >>>>> length pause, then: >>>>> >>>>> dogtag-ipa-ca-renew-agent-submit: Updated certificate not available >>>>> certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in >>>>> database "/etc/httpd/alias" is no longer valid. >>>>> dogtag-ipa-ca-renew-agent-submit: Updated certificate not available >>>>> certmonger: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS >>>>> Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid. >>>>> dogtag-ipa-ca-renew-agent-submit: Updated certificate not available. >>>>> named-pkcs11[3437]: client 192.168.208.205#57832: update >>>>> '208.168.192.in-addr.arpa/IN' denied >>>>> >>>>> and then things start shutting down. I can't start ipa at all using ipactl. >>>>> >>>>> So at present, our DNS is down. Authentication should work for a while, but >>>>> I'd like to get this working again as quickly as possible. Any ideas? I deal >>>>> with certificates so infrequently (like only when something like this >>>>> happens) that I'm not sure where to start. >>>>> >>>>> Thanks! 
>>>>> >>>>> >>>>> -- >>>>> *Bret Wortman* >>>>> /Coming soon to Kickstarter.../ >>>>> >>>>> http://wrapbuddies.co/ >>>>> > -- Petr Vobornik From bret.wortman at damascusgrp.com Tue Apr 26 16:57:40 2016 From: bret.wortman at damascusgrp.com (Bret Wortman) Date: Tue, 26 Apr 2016 12:57:40 -0400 Subject: [Freeipa-users] IPA server having cert issues In-Reply-To: References: <571F586E.2000302@damascusgrp.com> <571F5B99.4060607@damascusgrp.com> <571F6BF5.9060801@damascusgrp.com> <571F6C80.8000006@damascusgrp.com> <7c9ac60d-f182-cb92-bf53-85359e5c5b81@redhat.com> <571F9092.7060204@damascusgrp.com> Message-ID: <571F9E04.2050400@damascusgrp.com> I think I've found a deeper problem, in that I can't update these because IPA simply won't start at all now. I mistyped one of these -- the 2016-03-11 is actually 2018-03-11, and 2016-04-01 is actually 2036-04-01. As for the unknowns, the first says status: CA_REJECTED and the error says "hostname in subject of request 'zw198.private.net' does not match principal hostname 'private.net'", with stuck: yes. The second is similar, but for a different host. No idea what's wrong with the rest, or why nothing will start. Near as I can tell, Kerberos is failing to start, which is causing everything else to go toes up. Early in the startup, in /var/log/messages, there's: ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available) After that, I get a jar file read pboelm on log4j.jar, then a series of property setting attempts that don't find matching properties. Then some cipher errors, then it looks like named starts up okay, and everything pauses for about 5 minutes before it all comes crashing back down. 
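An added example, not code from this thread or from FreeIPA, that turns the two pieces of advice above into a check a defender can run over `getcert list` output: Petr's order (renew the earliest-expiring cert first, with the clock rolled back, via `getcert resubmit -i`) and the CA_REJECTED / `expires: unknown` entries that need attention before certmonger can help. The sample output is constructed from values quoted in this thread, and the names `parse_getcert_list`, `plan_renewal` and `expired_at` are mine.

```python
"""Rank certmonger-tracked certificates for manual renewal. Added example, not
code from this thread or from FreeIPA: parses `getcert list` text and applies
Petr's order, earliest expiry first, minus requests resubmit alone cannot fix."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample, abbreviated from the output quoted in this thread.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 5.
Request ID '20140428181940':
    status: MONITORING
    stuck: no
    expires: 2018-04-02 13:04:51 UTC
Request ID '20150211141945':
    status: CA_REJECTED
    ca-error: Server at https://zsipa.private.net/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: hostname in subject of request 'zw198.private.net' does not match principal hostname 'private.net').
    stuck: yes
    expires: unknown
Request ID '20150816194108':
    status: CA_UNREACHABLE
    ca-error: Internal error
    stuck: no
    expires: 2016-04-17 18:19:18 UTC
Request ID '20150816194110':
    status: MONITORING
    stuck: no
    expires: 2036-04-01 20:16:39 UTC
Request ID '20150816194111':
    status: CA_UNREACHABLE
    ca-error: Internal error
    stuck: no
    expires: 2016-04-17 18:19:35 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
MISMATCH_RE = re.compile(r"hostname in subject of request '([^']+)' does not "
                         r"match principal hostname '([^']+)'")


def parse_expiry(raw: str) -> datetime | None:
    """An 'expires:' value as getcert prints it; 'unknown' becomes None."""
    if raw == "unknown":
        return None
    return datetime.strptime(raw, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


@dataclass
class TrackedCert:
    request_id: str
    fields: dict[str, str] = field(default_factory=dict)  # indented key: value lines

    @property
    def stuck(self) -> bool:
        return self.fields.get("stuck") == "yes"

    @property
    def expires(self) -> datetime | None:
        return parse_expiry(self.fields.get("expires", "unknown"))


def parse_getcert_list(text: str) -> list[TrackedCert]:
    """One TrackedCert per "Request ID '...':" block; indented lines are key: value."""
    certs: list[TrackedCert] = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            certs.append(TrackedCert(m.group(1)))
        elif certs and line[:1].isspace() and ":" in line:
            key, _, value = line.strip().partition(":")
            certs[-1].fields[key] = value.strip()
    return certs


def plan_renewal(certs: list[TrackedCert]) -> tuple[list[str], list[tuple[str, str]]]:
    """Return (resubmit_order, blocked): IDs to resubmit earliest expiry first, and
    (ID, reason) pairs needing a fix first: CA_REJECTED/stuck (e.g. the subject vs
    principal hostname mismatch the IPA CA refuses, per Rob) or unknown expiry."""
    renewable, blocked = [], []
    for c in certs:
        status = c.fields.get("status", "")
        if status == "CA_REJECTED" or c.stuck:
            m = MISMATCH_RE.search(c.fields.get("ca-error", ""))
            reason = (f"subject host '{m.group(1)}' is not principal host '{m.group(2)}'"
                      if m else f"{status}, stuck={c.stuck}")
            blocked.append((c.request_id, reason))
        elif c.expires is None:
            blocked.append((c.request_id, "expiry unknown"))
        else:
            renewable.append(c)
    renewable.sort(key=lambda c: c.expires)
    return [c.request_id for c in renewable], blocked


def expired_at(certs: list[TrackedCert], clock: str) -> list[str]:
    """IDs already past expiry when the clock reads `clock` (getcert date format)."""
    when = parse_expiry(clock)
    return [c.request_id for c in certs if c.expires is not None and c.expires <= when]
```

Run against the real output with `getcert list | python3 -c 'import sys; ...'` style piping, the two lists are the resubmit order and the entries to inspect by hand; `expired_at` with today's date shows why the clock must be rolled back first.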
Bret

On 04/26/2016 12:40 PM, Petr Vobornik wrote:
> It's usually good to start renewing (when it doesn't happen automatically
> for some reason) with the cert which is about to expire first, i.e.
> the one with "2016-03-11 13:04:29"
>
> The process is:
> - move date before the cert is about to expire
> - leave it up to certmonger or manually force resubmit by `getcert
> resubmit -i $REQUEST_ID`, where request ID is in `getcert list` output.
>
> I'm a little worried about the fact that CA cert was renewed at date which
> is after expiration of the other certs.
>
> Also the `expires: unknown` doesn't look good. Check `getcert list`
> output for errors related to the cert.

From bret.wortman at damascusgrp.com Tue Apr 26 17:32:33 2016
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Tue, 26 Apr 2016 13:32:33 -0400
Subject: [Freeipa-users] IPA server having cert issues
In-Reply-To: <571F9E04.2050400@damascusgrp.com>
References: <571F586E.2000302@damascusgrp.com> <571F5B99.4060607@damascusgrp.com> <571F6BF5.9060801@damascusgrp.com> <571F6C80.8000006@damascusgrp.com> <7c9ac60d-f182-cb92-bf53-85359e5c5b81@redhat.com> <571F9092.7060204@damascusgrp.com> <571F9E04.2050400@damascusgrp.com>
Message-ID: <571FA631.1040500@damascusgrp.com>

I should also note that /var/log/dirsrv/slapd-PRIVATE-NET/errors ends with a series of "csngen_new_csn - Warning: too much time skew (-2153860 secs). Current seqnum=1" errors.

On 04/26/2016 12:57 PM, Bret Wortman wrote:
> I think I've found a deeper problem, in that I can't update these
> because IPA simply won't start at all now.
>
> I mistyped one of these -- the 2016-03-11 is actually 2018-03-11, and
> 2016-04-01 is actually 2036-04-01.
>
> As for the unknowns, the first says status: CA_REJECTED and the error
> says "hostname in subject of request 'zw198.private.net' does not
> match principal hostname 'private.net'", with stuck: yes.
>
> The second is similar, but for a different host.
>
> No idea what's wrong with the rest, or why nothing will start. Near as
> I can tell, Kerberos is failing to start, which is causing everything
> else to go toes up.
>
> Early in the startup, in /var/log/messages, there's:
>
> ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may
> provide more information (No Kerberos credentials available)
>
> After that, I get a jar file read problem on log4j.jar, then a series
> of property setting attempts that don't find matching properties. Then
> some cipher errors, then it looks like named starts up okay, and
> everything pauses for about 5 minutes before it all comes crashing
> back down.
>
> Bret
From rcritten at redhat.com Tue Apr 26 17:45:40 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 26 Apr 2016 12:45:40 -0500
Subject: [Freeipa-users] IPA server having cert issues
In-Reply-To: <571F9E04.2050400@damascusgrp.com>
References: <571F586E.2000302@damascusgrp.com> <571F5B99.4060607@damascusgrp.com> <571F6BF5.9060801@damascusgrp.com> <571F6C80.8000006@damascusgrp.com> <7c9ac60d-f182-cb92-bf53-85359e5c5b81@redhat.com> <571F9092.7060204@damascusgrp.com> <571F9E04.2050400@damascusgrp.com>
Message-ID: <571FA944.8040003@redhat.com>

Bret Wortman wrote:
> I think I've found a deeper problem, in that I can't update these
> because IPA simply won't start at all now.
>
> I mistyped one of these -- the 2016-03-11 is actually 2018-03-11, and
> 2016-04-01 is actually 2036-04-01.
>
> As for the unknowns, the first says status: CA_REJECTED and the error
> says "hostname in subject of request 'zw198.private.net' does not match
> principal hostname 'private.net'", with stuck: yes.
>
> The second is similar, but for a different host.

Is it really a different host and why? I think we'd need to see the full output to know what's going on.

A given host can only get certificates for itself or those delegated to it. Hostnames are used for this enforcement so if they don't line up you'll see this type of rejection.

> No idea what's wrong with the rest, or why nothing will start. Near as I
> can tell, Kerberos is failing to start, which is causing everything else
> to go toes up.
>
> Early in the startup, in /var/log/messages, there's:
>
> ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide
> more information (No Kerberos credentials available)

Without more context it's hard to say. 389 is rather chatty about things and of course when it starts it has no ticket so it logs a bunch of stuff, eventually (hopefully) gets one, and then shuts up.

> After that, I get a jar file read problem on log4j.jar, then a series of
> property setting attempts that don't find matching properties. Then some
> cipher errors, then it looks like named starts up okay, and everything
> pauses for about 5 minutes before it all comes crashing back down.

I wouldn't get too hung up on particular services just yet. Without valid certs things will fail and those problems will cascade. I think we just need more details at this point.

rob

> Bret
From bret.wortman at damascusgrp.com Tue Apr 26 18:06:20 2016
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Tue, 26 Apr 2016 14:06:20 -0400
Subject: [Freeipa-users] IPA server having cert issues
In-Reply-To: <571FA944.8040003@redhat.com>
References: <571F586E.2000302@damascusgrp.com> <571F5B99.4060607@damascusgrp.com> <571F6BF5.9060801@damascusgrp.com> <571F6C80.8000006@damascusgrp.com> <7c9ac60d-f182-cb92-bf53-85359e5c5b81@redhat.com> <571F9092.7060204@damascusgrp.com> <571F9E04.2050400@damascusgrp.com> <571FA944.8040003@redhat.com>
Message-ID: <571FAE1C.107@damascusgrp.com>

On 04/26/2016 01:45 PM, Rob Crittenden wrote:
> Bret Wortman wrote:
>> I think I've found a deeper problem, in that I can't update these
>> because IPA simply won't start at all now.
>>
>> I mistyped one of these -- the 2016-03-11 is actually 2018-03-11, and
>> 2016-04-01 is actually 2036-04-01.
>>
>> As for the unknowns, the first says status: CA_REJECTED and the error
>> says "hostname in subject of request 'zw198.private.net' does not match
>> principal hostname 'private.net'", with stuck: yes.
>>
>> The second is similar, but for a different host.
>
> Is it really a different host and why? I think we'd need to see the
> full output to know what's going on.

Full output:

Number of certificates and requests being tracked: 10.
Request ID '20140428181940':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PRIVATE-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PRIVATE-NET/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PRIVATE-NET',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=PRIVATE.NET
    subject: CN=zsipa.private.net,O=PRIVATE.NET
    expires: 2018-04-02 13:04:51 UTC
    principal name: ldap/zsipa.private.net@PRIVATE.NET
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20140428182016':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=PRIVATE.NET
    subject: CN=zsipa.private.net,O=PRIVATE.NET
    expires: 2018-04-02 13:04:31 UTC
    principal name: HTTP/zsipa.private.net@PRIVATE.NET
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20150211141945':
    status: CA_REJECTED
    ca-error: Server at https://zsipa.private.net/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: hostname in subject of request 'zw198.private.net' does not match principal hostname 'private.net').
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
    certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
    CA: IPA
    issuer:
    subject:
    expires: unknown
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20150816194107':
    status: CA_UNREACHABLE
    ca-error: Internal error
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='424151811070'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=PRIVATE.NET
    subject: CN=CA Audit,O=PRIVATE.NET
    expires: 2016-04-17 18:19:19 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20150816194108':
    status: CA_UNREACHABLE
    ca-error: Internal error
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='424151811070'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=PRIVATE.NET
    subject: CN=OCSP Subsystem,O=PRIVATE.NET
    expires: 2016-04-17 18:19:18 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    eku: id-kp-OCSPSigning
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20150816194109':
    status: CA_UNREACHABLE
    ca-error: Internal error
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='424151811070'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=PRIVATE.NET
    subject: CN=CA Subsystem,O=PRIVATE.NET
    expires: 2016-04-17 18:19:19 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20150816194110':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin='424151811070'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=PRIVATE.NET
    subject: CN=Certificate Authority,O=PRIVATE.NET
    expires: 2036-04-01 20:16:39 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20150816194111':
    status: CA_UNREACHABLE
    ca-error: Internal error
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=PRIVATE.NET
    subject: CN=IPA RA,O=PRIVATE.NET
    expires: 2016-04-17 18:19:35 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20150816194112':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='424151811070'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=PRIVATE.NET
    subject: CN=zsipa.private.net,O=PRIVATE.NET
    expires: 2018-03-11 13:04:29 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20151214165433':
    status: CA_REJECTED
    ca-error: Server at https://zsipa.private.net/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: hostname in subject of request 'zsipa.private.net' does not match principal hostname 'www.private.net').
    stuck: yes
    key pair storage: type=FILE,location='/etc/pki/tls/private/www.private.net.key'
    certificate: type=FILE,location='/etc/pki/tls/certs/www.private.net.crt'
    CA: IPA
    issuer:
    subject:
    expires: unknown
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes

> A given host can only get certificates for itself or those delegated
> to it. Hostnames are used for this enforcement so if they don't line
> up you'll see this type of rejection.
>
>> No idea what's wrong with the rest, or why nothing will start. Near as I
>> can tell, Kerberos is failing to start, which is causing everything else
>> to go toes up.
>>
>> Early in the startup, in /var/log/messages, there's:
>>
>> ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide
>> more information (No Kerberos credentials available)
>
> Without more context it's hard to say. 389 is rather chatty about
> things and of course when it starts it has no ticket so it logs a
> bunch of stuff, eventually (hopefully) gets one, and then shuts up.
>
>> After that, I get a jar file read problem on log4j.jar, then a series of
>> property setting attempts that don't find matching properties. Then some
>> cipher errors, then it looks like named starts up okay, and everything
>> pauses for about 5 minutes before it all comes crashing back down.
>
> I wouldn't get too hung up on particular services just yet. Without
> valid certs things will fail and those problems will cascade. I think
> we just need more details at this point.
>
> rob
>>>>>> # >>>>> I would start with checking on all IPA servers if and what >>>>> certificates >>>>> are expired: >>>>> # getcert list >>>>> or short version to check if there are any: >>>>> # getcert list | grep expires >>>>> >>>>> When CA cert is renewed, it is not automatically transfered to >>>>> clients. >>>>> There one must run: >>>>> # ipa-certupdate >>>>> >>>>>> On 04/26/2016 09:24 AM, Bret Wortman wrote: >>>>>>> I rolled the date on the IPA server in question back to April 1 >>>>>>> and ran >>>>>>> "ipa-cacert-manage renew", which said it completed successfully. >>>>>>> I rolled the >>>>>>> date back to current and tried restarting ipa using ipactl stop >>>>>>> && ipactl >>>>>>> start, but no joy. No more ca renewal errors, but right after >>>>>>> the pause I see >>>>>>> this in /var/log/messages: >>>>>>> >>>>>>> systemd: kadmin.service: main process exited, code=exited, >>>>>>> status=2/INVALIDARGUMENT >>>>>>> systemd: Unit kadmin.service entered failed state. >>>>>>> systemd: kadmin.service failed. >>>>>>> >>>>>>> I rebooted the server just in case, and it's still getting stuck >>>>>>> at the same >>>>>>> place. ipa-otpd doesn't get around to starting. >>>>>>> >>>>>>> >>>>>>> Bret >>>>>>> >>>>>>> After the several-minutes-long pause after ipactl start outputs >>>>>>> "Starting >>>>>>> pki-tomcatd Service", I get the >>>>>>> >>>>>>> On 04/26/2016 08:14 AM, Bret Wortman wrote: >>>>>>>> I have an IPA server on a private network which has apparently >>>>>>>> run into >>>>>>>> certificate issues this morning. It's been running without >>>>>>>> issue for quite a >>>>>>>> while, and is on 4.1.4-1 on fedora 21. >>>>>>>> >>>>>>>> This morning, the gui started giving: >>>>>>>> >>>>>>>> IPA Error 907: NetworkError with description "cannot connect to >>>>>>>> 'https://zsipa.private.net:443/ca/agent/ca/displayBySerial': >>>>>>>> (SSL_ERROR_EXPIRED_CERRT_ALERT) SSL peer rejected your >>>>>>>> certificate as expired." 
>>>>>>>> >>>>>>>> I dug into the logs and after trying to restart ipa using >>>>>>>> ipactl, there was a >>>>>>>> length pause, then: >>>>>>>> >>>>>>>> dogtag-ipa-ca-renew-agent-submit: Updated certificate not >>>>>>>> available >>>>>>>> certmonger: Certificate named "ipaCert" in token "NSS >>>>>>>> Certificate DB" in >>>>>>>> database "/etc/httpd/alias" is no longer valid. >>>>>>>> dogtag-ipa-ca-renew-agent-submit: Updated certificate not >>>>>>>> available >>>>>>>> certmonger: Certificate named "ocspSigningCert cert-pki-ca" in >>>>>>>> token "NSS >>>>>>>> Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no >>>>>>>> longer valid. >>>>>>>> dogtag-ipa-ca-renew-agent-submit: Updated certificate not >>>>>>>> available. >>>>>>>> named-pkcs11[3437]: client 192.168.208.205#57832: update >>>>>>>> '208.168.192.in-addr.arpa/IN' denied >>>>>>>> >>>>>>>> and then things start shutting down. I can't start ipa at all >>>>>>>> using ipactl. >>>>>>>> >>>>>>>> So at present, our DNS is down. Authentication should work for >>>>>>>> a while, but >>>>>>>> I'd like to get this working again as quickly as possible. Any >>>>>>>> ideas? I deal >>>>>>>> with certificates so infrequently (like only when something >>>>>>>> like this >>>>>>>> happens) that I'm not sure where to start. >>>>>>>> >>>>>>>> Thanks! >>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> *Bret Wortman* >>>>>>>> /Coming soon to Kickstarter.../ >>>>>>>> >>>>>>>> http://wrapbuddies.co/ >>>>>>>> >>> >> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... 
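Petr's checklist in the quoted thread (look through `getcert list` for errors and for `expires: unknown`, renew the soonest-expiring cert first after moving the clock back, `getcert resubmit -i $REQUEST_ID` for requests certmonger has given up on) is easy to turn into a script. The following is an added example, not code from the thread, from FreeIPA or from certmonger: it parses output in the format Bret posted and reports what needs attention; the request IDs, hosts and paths in its embedded sample are constructed placeholders.

```python
"""Triage helper for `getcert list` output (FreeIPA / certmonger).

Added example for this thread, not code from FreeIPA, certmonger or the posters. It parses
the record format quoted above ("Request ID '...':" then indented "key: value" fields), flags
what needs attention and orders requests the way Petr suggests renewing them (soonest expiry
first). The sample below is constructed; every ID, path and host in it is a placeholder.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

SAMPLE_GETCERT_LIST = """\
Request ID '20150816194107':
\tstatus: CA_UNREACHABLE
\tca-error: Internal error
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2016-04-17 18:19:19 UTC
\tpre-save command:
Request ID '20150816194110':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2036-04-01 20:16:39 UTC
Request ID '20151214165433':
\tstatus: CA_REJECTED
\tca-error: Server at https://ipa.example.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: hostname in subject of request 'ipa.example.test' does not match principal hostname 'www.example.test').
\tstuck: yes
\tcertificate: type=FILE,location='/etc/pki/tls/certs/www.example.test.crt'
\texpires: unknown
"""
THREAD_CLOCK = datetime(2016, 4, 26, 12, 0, tzinfo=timezone.utc)  # the day of the thread
REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':\s*$")
FIELD_RE = re.compile(r"^\s+(?P<key>[^:]+):\s?(?P<value>.*)$")
RANK = {"ok": 0, "warning": 1, "critical": 2}


def parse_getcert_list(text: str) -> Dict[str, Dict[str, str]]:
    """Return {request_id: fields} for every tracking request in the output."""
    requests: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        header = REQUEST_RE.match(line)
        if header:                          # start of a new request record
            current = requests[header.group("id")] = {}
            continue
        field = FIELD_RE.match(line)
        if current is not None and field:   # skips the "Number of certificates ..." preamble
            current[field.group("key").strip()] = field.group("value").strip()
    return requests


def parse_expiry(value: str) -> Optional[datetime]:
    """'expires: unknown' (or anything unparseable) becomes None."""
    try:
        return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def assess(fields: Dict[str, str], now: datetime, warn_within: timedelta = timedelta(days=30)) -> Dict[str, object]:
    """The checks a reader of this thread does by hand, applied to one request."""
    problems: List[Tuple[str, str]] = []    # (level, reason)
    status = fields.get("status", "")
    if status != "MONITORING":              # anything else means renewal is not on track
        problems.append(("critical", f"status is {status or 'missing'}"))
    if fields.get("ca-error"):              # CA_UNREACHABLE / CA_REJECTED carry the CA's reason
        problems.append(("warning", "ca-error: " + fields["ca-error"]))
    if fields.get("stuck") == "yes":        # certmonger gave up; `getcert resubmit -i <ID>` restarts it
        problems.append(("critical", "request is stuck"))
    expiry = parse_expiry(fields.get("expires", "unknown"))
    if expiry is None:                      # Petr's point: 'expires: unknown' is itself a finding
        problems.append(("warning", "expiry unknown, certificate was probably never issued"))
    elif expiry <= now:
        problems.append(("critical", f"expired at {expiry:%Y-%m-%d %H:%M} UTC"))
    elif expiry - now <= warn_within:
        problems.append(("warning", f"expires in {(expiry - now).days} days"))
    cert = fields.get("certificate", "")    # NSS nickname if present, else the file location
    match = re.search(r"nickname='([^']*)'", cert) or re.search(r"location='([^']*)'", cert)
    severity = max((level for level, _ in problems), key=RANK.__getitem__, default="ok")
    return {"name": match.group(1) if match else "?", "severity": severity,
            "reasons": [why for _, why in problems]}


def renewal_order(requests: Dict[str, Dict[str, str]]) -> List[str]:
    """Request IDs soonest-expiry first; 'unknown' expiry sorts last."""
    far_future = datetime.max.replace(tzinfo=timezone.utc)
    return sorted(requests, key=lambda rid: parse_expiry(requests[rid].get("expires", "")) or far_future)


def latest_safe_clock(requests: Dict[str, Dict[str, str]], margin: timedelta = timedelta(days=1)) -> Optional[datetime]:
    """Latest clock at which every dated cert is still valid (Petr's 'move the date back' target)."""
    dated = [e for e in (parse_expiry(f.get("expires", "")) for f in requests.values()) if e]
    return min(dated) - margin if dated else None


def triage(text: str, now: datetime) -> List[Dict[str, object]]:
    """Assess every request, worst first (stable within a severity)."""
    requests = parse_getcert_list(text)
    findings = [dict(request_id=rid, **assess(fields, now)) for rid, fields in requests.items()]
    return sorted(findings, key=lambda f: -RANK[f["severity"]])


if __name__ == "__main__":
    for f in triage(SAMPLE_GETCERT_LIST, THREAD_CLOCK):
        print(f"{f['severity']:8} {f['request_id']} {f['name']}: {'; '.join(f['reasons']) or 'fine'}")
```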
URL: From gnotrica at candeal.com Tue Apr 26 18:15:59 2016 From: gnotrica at candeal.com (Gady Notrica) Date: Tue, 26 Apr 2016 18:15:59 +0000 Subject: [Freeipa-users] krb5kdc service not starting In-Reply-To: <0984AB34E553F54B8705D776686863E70AC021BC@cd-exchange01.CD-PRD.candeal.ca> References: <0984AB34E553F54B8705D776686863E70AC01F50@cd-exchange01.CD-PRD.candeal.ca> <3df3e2c9-4249-8b3f-ddd2-739d9720f9aa@redhat.com> <0984AB34E553F54B8705D776686863E70AC01FCA@cd-exchange01.CD-PRD.candeal.ca> <571F74D5.1070102@redhat.com> <0984AB34E553F54B8705D776686863E70AC021BC@cd-exchange01.CD-PRD.candeal.ca> Message-ID: <0984AB34E553F54B8705D776686863E70AC0274D@cd-exchange01.CD-PRD.candeal.ca> Hey world, Any ideas? Gady -----Original Message----- From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gady Notrica Sent: April 26, 2016 10:10 AM To: Ludwig Krispenz; freeipa-users at redhat.com Subject: Re: [Freeipa-users] krb5kdc service not starting No, no changes. Lost connectivity with my VMs during the night (networking issues in datacenter) Reboot the server and oups, no IPA is coming up... The replica (secondary server) is fine though. Gady Notrica -----Original Message----- From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz Sent: April 26, 2016 10:02 AM To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] krb5kdc service not starting On 04/26/2016 03:26 PM, Gady Notrica wrote: > Here... > > [root at cd-p-ipa1 log]# ipactl status > Directory Service: STOPPED > Directory Service must be running in order to obtain status of other > services > ipa: INFO: The ipactl command was successful > > [root at cd-p-ipa1 log]# systemctl status dirsrv at IPA-CANDEAL-CA.service > -l ? dirsrv at IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA. 
> Loaded: loaded (/usr/lib/systemd/system/dirsrv at .service; enabled; vendor preset: disabled) > Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 30min ago > Process: 6333 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i > -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid > (code=exited, status=1/FAILURE) > > Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: > [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: > slapi_attr_values2keys_sv failed for type attributetypes Apr 26 > 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: > [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: > slapi_attr_values2keys_sv failed for type attributetypes Apr 26 > 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: > [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: > slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - 
attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
this says the server doesn't know a syntax oid, but it is a known one.
It could be that the syntax plugins couldn't be loaded. There are more errors before, could you check where the errors start in /var/log/dirsrv/slapd-/errors ?

And, did you do any changes to the system before this problem started ?
> [root at cd-p-ipa1 log]#
>
> Gady
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Martin Babinsky
> Sent: April 26, 2016 9:17 AM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
> On 04/26/2016 03:13 PM, Gady Notrica wrote:
>> Hello world,
>>
>> I am having issues this morning with my primary IPA. See below the details in the logs and command result. Basically, krb5kdc service not starting - krb5kdc: Server error - while fetching master key.
>>
>> DNS is functioning. See below dig result. I have a trust with Windows AD.
>>
>> Please help?!
>>
>> [root at cd-ipa1 log]# systemctl status krb5kdc.service -l
>>
>> ● krb5kdc.service - Kerberos 5 KDC
>>
>> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
>>
>> Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52 EDT; 41min ago
>>
>> Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE)
>>
>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Starting Kerberos 5 KDC...
>> >> Apr 26 08:27:52 cd-ipa1.ipa.domain.localkrb5kdc[3694]: krb5kdc: >> cannot initialize realm IPA.DOMAIN.LOCAL- see log file for details >> >> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service: >> control process exited, code=exited status=1 >> >> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Failed to start >> Kerberos 5 KDC. >> >> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Unit >> krb5kdc.service entered failed state. >> >> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service failed. >> >> [root at cd-ipa1 log]# >> >> >> >> Errors in /var/log/krb5kdc.log >> >> >> >> krb5kdc: Server error - while fetching master key K/M for realm >> DOMAIN.LOCAL >> >> krb5kdc: Server error - while fetching master key K/M for realm >> DOMAIN.LOCAL >> >> krb5kdc: Server error - while fetching master key K/M for realm >> DOMAIN.LOCAL >> >> >> >> [root at cd-ipa1 log]# systemctl status httpd -l >> >> ? httpd.service - The Apache HTTP Server >> >> Loaded: loaded (/etc/systemd/system/httpd.service; disabled; >> vendor >> preset: disabled) >> >> Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:21 >> EDT; 39min ago >> >> Docs: man:httpd(8) >> >> man:apachectl(8) >> >> Process: 3594 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy >> (code=exited, status=1/FAILURE) >> >> >> >> Apr 26 08:27:21 cd-ipa1.ipa.domain.localipa-httpd-kdcproxy[3594]: >> File "/usr/lib/python2.7/siteackages/ipapython/ipaldap.py", line >> 1579, in __wait_for_connection >> >> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: >> wait_for_open_socket(lurl.hostport, timeout) >> >> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: >> File "/usr/lib/python2.7/siteackages/ipapython/ipautil.py", line >> 1200, in wait_for_open_socket >> >> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: >> raise e >> >> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: >> error: [Errno 2] No such file or 
directory >> >> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: >> ipa : ERROR Unknown error while retrieving setting from >> ldapi://%2fvar%2frun%2fslapd-IPA-CANDEAL-CA.socket: [Errno 2] No such >> file or directory >> >> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: httpd.service: >> control process exited, code=exited status=1 >> >> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: Failed to start >> The Apache HTTP Server. >> >> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: Unit >> httpd.service entered failed state. >> >> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: httpd.service failed. >> >> [root at cd-ipa1 log]# >> >> >> >> >> >> DNS Result for dig redhat.com >> >> >> >> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> redhat.com >> >> ;; global options: +cmd >> >> ;; Got answer: >> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5414 >> >> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 2 >> >> >> >> ;; OPT PSEUDOSECTION: >> >> ; EDNS: version: 0, flags:; udp: 4096 >> >> ;; QUESTION SECTION: >> >> ;redhat.com. IN A >> >> >> >> ;; ANSWER SECTION: >> >> redhat.com. 60 IN A 209.132.183.105 >> >> >> >> ;; AUTHORITY SECTION: >> >> . 849 IN NS f.root-servers.net. >> >> . 849 IN NS e.root-servers.net. >> >> . 849 IN NS k.root-servers.net. >> >> . 849 IN NS m.root-servers.net. >> >> . 849 IN NS b.root-servers.net. >> >> . 849 IN NS g.root-servers.net. >> >> . 849 IN NS c.root-servers.net. >> >> . 849 IN NS h.root-servers.net. >> >> . 849 IN NS l.root-servers.net. >> >> . 849 IN NS a.root-servers.net. >> >> . 849 IN NS j.root-servers.net. >> >> . 849 IN NS i.root-servers.net. >> >> . 849 IN NS d.root-servers.net. >> >> >> >> ;; ADDITIONAL SECTION: >> >> j.root-servers.net. 
3246 IN A 192.58.128.30 >> >> >> >> ;; Query time: 79 msec >> >> ;; SERVER: 10.20.10.41#53(10.20.10.41) >> >> ;; WHEN: Tue Apr 26 09:02:43 EDT 2016 >> >> ;; MSG SIZE rcvd: 282 >> >> >> >> Gady >> >> >> >> >> > It seems like Directory server is not running. Can you post result of 'ipactl status' and 'systemctl status dirsrv at IPA-CANDEAL-CA.service'? > > -- > Martin^3 Babinsky > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project From rcritten at redhat.com Tue Apr 26 18:44:11 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 26 Apr 2016 13:44:11 -0500 Subject: [Freeipa-users] krb5kdc service not starting In-Reply-To: <0984AB34E553F54B8705D776686863E70AC0274D@cd-exchange01.CD-PRD.candeal.ca> References: <0984AB34E553F54B8705D776686863E70AC01F50@cd-exchange01.CD-PRD.candeal.ca> <3df3e2c9-4249-8b3f-ddd2-739d9720f9aa@redhat.com> <0984AB34E553F54B8705D776686863E70AC01FCA@cd-exchange01.CD-PRD.candeal.ca> <571F74D5.1070102@redhat.com> <0984AB34E553F54B8705D776686863E70AC021BC@cd-exchange01.CD-PRD.candeal.ca> <0984AB34E553F54B8705D776686863E70AC0274D@cd-exchange01.CD-PRD.candeal.ca> Message-ID: <571FB6FB.3010906@redhat.com> Gady Notrica wrote: > Hey world, > > Any ideas? What about the first part of Ludwig's question: Is there anything in the 389-ds error log? 
rob > > Gady > > -----Original Message----- > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gady Notrica > Sent: April 26, 2016 10:10 AM > To: Ludwig Krispenz; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] krb5kdc service not starting > > No, no changes. Lost connectivity with my VMs during the night (networking issues in datacenter) > > Reboot the server and oups, no IPA is coming up... The replica (secondary server) is fine though. > > Gady Notrica > > -----Original Message----- > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz > Sent: April 26, 2016 10:02 AM > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] krb5kdc service not starting > > > On 04/26/2016 03:26 PM, Gady Notrica wrote: >> Here... >> >> [root at cd-p-ipa1 log]# ipactl status >> Directory Service: STOPPED >> Directory Service must be running in order to obtain status of other >> services >> ipa: INFO: The ipactl command was successful >> >> [root at cd-p-ipa1 log]# systemctl status dirsrv at IPA-CANDEAL-CA.service >> -l ? dirsrv at IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA. 
>> Loaded: loaded (/usr/lib/systemd/system/dirsrv at .service; enabled; vendor preset: disabled) >> Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 30min ago >> Process: 6333 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i >> -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid >> (code=exited, status=1/FAILURE) >> >> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: >> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: >> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 >> 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: >> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: >> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 >> 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: >> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: >> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016! 
:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15" >> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server. > this says the server doesn't know a syntax oid, but it is a known one. > It could be that the syntax plugings couldn't be loaded. Thera are more errors before, could you check where the errors start in /var/log/dirsrv/slapd-/errors ? > > And, did you do any changes to the system before this problem started ? >> [root at cd-p-ipa1 log]# >> >> Gady >> >> -----Original Message----- >> From: freeipa-users-bounces at redhat.com >> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Martin Babinsky >> Sent: April 26, 2016 9:17 AM >> To: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] krb5kdc service not starting >> >> On 04/26/2016 03:13 PM, Gady Notrica wrote: >>> Hello world, >>> >>> >>> >>> I am having issues this morning with my primary IPA. See below the >>> details in the logs and command result. Basically, krb5kdc service >>> not starting - krb5kdc: Server error - while fetching master key. >>> >>> >>> >>> DNS is functioning. See below dig result. I have a trust with Windows AD. >>> >>> >>> >>> Please help?! >>> >>> >>> >>> [root at cd-ipa1 log]# systemctl status krb5kdc.service -l >>> >>> ? 
krb5kdc.service - Kerberos 5 KDC >>> >>> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; >>> disabled; vendor preset: disabled) >>> >>> Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52 >>> EDT; 41min ago >>> >>> Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid >>> $KRB5KDC_ARGS (code=exited, status=1/FAILURE) >>> >>> >>> >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Starting Kerberos >>> 5 KDC... >>> >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localkrb5kdc[3694]: krb5kdc: >>> cannot initialize realm IPA.DOMAIN.LOCAL- see log file for details >>> >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service: >>> control process exited, code=exited status=1 >>> >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Failed to start >>> Kerberos 5 KDC. >>> >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Unit >>> krb5kdc.service entered failed state. >>> >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service failed. >>> >>> [root at cd-ipa1 log]# >>> >>> >>> >>> Errors in /var/log/krb5kdc.log >>> >>> >>> >>> krb5kdc: Server error - while fetching master key K/M for realm >>> DOMAIN.LOCAL >>> >>> krb5kdc: Server error - while fetching master key K/M for realm >>> DOMAIN.LOCAL >>> >>> krb5kdc: Server error - while fetching master key K/M for realm >>> DOMAIN.LOCAL >>> >>> >>> >>> [root at cd-ipa1 log]# systemctl status httpd -l >>> >>> ? 
httpd.service - The Apache HTTP Server >>> >>> Loaded: loaded (/etc/systemd/system/httpd.service; disabled; >>> vendor >>> preset: disabled) >>> >>> Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:21 >>> EDT; 39min ago >>> >>> Docs: man:httpd(8) >>> >>> man:apachectl(8) >>> >>> Process: 3594 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy >>> (code=exited, status=1/FAILURE) >>> >>> >>> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localipa-httpd-kdcproxy[3594]: >>> File "/usr/lib/python2.7/siteackages/ipapython/ipaldap.py", line >>> 1579, in __wait_for_connection >>> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: >>> wait_for_open_socket(lurl.hostport, timeout) >>> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: >>> File "/usr/lib/python2.7/siteackages/ipapython/ipautil.py", line >>> 1200, in wait_for_open_socket >>> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: >>> raise e >>> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: >>> error: [Errno 2] No such file or directory >>> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: >>> ipa : ERROR Unknown error while retrieving setting from >>> ldapi://%2fvar%2frun%2fslapd-IPA-CANDEAL-CA.socket: [Errno 2] No such >>> file or directory >>> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: httpd.service: >>> control process exited, code=exited status=1 >>> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: Failed to start >>> The Apache HTTP Server. >>> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: Unit >>> httpd.service entered failed state. >>> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: httpd.service failed. 
>>> >>> [root at cd-ipa1 log]# >>> >>> >>> >>> >>> >>> DNS Result for dig redhat.com >>> >>> >>> >>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> redhat.com >>> >>> ;; global options: +cmd >>> >>> ;; Got answer: >>> >>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5414 >>> >>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 2 >>> >>> >>> >>> ;; OPT PSEUDOSECTION: >>> >>> ; EDNS: version: 0, flags:; udp: 4096 >>> >>> ;; QUESTION SECTION: >>> >>> ;redhat.com. IN A >>> >>> >>> >>> ;; ANSWER SECTION: >>> >>> redhat.com. 60 IN A 209.132.183.105 >>> >>> >>> >>> ;; AUTHORITY SECTION: >>> >>> . 849 IN NS f.root-servers.net. >>> >>> . 849 IN NS e.root-servers.net. >>> >>> . 849 IN NS k.root-servers.net. >>> >>> . 849 IN NS m.root-servers.net. >>> >>> . 849 IN NS b.root-servers.net. >>> >>> . 849 IN NS g.root-servers.net. >>> >>> . 849 IN NS c.root-servers.net. >>> >>> . 849 IN NS h.root-servers.net. >>> >>> . 849 IN NS l.root-servers.net. >>> >>> . 849 IN NS a.root-servers.net. >>> >>> . 849 IN NS j.root-servers.net. >>> >>> . 849 IN NS i.root-servers.net. >>> >>> . 849 IN NS d.root-servers.net. >>> >>> >>> >>> ;; ADDITIONAL SECTION: >>> >>> j.root-servers.net. 3246 IN A 192.58.128.30 >>> >>> >>> >>> ;; Query time: 79 msec >>> >>> ;; SERVER: 10.20.10.41#53(10.20.10.41) >>> >>> ;; WHEN: Tue Apr 26 09:02:43 EDT 2016 >>> >>> ;; MSG SIZE rcvd: 282 >>> >>> >>> >>> Gady >>> >>> >>> >>> >>> >> It seems like Directory server is not running. Can you post result of 'ipactl status' and 'systemctl status dirsrv at IPA-CANDEAL-CA.service'? 
>> >> -- >> Martin^3 Babinsky >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project >> > > -- > Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > From gnotrica at candeal.com Tue Apr 26 19:09:00 2016 From: gnotrica at candeal.com (Gady Notrica) Date: Tue, 26 Apr 2016 19:09:00 +0000 Subject: [Freeipa-users] krb5kdc service not starting In-Reply-To: <571FB6FB.3010906@redhat.com> References: <0984AB34E553F54B8705D776686863E70AC01F50@cd-exchange01.CD-PRD.candeal.ca> <3df3e2c9-4249-8b3f-ddd2-739d9720f9aa@redhat.com> <0984AB34E553F54B8705D776686863E70AC01FCA@cd-exchange01.CD-PRD.candeal.ca> <571F74D5.1070102@redhat.com> <0984AB34E553F54B8705D776686863E70AC021BC@cd-exchange01.CD-PRD.candeal.ca> <0984AB34E553F54B8705D776686863E70AC0274D@cd-exchange01.CD-PRD.candeal.ca> <571FB6FB.3010906@redhat.com> Message-ID: <0984AB34E553F54B8705D776686863E70AC0291E@cd-exchange01.CD-PRD.candeal.ca> HERE.. 
[23/Apr/2016:11:39:51 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/cd-p-ipa1.ipa.domain.local at IPA.DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [23/Apr/2016:11:39:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [23/Apr/2016:11:39:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [23/Apr/2016:11:39:51 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) [23/Apr/2016:11:39:51 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests [23/Apr/2016:11:39:51 -0400] - Listening on All Interfaces port 636 for LDAPS requests [23/Apr/2016:11:39:51 -0400] - Listening on /var/run/slapd-IPA-DOMAIN-LOCAL.socket for LDAPI requests [23/Apr/2016:11:39:55 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth resumed [23/Apr/2016:14:37:27 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later. 
[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [23/Apr/2016:14:38:13 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth resumed [25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2 Gady -----Original Message----- From: Rob Crittenden [mailto:rcritten at redhat.com] Sent: April 26, 2016 2:44 PM To: Gady Notrica; Ludwig Krispenz; freeipa-users at redhat.com Subject: Re: [Freeipa-users] krb5kdc service not starting Gady Notrica wrote: > Hey world, > > Any ideas? What about the first part of Ludwig's question: Is there anything in the 389-ds error log? 
rob

>
> Gady
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gady Notrica
> Sent: April 26, 2016 10:10 AM
> To: Ludwig Krispenz; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
> No, no changes. Lost connectivity with my VMs during the night (networking issues in datacenter)
>
> Reboot the server and oops, no IPA is coming up... The replica (secondary server) is fine though.
>
> Gady Notrica
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz
> Sent: April 26, 2016 10:02 AM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
>
> On 04/26/2016 03:26 PM, Gady Notrica wrote:
>> Here...
>>
>> [root at cd-p-ipa1 log]# ipactl status
>> Directory Service: STOPPED
>> Directory Service must be running in order to obtain status of other services
>> ipa: INFO: The ipactl command was successful
>>
>> [root at cd-p-ipa1 log]# systemctl status dirsrv at IPA-DOMAIN-LOCAL.service -l
>> ● dirsrv at IPA-DOMAIN-LOCAL.service - 389 Directory Server IPA-DOMAIN-LOCAL.
>>    Loaded: loaded (/usr/lib/systemd/system/dirsrv at .service; enabled; vendor preset: disabled)
>>    Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 30min ago
>>   Process: 6333 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE)
>>
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-DOMAIN-LOCAL/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
> this says the server doesn't know a syntax oid, but it is a known one.
> It could be that the syntax plugins couldn't be loaded. There are more errors before, could you check where the errors start in /var/log/dirsrv/slapd-/errors ?
>
> And, did you do any changes to the system before this problem started ?
>> [root at cd-p-ipa1 log]#
>>
>> Gady
>>
>> -----Original Message-----
>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Martin Babinsky
>> Sent: April 26, 2016 9:17 AM
>> To: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] krb5kdc service not starting
>>
>> On 04/26/2016 03:13 PM, Gady Notrica wrote:
>>> Hello world,
>>>
>>> I am having issues this morning with my primary IPA. See below the details in the logs and command result. Basically, krb5kdc service not starting - krb5kdc: Server error - while fetching master key.
>>>
>>> DNS is functioning. See below dig result. I have a trust with Windows AD.
>>>
>>> Please help?!
>>>
>>> [root at cd-ipa1 log]# systemctl status krb5kdc.service -l
>>>
>>> ● krb5kdc.service - Kerberos 5 KDC
>>>    Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
>>>    Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52 EDT; 41min ago
>>>   Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE)
>>>
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Starting Kerberos 5 KDC...
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local krb5kdc[3694]: krb5kdc: cannot initialize realm IPA.DOMAIN.LOCAL - see log file for details
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service: control process exited, code=exited status=1
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Failed to start Kerberos 5 KDC.
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Unit krb5kdc.service entered failed state.
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service failed.
>>>
>>> [root at cd-ipa1 log]#
>>>
>>> Errors in /var/log/krb5kdc.log
>>>
>>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
>>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
>>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
>>>
>>> [root at cd-ipa1 log]# systemctl status httpd -l
>>>
>>> ● httpd.service - The Apache HTTP Server
>>>    Loaded: loaded (/etc/systemd/system/httpd.service; disabled; vendor preset: disabled)
>>>    Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:21 EDT; 39min ago
>>>      Docs: man:httpd(8)
>>>            man:apachectl(8)
>>>   Process: 3594 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=1/FAILURE)
>>>
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1579, in __wait_for_connection
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: wait_for_open_socket(lurl.hostport, timeout)
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1200, in wait_for_open_socket
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: raise e
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: error: [Errno 2] No such file or directory
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: ipa : ERROR Unknown error while retrieving setting from ldapi://%2fvar%2frun%2fslapd-IPA-DOMAIN-LOCAL.socket: [Errno 2] No such file or directory
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service: control process exited, code=exited status=1
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Failed to start The Apache HTTP Server.
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Unit httpd.service entered failed state.
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service failed.
>>>
>>> [root at cd-ipa1 log]#
>>>
>>> DNS Result for dig redhat.com
>>>
>>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> redhat.com
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5414
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 2
>>>
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags:; udp: 4096
>>> ;; QUESTION SECTION:
>>> ;redhat.com.                    IN      A
>>>
>>> ;; ANSWER SECTION:
>>> redhat.com.             60      IN      A       209.132.183.105
>>>
>>> ;; AUTHORITY SECTION:
>>> .                       849     IN      NS      f.root-servers.net.
>>> .                       849     IN      NS      e.root-servers.net.
>>> .                       849     IN      NS      k.root-servers.net.
>>> .                       849     IN      NS      m.root-servers.net.
>>> .                       849     IN      NS      b.root-servers.net.
>>> .                       849     IN      NS      g.root-servers.net.
>>> .                       849     IN      NS      c.root-servers.net.
>>> .                       849     IN      NS      h.root-servers.net.
>>> .                       849     IN      NS      l.root-servers.net.
>>> .                       849     IN      NS      a.root-servers.net.
>>> .                       849     IN      NS      j.root-servers.net.
>>> .                       849     IN      NS      i.root-servers.net.
>>> .                       849     IN      NS      d.root-servers.net.
>>>
>>> ;; ADDITIONAL SECTION:
>>> j.root-servers.net.     3246    IN      A       192.58.128.30
>>>
>>> ;; Query time: 79 msec
>>> ;; SERVER: 10.20.10.41#53(10.20.10.41)
>>> ;; WHEN: Tue Apr 26 09:02:43 EDT 2016
>>> ;; MSG SIZE  rcvd: 282
>>>
>>> Gady
>>>
>> It seems like Directory server is not running. Can you post result of 'ipactl status' and 'systemctl status dirsrv at IPA-DOMAIN-LOCAL.service'?
>>
>> --
>> Martin^3 Babinsky
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
> --
> Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
> Commercial register: Amtsgericht Muenchen, HRB 153243, Managing
> Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill
>

From siology.io at gmail.com Wed Apr 27 01:43:01 2016
From: siology.io at gmail.com (siology.io)
Date: Wed, 27 Apr 2016 13:43:01 +1200
Subject: [Freeipa-users] migration user passwords from openldap to freeipa
Message-ID:

I'm having issues migrating from an openldap directory (which has gosa schema) to freeipa.
To migrate I'm doing (and yes, I know):

ipa migrate-ds ldap://old.server.com:389 \
  --bind-dn "cn=my_user,ou=people,dc=domain,dc=com" \
  --group-objectclass=posixGroup \
  --user-objectclass=inetOrgPerson \
  --group-overwrite-gid \
  --user-ignore-objectclass=gosaAccount \
  --user-ignore-objectclass=gosaMailAccount \
  --user-ignore-attribute=gosaMailDeliveryMode \
  --user-ignore-attribute=gosaMailServer \
  --user-ignore-attribute=gosaSpamSortLevel \
  --user-ignore-attribute=gosaSpamMailbox \
  --user-ignore-objectclass=sshaccount \
  --user-ignore-objectclass=gosaacl \
  --user-ignore-attribute=sshpublickey \
  --user-ignore-attribute=sambaLMPassword \
  --user-ignore-attribute=sambaBadPasswordTime \
  --user-ignore-attribute=gosaaclentry \
  --user-ignore-attribute=sambaBadPasswordCount \
  --user-ignore-attribute=sambaNTPassword \
  --user-ignore-attribute=sambaPwdLastSet

Which seems to work to import all those users which have posix settings set, however I have two problems:

- Am I right in thinking there's no way to auto-assign a gid/uid/home dir for the non-posix users at migration time? That's not a deal breaker per se, but I'd need to spin up a new copy of the old ldap and then add those attributes to every user, then migrate to ipa from that source, which is a real pain.

- The migration seems to be successful for the users that do have posix attributes, and ends with:

  Passwords have been migrated in pre-hashed format.
  IPA is unable to generate Kerberos keys unless provided with clear text passwords.
  All migrated users need to login at https://your.domain/ipa/migration/ before they can use their Kerberos accounts.

  ...but I'm unable to login to that page as any of my migrated users, or bind as them with ldapsearch. It seems like the passwords were not migrated?
Because 90% of my ~350 users are only going to be using freeipa insomuch as using services which are making use of the ipa server's ldap, I was hoping that I wouldn't need to make kerberos tickets for those users, and hence avoid needing every user to login to the migration page. At the moment however I'm not able to get any migrated users at all to be able to bind to ldap or login to that page.

Any tips or gotchas I should know? I've no idea how to begin debugging this.

From schogan at us.ibm.com Wed Apr 27 05:27:49 2016
From: schogan at us.ibm.com (Sean Hogan)
Date: Tue, 26 Apr 2016 22:27:49 -0700
Subject: [Freeipa-users] IPA vulnerability management SSL
Message-ID: <201604270527.u3R5RvrE005517@d03av01.boulder.ibm.com>

Hello,

We currently have 7 ipa servers in multi master running:

ipa-server-3.0.0-47.el6_7.1.x86_64
389-ds-base-1.2.11.15-68.el6_7.x86_64

Tenable is showing the use of weak ciphers along with freak vulnerabilities. I have followed https://access.redhat.com/solutions/675183 however issues remain in the ciphers being used.

I have also modified dse.ldif with the following from http://freeipa-users.redhat.narkive.com/XGR9YzyN/weak-and-null-ciphers-detected-on-ldap-ports

With ipa stopped I modified dse with below

odifyTimestamp: 20150420131906Z
nsSSL3Ciphers: +all,-rsa_null_sha
allowWeakCipher: off
numSubordinates: 1

I turn on ipa and get

Starting Directory Service
Starting dirsrv:
    PKI-IPA...[27/Apr/2016:01:23:21 -0400] - Entry "cn=encryption,cn=config" -- attribute "allowweakcipher" not allowed

So I go back into the file and allowWeakCipher now shows allowweakcipher (caps for W and C are now lower case)

nss.conf

# new config to stop using weak ciphers.
NSSCipherSuite -rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_256_sha

SSL Protocol:
# Cryptographic protocols that provide communication security.
# NSS handles the specified protocols as "ranges", and automatically
# negotiates the use of the strongest protocol for a connection starting
# with the maximum specified protocol and downgrading as necessary to the
# minimum specified protocol that can be used between two processes.
# Since all protocol ranges are completely inclusive, and no protocol in the
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2

server.xml

clientAuth="true"
sslOptions="ssl2=off,ssl3=off,tls=true"
ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"

Is there a config for this version of IPA/DS somewhere that will pass poodle, freak, null ciphers scanning or only allow strong ciphers?

Sean Hogan

From harald.dunkel at aixigo.de Wed Apr 27 06:24:00 2016
From: harald.dunkel at aixigo.de (Harald Dunkel)
Date: Wed, 27 Apr 2016 08:24:00 +0200
Subject: [Freeipa-users] ipa -v ping lies about the cert database
In-Reply-To: <571F895F.3060108@ubuntu.com>
References: <5710DB60.7070508@redhat.com> <57148953.1070904@redhat.com> <5714CE39.9030704@ubuntu.com> <15ebb4fd-49e1-da66-d0a1-94d13da4e60f@aixigo.de> <571F895F.3060108@ubuntu.com>
Message-ID: <8de7f352-018f-e662-296c-94d94c7d1bf1@aixigo.de>

On 04/26/2016 05:29 PM, Timo Aaltonen wrote:
>
> I guess 4.3.1 would need to be in sid first, and it just got rejected
> because of the minified javascript (bug #787593). Don't know when
> that'll get fixed.
>

Is this 3rd party code?

Anyway, I was talking about a *private* backport of freeipa 4.3.1 and its dependencies to Jessie. Of course I would be glad to make these backports available in the official jessie-backports as well, but I would need a sponsor for uploading.
Regards
Harri

From tjaalton at ubuntu.com Wed Apr 27 06:25:42 2016
From: tjaalton at ubuntu.com (Timo Aaltonen)
Date: Wed, 27 Apr 2016 09:25:42 +0300
Subject: [Freeipa-users] ipa -v ping lies about the cert database
In-Reply-To: <8de7f352-018f-e662-296c-94d94c7d1bf1@aixigo.de>
References: <5710DB60.7070508@redhat.com> <57148953.1070904@redhat.com> <5714CE39.9030704@ubuntu.com> <15ebb4fd-49e1-da66-d0a1-94d13da4e60f@aixigo.de> <571F895F.3060108@ubuntu.com> <8de7f352-018f-e662-296c-94d94c7d1bf1@aixigo.de>
Message-ID: <57205B66.9000800@ubuntu.com>

27.04.2016, 09:24, Harald Dunkel wrote:
> On 04/26/2016 05:29 PM, Timo Aaltonen wrote:
>>
>> I guess 4.3.1 would need to be in sid first, and it just got rejected
>> because of the minified javascript (bug #787593). Don't know when
>> that'll get fixed.
>>
>
> Is this 3rd party code?

yes: https://fedorahosted.org/freeipa/ticket/5639

> Anyway, I was talking about a *private* backport of freeipa 4.3.1
> and its dependencies to Jessie. Of course I would be glad to make
> these backports available in the official jessie-backports as well,
> but I would need a sponsor for uploading.

Go for it, at least if the dependencies are manageable.

--
t

From abokovoy at redhat.com Wed Apr 27 06:52:15 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 27 Apr 2016 09:52:15 +0300
Subject: [Freeipa-users] IPA vulnerability management SSL
In-Reply-To: <201604270527.u3R5RvrE005517@d03av01.boulder.ibm.com>
References: <201604270527.u3R5RvrE005517@d03av01.boulder.ibm.com>
Message-ID: <20160427065215.3owetlgimd6yujes@redhat.com>

On Tue, 26 Apr 2016, Sean Hogan wrote:
>
>
>Hello,
>
> We currently have 7 ipa servers in multi master running:
>
>ipa-server-3.0.0-47.el6_7.1.x86_64
>389-ds-base-1.2.11.15-68.el6_7.x86_64
>
>Tenable is showing the use of weak ciphers along with freak
>vulnerabilities. I have followed
>https://access.redhat.com/solutions/675183 however issues remain in the
>ciphers being used.
$ git log --oneline 5f3c87e1380e56d76d4a4bef3af07633a8589891|head -1
5f3c87e Ticket #47838 - harden the list of ciphers available by default
$ git tag --contains 5f3c87e1380e56d76d4a4bef3af07633a8589891|head -1
389-ds-base-1.3.4.0

This means the allowweakcipher feature is only in 389-ds-base >= 1.3.4.0.
This should explain your failures below.

>
>I have also modified dse.ldif with the following from
>http://freeipa-users.redhat.narkive.com/XGR9YzyN/weak-and-null-ciphers-detected-on-ldap-ports
>
>With ipa stopped I modified dse with below
>
>odifyTimestamp: 20150420131906Z
>nsSSL3Ciphers: +all,-rsa_null_sha
>allowWeakCipher: off
>numSubordinates: 1
>
>I turn on ipa and get
>Starting Directory Service
>Starting dirsrv:
>    PKI-IPA...[27/Apr/2016:01:23:21 -0400] - Entry
>"cn=encryption,cn=config" -- attribute "allowweakcipher" not allowed
>
>So I go back into the file and allowWeakCipher now shows allowweakcipher
>(caps for W and C are now lower case)

attribute names are case-insensitive and normalized to a lower case.
Anyway, just don't use allowweakcipher in older 389-ds-base version.

>
>nss.conf
>
>
># new config to stop using weak ciphers.
>NSSCipherSuite
>-rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_256_sha
>
> SSL Protocol:
># Cryptographic protocols that provide communication security.
># NSS handles the specified protocols as "ranges", and automatically
># negotiates the use of the strongest protocol for a connection starting
># with the maximum specified protocol and downgrading as necessary to the
># minimum specified protocol that can be used between two processes.
># Since all protocol ranges are completely inclusive, and no protocol in
>the
>NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>
>
>server.xml
>
> clientAuth="true"
> sslOptions="ssl2=off,ssl3=off,tls=true"
>
>ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
>
>ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
>
>tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
>
>
>
>
>
>Is there a config for this version of IPA/DS somewhere that will pass
>poodle, freak, null ciphers scanning or only allow strong ciphers?

FreeIPA 4.3.1 has default setup that gives A on these tests with SSL Labs.
https://www.ssllabs.com/ssltest/analyze.html?d=ipa.demo1.freeipa.org&hideResults=on

Follow https://fedorahosted.org/freeipa/ticket/5589 for Apache changes and for the script to generate proper lists.
--
/ Alexander Bokovoy

From lkrispen at redhat.com Wed Apr 27 07:17:32 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 27 Apr 2016 09:17:32 +0200
Subject: [Freeipa-users] krb5kdc service not starting
In-Reply-To: <0984AB34E553F54B8705D776686863E70AC0291E@cd-exchange01.CD-PRD.candeal.ca>
References: <0984AB34E553F54B8705D776686863E70AC01F50@cd-exchange01.CD-PRD.candeal.ca> <3df3e2c9-4249-8b3f-ddd2-739d9720f9aa@redhat.com> <0984AB34E553F54B8705D776686863E70AC01FCA@cd-exchange01.CD-PRD.candeal.ca> <571F74D5.1070102@redhat.com> <0984AB34E553F54B8705D776686863E70AC021BC@cd-exchange01.CD-PRD.candeal.ca> <0984AB34E553F54B8705D776686863E70AC0274D@cd-exchange01.CD-PRD.candeal.ca> <571FB6FB.3010906@redhat.com> <0984AB34E553F54B8705D776686863E70AC0291E@cd-exchange01.CD-PRD.candeal.ca>
Message-ID: <5720678C.8090709@redhat.com>

On 04/26/2016 09:09 PM, Gady Notrica wrote:
>
> HERE..
>
> [23/Apr/2016:11:39:51 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/cd-p-ipa1.ipa.domain.local at IPA.DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> [23/Apr/2016:11:39:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
> [23/Apr/2016:11:39:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
> [23/Apr/2016:11:39:51 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
> [23/Apr/2016:11:39:51 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [23/Apr/2016:11:39:51 -0400] - Listening on All Interfaces port 636 for LDAPS requests
> [23/Apr/2016:11:39:51 -0400] - Listening on /var/run/slapd-IPA-DOMAIN-LOCAL.socket for LDAPI requests
> [23/Apr/2016:11:39:55 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth resumed
> [23/Apr/2016:14:37:27 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
> [23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
> [23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
> [23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
> [23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
> [23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
> [23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
> [23/Apr/2016:14:38:13 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth resumed
> [25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2
>
these are old logs, the problem you were reporting was on Apr, 26:

Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.

we need the logs from that time
ldapi://%2fvar%2frun%2fslapd-IPA-DOMAIN-LOCAL.socket: [Errno 2] No > > >>> such file or directory > > >>> > > >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: httpd.service: > > >>> control process exited, code=exited status=1 > > >>> > > >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: Failed to start > > >>> The Apache HTTP Server. > > >>> > > >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: Unit > > >>> httpd.service entered failed state. > > >>> > > >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: httpd.service > failed. > > >>> > > >>> [root at cd-ipa1 log]# > > >>> > > >>> > > >>> > > >>> > > >>> > > >>> DNS Result for dig redhat.com > > >>> > > >>> > > >>> > > >>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> redhat.com > > >>> > > >>> ;; global options: +cmd > > >>> > > >>> ;; Got answer: > > >>> > > >>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5414 > > >>> > > >>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: > > >>> 2 > > >>> > > >>> > > >>> > > >>> ;; OPT PSEUDOSECTION: > > >>> > > >>> ; EDNS: version: 0, flags:; udp: 4096 > > >>> > > >>> ;; QUESTION SECTION: > > >>> > > >>> ;redhat.com. IN A > > >>> > > >>> > > >>> > > >>> ;; ANSWER SECTION: > > >>> > > >>> redhat.com. 60 IN A 209.132.183.105 > > >>> > > >>> > > >>> > > >>> ;; AUTHORITY SECTION: > > >>> > > >>> . 849 IN NS f.root-servers.net. > > >>> > > >>> . 849 IN NS e.root-servers.net. > > >>> > > >>> . 849 IN NS k.root-servers.net. > > >>> > > >>> . 849 IN NS m.root-servers.net. > > >>> > > >>> . 849 IN NS b.root-servers.net. > > >>> > > >>> . 849 IN NS g.root-servers.net. > > >>> > > >>> . 849 IN NS c.root-servers.net. > > >>> > > >>> . 849 IN NS h.root-servers.net. > > >>> > > >>> . 849 IN NS l.root-servers.net. > > >>> > > >>> . 849 IN NS a.root-servers.net. > > >>> > > >>> . 849 IN NS j.root-servers.net. > > >>> > > >>> . 849 IN NS i.root-servers.net. > > >>> > > >>> . 849 IN NS d.root-servers.net. 
> > >>> > > >>> > > >>> > > >>> ;; ADDITIONAL SECTION: > > >>> > > >>> j.root-servers.net. 3246 IN A 192.58.128.30 > > >>> > > >>> > > >>> > > >>> ;; Query time: 79 msec > > >>> > > >>> ;; SERVER: 10.20.10.41#53(10.20.10.41) > > >>> > > >>> ;; WHEN: Tue Apr 26 09:02:43 EDT 2016 > > >>> > > >>> ;; MSG SIZE rcvd: 282 > > >>> > > >>> > > >>> > > >>> Gady > > >>> > > >>> > > >>> > > >>> > > >>> > > >> It seems like Directory server is not running. Can you post result > of 'ipactl status' and 'systemctl status > dirsrv at IPA-DOMAIN-LOCAL.service '? > > >> > > >> -- > > >> Martin^3 Babinsky > > >> > > >> -- > > >> Manage your subscription for the Freeipa-users mailing list: > > >> https://www.redhat.com/mailman/listinfo/freeipa-users > > >> Go to http://freeipa.org for more info on the project > > >> > > > > > > -- > > > Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, > > > Commercial register: Amtsgericht Muenchen, HRB 153243, Managing > > > Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael > > > O'Neill > > > > > > -- > > > Manage your subscription for the Freeipa-users mailing list: > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > Go to http://freeipa.org for more info on the project > > > > > > -- > > > Manage your subscription for the Freeipa-users mailing list: > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > Go to http://freeipa.org for more info on the project > > > > -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill -------------- next part -------------- An HTML attachment was scrubbed... 
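In the thread above, krb5kdc and httpd fail only because dirsrv is down, and dirsrv is down because loading cn=schema failed on a syntax OID that is in fact standard; Ludwig's advice is to look at where the errors start in the dirsrv errors log. The following is an added example, not FreeIPA or 389-ds code, that does that triage offline: it parses the `[dd/Mon/yyyy:HH:MM:SS zone]` line format, keeps only the current boot, collapses the repeated `valueset_value_syntax_cmp` lines, and recognises the "unknown" OID from the thread as RFC 4517's Directory String syntax. The sample log is constructed: the two messages quoted in the thread are reproduced, the `<placeholder>` lines stand in for real 389-ds startup and plugin messages.

```python
"""Find where a 389-ds errors log goes wrong, offline (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# 389-ds errors-log timestamp, e.g. "[26/Apr/2016:08:50:21 -0400]"
_LINE_RE = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]\s*(.*)$")

# RFC 4517 syntaxes every LDAP server must know; an "unknown" one here means
# the syntax plugins never loaded, not that the schema file is wrong.
STANDARD_SYNTAX_OIDS = {
    "1.3.6.1.4.1.1466.115.121.1.15": "Directory String",
    "1.3.6.1.4.1.1466.115.121.1.26": "IA5 String",
    "1.3.6.1.4.1.1466.115.121.1.27": "INTEGER",
    "1.3.6.1.4.1.1466.115.121.1.7": "Boolean",
    "1.3.6.1.4.1.1466.115.121.1.12": "DN",
}

# Constructed sample; only the two messages quoted in the thread are real.
SAMPLE_ERRORS_LOG = """\
[25/Apr/2016:22:10:03 -0400] - <placeholder> starting up
[25/Apr/2016:22:10:04 -0400] - <placeholder> slapd started, listening on port 389
[26/Apr/2016:08:50:20 -0400] - <placeholder> starting up
[26/Apr/2016:08:50:20 -0400] - <placeholder> could not load syntax plugin library
[26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
[26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
[26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
[26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-DOMAIN-LOCAL/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
[26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
"""


@dataclass
class Entry:
    ts: datetime
    msg: str


def parse_errors_log(text: str) -> list:
    """One Entry per timestamped line; continuation lines without a timestamp are skipped."""
    entries = []
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
            entries.append(Entry(ts, m.group(2)))
    return entries


def entries_after_last_startup(entries: list) -> list:
    """Only the current boot matters; everything before the last 'starting up' is history."""
    start = 0
    for i, e in enumerate(entries):
        if "starting up" in e.msg:
            start = i + 1
    return entries[start:]


def collapse_repeats(entries: list) -> list:
    """[(message, count)] in first-seen order; the thread shows one line repeated many times."""
    counts = Counter(e.msg for e in entries)
    out, seen = [], set()
    for e in entries:
        if e.msg not in seen:
            seen.add(e.msg)
            out.append((e.msg, counts[e.msg]))
    return out


def diagnose(entries: list) -> list:
    """Findings: the first message of this boot, then any known symptom."""
    current = entries_after_last_startup(entries)
    findings = []
    if current:
        findings.append(f"first message after startup ({current[0].ts.isoformat()}): {current[0].msg}")
    for msg, n in collapse_repeats(current):
        m = re.search(r'Unknown attribute syntax OID "([\d.]+)"', msg)
        if m and m.group(1) in STANDARD_SYNTAX_OIDS:
            findings.append(
                f"{m.group(1)} is the standard {STANDARD_SYNTAX_OIDS[m.group(1)]} syntax; "
                f"the schema file is not the problem, the syntax plugins did not load (seen {n}x)")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_errors_log(SAMPLE_ERRORS_LOG)):
        print(line)
```

On a real server, feed it the contents of `/var/log/dirsrv/slapd-<INSTANCE>/errors` instead of the sample; the first finding is the line to start reading from, exactly the question Ludwig asks in the thread.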
URL:

From david at kreitschmann.de Wed Apr 27 07:45:50 2016
From: david at kreitschmann.de (David Kreitschmann)
Date: Wed, 27 Apr 2016 09:45:50 +0200
Subject: [Freeipa-users] migration user passwords from openldap to freeipa
In-Reply-To:
References:
Message-ID: <5295D1CE-A4B5-43D0-B48F-8CA0F8541D64@kreitschmann.de>

Are you sure that your bind dn has read access to userPassword? A default OpenLDAP installation usually has an admin user. Gosa ACLs are only applied when using the web interface, they are not used for direct access via LDAP.

> On 27.04.2016 at 03:43, siology.io wrote:
>
> I'm having issues migrating from an openldap directory (which has gosa schema) to freeipa.
>
> To migrate i'm doing (and yes, i know);
>
> ipa migrate-ds ldap://old.server.com:389 --bind-dn "cn=my_user,ou=people,dc=domain,dc=com" --group-objectclass=posixGroup --user-objectclass=inetOrgPerson --group-overwrite-gid --user-ignore-objectclass=gosaAccount --user-ignore-objectclass=gosaMailAccount --user-ignore-attribute=gosaMailDeliveryMode --user-ignore-attribute=gosaMailServer --user-ignore-attribute=gosaSpamSortLevel --user-ignore-attribute=gosaSpamMailbox --user-ignore-objectclass=sshaccount --user-ignore-objectclass=gosaacl --user-ignore-attribute=sshpublickey --user-ignore-attribute=sambaLMPassword --user-ignore-attribute=sambaBadPasswordTime --user-ignore-attribute=gosaaclentry --user-ignore-attribute=sambaBadPasswordCount --user-ignore-attribute=sambaNTPassword --user-ignore-attribute=sambaPwdLastSet
>
> Which seems to work to import all those users which have posix settings set, however i have two problems:
>
> - Am i right in thinking there's no way to auto-assign a gid/uid/home dir for the non-posix users at migration time ? That's not a deal breaker per se, but i'd need to spin up a new copy of the old ldap and then add those attributes to every user, then migrate to ipa from that source, which is a real pain.
> - The migration seems to be successful for the users that do have posix attributes, and ends with:
>
> Passwords have been migrated in pre-hashed format.
> IPA is unable to generate Kerberos keys unless provided
> with clear text passwords. All migrated users need to
> login at https://your.domain/ipa/migration/ before they
> can use their Kerberos accounts.
>
> ...but i'm unable to login to that page as any of my migrated users, or bind as them with ldapsearch. It seems like the passwords were not migrated ?
>
> Because 90% of my ~350 users are only going to be using freeipa insomuch as using services which are making use of the ipa server's ldap i was hoping that i wouldn't need to make kerberos tickets for those users, and hence avoid needing every user to login to the migration page. At the moment however i'm not able to get any migrated users at all to be able to bind to ldap or login to that page.
>
> Any tips or gotchas i should know ? I've no idea how to begin debugging this.
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL:

From mkosek at redhat.com Wed Apr 27 08:22:32 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 27 Apr 2016 10:22:32 +0200
Subject: [Freeipa-users] IPA & Yubikey
In-Reply-To:
References:
Message-ID: <7cb3eedb-c793-5921-2b46-769b0b4f9090@redhat.com>

On 04/22/2016 10:40 PM, Jeremy Utley wrote:
> Hello all!
>
> I'm quite close to reaching the ideal point with our new FreeIPA setup, but one thing that is standing in the way is 2FA. I know FreeIPA has support for Google Auth, FreeOTP, and Yubikey.
> We'd like to go with Yubikeys over the phone-based systems, but a lot of the docs regarding Yubikey seem to either be out-dated, or not real clear (at least to me). So I'd like to ask a few questions to make sure I'm understanding correctly.
>
> 1) It looks like the normal setup of a Yubikey is to plug it into a machine and run the "ipa otptoken-add-yubikey" command. This implies that the machine that sets up the Yubikey needs to be part of the FreeIPA domain, which presents somewhat of a problem for us, as our current IPA setup has no desktops, and is in a remote "lights-out" datacenter an hour's drive from our office. I did see a post recently in the archives of someone figuring out how to set up a Yubikey via the web interface (https://www.redhat.com/archives/freeipa-users/2016-March/msg00114.html) - would this be viable?

Interesting question/suggestion, CCing Nathaniel on this one, he authored the feature.

> 2) Does the otptoken-add-yubikey command actually change the programming of the Yubikey, or does it simply read its configuration? We have some users who are already using a Yubikey for personal stuff, and we'd like to allow those users to continue to use their existing Yubikey to auth to our IPA domain, but if the add command changes the programming of the key, that may not be possible without using the second slot, and if users are already using the second slot, they are out of luck.
>
> 3) Does Yubikey auth require talking to the outside world to function? Our IPA setup is within a secure zone, with no direct connectivity to the outside world, so if this is necessary, it would be a possible deal-breaker for these.

None of the FreeIPA setup should require communication with the outside world, maybe except some of the current DNS checks during validation. If it does, it sounds like a bug to me, as I know about multiple deployments of FreeIPA in such environments.
Martin

From mkosek at redhat.com Wed Apr 27 08:43:22 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 27 Apr 2016 10:43:22 +0200
Subject: [Freeipa-users] IPA vulnerability management SSL
In-Reply-To: <201604270527.u3R5RvrE005517@d03av01.boulder.ibm.com>
References: <201604270527.u3R5RvrE005517@d03av01.boulder.ibm.com>
Message-ID: <6c44a1aa-b1d5-cd85-fc64-38b38d8a1e4b@redhat.com>

On 04/27/2016 07:27 AM, Sean Hogan wrote:
> Hello,
>
> We currently have 7 ipa servers in multi master running:
>
> ipa-server-3.0.0-47.el6_7.1.x86_64
> 389-ds-base-1.2.11.15-68.el6_7.x86_64
>
> Tenable is showing the use of weak ciphers along with freak vulnerabilities. I have followed https://access.redhat.com/solutions/675183 however issues remain in the ciphers being used.

Can you show the full report, so that we can see what's wrong? What I am looking for also is if the problem is LDAPS port or HTTPS port, so that we are not fixing the wrong service.

DS ciphers were hardened in RHEL-6.x and RHEL-7.x already as part of this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1154687

Further hardening comes with FreeIPA 4.3.1+:
https://fedorahosted.org/freeipa/ticket/5684
https://fedorahosted.org/freeipa/ticket/5589
(it should appear in RHEL-7.3+)

Martin

From bret.wortman at damascusgrp.com Wed Apr 27 10:05:21 2016
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Wed, 27 Apr 2016 06:05:21 -0400
Subject: [Freeipa-users] IPA server having cert issues
In-Reply-To: <571FAE1C.107@damascusgrp.com>
References: <571F586E.2000302@damascusgrp.com> <571F5B99.4060607@damascusgrp.com> <571F6BF5.9060801@damascusgrp.com> <571F6C80.8000006@damascusgrp.com> <7c9ac60d-f182-cb92-bf53-85359e5c5b81@redhat.com> <571F9092.7060204@damascusgrp.com> <571F9E04.2050400@damascusgrp.com> <571FA944.8040003@redhat.com> <571FAE1C.107@damascusgrp.com>
Message-ID: <57208EE1.3000006@damascusgrp.com>

Was this at all informative?
On 04/26/2016 02:06 PM, Bret Wortman wrote: > > > On 04/26/2016 01:45 PM, Rob Crittenden wrote: >> Bret Wortman wrote: >>> I think I've found a deeper problem, in that I can't update these >>> because IPA simply won't start at all now. >>> >>> I mistyped one of these -- the 2016-03-11 is actually 2018-03-11, and >>> 2016-04-01 is actually 2036-04-01. >>> >>> As for the unknowns, the first says status: CA_REJECTED and the error >>> says "hostname in subject of request 'zw198.private.net' does not match >>> principal hostname 'private.net'", with stuck: yes. >>> >>> The second is similar, but for a different host. >> >> Is it really a different host and why? I think we'd need to see the >> full output to know what's going on. >> > > Full output: > > Number of certificates and requests being tracked: 10. > Request ID '20140428181940': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-PRIVATE-NET',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/dirsrv/slapd-PRIVATE-NET/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-PRIVATE-NET',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=PRIVATE.NET > subject: CN=zsipa.private.net,O=PRIVATE.NET > expires: 2018-04-02 13:04:51 UTC > principal name: ldap/zsipa.private.net at PRIVATE.NET > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20140428182016': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=PRIVATE.NET > subject: CN=zsipa.private.net,O=PRIVATE.NET > 
expires: 2018-04-02 13:04:31 UTC > principal name: HTTP/zsipa.private.net at PRIVATE.NET > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20150211141945': > status: CA_REJECTED > ca-error: Server at https://zsipa.private.net/ipa/xml denied our > request, giving up: 2100 (RPC failed at server. Insufficient access: > hostname in subject of request 'zw198.private.net' does not match > principal hostname 'private.net'). > stuck: yes > key pair storage: > type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS > Certificate DB' > certificate: > type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert' > CA: IPA > issuer: > subject: > expires: unknown > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20150816194107': > status: CA_UNREACHABLE > ca-error: Internal error > stuck: no > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB',pin='424151811070' > certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=PRIVATE.NET > subject: CN=CA Audit,O=PRIVATE.NET > expires: 2016-04-17 18:19:19 UTC > key usage: digitalSignature,nonRepudiation > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20150816194108': > status: CA_UNREACHABLE > ca-error: Internal error > stuck: no > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB',pin='424151811070' > certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate 
Authority,O=PRIVATE.NET > subject: CN=OCSP Subsystem,O=PRIVATE.NET > expires: 2016-04-17 18:19:18 UTC > key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign > eku: id-kp-OCSPSigning > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20150816194109': > status: CA_UNREACHABLE > ca-error: Internal error > stuck: no > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS > Certificate DB',pin='424151811070' > certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS > Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=PRIVATE.NET > subject: CN=CA Subsystem,O=PRIVATE.NET > expires: 2016-04-17 18:19:19 UTC > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20150816194110': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS > Certificate DB',pin='424151811070' > certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS > Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=PRIVATE.NET > subject: CN=Certificate Authority,O=PRIVATE.NET > expires: 2036-04-01 20:16:39 UTC > key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20150816194111': > status: CA_UNREACHABLE > ca-error: Internal error > stuck: no > key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > Certificate DB' > 
CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=PRIVATE.NET > subject: CN=IPA RA,O=PRIVATE.NET > expires: 2016-04-17 18:19:35 UTC > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20150816194112': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert > cert-pki-ca',token='NSS Certificate DB',pin='424151811070' > certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=PRIVATE.NET > subject: CN=zsipa.private.net,O=PRIVATE.NET > expires: 2018-03-11 13:04:29 UTC > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20151214165433': > status: CA_REJECTED > ca-error: Server at https://zsipa.private.net/ipa/xml denied our > request, giving up: 2100 (RPC failed at server. Insufficient access: > hostname in subject of request 'zsipa.private.net' does not match > principal hostname 'www.private.net'). > stuck: yes > key pair storage: > type=FILE,location='/etc/pki/tls/private/www.private.net.key' > certificate: > type=FILE,location='/etc/pki/tls/certs/www.private.net.crt' > CA: IPA > issuer: > subject: > expires: unknown > pre-save command: > post-save command: > track: yes > auto-renew: yes > > >> A given host can only get certificates for itself or those delegated >> to it. Hostnames are used for this enforcement so if they don't line >> up you'll see this type of rejection. >> >>> >>> No idea what's wrong with the rest, or why nothing will start. 
Near >>> as I >>> can tell, Kerberos is failing to start, which is causing everything >>> else >>> to go toes up. >>> >>> Early in the startup, in /var/log/messages, there's: >>> >>> ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide >>> more information (No Kerberos credentials available) >> >> Without more context it's hard to say. 389 is rather chatty about >> things and of course when it starts it has no ticket so it logs a >> bunch of stuff, eventually (hopefully) gets one, and then shuts up. >> >>> >>> After that, I get a jar file read pboelm on log4j.jar, then a series of >>> property setting attempts that don't find matching properties. Then >>> some >>> cipher errors, then it looks like named starts up okay, and everything >>> pauses for about 5 minutes before it all comes crashing back down. >>> >> >> I wouldn't get too hung up on particular services just yet. Without >> valid certs things will fail and those problems will cascade. I think >> we just need more details at this point. >> >> rob >> >>> >>> Bret >>> >>> On 04/26/2016 12:40 PM, Petr Vobornik wrote: >>>> On 04/26/2016 06:00 PM, Bret Wortman wrote: >>>>> # getcert list | grep expires >>>>> expires: 2018-04-02 13:04:51 UTC >>>>> expires: 2018-04-02 13:04:31 UTC >>>>> expires: unknown >>>>> expires: 2016-04-17 18:19:19 UTC >>>>> expires: 2016-04-17 18:19:18 UTC >>>>> expires: 2016-04-17 18:19:19 UTC >>>>> expires: 2016-04-01 20:16:39 UTC >>>>> expires: 2016-04-17 18:19:35 UTC >>>>> expires: 2016-03-11 13:04:29 UTC >>>>> expires: unknown >>>>> # >>>>> >>>>> So some got updated and most didn't. Is there a recommended way to >>>>> update these >>>>> all? The system is still backdated to 3 April (ntpd disabled) at >>>>> this point. >>>> It's usually good to start renewing(when it doesn't happen >>>> automatically >>>> from some reason) with the cert which is about to expired first, i.e. 
>>>> the one with "2016-03-11 13:04:29"
>>>>
>>>> The process is:
>>>> - move date before the cert is about to expire
>>>> - leave it up to certmonger or manually force resubmit by `getcert resubmit -i $REQUEST_ID`, where request ID is in `getcert list` output.
>>>>
>>>> I'm a little worried about the fact that CA cert was renewed at date which is after expiration of the other certs.
>>>>
>>>> Also the `expires: unknown` doesn't look good. Check `getcert list` output for errors related to the cert.
>>>>
>>>>
>>>>>
>>>>> Bret
>>>>>
>>>>>
>>>>> On 04/26/2016 11:46 AM, Petr Vobornik wrote:
>>>>>> On 04/26/2016 03:26 PM, Bret Wortman wrote:
>>>>>>> On our non-CA IPA server, this is happening, in case it's related and illustrative:
>>>>>>>
>>>>>>> # ipa host-del zw113.private.net
>>>>>>> ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.
>>>>>>> #
>>>>>> I would start with checking on all IPA servers if and what certificates are expired:
>>>>>> # getcert list
>>>>>> or short version to check if there are any:
>>>>>> # getcert list | grep expires
>>>>>>
>>>>>> When CA cert is renewed, it is not automatically transferred to clients. There one must run:
>>>>>> # ipa-certupdate
>>>>>>
>>>>>>> On 04/26/2016 09:24 AM, Bret Wortman wrote:
>>>>>>>> I rolled the date on the IPA server in question back to April 1 and ran "ipa-cacert-manage renew", which said it completed successfully. I rolled the date back to current and tried restarting ipa using ipactl stop && ipactl start, but no joy. No more ca renewal errors, but right after the pause I see this in /var/log/messages:
>>>>>>>>
>>>>>>>> systemd: kadmin.service: main process exited, code=exited, status=2/INVALIDARGUMENT
>>>>>>>> systemd: Unit kadmin.service entered failed state.
>>>>>>>> systemd: kadmin.service failed. >>>>>>>> >>>>>>>> I rebooted the server just in case, and it's still getting >>>>>>>> stuck at the same >>>>>>>> place. ipa-otpd doesn't get around to starting. >>>>>>>> >>>>>>>> >>>>>>>> Bret >>>>>>>> >>>>>>>> After the several-minutes-long pause after ipactl start outputs >>>>>>>> "Starting >>>>>>>> pki-tomcatd Service", I get the >>>>>>>> >>>>>>>> On 04/26/2016 08:14 AM, Bret Wortman wrote: >>>>>>>>> I have an IPA server on a private network which has apparently >>>>>>>>> run into >>>>>>>>> certificate issues this morning. It's been running without >>>>>>>>> issue for quite a >>>>>>>>> while, and is on 4.1.4-1 on fedora 21. >>>>>>>>> >>>>>>>>> This morning, the gui started giving: >>>>>>>>> >>>>>>>>> IPA Error 907: NetworkError with description "cannot connect to >>>>>>>>> 'https://zsipa.private.net:443/ca/agent/ca/displayBySerial': >>>>>>>>> (SSL_ERROR_EXPIRED_CERRT_ALERT) SSL peer rejected your >>>>>>>>> certificate as expired." >>>>>>>>> >>>>>>>>> I dug into the logs and after trying to restart ipa using >>>>>>>>> ipactl, there was a >>>>>>>>> length pause, then: >>>>>>>>> >>>>>>>>> dogtag-ipa-ca-renew-agent-submit: Updated certificate not >>>>>>>>> available >>>>>>>>> certmonger: Certificate named "ipaCert" in token "NSS >>>>>>>>> Certificate DB" in >>>>>>>>> database "/etc/httpd/alias" is no longer valid. >>>>>>>>> dogtag-ipa-ca-renew-agent-submit: Updated certificate not >>>>>>>>> available >>>>>>>>> certmonger: Certificate named "ocspSigningCert cert-pki-ca" in >>>>>>>>> token "NSS >>>>>>>>> Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no >>>>>>>>> longer valid. >>>>>>>>> dogtag-ipa-ca-renew-agent-submit: Updated certificate not >>>>>>>>> available. >>>>>>>>> named-pkcs11[3437]: client 192.168.208.205#57832: update >>>>>>>>> '208.168.192.in-addr.arpa/IN' denied >>>>>>>>> >>>>>>>>> and then things start shutting down. I can't start ipa at all >>>>>>>>> using ipactl. 
>>>>>>>>>
>>>>>>>>> So at present, our DNS is down. Authentication should work for a while, but I'd like to get this working again as quickly as possible. Any ideas? I deal with certificates so infrequently (like only when something like this happens) that I'm not sure where to start.
>>>>>>>>>
>>>>>>>>> Thanks!
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> *Bret Wortman*
>>>>>>>>> /Coming soon to Kickstarter.../
>>>>>>>>>
>>>>>>>>> http://wrapbuddies.co/
>>>>>>>>>
>>>>
>>>
>>>
>>>
>>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From barrykfl at gmail.com Wed Apr 27 10:48:03 2016
From: barrykfl at gmail.com (barrykfl at gmail.com)
Date: Wed, 27 Apr 2016 18:48:03 +0800
Subject: [Freeipa-users] can live turn off nsslapd-security: to off ?
Message-ID:

Hi:

Without restarting dirsrv possible do that ?

thx Regards

barry

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From dkupka at redhat.com Wed Apr 27 11:10:51 2016
From: dkupka at redhat.com (David Kupka)
Date: Wed, 27 Apr 2016 13:10:51 +0200
Subject: [Freeipa-users] can live turn off nsslapd-security: to off ?
In-Reply-To:
References:
Message-ID: <14d0beeb-0f35-593f-19bc-4cebe1c051d7@redhat.com>

On 27/04/16 12:48, barrykfl at gmail.com wrote:
> Hi:
>
> Without restarting dirsrv possible do that ?
>
>
> thx Regards
>
> barry
>
>

Hello Barry,

this ldapsearch should list all attributes that need restart after modification:

$ ldapsearch -D "cn=Directory Manager" -w Secret123 -b cn=config nsslapd-requiresrestart

I don't see nsslapd-security listed so it should be possible to change it in runtime.

--
David Kupka

From barrykfl at gmail.com Wed Apr 27 11:15:37 2016
From: barrykfl at gmail.com (barrykfl at gmail.com)
Date: Wed, 27 Apr 2016 19:15:37 +0800
Subject: [Freeipa-users] can live turn off nsslapd-security: to off ?
In-Reply-To: <14d0beeb-0f35-593f-19bc-4cebe1c051d7@redhat.com>
References: <14d0beeb-0f35-593f-19bc-4cebe1c051d7@redhat.com>
Message-ID:

Do you mean use ldapmodify?
I tried to update the dse.ldif but it will fall back after a while.

On 2016-04-27 19:10, "David Kupka" wrote:
> On 27/04/16 12:48, barrykfl at gmail.com wrote:
>
>> Hi:
>>
>> Without restarting dirsrv possible do that ?
>>
>>
>> thx Regards
>>
>> barry
>>
>>
>>
>>
> Hello Barry,
>
> this ldapsearch should list all attributes that need restart after modification:
>
> $ ldapsearch -D "cn=Directory Manager" -w Secret123 -b cn=config nsslapd-requiresrestart
>
> I don't see nsslapd-security listed so it should be possible to change it in runtime.
>
> --
> David Kupka
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From dkupka at redhat.com Wed Apr 27 11:26:47 2016
From: dkupka at redhat.com (David Kupka)
Date: Wed, 27 Apr 2016 13:26:47 +0200
Subject: [Freeipa-users] can live turn off nsslapd-security: to off ?
In-Reply-To:
References: <14d0beeb-0f35-593f-19bc-4cebe1c051d7@redhat.com>
Message-ID: <42dfccde-ad58-e4ca-80ae-2e6a460186b3@redhat.com>

On 27/04/16 13:15, barrykfl at gmail.com wrote:
> Do you mean use ldapmodify?
> I tried to update the dse.ldif but it will fall back after a while.
>
> On 2016-04-27 19:10, "David Kupka" wrote:
>
> On 27/04/16 12:48, barrykfl at gmail.com wrote:
>
> Hi:
>
> Without restarting dirsrv possible do that ?
>
>
> thx Regards
>
> barry
>
>
>
>
> Hello Barry,
>
> this ldapsearch should list all attributes that need restart after modification:
>
> $ ldapsearch -D "cn=Directory Manager" -w Secret123 -b cn=config nsslapd-requiresrestart
>
> I don't see nsslapd-security listed so it should be possible to change it in runtime.
>
> --
> David Kupka
>

Yes, I mean ldapmodify.

Editing dse.ldif while dirsrv is running has no effect because it is read only at start and written at least before exit.
If you REALLY need to edit dse.ldif be sure to stop dirsrv then edit it
and start dirsrv again.

--
David Kupka

From barrykfl at gmail.com Wed Apr 27 11:29:04 2016
From: barrykfl at gmail.com (barrykfl at gmail.com)
Date: Wed, 27 Apr 2016 19:29:04 +0800
Subject: [Freeipa-users] can live turn off nsslapd-security: to off ?
In-Reply-To: <42dfccde-ad58-e4ca-80ae-2e6a460186b3@redhat.com>
References: <14d0beeb-0f35-593f-19bc-4cebe1c051d7@redhat.com>
	<42dfccde-ad58-e4ca-80ae-2e6a460186b3@redhat.com>
Message-ID:

thx, let me try as I don't want to stop dirsrv but live disable nsslapd security.

On 27 Apr 2016 at 7:26 PM, "David Kupka" wrote:
> On 27/04/16 13:15, barrykfl at gmail.com wrote:
>> Do you mean to use ldapmodify?
>> I tried updating the dse.ldif but it will fall back after a while.
>>
>> On 27 Apr 2016 at 7:10 PM, "David Kupka" wrote:
>>> On 27/04/16 12:48, barrykfl at gmail.com wrote:
>>>> Hi:
>>>>
>>>> Without restarting dirsrv, is it possible to do that?
>>>>
>>>> thx Regards
>>>>
>>>> barry
>>>
>>> Hello Barry,
>>>
>>> this ldapsearch should list all attributes that need a restart after
>>> modification:
>>>
>>> $ ldapsearch -D "cn=Directory Manager" -w Secret123 -b cn=config
>>> nsslapd-requiresrestart
>>>
>>> I don't see nsslapd-security listed so it should be possible to
>>> change it in runtime.
>>>
>>> --
>>> David Kupka
>
> Yes, I mean ldapmodify.
>
> Editing dse.ldif while dirsrv is running has no effect because it is read
> only at start and written at least before exit.
>
> If you REALLY need to edit dse.ldif be sure to stop dirsrv then edit it
> and start dirsrv again.
>
> --
> David Kupka
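The check David describes in the thread above (is the attribute listed in nsslapd-requiresrestart? if not, change it live with ldapmodify instead of editing dse.ldif) as an added example in Python. This is not code from the thread, from 389-ds or from FreeIPA; it assumes the LDIF that the thread's ldapsearch prints, and SAMPLE_LDIF below is constructed for the example (the attribute names in it are illustrative; a real server lists more). The helper names are the example's own. The lead-in's ldapsearch uses -W in place of the thread's -w Secret123 so the Directory Manager password is prompted for rather than left in shell history.

```python
"""Decide whether a cn=config attribute can be changed at runtime.

Added example (not code from the thread, 389-ds or FreeIPA).  It parses
the LDIF printed by

    ldapsearch -D "cn=Directory Manager" -W -b cn=config nsslapd-requiresrestart

and, for an attribute that is NOT in that list, builds the change to feed
to ldapmodify.  SAMPLE_LDIF is constructed; it is not a capture from a
server and a real server lists more attributes.
"""

# Constructed sample output of the ldapsearch above.  Values have the
# form "<entry dn>:<attribute>"; one value is LDIF-folded to show that
# continuation lines (leading space) are joined before parsing.
SAMPLE_LDIF = """\
dn: cn=config
nsslapd-requiresrestart: cn=config:nsslapd-port
nsslapd-requiresrestart: cn=config:nsslapd-secureport
nsslapd-requiresrestart: cn=config:nsslapd-listenhost
nsslapd-requiresrestart: cn=config:nsslapd-securelist
 enhost
"""


def unfold_ldif(text):
    """Join LDIF continuation lines: a line starting with a space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def restart_attributes(ldif_text):
    """Set of lowercase attribute names that nsslapd-requiresrestart lists."""
    names = set()
    for line in unfold_ldif(ldif_text):
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "nsslapd-requiresrestart":
            # keep only the attribute name after the entry DN prefix
            names.add(value.strip().rsplit(":", 1)[-1].strip().lower())
    return names


def needs_restart(ldif_text, attribute):
    return attribute.lower() in restart_attributes(ldif_text)


def modify_ldif(attribute, value, dn="cn=config"):
    """LDIF for ldapmodify that replaces one attribute value on an entry."""
    return (
        f"dn: {dn}\n"
        f"changetype: modify\n"
        f"replace: {attribute}\n"
        f"{attribute}: {value}\n"
    )


def plan_change(ldif_text, attribute, value):
    """(needs_restart, ldif_or_None): LDIF is produced only for a live-safe change."""
    if needs_restart(ldif_text, attribute):
        return True, None
    return False, modify_ldif(attribute, value)


if __name__ == "__main__":
    restart, ldif = plan_change(SAMPLE_LDIF, "nsslapd-security", "off")
    print("restart needed after this change" if restart else ldif)
```

The generated LDIF is what `ldapmodify -D "cn=Directory Manager" -W -f change.ldif` would apply. On a FreeIPA server, nsslapd-security is what enables the TLS (LDAPS, port 636) listener, so anything configured to talk ldaps:// to that instance loses service while it is off; check dependent clients and replication agreements before applying the change, and turn it back on the same way.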
From npmccallum at redhat.com Wed Apr 27 12:54:18 2016
From: npmccallum at redhat.com (Nathaniel McCallum)
Date: Wed, 27 Apr 2016 08:54:18 -0400
Subject: [Freeipa-users] IPA & Yubikey
In-Reply-To: <7cb3eedb-c793-5921-2b46-769b0b4f9090@redhat.com>
References: <7cb3eedb-c793-5921-2b46-769b0b4f9090@redhat.com>
Message-ID: <1461761658.2328.5.camel@redhat.com>

On Wed, 2016-04-27 at 10:22 +0200, Martin Kosek wrote:
> On 04/22/2016 10:40 PM, Jeremy Utley wrote:
> > Hello all!
> >
> > I'm quite close to reaching the ideal point with our new FreeIPA
> > setup, but one thing that is standing in the way is 2FA. I know
> > FreeIPA has support for Google Auth, FreeOTP, and Yubikey. We'd like
> > to go with Yubikeys over the phone-based systems, but a lot of the
> > docs regarding Yubikey seem to either be out-dated, or not real clear
> > (at least to me). So I'd like to ask a few questions to make sure I'm
> > understanding correctly.
> >
> > 1) It looks like the normal setup of a Yubikey is to plug it into a
> > machine and run the "ipa otptoken-add-yubikey" command. This implies
> > that the machine that sets up the Yubikey needs to be part of the
> > FreeIPA domain, which presents somewhat of a problem for us, as our
> > current IPA setup has no desktops, and is in a remote "lights-out"
> > datacenter an hour's drive from our office. I did see a post recently
> > in the archives of someone figuring out how to set up a Yubikey via
> > the web interface
> > (https://www.redhat.com/archives/freeipa-users/2016-March/msg00114.html)
> > - would this be viable?
>
> Interesting question/suggestion, CCing Nathaniel on this one, he
> authored the feature.

Yes, this is completely viable. The otptoken-add-yubikey is just a
convenience wrapper. It simply programs the Yubikey with the secret that
is also contained in the qr code.
If you program this secret directly yourself, there is no need to use the
otptoken-add-yubikey command.

> > 2) Does the otptoken-add-yubikey command actually change the
> > programming of the Yubikey, or does it simply read its configuration?
> > We have some users who are already using a Yubikey for personal stuff,
> > and we'd like to allow those users to continue to use their existing
> > Yubikey to auth to our IPA domain, but if the add command changes the
> > programming of the key, that may not be possible without using the
> > second slot, and if users are already using the second slot, they are
> > out of luck.

The command programs the YubiKey with the secret value that is in the QR
code. You can do this yourself using Yubico's utilities if you don't want
to use our tool. However, if users are already using both slots, you're
out of luck anyway since there is no place to store the new secret key.
This is a limitation of YubiKey, not FreeIPA. It would be most unwise to
try to share secrets with another authenticator to overcome this
limitation.

> > 3) Does Yubikey auth require talking to the outside world to
> > function? Our IPA setup is within a secure zone, with no direct
> > connectivity to the outside world, so if this is necessary, it would
> > be a possible deal-breaker for these.
>
> None of the FreeIPA setup should require communication with the
> outside world, maybe except some of the current DNS checks during
> validation. If it does, it sounds as a bug to me, as I know about
> multiple deployments of FreeIPA in such environments.

No, YubiKey - when used with FreeIPA - uses the HOTP protocol. No network
connectivity is required.

From peljasz at yahoo.co.uk Wed Apr 27 13:12:18 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Wed, 27 Apr 2016 14:12:18 +0100
Subject: [Freeipa-users] does ptr records an admin have to take care of manually?
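Why the YubiKey answer above needs no network: HOTP (RFC 4226) as an added example in Python, not code from the thread, from FreeIPA or from Yubico. Both sides hold the same secret (the one the QR code carries and otptoken-add-yubikey programs into the key) plus a counter, and a code is HMAC-SHA1 over the counter truncated to digits. The example assumes 6 digits and SHA-1, uses the RFC 4226 test key (not a real token secret), and the look-ahead window size and class name are the example's own choices.

```python
"""HOTP (RFC 4226), the protocol FreeIPA uses for YubiKey tokens.

Added example, not code from the thread, FreeIPA or Yubico.  The secret
below is the RFC 4226 Appendix D test key, not a real token secret.
The server-side verifier keeps a per-token counter and a small look-ahead
window, and advances the counter past any accepted code, so a captured
code cannot be replayed.  No network access is involved anywhere.
"""
import hashlib
import hmac
import struct

RFC4226_SECRET = b"12345678901234567890"  # RFC 4226 test vector key


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for (secret, counter) as a zero-padded decimal string."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()    # 20-byte HMAC-SHA1
    offset = mac[-1] & 0x0F                               # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one token: the shared secret and the next counter."""

    def __init__(self, secret: bytes, counter: int = 0, window: int = 10):
        self.secret = secret
        self.counter = counter    # next counter value the server expects
        self.window = window      # skipped button presses to tolerate

    def verify(self, code: str) -> bool:
        """Accept `code` only if it matches a counter in [counter, counter + window),
        then move the counter past it so the same code never verifies twice."""
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False


if __name__ == "__main__":
    for n in range(3):
        print(n, hotp(RFC4226_SECRET, n))   # 755224, 287082, 359152 per RFC 4226
    v = HotpVerifier(RFC4226_SECRET)
    print(v.verify("755224"), v.verify("755224"))  # True, then False (replay)
```

The window matters for a hardware token because every press advances the key's counter whether or not the code reaches the server; a window that is too small locks users out after a few accidental presses, one that is too large widens the set of codes an attacker could guess, so the value is a policy choice rather than a protocol constant.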
Message-ID: <1461762738.3345.10.camel@yahoo.co.uk>

hi,

regular server install with --setup-dns
then clients to follow, but I see there:

Missing reverse record(s) for address(es):

does that mean that by default server install process does not include
reverse zones?
These need to be set up manually/independently ?

many thanks

From mbasti at redhat.com Wed Apr 27 13:22:56 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 27 Apr 2016 15:22:56 +0200
Subject: [Freeipa-users] does ptr records an admin have to take care of manually?
In-Reply-To: <1461762738.3345.10.camel@yahoo.co.uk>
References: <1461762738.3345.10.camel@yahoo.co.uk>
Message-ID: <5720BD30.10600@redhat.com>

On 27.04.2016 15:12, lejeczek wrote:
> hi,
>
> regular server install with --setup-dns
> then clients to follow, but I see there:
>
> Missing reverse record(s) for address(es):
>
> does that mean that by default server install process does not include
> reverse zones?
> These need to be set up manually/independently ?
>
> many thanks

Hello,

well this is warning for you, it depends on you if you want to create
reverse zone or not. So if you need reverse records for IPA client, create
the particular reverse zone.

Probably you will need to enable syncptr feature
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-dynamic-dns-updates.html#ptr-sync

Martin
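What the "Missing reverse record(s)" warning in the thread above is checking, as an added example in Python (not FreeIPA code): given the forward records of some hosts and the PTR names that already exist in the reverse zones, it lists the PTR records that are missing and the in-addr.arpa / ip6.arpa zone each one belongs in, with None when no reverse zone covers the address at all, which is the situation the thread describes. The hostnames, addresses and helper names are constructed for the example.

```python
"""Reverse-record check of the kind behind "Missing reverse record(s)".

Added example, not FreeIPA code.  Forward records, existing reverse
zones and all names below are constructed.
"""
import ipaddress


def reverse_zone_for(network):
    """Name of the one reverse zone covering an octet-aligned IPv4 prefix or a
    nibble-aligned IPv6 prefix, e.g. 10.20.10.0/24 -> 10.20.10.in-addr.arpa."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 prefix must be a multiple of 8 bits for one zone")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    if net.prefixlen % 4:
        raise ValueError("IPv6 prefix must be a multiple of 4 bits for one zone")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def ptr_name(address):
    """Owner name of the PTR record for an address, absolute (trailing dot)."""
    return ipaddress.ip_address(address).reverse_pointer + "."


def zone_for_name(name, zones):
    """Longest reverse zone from `zones` that contains `name`, or None."""
    matches = [z for z in zones if name.endswith("." + z)]
    return max(matches, key=len) if matches else None


def missing_reverse_records(forward, reverse_zones):
    """forward: {fqdn: address}; reverse_zones: {zone: set of PTR owner names}.
    Returns [(fqdn, address, ptr_owner, zone_or_None)] for each absent PTR."""
    missing = []
    for fqdn, address in sorted(forward.items()):
        owner = ptr_name(address)
        zone = zone_for_name(owner, reverse_zones)
        if zone is None or owner not in reverse_zones[zone]:
            missing.append((fqdn, address, owner, zone))
    return missing


# Constructed data: two IPv4 hosts in 10.20.10.0/24 and one IPv6 host.
FORWARD = {
    "ipa01.example.test.": "10.20.10.41",
    "client1.example.test.": "10.20.10.50",
    "ipa02.example.test.": "2001:db8::2",
}
# Only the /24 reverse zone exists, and only ipa01 has a PTR in it.
REVERSE_ZONES = {
    "10.20.10.in-addr.arpa.": {"41.10.20.10.in-addr.arpa."},
}

if __name__ == "__main__":
    for fqdn, address, owner, zone in missing_reverse_records(FORWARD, REVERSE_ZONES):
        where = zone or "no reverse zone covers this address"
        print(f"missing PTR {owner} -> {fqdn} ({address}); zone: {where}")
```

The fourth tuple element is the actionable part: a zone name means only the PTR record is missing, while None means the reverse zone itself has to be created first (for example with the network's name from reverse_zone_for) before any PTR, or the syncptr feature Martin points to, can populate it.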
From gnotrica at candeal.com Wed Apr 27 13:48:23 2016
From: gnotrica at candeal.com (Gady Notrica)
Date: Wed, 27 Apr 2016 13:48:23 +0000
Subject: [Freeipa-users] krb5kdc service not starting
In-Reply-To: <5720678C.8090709@redhat.com>
References: <0984AB34E553F54B8705D776686863E70AC01F50@cd-exchange01.CD-PRD.candeal.ca>
	<3df3e2c9-4249-8b3f-ddd2-739d9720f9aa@redhat.com>
	<0984AB34E553F54B8705D776686863E70AC01FCA@cd-exchange01.CD-PRD.candeal.ca>
	<571F74D5.1070102@redhat.com>
	<0984AB34E553F54B8705D776686863E70AC021BC@cd-exchange01.CD-PRD.candeal.ca>
	<0984AB34E553F54B8705D776686863E70AC0274D@cd-exchange01.CD-PRD.candeal.ca>
	<571FB6FB.3010906@redhat.com>
	<0984AB34E553F54B8705D776686863E70AC0291E@cd-exchange01.CD-PRD.candeal.ca>
	<5720678C.8090709@redhat.com>
Message-ID: <0984AB34E553F54B8705D776686863E70AC032CC@cd-exchange01.CD-PRD.candeal.ca>

Hello Ludwig,

I do have only 1 error logs for the 26th in
/var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. Below is the only line I have

[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2
[26/Apr/2016:00:13:01 -0400] - Entry "uid=MMOOREDT$,cn=users,cn=accounts,dc=ipa,dc=candeal,dc=ca" missing attribute "sn" required by object class "person"

I don't know if that helps.

Gady

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: April 27, 2016 3:18 AM
To: Gady Notrica
Cc: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

On 04/26/2016 09:09 PM, Gady Notrica wrote:
HERE..

[23/Apr/2016:11:39:51 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/cd-p-ipa1.ipa.domain.local at IPA.DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[23/Apr/2016:11:39:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[23/Apr/2016:11:39:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[23/Apr/2016:11:39:51 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[23/Apr/2016:11:39:51 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[23/Apr/2016:11:39:51 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[23/Apr/2016:11:39:51 -0400] - Listening on /var/run/slapd-IPA-DOMAIN-LOCAL.socket for LDAPI requests
[23/Apr/2016:11:39:55 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth resumed
[23/Apr/2016:14:37:27 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[23/Apr/2016:14:38:13 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth resumed
[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2

these are old logs, the problem you were reporting was on Apr, 26:

Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.

we need the logs from that time

Gady

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: April 26, 2016 2:44 PM
To: Gady Notrica; Ludwig Krispenz; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

Gady Notrica wrote:
> Hey world,
>
> Any ideas?

What about the first part of Ludwig's question: Is there anything in the
389-ds error log?

rob

>
> Gady
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gady Notrica
> Sent: April 26, 2016 10:10 AM
> To: Ludwig Krispenz; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
> No, no changes. Lost connectivity with my VMs during the night
> (networking issues in datacenter)
>
> Reboot the server and oups, no IPA is coming up... The replica
> (secondary server) is fine though.
>
> Gady Notrica
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz
> Sent: April 26, 2016 10:02 AM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
>
> On 04/26/2016 03:26 PM, Gady Notrica wrote:
>> Here...
>>
>> [root at cd-p-ipa1 log]# ipactl status
>> Directory Service: STOPPED
>> Directory Service must be running in order to obtain status of other
>> services
>> ipa: INFO: The ipactl command was successful
>>
>> [root at cd-p-ipa1 log]# systemctl status dirsrv at IPA-DOMAIN-LOCAL.service -l
>> ● dirsrv at IPA-DOMAIN-LOCAL.service - 389 Directory Server IPA-DOMAIN-LOCAL.
>> Loaded: loaded (/usr/lib/systemd/system/dirsrv at .service; enabled; vendor preset: disabled)
>> Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 30min ago
>> Process: 6333 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE)
>>
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-DOMAIN-LOCAL/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
> this says the server doesn't know a syntax oid, but it is a known one.
> It could be that the syntax plugins couldn't be loaded. There are more
> errors before, could you check where the errors start in
> /var/log/dirsrv/slapd-/errors ?
>
> And, did you do any changes to the system before this problem started ?
>> [root at cd-p-ipa1 log]#
>>
>> Gady
>>
>> -----Original Message-----
>> From: freeipa-users-bounces at redhat.com
>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Martin Babinsky
>> Sent: April 26, 2016 9:17 AM
>> To: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] krb5kdc service not starting
>>
>> On 04/26/2016 03:13 PM, Gady Notrica wrote:
>>> Hello world,
>>>
>>> I am having issues this morning with my primary IPA. See below the
>>> details in the logs and command result. Basically, krb5kdc service
>>> not starting - krb5kdc: Server error - while fetching master key.
>>>
>>> DNS is functioning. See below dig result. I have a trust with Windows AD.
>>>
>>> Please help?!
>>>
>>> [root at cd-ipa1 log]# systemctl status krb5kdc.service -l
>>> ● krb5kdc.service - Kerberos 5 KDC
>>> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
>>> Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52 EDT; 41min ago
>>> Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE)
>>>
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Starting Kerberos 5 KDC...
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local krb5kdc[3694]: krb5kdc: cannot initialize realm IPA.DOMAIN.LOCAL - see log file for details
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service: control process exited, code=exited status=1
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Failed to start Kerberos 5 KDC.
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Unit krb5kdc.service entered failed state.
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service failed.
>>>
>>> [root at cd-ipa1 log]#
>>>
>>> Errors in /var/log/krb5kdc.log
>>>
>>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
>>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
>>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
>>>
>>> [root at cd-ipa1 log]# systemctl status httpd -l
>>> ● httpd.service - The Apache HTTP Server
>>> Loaded: loaded (/etc/systemd/system/httpd.service; disabled; vendor preset: disabled)
>>> Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:21 EDT; 39min ago
>>> Docs: man:httpd(8)
>>> man:apachectl(8)
>>> Process: 3594 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=1/FAILURE)
>>>
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/siteackages/ipapython/ipaldap.py", line 1579, in __wait_for_connection
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: wait_for_open_socket(lurl.hostport, timeout)
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/siteackages/ipapython/ipautil.py", line 1200, in wait_for_open_socket
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: raise e
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: error: [Errno 2] No such file or directory
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: ipa : ERROR Unknown error while retrieving setting from ldapi://%2fvar%2frun%2fslapd-IPA-DOMAIN-LOCAL.socket: [Errno 2] No such file or directory
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service: control process exited, code=exited status=1
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Failed to start The Apache HTTP Server.
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Unit httpd.service entered failed state.
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service failed.
>>>
>>> [root at cd-ipa1 log]#
>>>
>>> DNS Result for dig redhat.com
>>>
>>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> redhat.com
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5414
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 2
>>>
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags:; udp: 4096
>>> ;; QUESTION SECTION:
>>> ;redhat.com. IN A
>>>
>>> ;; ANSWER SECTION:
>>> redhat.com. 60 IN A 209.132.183.105
>>>
>>> ;; AUTHORITY SECTION:
>>> . 849 IN NS f.root-servers.net.
>>> . 849 IN NS e.root-servers.net.
>>> . 849 IN NS k.root-servers.net.
>>> . 849 IN NS m.root-servers.net.
>>> . 849 IN NS b.root-servers.net.
>>> . 849 IN NS g.root-servers.net.
>>> . 849 IN NS c.root-servers.net.
>>> . 849 IN NS h.root-servers.net.
>>> . 849 IN NS l.root-servers.net.
>>> . 849 IN NS a.root-servers.net.
>>> . 849 IN NS j.root-servers.net.
>>> . 849 IN NS i.root-servers.net.
>>> . 849 IN NS d.root-servers.net.
>>>
>>> ;; ADDITIONAL SECTION:
>>> j.root-servers.net. 3246 IN A 192.58.128.30
>>>
>>> ;; Query time: 79 msec
>>> ;; SERVER: 10.20.10.41#53(10.20.10.41)
>>> ;; WHEN: Tue Apr 26 09:02:43 EDT 2016
>>> ;; MSG SIZE rcvd: 282
>>>
>>> Gady
>>>
>> It seems like Directory server is not running. Can you post result of
>> 'ipactl status' and 'systemctl status dirsrv at IPA-DOMAIN-LOCAL.service'?
>>
>> --
>> Martin^3 Babinsky
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
> --
> Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
> Commercial register: Amtsgericht Muenchen, HRB 153243, Managing
> Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael
> O'Neill
>

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243, Managing
Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael
O'Neill
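The thread above turns on getting the 389-ds errors-log entries from the moment of the failed start (Apr 26 08:50) rather than the older replication noise that was posted. The following is an added example in Python, not code from the thread, from 389-ds or from FreeIPA: a small parser for the two line shapes the thread shows (the raw errors-log form, and the journal form that systemctl status prints around the same text) that reports what was logged in the minutes before a given timestamp and which component logged first. SAMPLE_LOG is constructed; the hostnames and realm in it are placeholders, and the function names are the example's own.

```python
"""Triage a 389 Directory Server errors log around a failed start.

Added example, not code from the thread, 389-ds or FreeIPA.  Accepts both
the raw errors-log form

    [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry ...

and the journal form shown by systemctl status

    Apr 26 08:50:21 host ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - ...

SAMPLE_LOG is constructed; hostnames and the realm are placeholders.
"""
import re
from collections import namedtuple
from datetime import datetime, timedelta

Entry = namedtuple("Entry", "when component message")

# Optional journal prefix, then the bracketed 389-ds timestamp, then the rest.
_LINE = re.compile(
    r"^(?:\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ ns-slapd\[\d+\]: )?"
    r"\[(?P<ts>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]\s*(?P<rest>.*)$"
)
# "name - message" or "name: message"; core-server lines have no name.
_COMPONENT = re.compile(r"([A-Za-z_]\w*)(?: - |: )(.*)")

# Constructed sample modelled on the thread: old replication noise, one
# unrelated entry after midnight, then the failed start at 08:50:21.
SAMPLE_LOG = """\
[23/Apr/2016:11:39:51 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa1.example.test@EXAMPLE.TEST] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[23/Apr/2016:11:39:51 -0400] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2
[26/Apr/2016:00:13:01 -0400] - Entry "uid=someuser,cn=users,cn=accounts,dc=example,dc=test" missing attribute "sn" required by object class "person"
Apr 26 08:50:21 ipa1.example.test ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 26 08:50:21 ipa1.example.test ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 26 08:50:21 ipa1.example.test ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-EXAMPLE-TEST/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
Apr 26 08:50:21 ipa1.example.test ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
"""


def parse_line(line):
    """Entry for one log line, or None for lines without a 389-ds timestamp."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    rest = m.group("rest")
    if rest.startswith("- "):          # core-server message, no component name
        rest = rest[2:]
    c = _COMPONENT.match(rest)
    if c:
        return Entry(when, c.group(1), c.group(2))
    return Entry(when, "server", rest)


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def entries_before(entries, moment, minutes=10):
    """Entries with moment - minutes <= when <= moment, in log order."""
    start = moment - timedelta(minutes=minutes)
    return [e for e in entries if start <= e.when <= moment]


def triage(text, failure_ts, minutes=10):
    """Summarise the window ending at failure_ts ('26/Apr/2016:08:50:21 -0400' style)."""
    moment = datetime.strptime(failure_ts, "%d/%b/%Y:%H:%M:%S %z")
    entries = parse_log(text)
    window = entries_before(entries, moment, minutes)
    components = []
    for e in window:                   # first-seen order, no duplicates
        if e.component not in components:
            components.append(e.component)
    return {
        "count": len(window),
        "first_component": components[0] if components else None,
        "components": components,
        "older_entries_ignored": len(entries) - len(window),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "26/Apr/2016:08:50:21 -0400"))
```

Run against the real file (cat /var/log/dirsrv/slapd-INSTANCE/errors | python3 triage.py, with the timestamp from systemctl status), the "first_component" field answers Ludwig's question of where the errors start; if the window is empty although systemctl status showed messages, the errors log is not being written where you expect, which is what the thread goes on to check in dse.ldif.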
From lkrispen at redhat.com Wed Apr 27 14:05:59 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 27 Apr 2016 16:05:59 +0200
Subject: [Freeipa-users] krb5kdc service not starting
In-Reply-To: <0984AB34E553F54B8705D776686863E70AC032CC@cd-exchange01.CD-PRD.candeal.ca>
References: <0984AB34E553F54B8705D776686863E70AC01F50@cd-exchange01.CD-PRD.candeal.ca>
	<3df3e2c9-4249-8b3f-ddd2-739d9720f9aa@redhat.com>
	<0984AB34E553F54B8705D776686863E70AC01FCA@cd-exchange01.CD-PRD.candeal.ca>
	<571F74D5.1070102@redhat.com>
	<0984AB34E553F54B8705D776686863E70AC021BC@cd-exchange01.CD-PRD.candeal.ca>
	<0984AB34E553F54B8705D776686863E70AC0274D@cd-exchange01.CD-PRD.candeal.ca>
	<571FB6FB.3010906@redhat.com>
	<0984AB34E553F54B8705D776686863E70AC0291E@cd-exchange01.CD-PRD.candeal.ca>
	<5720678C.8090709@redhat.com>
	<0984AB34E553F54B8705D776686863E70AC032CC@cd-exchange01.CD-PRD.candeal.ca>
Message-ID: <5720C747.7090709@redhat.com>

On 04/27/2016 03:48 PM, Gady Notrica wrote:
>
> Hello Ludwig,
>
> I do have only 1 error logs for the 26th in
> /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. Below is the only line I have
>
> [25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync -
> failed to send dirsync search request: 2
>
> [26/Apr/2016:00:13:01 -0400] - Entry
> "uid=MMOOREDT$,cn=users,cn=accounts,dc=ipa,dc=candeal,dc=ca" missing
> attribute "sn" required by object class "person"
>
> I don't know if that helps.
>
no. And it is weird that there should be no logs, there were definitely
messages logged around 8:50, you provided them via systemctl status
dirsrv... And at least the startup messages should be there

Can you try to start dirsrv again and check what config settings for
errorlog are in your dse.ldif

>
> Gady
>
> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
> Sent: April 27, 2016 3:18 AM
> To: Gady Notrica
> Cc: Rob Crittenden; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
> On 04/26/2016 09:09 PM, Gady Notrica wrote:
>
> HERE..
>
> [23/Apr/2016:11:39:51 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/cd-p-ipa1.ipa.domain.local at IPA.DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> [23/Apr/2016:11:39:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
> [23/Apr/2016:11:39:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
> [23/Apr/2016:11:39:51 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
> [23/Apr/2016:11:39:51 -0400] - slapd started.
Listening on All > Interfaces port 389 for LDAP requests > > [23/Apr/2016:11:39:51 -0400] - Listening on All Interfaces port > 636 for LDAPS requests > > [23/Apr/2016:11:39:51 -0400] - Listening on > /var/run/slapd-IPA-DOMAIN-LOCAL.socket for LDAPI requests > > [23/Apr/2016:11:39:55 -0400] NSMMReplicationPlugin - > agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): > Replication bind with GSSAPI auth resumed > > [23/Apr/2016:14:37:27 -0400] NSMMReplicationPlugin - > agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Unable > to receive the response for a startReplication extended operation > to consumer (Can't contact LDAP server). Will retry later. > > [23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - > Error: could not perform interactive bind for id [] mech [GSSAPI]: > LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 > (Transport endpoint is not connected) > > [23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not > perform interactive bind for id [] authentication mechanism > [GSSAPI]: error -1 (Can't contact LDAP server) > > [23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - > Error: could not perform interactive bind for id [] mech [GSSAPI]: > LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 > (Transport endpoint is not connected) > > [23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not > perform interactive bind for id [] authentication mechanism > [GSSAPI]: error -1 (Can't contact LDAP server) > > [23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - > Error: could not perform interactive bind for id [] mech [GSSAPI]: > LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 > (Transport endpoint is not connected) > > [23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not > perform interactive bind for id [] authentication mechanism > [GSSAPI]: error -1 (Can't contact LDAP server) > > [23/Apr/2016:14:38:13 -0400] NSMMReplicationPlugin - > 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): > Replication bind with GSSAPI auth resumed > > [25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync > - failed to send dirsync search request: 2 > > these are old logs, the problem you were reporting was on Apr, 26: > > > Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15" > Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server. > > > we need the logs from that time > > > > > Gady > > -----Original Message----- > From: Rob Crittenden [mailto:rcritten at redhat.com] > Sent: April 26, 2016 2:44 PM > To: Gady Notrica; Ludwig Krispenz; freeipa-users at redhat.com > > Subject: Re: [Freeipa-users] krb5kdc service not starting > > Gady Notrica wrote: > > > Hey world, > > > > > > Any ideas? > > What about the first part of Ludwig's question: Is there anything in > the 389-ds error log? > > rob > > > > > > Gady > > > > > > -----Original Message----- > > > From: freeipa-users-bounces at redhat.com > > > > [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gady Notrica > > > Sent: April 26, 2016 10:10 AM > > > To: Ludwig Krispenz; freeipa-users at redhat.com > > > > Subject: Re: [Freeipa-users] krb5kdc service not starting > > > > > > No, no changes. Lost connectivity with my VMs during the night > > > (networking issues in datacenter) > > > > > > Reboot the server and oups, no IPA is coming up... The replica > (secondary server) is fine though. 
> > > Gady Notrica
> > >
> > > -----Original Message-----
> > > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz
> > > Sent: April 26, 2016 10:02 AM
> > > To: freeipa-users at redhat.com
> > > Subject: Re: [Freeipa-users] krb5kdc service not starting
> > >
> > > On 04/26/2016 03:26 PM, Gady Notrica wrote:
> > >> Here...
> > >>
> > >> [root@cd-p-ipa1 log]# ipactl status
> > >> Directory Service: STOPPED
> > >> Directory Service must be running in order to obtain status of other services
> > >> ipa: INFO: The ipactl command was successful
> > >>
> > >> [root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-DOMAIN-LOCAL.service -l
> > >> ● dirsrv@IPA-DOMAIN-LOCAL.service - 389 Directory Server IPA-DOMAIN-LOCAL.
> > >>    Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
> > >>    Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 30min ago
> > >>   Process: 6333 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE)
> > >>
> > >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> > >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> > >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> > >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> > >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> > >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> > >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> > >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> > >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-DOMAIN-LOCAL/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
> > >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
> > > this says the server doesn't know a syntax oid, but it is a known one.
> > > It could be that the syntax plugins couldn't be loaded. There are more errors before, could you check where the errors start in /var/log/dirsrv/slapd-/errors ?
> > >
> > > And, did you do any changes to the system before this problem started ?
> > >> [root@cd-p-ipa1 log]#
> > >>
> > >> Gady
> > >>
> > >> -----Original Message-----
> > >> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Martin Babinsky
> > >> Sent: April 26, 2016 9:17 AM
> > >> To: freeipa-users at redhat.com
> > >> Subject: Re: [Freeipa-users] krb5kdc service not starting
> > >>
> > >> On 04/26/2016 03:13 PM, Gady Notrica wrote:
> > >>> Hello world,
> > >>>
> > >>> I am having issues this morning with my primary IPA. See below the details in the logs and command result. Basically, krb5kdc service not starting - krb5kdc: Server error - while fetching master key.
> > >>>
> > >>> DNS is functioning. See below dig result. I have a trust with Windows AD.
> > >>>
> > >>> Please help?!
> > >>>
> > >>> [root@cd-ipa1 log]# systemctl status krb5kdc.service -l
> > >>> ● krb5kdc.service - Kerberos 5 KDC
> > >>>    Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
> > >>>    Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52 EDT; 41min ago
> > >>>   Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE)
> > >>>
> > >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Starting Kerberos 5 KDC...
> > >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local krb5kdc[3694]: krb5kdc: cannot initialize realm IPA.DOMAIN.LOCAL - see log file for details
> > >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service: control process exited, code=exited status=1
> > >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Failed to start Kerberos 5 KDC.
> > >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Unit krb5kdc.service entered failed state.
> > >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service failed.
> > >>>
> > >>> [root@cd-ipa1 log]#
> > >>>
> > >>> Errors in /var/log/krb5kdc.log
> > >>>
> > >>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
> > >>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
> > >>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
> > >>>
> > >>> [root@cd-ipa1 log]# systemctl status httpd -l
> > >>> ● httpd.service - The Apache HTTP Server
> > >>>    Loaded: loaded (/etc/systemd/system/httpd.service; disabled; vendor preset: disabled)
> > >>>    Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:21 EDT; 39min ago
> > >>>      Docs: man:httpd(8)
> > >>>            man:apachectl(8)
> > >>>   Process: 3594 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=1/FAILURE)
> > >>>
> > >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1579, in __wait_for_connection
> > >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: wait_for_open_socket(lurl.hostport, timeout)
> > >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1200, in wait_for_open_socket
> > >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: raise e
> > >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: error: [Errno 2] No such file or directory
> > >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: ipa : ERROR Unknown error while retrieving setting from ldapi://%2fvar%2frun%2fslapd-IPA-DOMAIN-LOCAL.socket: [Errno 2] No such file or directory
> > >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service: control process exited, code=exited status=1
> > >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Failed to start The Apache HTTP Server.
> > >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Unit httpd.service entered failed state.
> > >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service failed.
> > >>>
> > >>> [root@cd-ipa1 log]#
> > >>>
> > >>> DNS Result for dig redhat.com
> > >>>
> > >>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> redhat.com
> > >>> ;; global options: +cmd
> > >>> ;; Got answer:
> > >>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5414
> > >>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 2
> > >>>
> > >>> ;; OPT PSEUDOSECTION:
> > >>> ; EDNS: version: 0, flags:; udp: 4096
> > >>> ;; QUESTION SECTION:
> > >>> ;redhat.com.                    IN      A
> > >>>
> > >>> ;; ANSWER SECTION:
> > >>> redhat.com.             60      IN      A       209.132.183.105
> > >>>
> > >>> ;; AUTHORITY SECTION:
> > >>> .                       849     IN      NS      f.root-servers.net.
> > >>> .                       849     IN      NS      e.root-servers.net.
> > >>> .                       849     IN      NS      k.root-servers.net.
> > >>> .                       849     IN      NS      m.root-servers.net.
> > >>> .                       849     IN      NS      b.root-servers.net.
> > >>> .                       849     IN      NS      g.root-servers.net.
> > >>> .                       849     IN      NS      c.root-servers.net.
> > >>> .                       849     IN      NS      h.root-servers.net.
> > >>> .                       849     IN      NS      l.root-servers.net.
> > >>> .                       849     IN      NS      a.root-servers.net.
> > >>> .                       849     IN      NS      j.root-servers.net.
> > >>> .                       849     IN      NS      i.root-servers.net.
> > >>> .                       849     IN      NS      d.root-servers.net.
> > >>>
> > >>> ;; ADDITIONAL SECTION:
> > >>> j.root-servers.net.     3246    IN      A       192.58.128.30
> > >>>
> > >>> ;; Query time: 79 msec
> > >>> ;; SERVER: 10.20.10.41#53(10.20.10.41)
> > >>> ;; WHEN: Tue Apr 26 09:02:43 EDT 2016
> > >>> ;; MSG SIZE  rcvd: 282
> > >>>
> > >>> Gady
> > >>>
> > >> It seems like Directory server is not running. Can you post result of 'ipactl status' and 'systemctl status dirsrv@IPA-DOMAIN-LOCAL.service'?
> > >>
> > >> --
> > >> Martin^3 Babinsky
> > >>
> > >> --
> > >> Manage your subscription for the Freeipa-users mailing list:
> > >> https://www.redhat.com/mailman/listinfo/freeipa-users
> > >> Go to http://freeipa.org for more info on the project
> > >>
> > >

-- 
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill

-------------- next part --------------
An HTML attachment was scrubbed...
-------------- next part --------------
A non-text attachment was scrubbed...

From gnotrica at candeal.com Wed Apr 27 14:36:52 2016
From: gnotrica at candeal.com (Gady Notrica)
Date: Wed, 27 Apr 2016 14:36:52 +0000
Subject: [Freeipa-users] krb5kdc service not starting
In-Reply-To: <5720C747.7090709@redhat.com>
References: <0984AB34E553F54B8705D776686863E70AC01F50@cd-exchange01.CD-PRD.candeal.ca> <3df3e2c9-4249-8b3f-ddd2-739d9720f9aa@redhat.com> <0984AB34E553F54B8705D776686863E70AC01FCA@cd-exchange01.CD-PRD.candeal.ca> <571F74D5.1070102@redhat.com> <0984AB34E553F54B8705D776686863E70AC021BC@cd-exchange01.CD-PRD.candeal.ca> <0984AB34E553F54B8705D776686863E70AC0274D@cd-exchange01.CD-PRD.candeal.ca> <571FB6FB.3010906@redhat.com> <0984AB34E553F54B8705D776686863E70AC0291E@cd-exchange01.CD-PRD.candeal.ca> <5720678C.8090709@redhat.com> <0984AB34E553F54B8705D776686863E70AC032CC@cd-exchange01.CD-PRD.candeal.ca> <5720C747.7090709@redhat.com>
Message-ID: <0984AB34E553F54B8705D776686863E70AC033CA@cd-exchange01.CD-PRD.candeal.ca>

No changes to /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. I am tailing the log file and running those commands doesn't generate any log, nothing.

[root@cd-p-ipa1 log]# ipactl start
Starting Directory Service
Job for dirsrv@IPA-CANDEAL-CA.service failed because the control process exited with error code. See "systemctl status dirsrv@IPA-CANDEAL-CA.service" and "journalctl -xe" for details.
Failed to start Directory Service: Command ''/bin/systemctl' 'start' 'dirsrv@IPA-CANDEAL-CA.service'' returned non-zero exit status 1

Logs from /var/log/messages

Apr 27 10:26:05 cd-p-ipa1 systemd: Starting 389 Directory Server IPA-CANDEAL-CA....
Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] dse - The configuration file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was not restored from backup /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.tmp, error -1
Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] dse - The configuration file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was not restored from backup /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.bak, error -1
Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] config - The given config file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif could not be accessed, Netscape Portable Runtime error -5950 (File not found.)

[root@cd-p-ipa1 log]# systemctl start dirsrv@IPA-CANDEAL-CA.service
Job for dirsrv@IPA-CANDEAL-CA.service failed because the control process exited with error code. See "systemctl status dirsrv@IPA-CANDEAL-CA.service" and "journalctl -xe" for details.

[root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-CANDEAL-CA.service -l
● dirsrv@IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.
   Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2016-04-27 10:26:17 EDT; 3s ago
  Process: 9830 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE)

Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
[root@cd-p-ipa1 log]#

Gady

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: April 27, 2016 10:06 AM
To: Gady Notrica
Cc: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

On 04/27/2016 03:48 PM, Gady Notrica wrote:
Hello Ludwig,

I do have only 1 error log for the 26th in /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. Below is the only line I have

[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2
[26/Apr/2016:00:13:01 -0400] - Entry "uid=MMOOREDT$,cn=users,cn=accounts,dc=ipa,dc=candeal,dc=ca" missing attribute "sn" required by object class "person"

I don't know if that helps.

no. And it is weird that there should be no logs, there were definitely messages logged around 8:50, you provided them via systemctl status dirsrv... And at least the startup messages should be there

Can you try to start dirsrv again. and check what config settings for errorlog are in your dse.ldif

Gady

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: April 27, 2016 3:18 AM
To: Gady Notrica
Cc: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

On 04/26/2016 09:09 PM, Gady Notrica wrote:
HERE..

[23/Apr/2016:11:39:51 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/cd-p-ipa1.ipa.domain.local@IPA.DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[23/Apr/2016:11:39:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[23/Apr/2016:11:39:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[23/Apr/2016:11:39:51 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[23/Apr/2016:11:39:51 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[23/Apr/2016:11:39:51 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[23/Apr/2016:11:39:51 -0400] - Listening on /var/run/slapd-IPA-DOMAIN-LOCAL.socket for LDAPI requests
[23/Apr/2016:11:39:55 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth resumed
[23/Apr/2016:14:37:27 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[23/Apr/2016:14:38:13 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth resumed
[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2

these are old logs, the problem you were reporting was on Apr, 26:

Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.

we need the logs from that time

Gady

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: April 26, 2016 2:44 PM
To: Gady Notrica; Ludwig Krispenz; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

Gady Notrica wrote:
> Hey world,
>
> Any ideas?

What about the first part of Ludwig's question: Is there anything in the 389-ds error log?

rob

>
> Gady
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gady Notrica
> Sent: April 26, 2016 10:10 AM
> To: Ludwig Krispenz; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
> No, no changes. Lost connectivity with my VMs during the night (networking issues in datacenter)
>
> Reboot the server and oops, no IPA is coming up... The replica (secondary server) is fine though.
>
> Gady Notrica
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz
> Sent: April 26, 2016 10:02 AM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
> [...]

-------------- next part --------------
An HTML attachment was scrubbed...
-------------- next part --------------
A non-text attachment was scrubbed...
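The two ways dirsrv failed in this thread (the schema file rejected with a supposedly unknown syntax OID on April 26, then dse.ldif itself missing with NSPR error -5950 on April 27) are both cases where the useful information is in files on disk rather than in the service status. The following is an added, read-only triage script, not code from the thread or from FreeIPA/389-ds: it classifies the two signatures in a log, checks whether dse.ldif is present and which of the copies 389-ds keeps beside it could be restored (dse.ldif.bak and dse.ldif.tmp are named in the server's own messages above; dse.ldif.startOK is the copy 389-ds writes after a clean start), and prints the nsslapd-errorlog settings Ludwig asked about. The instance name slapd-EXAMPLE, the host name in the sample log, the sample log lines and the diagnosis labels are all constructed here.

```shell
#!/bin/sh
# Added example, not code from this thread or from FreeIPA/389-ds.
# Read-only triage for a 389-ds (dirsrv) instance that refuses to start.
# Constructed/assumed: the instance name slapd-EXAMPLE, the sample log
# lines in sample_log, and the diagnosis labels printed below.

# classify_dirsrv_log LOGFILE
# Print one diagnosis per known failure signature found in LOGFILE.
# Returns 0 if at least one signature matched, 1 if none did.
classify_dirsrv_log() {
    log="$1"
    hit=1
    # April 27 signature: the config file itself is gone.
    if grep -q 'could not be accessed, Netscape Portable Runtime error -5950' "$log"; then
        echo "CONFIG_MISSING: dse.ldif is gone; check dse.ldif.bak / dse.ldif.startOK before anything else"
        hit=0
    fi
    # April 26 signature: a standard LDAP syntax OID is rejected, which means the
    # syntax plugins never loaded; the real error is earlier in the errors log.
    if grep -q 'Unknown attribute syntax OID' "$log"; then
        echo "SCHEMA_LOAD_FAILED: syntax plugins not loaded; find the FIRST error in the errors log, this one is a consequence"
        hit=0
    fi
    return $hit
}

# check_dse_config CONFIGDIR
# Returns 0 if dse.ldif is present and non-empty, 1 if it is missing but a
# copy to restore from exists, 2 if there is nothing to restore from.
check_dse_config() {
    dir="$1"
    if [ -s "$dir/dse.ldif" ]; then
        echo "OK: $dir/dse.ldif present"
        return 0
    fi
    echo "MISSING: $dir/dse.ldif absent or empty"
    status=2
    # 389-ds keeps dse.ldif.bak (last saved config) and dse.ldif.startOK
    # (config as of the last clean start); dse.ldif.tmp is an unfinished write.
    for cand in dse.ldif.startOK dse.ldif.bak dse.ldif.tmp; do
        if [ -s "$dir/$cand" ]; then
            echo "CANDIDATE: $dir/$cand ($(wc -l < "$dir/$cand" | tr -d ' ') lines)"
            status=1
        fi
    done
    return $status
}

# errorlog_settings LDIF
# Print the nsslapd-errorlog* attributes of a dse.ldif (or one of its copies).
errorlog_settings() {
    grep -i '^nsslapd-errorlog' "$1"
}

# sample_log: constructed lines modelled on the thread, for a dry run.
sample_log() {
    cat <<'EOF'
Apr 27 10:26:05 host ns-slapd: [27/Apr/2016:10:26:05 -0400] dse - The configuration file /etc/dirsrv/slapd-EXAMPLE/dse.ldif was not restored from backup /etc/dirsrv/slapd-EXAMPLE/dse.ldif.bak, error -1
Apr 27 10:26:05 host ns-slapd: [27/Apr/2016:10:26:05 -0400] config - The given config file /etc/dirsrv/slapd-EXAMPLE/dse.ldif could not be accessed, Netscape Portable Runtime error -5950 (File not found.)
Apr 27 10:26:17 host ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-EXAMPLE/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
EOF
}

# dirsrv_triage CONFIGDIR LOGFILE: run every check; nothing is modified.
dirsrv_triage() {
    classify_dirsrv_log "$2" || echo "no known signature in $2"
    check_dse_config "$1" || true
    for f in "$1"/dse.ldif "$1"/dse.ldif.startOK "$1"/dse.ldif.bak; do
        if [ -s "$f" ]; then
            echo "errorlog settings in $f:"
            errorlog_settings "$f" || echo "  (none found)"
        fi
    done
    return 0
}

# Run only when given both arguments, e.g.
#   sh dirsrv_triage.sh /etc/dirsrv/slapd-EXAMPLE /var/log/messages
if [ "$#" -eq 2 ]; then
    dirsrv_triage "$1" "$2"
fi
```

Restoring dse.ldif from one of the candidates is a manual decision: diff them against each other first, copy with the instance stopped, and keep the dirsrv ownership and mode of the original. Once the directory is back, the krb5kdc and httpd failures in this thread need no separate fix, since both only failed because the LDAPI socket was not there (the KDC could not fetch its master key from LDAP, and ipa-httpd-kdcproxy got ENOENT on the socket path).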
From bret.wortman at damascusgrp.com Wed Apr 27 14:46:00 2016
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Wed, 27 Apr 2016 10:46:00 -0400
Subject: [Freeipa-users] IPA server having cert issues
In-Reply-To: <57208EE1.3000006@damascusgrp.com>
References: <571F586E.2000302@damascusgrp.com> <571F5B99.4060607@damascusgrp.com> <571F6BF5.9060801@damascusgrp.com> <571F6C80.8000006@damascusgrp.com> <7c9ac60d-f182-cb92-bf53-85359e5c5b81@redhat.com> <571F9092.7060204@damascusgrp.com> <571F9E04.2050400@damascusgrp.com> <571FA944.8040003@redhat.com> <571FAE1C.107@damascusgrp.com> <57208EE1.3000006@damascusgrp.com>
Message-ID: <5720D0A8.505@damascusgrp.com>

So in lieu of fixing these certs, is there an acceptable way to dump them all and start over /without losing the contents of the IPA database/? Or otherwise really screwing ourselves? We have a replica that's still up and running and we've switched everyone over to talking to it, but we're at risk with just the one.

Thanks!

On 04/27/2016 06:05 AM, Bret Wortman wrote:
> Was this at all informative?
>
> On 04/26/2016 02:06 PM, Bret Wortman wrote:
>>
>> On 04/26/2016 01:45 PM, Rob Crittenden wrote:
>>> Bret Wortman wrote:
>>>> I think I've found a deeper problem, in that I can't update these because IPA simply won't start at all now.
>>>>
>>>> I mistyped one of these -- the 2016-03-11 is actually 2018-03-11, and 2016-04-01 is actually 2036-04-01.
>>>>
>>>> As for the unknowns, the first says status: CA_REJECTED and the error says "hostname in subject of request 'zw198.private.net' does not match principal hostname 'private.net'", with stuck: yes.
>>>>
>>>> The second is similar, but for a different host.
>>>
>>> Is it really a different host and why? I think we'd need to see the full output to know what's going on.
>>>
>>
>> Full output:
>>
>> Number of certificates and requests being tracked: 10.
>> Request ID '20140428181940':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PRIVATE-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PRIVATE-NET/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PRIVATE-NET',nickname='Server-Cert',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=PRIVATE.NET
>>         subject: CN=zsipa.private.net,O=PRIVATE.NET
>>         expires: 2018-04-02 13:04:51 UTC
>>         principal name: ldap/zsipa.private.net@PRIVATE.NET
>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>> Request ID '20140428182016':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=PRIVATE.NET
>>         subject: CN=zsipa.private.net,O=PRIVATE.NET
>>         expires: 2018-04-02 13:04:31 UTC
>>         principal name: HTTP/zsipa.private.net@PRIVATE.NET
>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>> Request ID '20150211141945':
>>         status: CA_REJECTED
>>         ca-error: Server at https://zsipa.private.net/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: hostname in subject of request 'zw198.private.net' does not match principal hostname 'private.net').
>>         stuck: yes
>>         key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
>>         certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
>>         CA: IPA
>>         issuer:
>>         subject:
>>         expires: unknown
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>> Request ID '20150816194107':
>>         status: CA_UNREACHABLE
>>         ca-error: Internal error
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='424151811070'
>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-ca-renew-agent
>>         issuer: CN=Certificate Authority,O=PRIVATE.NET
>>         subject: CN=CA Audit,O=PRIVATE.NET
>>         expires: 2016-04-17 18:19:19 UTC
>>         key usage: digitalSignature,nonRepudiation
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>> Request ID '20150816194108':
>>         status: CA_UNREACHABLE
>>         ca-error: Internal error
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='424151811070'
>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-ca-renew-agent
>>         issuer: CN=Certificate Authority,O=PRIVATE.NET
>>         subject: CN=OCSP Subsystem,O=PRIVATE.NET
>>         expires: 2016-04-17 18:19:18 UTC
>>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>         eku: id-kp-OCSPSigning
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>> Request ID '20150816194109':
>>         status: CA_UNREACHABLE
>>         ca-error: Internal error
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='424151811070'
>>
certificate: >> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert >> cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-ca-renew-agent >> issuer: CN=Certificate Authority,O=PRIVATE.NET >> subject: CN=CA Subsystem,O=PRIVATE.NET >> expires: 2016-04-17 18:19:19 UTC >> key usage: >> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: >> post-save command: >> track: yes >> auto-renew: yes >> Request ID '20150816194110': >> status: MONITORING >> stuck: no >> key pair storage: >> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert >> cert-pki-ca',token='NSS Certificate DB',pin='424151811070' >> certificate: >> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert >> cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-ca-renew-agent >> issuer: CN=Certificate Authority,O=PRIVATE.NET >> subject: CN=Certificate Authority,O=PRIVATE.NET >> expires: 2036-04-01 20:16:39 UTC >> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign >> pre-save command: >> post-save command: >> track: yes >> auto-renew: yes >> Request ID '20150816194111': >> status: CA_UNREACHABLE >> ca-error: Internal error >> stuck: no >> key pair storage: >> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >> certificate: >> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >> Certificate DB' >> CA: dogtag-ipa-ca-renew-agent >> issuer: CN=Certificate Authority,O=PRIVATE.NET >> subject: CN=IPA RA,O=PRIVATE.NET >> expires: 2016-04-17 18:19:35 UTC >> key usage: >> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: >> post-save command: >> track: yes >> auto-renew: yes >> Request ID '20150816194112': >> status: MONITORING >> stuck: no >> key pair storage: >> 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert >> cert-pki-ca',token='NSS Certificate DB',pin='424151811070' >> certificate: >> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert >> cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-renew-agent >> issuer: CN=Certificate Authority,O=PRIVATE.NET >> subject: CN=zsipa.private.net,O=PRIVATE.NET >> expires: 2018-03-11 13:04:29 UTC >> key usage: >> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: >> post-save command: >> track: yes >> auto-renew: yes >> Request ID '20151214165433': >> status: CA_REJECTED >> ca-error: Server at https://zsipa.private.net/ipa/xml denied our >> request, giving up: 2100 (RPC failed at server. Insufficient access: >> hostname in subject of request 'zsipa.private.net' does not match >> principal hostname 'www.private.net'). >> stuck: yes >> key pair storage: >> type=FILE,location='/etc/pki/tls/private/www.private.net.key' >> certificate: >> type=FILE,location='/etc/pki/tls/certs/www.private.net.crt' >> CA: IPA >> issuer: >> subject: >> expires: unknown >> pre-save command: >> post-save command: >> track: yes >> auto-renew: yes >> >> >>> A given host can only get certificates for itself or those delegated >>> to it. Hostnames are used for this enforcement so if they don't line >>> up you'll see this type of rejection. >>> >>>> >>>> No idea what's wrong with the rest, or why nothing will start. Near >>>> as I >>>> can tell, Kerberos is failing to start, which is causing everything >>>> else >>>> to go toes up. >>>> >>>> Early in the startup, in /var/log/messages, there's: >>>> >>>> ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may >>>> provide >>>> more information (No Kerberos credentials available) >>> >>> Without more context it's hard to say. 
389 is rather chatty about >>> things and of course when it starts it has no ticket so it logs a >>> bunch of stuff, eventually (hopefully) gets one, and then shuts up. >>> >>>> >>>> After that, I get a jar file read pboelm on log4j.jar, then a >>>> series of >>>> property setting attempts that don't find matching properties. Then >>>> some >>>> cipher errors, then it looks like named starts up okay, and everything >>>> pauses for about 5 minutes before it all comes crashing back down. >>>> >>> >>> I wouldn't get too hung up on particular services just yet. Without >>> valid certs things will fail and those problems will cascade. I >>> think we just need more details at this point. >>> >>> rob >>> >>>> >>>> Bret >>>> >>>> On 04/26/2016 12:40 PM, Petr Vobornik wrote: >>>>> On 04/26/2016 06:00 PM, Bret Wortman wrote: >>>>>> # getcert list | grep expires >>>>>> expires: 2018-04-02 13:04:51 UTC >>>>>> expires: 2018-04-02 13:04:31 UTC >>>>>> expires: unknown >>>>>> expires: 2016-04-17 18:19:19 UTC >>>>>> expires: 2016-04-17 18:19:18 UTC >>>>>> expires: 2016-04-17 18:19:19 UTC >>>>>> expires: 2016-04-01 20:16:39 UTC >>>>>> expires: 2016-04-17 18:19:35 UTC >>>>>> expires: 2016-03-11 13:04:29 UTC >>>>>> expires: unknown >>>>>> # >>>>>> >>>>>> So some got updated and most didn't. Is there a recommended way >>>>>> to update these >>>>>> all? The system is still backdated to 3 April (ntpd disabled) at >>>>>> this point. >>>>> It's usually good to start renewing(when it doesn't happen >>>>> automatically >>>>> from some reason) with the cert which is about to expired first, i.e. >>>>> the one with "2016-03-11 13:04:29" >>>>> >>>>> The process is: >>>>> - move date before the cert is about to expired >>>>> - leave it up to certmonger or manually force resubmit by `getcert >>>>> resubmit -i $REQUEST_ID`, where request ID is in `getcert list` >>>>> output. 
>>>>> >>>>> I'm little worried about the fact that CA cert was renewed at date >>>>> which >>>>> is after expiration of the other certs. >>>>> >>>>> Also the `expires: unknown` doesn't look good. Check `getcert list` >>>>> output for errors related to the cert. >>>>> >>>>> >>>>>> >>>>>> Bret >>>>>> >>>>>> >>>>>> On 04/26/2016 11:46 AM, Petr Vobornik wrote: >>>>>>> On 04/26/2016 03:26 PM, Bret Wortman wrote: >>>>>>>> On our non-CA IPA server, this is happening, in case it's >>>>>>>> related and illustrative: >>>>>>>> >>>>>>>> # ipa host-del zw113.private.net >>>>>>>> ipa: ERROR: Certificate format error: >>>>>>>> (SEC_ERROR_LEGACY_DATABASE) The >>>>>>>> certificate/key database is in an old, unsupported format. >>>>>>>> # >>>>>>> I would start with checking on all IPA servers if and what >>>>>>> certificates >>>>>>> are expired: >>>>>>> # getcert list >>>>>>> or short version to check if there are any: >>>>>>> # getcert list | grep expires >>>>>>> >>>>>>> When CA cert is renewed, it is not automatically transfered to >>>>>>> clients. >>>>>>> There one must run: >>>>>>> # ipa-certupdate >>>>>>> >>>>>>>> On 04/26/2016 09:24 AM, Bret Wortman wrote: >>>>>>>>> I rolled the date on the IPA server in question back to April >>>>>>>>> 1 and ran >>>>>>>>> "ipa-cacert-manage renew", which said it completed >>>>>>>>> successfully. I rolled the >>>>>>>>> date back to current and tried restarting ipa using ipactl >>>>>>>>> stop && ipactl >>>>>>>>> start, but no joy. No more ca renewal errors, but right after >>>>>>>>> the pause I see >>>>>>>>> this in /var/log/messages: >>>>>>>>> >>>>>>>>> systemd: kadmin.service: main process exited, code=exited, >>>>>>>>> status=2/INVALIDARGUMENT >>>>>>>>> systemd: Unit kadmin.service entered failed state. >>>>>>>>> systemd: kadmin.service failed. >>>>>>>>> >>>>>>>>> I rebooted the server just in case, and it's still getting >>>>>>>>> stuck at the same >>>>>>>>> place. ipa-otpd doesn't get around to starting. 
>>>>>>>>> >>>>>>>>> >>>>>>>>> Bret >>>>>>>>> >>>>>>>>> After the several-minutes-long pause after ipactl start >>>>>>>>> outputs "Starting >>>>>>>>> pki-tomcatd Service", I get the >>>>>>>>> >>>>>>>>> On 04/26/2016 08:14 AM, Bret Wortman wrote: >>>>>>>>>> I have an IPA server on a private network which has >>>>>>>>>> apparently run into >>>>>>>>>> certificate issues this morning. It's been running without >>>>>>>>>> issue for quite a >>>>>>>>>> while, and is on 4.1.4-1 on fedora 21. >>>>>>>>>> >>>>>>>>>> This morning, the gui started giving: >>>>>>>>>> >>>>>>>>>> IPA Error 907: NetworkError with description "cannot connect to >>>>>>>>>> 'https://zsipa.private.net:443/ca/agent/ca/displayBySerial': >>>>>>>>>> (SSL_ERROR_EXPIRED_CERRT_ALERT) SSL peer rejected your >>>>>>>>>> certificate as expired." >>>>>>>>>> >>>>>>>>>> I dug into the logs and after trying to restart ipa using >>>>>>>>>> ipactl, there was a >>>>>>>>>> length pause, then: >>>>>>>>>> >>>>>>>>>> dogtag-ipa-ca-renew-agent-submit: Updated certificate not >>>>>>>>>> available >>>>>>>>>> certmonger: Certificate named "ipaCert" in token "NSS >>>>>>>>>> Certificate DB" in >>>>>>>>>> database "/etc/httpd/alias" is no longer valid. >>>>>>>>>> dogtag-ipa-ca-renew-agent-submit: Updated certificate not >>>>>>>>>> available >>>>>>>>>> certmonger: Certificate named "ocspSigningCert cert-pki-ca" >>>>>>>>>> in token "NSS >>>>>>>>>> Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no >>>>>>>>>> longer valid. >>>>>>>>>> dogtag-ipa-ca-renew-agent-submit: Updated certificate not >>>>>>>>>> available. >>>>>>>>>> named-pkcs11[3437]: client 192.168.208.205#57832: update >>>>>>>>>> '208.168.192.in-addr.arpa/IN' denied >>>>>>>>>> >>>>>>>>>> and then things start shutting down. I can't start ipa at all >>>>>>>>>> using ipactl. >>>>>>>>>> >>>>>>>>>> So at present, our DNS is down. Authentication should work >>>>>>>>>> for a while, but >>>>>>>>>> I'd like to get this working again as quickly as possible. 
>>>>>>>>>> Any ideas? I deal
>>>>>>>>>> with certificates so infrequently (like only when something
>>>>>>>>>> like this
>>>>>>>>>> happens) that I'm not sure where to start.
>>>>>>>>>>
>>>>>>>>>> Thanks!
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> *Bret Wortman*
>>>>>>>>>> /Coming soon to Kickstarter.../
>>>>>>>>>>
>>>>>>>>>> http://wrapbuddies.co/
>>>>>>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>
>

From abokovoy at redhat.com Wed Apr 27 14:49:31 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 27 Apr 2016 17:49:31 +0300
Subject: [Freeipa-users] krb5kdc service not starting
In-Reply-To: <0984AB34E553F54B8705D776686863E70AC032CC@cd-exchange01.CD-PRD.candeal.ca>
References: <0984AB34E553F54B8705D776686863E70AC01F50@cd-exchange01.CD-PRD.candeal.ca> <3df3e2c9-4249-8b3f-ddd2-739d9720f9aa@redhat.com> <0984AB34E553F54B8705D776686863E70AC01FCA@cd-exchange01.CD-PRD.candeal.ca> <571F74D5.1070102@redhat.com> <0984AB34E553F54B8705D776686863E70AC021BC@cd-exchange01.CD-PRD.candeal.ca> <0984AB34E553F54B8705D776686863E70AC0274D@cd-exchange01.CD-PRD.candeal.ca> <571FB6FB.3010906@redhat.com> <0984AB34E553F54B8705D776686863E70AC0291E@cd-exchange01.CD-PRD.candeal.ca> <5720678C.8090709@redhat.com> <0984AB34E553F54B8705D776686863E70AC032CC@cd-exchange01.CD-PRD.candeal.ca>
Message-ID: <20160427144931.6ll6eam6vknsutxl@redhat.com>

On Wed, 27 Apr 2016, Gady Notrica wrote:
>Hello Ludwig,
>
>I do have only 1 error logs for the 26th in /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. Below is the only line I have
>
>[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2
>[26/Apr/2016:00:13:01 -0400] - Entry "uid=MMOOREDT$,cn=users,cn=accounts,dc=ipa,dc=candeal,dc=ca" missing attribute "sn" required by object class "person"
>
>[cid:image003.jpg at 01D1A069.EF91B910]
>
>I don't know if that helps.
Your setup seems to have corruption of the data on disk of that VM. Start from looking into whether all RPM package owned files are in correct state. For 389-ds-base run as root 'rpm -V 389-ds-base'. For a normal install you would get something like this:

# rpm -V 389-ds-base
.M....G.. /etc/dirsrv
..5....T. c /etc/sysconfig/dirsrv
S.5....T. c /etc/sysconfig/dirsrv.systemd
.M....G.. /var/lib/dirsrv

If you have more changes, show them. Repeat the same for freeipa-server (or ipa-server if this is RHEL/CentOS).

Next, compare schema files between what is in the 389-ds-base and IPA deployment. The following shell snippet would give you output that shows the difference between the schema files, ignoring comments. In a normal situation the difference should only be in 99user.ldif.

#!/bin/bash
instance=EXAMPLE-COM
for i in /etc/dirsrv/schema/*.ldif ; do
    f=/etc/dirsrv/slapd-$instance/schema/$(basename "$i")
    # an instance schema file that is missing outright is worth reporting
    if [ ! -f "$f" ]; then
        echo "missing: $f"
        continue
    fi
    # print the diff only when the files differ, dropping comment lines
    cmp -s "$i" "$f" || diff -u "$i" "$f" | grep -Ev '^\+#|^-#|^ #'
done

>
>Gady
>
>From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
>Sent: April 27, 2016 3:18 AM
>To: Gady Notrica
>Cc: Rob Crittenden; freeipa-users at redhat.com
>Subject: Re: [Freeipa-users] krb5kdc service not starting
>
>
>On 04/26/2016 09:09 PM, Gady Notrica wrote:
>
>HERE..
>
>
>
>[23/Apr/2016:11:39:51 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/cd-p-ipa1.ipa.domain.local at IPA.DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>
>[23/Apr/2016:11:39:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) > >[23/Apr/2016:11:39:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) > >[23/Apr/2016:11:39:51 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) > >[23/Apr/2016:11:39:51 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests > >[23/Apr/2016:11:39:51 -0400] - Listening on All Interfaces port 636 for LDAPS requests > >[23/Apr/2016:11:39:51 -0400] - Listening on /var/run/slapd-IPA-DOMAIN-LOCAL.socket for LDAPI requests > >[23/Apr/2016:11:39:55 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth resumed > >[23/Apr/2016:14:37:27 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later. 
> >[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) > >[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) > >[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) > >[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) > >[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) > >[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) > >[23/Apr/2016:14:38:13 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth resumed > >[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2 >these are old logs, the problem you were reporting was on Apr, 26: > > > >Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15" > >Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the 
file to correct the reported problems and then restart the server. > > > > > >we need the logs from that time > > > > > > >Gady > > > >-----Original Message----- >From: Rob Crittenden [mailto:rcritten at redhat.com] >Sent: April 26, 2016 2:44 PM >To: Gady Notrica; Ludwig Krispenz; freeipa-users at redhat.com >Subject: Re: [Freeipa-users] krb5kdc service not starting > > > >Gady Notrica wrote: > >> Hey world, > >> > >> Any ideas? > > > >What about the first part of Ludwig's question: Is there anything in the 389-ds error log? > > > >rob > > > >> > >> Gady > >> > >> -----Original Message----- > >> From: freeipa-users-bounces at redhat.com > >> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gady Notrica > >> Sent: April 26, 2016 10:10 AM > >> To: Ludwig Krispenz; freeipa-users at redhat.com > >> Subject: Re: [Freeipa-users] krb5kdc service not starting > >> > >> No, no changes. Lost connectivity with my VMs during the night > >> (networking issues in datacenter) > >> > >> Reboot the server and oups, no IPA is coming up... The replica (secondary server) is fine though. > >> > >> Gady Notrica > >> > >> -----Original Message----- > >> From: freeipa-users-bounces at redhat.com > >> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz > >> Sent: April 26, 2016 10:02 AM > >> To: freeipa-users at redhat.com > >> Subject: Re: [Freeipa-users] krb5kdc service not starting > >> > >> > >> On 04/26/2016 03:26 PM, Gady Notrica wrote: > >>> Here... > >>> > >>> [root at cd-p-ipa1 log]# ipactl status > >>> Directory Service: STOPPED > >>> Directory Service must be running in order to obtain status of other > >>> services > >>> ipa: INFO: The ipactl command was successful > >>> > >>> [root at cd-p-ipa1 log]# systemctl status dirsrv at IPA-DOMAIN-LOCAL.service > >>> -l ? dirsrv at IPA-DOMAIN-LOCAL.service - 389 Directory Server IPA-DOMAIN-LOCAL. 
> >>> Loaded: loaded (/usr/lib/systemd/system/dirsrv at .service; enabled; vendor preset: disabled) > >>> Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 30min ago > >>> Process: 6333 ExecStart=/usr/sbin/ns-slapd -D > >>> /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w > >>> /var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE) > >>> > >>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: > >>> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: > >>> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 > >>> 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: > >>> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: > >>> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 > >>> 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: > >>> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: > >>> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016! 
> > :08:50:21 > >-0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-DOMAIN-LOCAL/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15" > >>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server. > >> this says the server doesn't know a syntax oid, but it is a known one. > >> It could be that the syntax plugings couldn't be loaded. Thera are more errors before, could you check where the errors start in /var/log/dirsrv/slapd-/errors ? > >> > >> And, did you do any changes to the system before this problem started ? > >>> [root at cd-p-ipa1 log]# > >>> > >>> Gady > >>> > >>> -----Original Message----- > >>> From: freeipa-users-bounces at redhat.com > >>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Martin > >>> Babinsky > >>> Sent: April 26, 2016 9:17 AM > >>> To: freeipa-users at redhat.com > >>> Subject: Re: [Freeipa-users] krb5kdc service not starting > >>> > >>> On 04/26/2016 03:13 PM, Gady Notrica wrote: > >>>> Hello world, > >>>> > >>>> > >>>> > >>>> I am having issues this morning with my primary IPA. See below the > >>>> details in the logs and command result. Basically, krb5kdc service > >>>> not starting - krb5kdc: Server error - while fetching master key. > >>>> > >>>> > >>>> > >>>> DNS is functioning. See below dig result. I have a trust with Windows AD. > >>>> > >>>> > >>>> > >>>> Please help?! > >>>> > >>>> > >>>> > >>>> [root at cd-ipa1 log]# systemctl status krb5kdc.service -l > >>>> > >>>> ? 
krb5kdc.service - Kerberos 5 KDC > >>>> > >>>> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; > >>>> disabled; vendor preset: disabled) > >>>> > >>>> Active: failed (Result: exit-code) since Tue 2016-04-26 > >>>> 08:27:52 EDT; 41min ago > >>>> > >>>> Process: 3694 ExecStart=/usr/sbin/krb5kdc -P > >>>> /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE) > >>>> > >>>> > >>>> > >>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Starting > >>>> Kerberos > >>>> 5 KDC... > >>>> > >>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localkrb5kdc[3694]: krb5kdc: > >>>> cannot initialize realm IPA.DOMAIN.LOCAL- see log file for details > >>>> > >>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service: > >>>> control process exited, code=exited status=1 > >>>> > >>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Failed to start > >>>> Kerberos 5 KDC. > >>>> > >>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Unit > >>>> krb5kdc.service entered failed state. > >>>> > >>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service failed. > >>>> > >>>> [root at cd-ipa1 log]# > >>>> > >>>> > >>>> > >>>> Errors in /var/log/krb5kdc.log > >>>> > >>>> > >>>> > >>>> krb5kdc: Server error - while fetching master key K/M for realm > >>>> DOMAIN.LOCAL > >>>> > >>>> krb5kdc: Server error - while fetching master key K/M for realm > >>>> DOMAIN.LOCAL > >>>> > >>>> krb5kdc: Server error - while fetching master key K/M for realm > >>>> DOMAIN.LOCAL > >>>> > >>>> > >>>> > >>>> [root at cd-ipa1 log]# systemctl status httpd -l > >>>> > >>>> ? 
httpd.service - The Apache HTTP Server > >>>> > >>>> Loaded: loaded (/etc/systemd/system/httpd.service; disabled; > >>>> vendor > >>>> preset: disabled) > >>>> > >>>> Active: failed (Result: exit-code) since Tue 2016-04-26 > >>>> 08:27:21 EDT; 39min ago > >>>> > >>>> Docs: man:httpd(8) > >>>> > >>>> man:apachectl(8) > >>>> > >>>> Process: 3594 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy > >>>> (code=exited, status=1/FAILURE) > >>>> > >>>> > >>>> > >>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localipa-httpd-kdcproxy[3594]: > >>>> File "/usr/lib/python2.7/siteackages/ipapython/ipaldap.py", line > >>>> 1579, in __wait_for_connection > >>>> > >>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: > >>>> wait_for_open_socket(lurl.hostport, timeout) > >>>> > >>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: > >>>> File "/usr/lib/python2.7/siteackages/ipapython/ipautil.py", line > >>>> 1200, in wait_for_open_socket > >>>> > >>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: > >>>> raise e > >>>> > >>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: > >>>> error: [Errno 2] No such file or directory > >>>> > >>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: > >>>> ipa : ERROR Unknown error while retrieving setting from > >>>> ldapi://%2fvar%2frun%2fslapd-IPA-DOMAIN-LOCAL.socket: [Errno 2] No > >>>> such file or directory > >>>> > >>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: httpd.service: > >>>> control process exited, code=exited status=1 > >>>> > >>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: Failed to start > >>>> The Apache HTTP Server. > >>>> > >>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: Unit > >>>> httpd.service entered failed state. > >>>> > >>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: httpd.service failed. 
> >>>> > >>>> [root at cd-ipa1 log]# > >>>> > >>>> > >>>> > >>>> > >>>> > >>>> DNS Result for dig redhat.com > >>>> > >>>> > >>>> > >>>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> redhat.com > >>>> > >>>> ;; global options: +cmd > >>>> > >>>> ;; Got answer: > >>>> > >>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5414 > >>>> > >>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: > >>>> 2 > >>>> > >>>> > >>>> > >>>> ;; OPT PSEUDOSECTION: > >>>> > >>>> ; EDNS: version: 0, flags:; udp: 4096 > >>>> > >>>> ;; QUESTION SECTION: > >>>> > >>>> ;redhat.com. IN A > >>>> > >>>> > >>>> > >>>> ;; ANSWER SECTION: > >>>> > >>>> redhat.com. 60 IN A 209.132.183.105 > >>>> > >>>> > >>>> > >>>> ;; AUTHORITY SECTION: > >>>> > >>>> . 849 IN NS f.root-servers.net. > >>>> > >>>> . 849 IN NS e.root-servers.net. > >>>> > >>>> . 849 IN NS k.root-servers.net. > >>>> > >>>> . 849 IN NS m.root-servers.net. > >>>> > >>>> . 849 IN NS b.root-servers.net. > >>>> > >>>> . 849 IN NS g.root-servers.net. > >>>> > >>>> . 849 IN NS c.root-servers.net. > >>>> > >>>> . 849 IN NS h.root-servers.net. > >>>> > >>>> . 849 IN NS l.root-servers.net. > >>>> > >>>> . 849 IN NS a.root-servers.net. > >>>> > >>>> . 849 IN NS j.root-servers.net. > >>>> > >>>> . 849 IN NS i.root-servers.net. > >>>> > >>>> . 849 IN NS d.root-servers.net. > >>>> > >>>> > >>>> > >>>> ;; ADDITIONAL SECTION: > >>>> > >>>> j.root-servers.net. 3246 IN A 192.58.128.30 > >>>> > >>>> > >>>> > >>>> ;; Query time: 79 msec > >>>> > >>>> ;; SERVER: 10.20.10.41#53(10.20.10.41) > >>>> > >>>> ;; WHEN: Tue Apr 26 09:02:43 EDT 2016 > >>>> > >>>> ;; MSG SIZE rcvd: 282 > >>>> > >>>> > >>>> > >>>> Gady > >>>> > >>>> > >>>> > >>>> > >>>> > >>> It seems like Directory server is not running. Can you post result of 'ipactl status' and 'systemctl status dirsrv at IPA-DOMAIN-LOCAL.service'? 
> >>> > >>> -- > >>> Martin^3 Babinsky > >>> > >>> -- > >>> Manage your subscription for the Freeipa-users mailing list: > >>> https://www.redhat.com/mailman/listinfo/freeipa-users > >>> Go to http://freeipa.org for more info on the project > >>> > >> > >> -- > >> Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, > >> Commercial register: Amtsgericht Muenchen, HRB 153243, Managing > >> Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael > >> O'Neill > >> > >> -- > >> Manage your subscription for the Freeipa-users mailing list: > >> https://www.redhat.com/mailman/listinfo/freeipa-users > >> Go to http://freeipa.org for more info on the project > >> > >> -- > >> Manage your subscription for the Freeipa-users mailing list: > >> https://www.redhat.com/mailman/listinfo/freeipa-users > >> Go to http://freeipa.org for more info on the project > >> > > > > > >-- > >Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, > >Commercial register: Amtsgericht Muenchen, HRB 153243, > >Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill >-- >Manage your subscription for the Freeipa-users mailing list: >https://www.redhat.com/mailman/listinfo/freeipa-users >Go to http://freeipa.org for more info on the project -- / Alexander Bokovoy From lkrispen at redhat.com Wed Apr 27 14:57:32 2016 From: lkrispen at redhat.com (Ludwig Krispenz) Date: Wed, 27 Apr 2016 16:57:32 +0200 Subject: [Freeipa-users] krb5kdc service not starting In-Reply-To: <0984AB34E553F54B8705D776686863E70AC033CA@cd-exchange01.CD-PRD.candeal.ca> References: <0984AB34E553F54B8705D776686863E70AC01F50@cd-exchange01.CD-PRD.candeal.ca> <3df3e2c9-4249-8b3f-ddd2-739d9720f9aa@redhat.com> <0984AB34E553F54B8705D776686863E70AC01FCA@cd-exchange01.CD-PRD.candeal.ca> <571F74D5.1070102@redhat.com> <0984AB34E553F54B8705D776686863E70AC021BC@cd-exchange01.CD-PRD.candeal.ca> <0984AB34E553F54B8705D776686863E70AC0274D@cd-exchange01.CD-PRD.candeal.ca> 
 <571FB6FB.3010906@redhat.com>
 <0984AB34E553F54B8705D776686863E70AC0291E@cd-exchange01.CD-PRD.candeal.ca>
 <5720678C.8090709@redhat.com>
 <0984AB34E553F54B8705D776686863E70AC032CC@cd-exchange01.CD-PRD.candeal.ca>
 <5720C747.7090709@redhat.com>
 <0984AB34E553F54B8705D776686863E70AC033CA@cd-exchange01.CD-PRD.candeal.ca>
Message-ID: <5720D35C.8050304@redhat.com>

On 04/27/2016 04:36 PM, Gady Notrica wrote:
>
> *No changes* to /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. I am tailing the log file and running those commands doesn't generate any log, nothing.
>
> [root@cd-p-ipa1 log]# ipactl start
> Starting Directory Service
> Job for dirsrv@IPA-CANDEAL-CA.service failed because the control process exited with error code. See "systemctl status dirsrv@IPA-CANDEAL-CA.service" and "journalctl -xe" for details.
> Failed to start Directory Service: Command ''/bin/systemctl' 'start' 'dirsrv@IPA-CANDEAL-CA.service'' returned non-zero exit status 1
>
> *Logs from /var/log/messages*
>
> Apr 27 10:26:05 cd-p-ipa1 systemd: Starting 389 Directory Server IPA-CANDEAL-CA....
> Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] dse - The configuration file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was not restored from backup /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.tmp, error -1
> Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] dse - The configuration file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was not restored from backup /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.bak, error -1
> Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] config - The given config file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif could not be accessed, Netscape Portable Runtime error -5950 (File not found.)
>
this is BAD, looks like you completely lost your configuration file for DS, so it doesn't even know where to log anything. When you lost your VM and rebooted there must have been some data loss.
It could be only dse.ldif, but also other files.
>
> [root@cd-p-ipa1 log]# systemctl start dirsrv@IPA-CANDEAL-CA.service
> Job for dirsrv@IPA-CANDEAL-CA.service failed because the control process exited with error code. See "systemctl status dirsrv@IPA-CANDEAL-CA.service" and "journalctl -xe" for details.
>
> [root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-CANDEAL-CA.service -l
> ● dirsrv@IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.
> Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
> Active: failed (Result: exit-code) since Wed 2016-04-27 10:26:17 EDT; 3s ago
> Process: 9830 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE)
>
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]:
> [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
>
> [root@cd-p-ipa1 log]#
>
> Gady
>
> *From:* Ludwig Krispenz [mailto:lkrispen at redhat.com]
> *Sent:* April 27, 2016 10:06 AM
> *To:* Gady Notrica
> *Cc:* Rob Crittenden; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] krb5kdc service not starting
>
> On 04/27/2016 03:48 PM, Gady Notrica wrote:
>
> Hello Ludwig,
>
> I do have only 1 error logs for the 26th in /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. Below is the only line I have
>
> [25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2
>
> [*26/Apr/2016*:00:13:01 -0400] - Entry "uid=MMOOREDT$,cn=users,cn=accounts,dc=ipa,dc=candeal,dc=ca" missing attribute "sn" required by object class "person"
>
> I don't know if that helps.
>
> no. And it is weird that there should be no logs, there were definitely messages logged around 8:50, you provided them via systemctl status dirsrv...
> And at least the startup messages should be there
>
> Can you try to start dirsrv again.
> and check what config settings for errorlog are in your dse.ldif
>
> Gady
>
> *From:* Ludwig Krispenz [mailto:lkrispen at redhat.com]
> *Sent:* April 27, 2016 3:18 AM
> *To:* Gady Notrica
> *Cc:* Rob Crittenden; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] krb5kdc service not starting
>
> On 04/26/2016 09:09 PM, Gady Notrica wrote:
>
> HERE..
>
> [23/Apr/2016:11:39:51 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/cd-p-ipa1.ipa.domain.local@IPA.DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> [23/Apr/2016:11:39:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
> [23/Apr/2016:11:39:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
> [23/Apr/2016:11:39:51 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
> [23/Apr/2016:11:39:51 -0400] - slapd started.
> Listening on All Interfaces port 389 for LDAP requests
> [23/Apr/2016:11:39:51 -0400] - Listening on All Interfaces port 636 for LDAPS requests
> [23/Apr/2016:11:39:51 -0400] - Listening on /var/run/slapd-IPA-DOMAIN-LOCAL.socket for LDAPI requests
> [23/Apr/2016:11:39:55 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth resumed
> [23/Apr/2016:14:37:27 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
> [23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
> [23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
> [23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
> [23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
> [23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
> [23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
> [23/Apr/2016:14:38:13 -0400] NSMMReplicationPlugin -
> agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth resumed
> [25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2
>
> these are old logs, the problem you were reporting was on Apr, 26:
>
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
>
> we need the logs from that time
>
> Gady
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: April 26, 2016 2:44 PM
> To: Gady Notrica; Ludwig Krispenz; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
> Gady Notrica wrote:
> > Hey world,
> >
> > Any ideas?
>
> What about the first part of Ludwig's question: Is there anything in the 389-ds error log?
>
> rob
>
> > Gady
> >
> > -----Original Message-----
> > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gady Notrica
> > Sent: April 26, 2016 10:10 AM
> > To: Ludwig Krispenz; freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] krb5kdc service not starting
> >
> > No, no changes. Lost connectivity with my VMs during the night (networking issues in datacenter)
> >
> > Reboot the server and oups, no IPA is coming up... The replica (secondary server) is fine though.
> >
> > Gady Notrica
> >
> > -----Original Message-----
> > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz
> > Sent: April 26, 2016 10:02 AM
> > To: freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] krb5kdc service not starting
> >
> > On 04/26/2016 03:26 PM, Gady Notrica wrote:
> >> Here...
> >>
> >> [root@cd-p-ipa1 log]# ipactl status
> >> Directory Service: STOPPED
> >> Directory Service must be running in order to obtain status of other services
> >> ipa: INFO: The ipactl command was successful
> >>
> >> [root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-DOMAIN-LOCAL.service -l
> >> ● dirsrv@IPA-DOMAIN-LOCAL.service - 389 Directory Server IPA-DOMAIN-LOCAL.
> >> Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
> >> Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 30min ago
> >> Process: 6333 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE)
> >>
> >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-DOMAIN-LOCAL/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
> >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
> >
> > this says the server doesn't know a syntax oid, but it is a known one.
> > It could be that the syntax plugins couldn't be loaded. There are more errors before, could you check where the errors start in /var/log/dirsrv/slapd-/errors ?
> >
> > And, did you do any changes to the system before this problem started ?
> >> [root@cd-p-ipa1 log]#
> >>
> >> Gady
> >>
> >> -----Original Message-----
> >> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Martin Babinsky
> >> Sent: April 26, 2016 9:17 AM
> >> To: freeipa-users at redhat.com
> >> Subject: Re: [Freeipa-users] krb5kdc service not starting
> >>
> >> On 04/26/2016 03:13 PM, Gady Notrica wrote:
> >>> Hello world,
> >>>
> >>> I am having issues this morning with my primary IPA. See below the details in the logs and command result. Basically, krb5kdc service not starting - krb5kdc: Server error - while fetching master key.
> >>>
> >>> DNS is functioning. See below dig result. I have a trust with Windows AD.
> >>>
> >>> Please help?!
> >>>
> >>> [root@cd-ipa1 log]# systemctl status krb5kdc.service -l
> >>> ● krb5kdc.service - Kerberos 5 KDC
> >>> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
> >>> Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52 EDT; 41min ago
> >>> Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE)
> >>>
> >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Starting Kerberos 5 KDC...
> >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local krb5kdc[3694]: krb5kdc: cannot initialize realm IPA.DOMAIN.LOCAL - see log file for details
> >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service: control process exited, code=exited status=1
> >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Failed to start Kerberos 5 KDC.
> >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Unit krb5kdc.service entered failed state.
> >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service failed.
> >>>
> >>> [root@cd-ipa1 log]#
> >>>
> >>> Errors in /var/log/krb5kdc.log
> >>>
> >>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
> >>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
> >>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
> >>>
> >>> [root@cd-ipa1 log]# systemctl status httpd -l
> >>> ● httpd.service - The Apache HTTP Server
> >>> Loaded: loaded (/etc/systemd/system/httpd.service; disabled; vendor preset: disabled)
> >>> Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:21 EDT; 39min ago
> >>> Docs: man:httpd(8)
> >>> man:apachectl(8)
> >>> Process: 3594 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=1/FAILURE)
> >>>
> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1579, in __wait_for_connection
> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: wait_for_open_socket(lurl.hostport, timeout)
> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1200, in wait_for_open_socket
> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: raise e
> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: error: [Errno 2] No such file or directory
> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: ipa : ERROR Unknown error while retrieving setting from ldapi://%2fvar%2frun%2fslapd-IPA-DOMAIN-LOCAL.socket: [Errno 2] No such file or directory
> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service: control process exited, code=exited status=1
> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Failed to start The Apache HTTP Server.
> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Unit httpd.service entered failed state.
> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service failed.
> >>>
> >>> [root@cd-ipa1 log]#
> >>>
> >>> DNS Result for dig redhat.com
> >>>
> >>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> redhat.com
> >>> ;; global options: +cmd
> >>> ;; Got answer:
> >>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5414
> >>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 2
> >>>
> >>> ;; OPT PSEUDOSECTION:
> >>> ; EDNS: version: 0, flags:; udp: 4096
> >>> ;; QUESTION SECTION:
> >>> ;redhat.com. IN A
> >>>
> >>> ;; ANSWER SECTION:
> >>> redhat.com. 60 IN A 209.132.183.105
> >>>
> >>> ;; AUTHORITY SECTION:
> >>> . 849 IN NS f.root-servers.net.
> >>> . 849 IN NS e.root-servers.net.
> >>> . 849 IN NS k.root-servers.net.
> >>> . 849 IN NS m.root-servers.net.
> >>> . 849 IN NS b.root-servers.net.
> >>> . 849 IN NS g.root-servers.net.
> >>> . 849 IN NS c.root-servers.net.
> >>> . 849 IN NS h.root-servers.net.
> >>> . 849 IN NS l.root-servers.net.
> >>> . 849 IN NS a.root-servers.net.
> >>> . 849 IN NS j.root-servers.net.
> >>> . 849 IN NS i.root-servers.net.
> >>> . 849 IN NS d.root-servers.net.
> > >>> > > >>> > > >>> > > >>> ;; ADDITIONAL SECTION: > > >>> > > >>> j.root-servers.net. 3246 IN A 192.58.128.30 > > >>> > > >>> > > >>> > > >>> ;; Query time: 79 msec > > >>> > > >>> ;; SERVER: 10.20.10.41#53(10.20.10.41) > > >>> > > >>> ;; WHEN: Tue Apr 26 09:02:43 EDT 2016 > > >>> > > >>> ;; MSG SIZE rcvd: 282 > > >>> > > >>> > > >>> > > >>> Gady > > >>> > > >>> > > >>> > > >>> > > >>> > > >> It seems like Directory server is not running. Can you post result > of 'ipactl status' and 'systemctl status > dirsrv at IPA-DOMAIN-LOCAL.service '? > > >> > > >> -- > > >> Martin^3 Babinsky > > >> > > >> -- > > >> Manage your subscription for the Freeipa-users mailing list: > > >> https://www.redhat.com/mailman/listinfo/freeipa-users > > >> Go to http://freeipa.org for more info on the project > > >> > > > > > > -- > > > Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, > > > Commercial register: Amtsgericht Muenchen, HRB 153243, Managing > > > Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael > > > O'Neill > > > > > > -- > > > Manage your subscription for the Freeipa-users mailing list: > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > Go to http://freeipa.org for more info on the project > > > > > > -- > > > Manage your subscription for the Freeipa-users mailing list: > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > Go to http://freeipa.org for more info on the project > > > > > > > > -- > Red Hat GmbH,http://www.de.redhat.com/, Registered seat: Grasbrunn, > Commercial register: Amtsgericht Muenchen, HRB 153243, > Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill > > > > -- > Red Hat GmbH,http://www.de.redhat.com/, Registered seat: Grasbrunn, > Commercial register: Amtsgericht Muenchen, HRB 153243, > Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, 
Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/jpeg Size: 7126 bytes Desc: not available URL: From gnotrica at candeal.com Wed Apr 27 15:10:03 2016 From: gnotrica at candeal.com (Gady Notrica) Date: Wed, 27 Apr 2016 15:10:03 +0000 Subject: [Freeipa-users] krb5kdc service not starting In-Reply-To: <5720D35C.8050304@redhat.com> References: <0984AB34E553F54B8705D776686863E70AC01F50@cd-exchange01.CD-PRD.candeal.ca> <3df3e2c9-4249-8b3f-ddd2-739d9720f9aa@redhat.com> <0984AB34E553F54B8705D776686863E70AC01FCA@cd-exchange01.CD-PRD.candeal.ca> <571F74D5.1070102@redhat.com> <0984AB34E553F54B8705D776686863E70AC021BC@cd-exchange01.CD-PRD.candeal.ca> <0984AB34E553F54B8705D776686863E70AC0274D@cd-exchange01.CD-PRD.candeal.ca> <571FB6FB.3010906@redhat.com> <0984AB34E553F54B8705D776686863E70AC0291E@cd-exchange01.CD-PRD.candeal.ca> <5720678C.8090709@redhat.com> <0984AB34E553F54B8705D776686863E70AC032CC@cd-exchange01.CD-PRD.candeal.ca> <5720C747.7090709@redhat.com> <0984AB34E553F54B8705D776686863E70AC033CA@cd-exchange01.CD-PRD.candeal.ca> <5720D35C.8050304@redhat.com> Message-ID: <0984AB34E553F54B8705D776686863E70AC0346D@cd-exchange01.CD-PRD.candeal.ca> Oh! No? Is there a way I can pull those files from the secondary server and put them on the primary? Or I can run the re-installation ipa-server-install with repair option and copy the data back from the secondary server? Thanks, Gady Notrica | IT Systems Analyst | 416.814.7800 Ext. 7921 | Cell. 416.818.4797 | gnotrica at candeal.com CanDeal | 152 King St. 
E, 4th Floor, Toronto ON M5A 1J4 | www.candeal.com | Follow us: [Description: Description: cid:image003.jpg at 01CBD419.622CDF90] [Description: Description: Description: cid:image002.jpg at 01CBD419.622CDF90] From: Ludwig Krispenz [mailto:lkrispen at redhat.com] Sent: April 27, 2016 10:58 AM To: Gady Notrica Cc: Rob Crittenden; freeipa-users at redhat.com Subject: Re: [Freeipa-users] krb5kdc service not starting On 04/27/2016 04:36 PM, Gady Notrica wrote: No changes to /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. I am tailing the log file and running those commands doesn?t generate any log, nothing. [root at cd-p-ipa1 log]# ipactl start Starting Directory Service Job for dirsrv at IPA-CANDEAL-CA.service failed because the control process exited with error code. See "systemctl status dirsrv at IPA-CANDEAL-CA.service" and "journalctl -xe" for details. Failed to start Directory Service: Command ''/bin/systemctl' 'start' 'dirsrv at IPA-CANDEAL-CA.service'' returned non-zero exit status 1 Logs from /var/log/messages Apr 27 10:26:05 cd-p-ipa1 systemd: Starting 389 Directory Server IPA-CANDEAL-CA.... Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] dse - The configuration file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was not restored from backup /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.tmp, error -1 Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] dse - The configuration file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was not restored from backup /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.bak, error -1 Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] config - The given config file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif could not be accessed, Netscape Portable Runtime error -5950 (File not found.) this is BAD, looks like you completely lost your configuration file for DS, so it doesn't even know where to log anything. When you lost your VM and rebooted there must hav ebeen some data loss. 
It could be only dse.ldif, but also other files. [root at cd-p-ipa1 log]# systemctl start dirsrv at IPA-CANDEAL-CA.service Job for dirsrv at IPA-CANDEAL-CA.service failed because the control process exited with error code. See "systemctl status dirsrv at IPA-CANDEAL-CA.service" and "journalctl -xe" for details. [root at cd-p-ipa1 log]# systemctl status dirsrv at IPA-CANDEAL-CA.service -l ? dirsrv at IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA. Loaded: loaded (/usr/lib/systemd/system/dirsrv at .service; enabled; vendor preset: disabled) Active: failed (Result: exit-code) since Wed 2016-04-27 10:26:17 EDT; 3s ago Process: 9830 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE) Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15" Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] dse - Please edit the file to correct the reported problems and then restart the server. [root at cd-p-ipa1 log]# Gady From: Ludwig Krispenz [mailto:lkrispen at redhat.com] Sent: April 27, 2016 10:06 AM To: Gady Notrica Cc: Rob Crittenden; freeipa-users at redhat.com Subject: Re: [Freeipa-users] krb5kdc service not starting On 04/27/2016 03:48 PM, Gady Notrica wrote: Hello Ludwig, I do have only 1 error logs for the 26th in /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. Below is the only line I have [25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2 [26/Apr/2016:00:13:01 -0400] - Entry "uid=MMOOREDT$,cn=users,cn=accounts,dc=ipa,dc=candeal,dc=ca" missing attribute "sn" required by object class "person" [cid:image003.jpg at 01D1A075.56096890] I don?t know if that helps. no. And it is weird that there should be no logs, there were definitely messages logged around 8:50, you provided them via systemctl status dirsrv... And at least the startup messages should b there Can you try to start dirsrv again. and check what config settings for errorlog are in your dse.ldif Gady From: Ludwig Krispenz [mailto:lkrispen at redhat.com] Sent: April 27, 2016 3:18 AM To: Gady Notrica Cc: Rob Crittenden; freeipa-users at redhat.com Subject: Re: [Freeipa-users] krb5kdc service not starting On 04/26/2016 09:09 PM, Gady Notrica wrote: HERE.. 
[23/Apr/2016:11:39:51 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/cd-p-ipa1.ipa.domain.local at IPA.DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[23/Apr/2016:11:39:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[23/Apr/2016:11:39:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[23/Apr/2016:11:39:51 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[23/Apr/2016:11:39:51 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[23/Apr/2016:11:39:51 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[23/Apr/2016:11:39:51 -0400] - Listening on /var/run/slapd-IPA-DOMAIN-LOCAL.socket for LDAPI requests
[23/Apr/2016:11:39:55 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth resumed
[23/Apr/2016:14:37:27 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[23/Apr/2016:14:38:13 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth resumed
[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2

these are old logs, the problem you were reporting was on Apr, 26:

Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.

we need the logs from that time

Gady

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: April 26, 2016 2:44 PM
To: Gady Notrica; Ludwig Krispenz; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

Gady Notrica wrote:
> Hey world,
>
> Any ideas?

What about the first part of Ludwig's question: Is there anything in the 389-ds error log?

rob

>
> Gady
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gady Notrica
> Sent: April 26, 2016 10:10 AM
> To: Ludwig Krispenz; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
> No, no changes. Lost connectivity with my VMs during the night (networking issues in datacenter)
>
> Reboot the server and oops, no IPA is coming up... The replica (secondary server) is fine though.
>
> Gady Notrica
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz
> Sent: April 26, 2016 10:02 AM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
> On 04/26/2016 03:26 PM, Gady Notrica wrote:
>> Here...
>>
>> [root at cd-p-ipa1 log]# ipactl status
>> Directory Service: STOPPED
>> Directory Service must be running in order to obtain status of other services
>> ipa: INFO: The ipactl command was successful
>>
>> [root at cd-p-ipa1 log]# systemctl status dirsrv at IPA-DOMAIN-LOCAL.service -l
>> ● dirsrv at IPA-DOMAIN-LOCAL.service - 389 Directory Server IPA-DOMAIN-LOCAL.
>> Loaded: loaded (/usr/lib/systemd/system/dirsrv at .service; enabled; vendor preset: disabled)
>> Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 30min ago
>> Process: 6333 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE)
>>
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-DOMAIN-LOCAL/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
> this says the server doesn't know a syntax oid, but it is a known one.
> It could be that the syntax plugins couldn't be loaded. There are more errors before, could you check where the errors start in /var/log/dirsrv/slapd-/errors ?
>
> And, did you do any changes to the system before this problem started ?
>> [root at cd-p-ipa1 log]#
>>
>> Gady
>>
>> -----Original Message-----
>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Martin Babinsky
>> Sent: April 26, 2016 9:17 AM
>> To: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] krb5kdc service not starting
>>
>> On 04/26/2016 03:13 PM, Gady Notrica wrote:
>>> Hello world,
>>>
>>> I am having issues this morning with my primary IPA. See below the details in the logs and command result. Basically, krb5kdc service not starting - krb5kdc: Server error - while fetching master key.
>>>
>>> DNS is functioning. See below dig result. I have a trust with Windows AD.
>>>
>>> Please help?!
>>>
>>> [root at cd-ipa1 log]# systemctl status krb5kdc.service -l
>>> ● krb5kdc.service - Kerberos 5 KDC
>>> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
>>> Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52 EDT; 41min ago
>>> Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE)
>>>
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Starting Kerberos 5 KDC...
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local krb5kdc[3694]: krb5kdc: cannot initialize realm IPA.DOMAIN.LOCAL - see log file for details
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service: control process exited, code=exited status=1
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Failed to start Kerberos 5 KDC.
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Unit krb5kdc.service entered failed state.
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service failed.
>>> [root at cd-ipa1 log]#
>>>
>>> Errors in /var/log/krb5kdc.log
>>>
>>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
>>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
>>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
>>>
>>> [root at cd-ipa1 log]# systemctl status httpd -l
>>> ● httpd.service - The Apache HTTP Server
>>> Loaded: loaded (/etc/systemd/system/httpd.service; disabled; vendor preset: disabled)
>>> Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:21 EDT; 39min ago
>>> Docs: man:httpd(8)
>>> man:apachectl(8)
>>> Process: 3594 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=1/FAILURE)
>>>
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1579, in __wait_for_connection
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: wait_for_open_socket(lurl.hostport, timeout)
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1200, in wait_for_open_socket
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: raise e
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: error: [Errno 2] No such file or directory
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: ipa : ERROR Unknown error while retrieving setting from ldapi://%2fvar%2frun%2fslapd-IPA-DOMAIN-LOCAL.socket: [Errno 2] No such file or directory
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service: control process exited, code=exited status=1
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Failed to start The Apache HTTP Server.
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Unit httpd.service entered failed state.
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service failed.
>>> [root at cd-ipa1 log]#
>>>
>>> DNS Result for dig redhat.com
>>>
>>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> redhat.com
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5414
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 2
>>>
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags:; udp: 4096
>>> ;; QUESTION SECTION:
>>> ;redhat.com. IN A
>>>
>>> ;; ANSWER SECTION:
>>> redhat.com. 60 IN A 209.132.183.105
>>>
>>> ;; AUTHORITY SECTION:
>>> . 849 IN NS f.root-servers.net.
>>> . 849 IN NS e.root-servers.net.
>>> . 849 IN NS k.root-servers.net.
>>> . 849 IN NS m.root-servers.net.
>>> . 849 IN NS b.root-servers.net.
>>> . 849 IN NS g.root-servers.net.
>>> . 849 IN NS c.root-servers.net.
>>> . 849 IN NS h.root-servers.net.
>>> . 849 IN NS l.root-servers.net.
>>> . 849 IN NS a.root-servers.net.
>>> . 849 IN NS j.root-servers.net.
>>> . 849 IN NS i.root-servers.net.
>>> . 849 IN NS d.root-servers.net.
>>>
>>> ;; ADDITIONAL SECTION:
>>> j.root-servers.net. 3246 IN A 192.58.128.30
>>>
>>> ;; Query time: 79 msec
>>> ;; SERVER: 10.20.10.41#53(10.20.10.41)
>>> ;; WHEN: Tue Apr 26 09:02:43 EDT 2016
>>> ;; MSG SIZE rcvd: 282
>>>
>>> Gady
>>>
>> It seems like Directory server is not running. Can you post result of 'ipactl status' and 'systemctl status dirsrv at IPA-DOMAIN-LOCAL.service'?
>>
>> --
>> Martin^3 Babinsky
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>
> --
> Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill
From gnotrica at candeal.com Wed Apr 27 15:15:04 2016
From: gnotrica at candeal.com (Gady Notrica)
Date: Wed, 27 Apr 2016 15:15:04 +0000
Subject: [Freeipa-users] krb5kdc service not starting
In-Reply-To: <20160427144931.6ll6eam6vknsutxl@redhat.com>
References: <0984AB34E553F54B8705D776686863E70AC01F50@cd-exchange01.CD-PRD.candeal.ca> <3df3e2c9-4249-8b3f-ddd2-739d9720f9aa@redhat.com> <0984AB34E553F54B8705D776686863E70AC01FCA@cd-exchange01.CD-PRD.candeal.ca> <571F74D5.1070102@redhat.com> <0984AB34E553F54B8705D776686863E70AC021BC@cd-exchange01.CD-PRD.candeal.ca> <0984AB34E553F54B8705D776686863E70AC0274D@cd-exchange01.CD-PRD.candeal.ca> <571FB6FB.3010906@redhat.com> <0984AB34E553F54B8705D776686863E70AC0291E@cd-exchange01.CD-PRD.candeal.ca> <5720678C.8090709@redhat.com> <0984AB34E553F54B8705D776686863E70AC032CC@cd-exchange01.CD-PRD.candeal.ca> <20160427144931.6ll6eam6vknsutxl@redhat.com>
Message-ID: <0984AB34E553F54B8705D776686863E70AC0348D@cd-exchange01.CD-PRD.candeal.ca>

Hello Alexander,

# rpm -V 389-ds-base
Returned nothing

# rpm -V ipa-server
Returned nothing

The script got differences in 99user.ldif as expected. I did make a small change to it. Attached is the result of the script

#!/bin/bash
# Compare the schema shipped by 389-ds-base with the copy in the IPA
# instance's schema directory, ignoring comment-only differences.
for i in /etc/dirsrv/schema/*.ldif ; do
    f=/etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/$(basename "$i")
    # if the instance copy exists and is identical, print nothing;
    # otherwise show a unified diff with comment lines filtered out
    [ -f "$f" ] && cmp -s "$i" "$f" || diff -u "$i" "$f" | egrep -v '^\+#|^-#|^ #'
done

Gady

-----Original Message-----
From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
Sent: April 27, 2016 10:50 AM
To: Gady Notrica
Cc: Ludwig Krispenz; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

On Wed, 27 Apr 2016, Gady Notrica wrote:
>Hello Ludwig,
>
>I do have only 1 error log for the 26th in /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors.
>Below is the only line I have
>
>[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2
>[26/Apr/2016:00:13:01 -0400] - Entry "uid=MMOOREDT$,cn=users,cn=accounts,dc=ipa,dc=candeal,dc=ca" missing attribute "sn" required by object class "person"
>
>I don't know if that helps.
Your setup seems to have corruption of the data on disk of that VM. Start from looking into whether all RPM package owned files are in correct state. For 389-ds-base run as root 'rpm -V 389-ds-base'. For a normal install you would get something like this:

# rpm -V 389-ds-base
.M....G..    /etc/dirsrv
..5....T.  c /etc/sysconfig/dirsrv
S.5....T.  c /etc/sysconfig/dirsrv.systemd
.M....G..    /var/lib/dirsrv

If you have more changes, show them. Repeat the same for freeipa-server (or ipa-server if this is RHEL/CentOS).

Next, compare schema files between what is in the 389-ds-base and IPA deployment. The following shell snippet would give you output that shows difference between the schema files, ignoring comments. In a normal situation the difference should only be in 99user.ldif.

#!/bin/bash
# name of the 389-ds instance, i.e. the slapd-<instance> directory under /etc/dirsrv
instance=EXAMPLE-COM
for i in /etc/dirsrv/schema/*.ldif ; do
    f=/etc/dirsrv/slapd-$instance/schema/$(basename "$i")
    # if the instance copy exists and is identical, print nothing;
    # otherwise show a unified diff with comment lines filtered out
    [ -f "$f" ] && cmp -s "$i" "$f" || diff -u "$i" "$f" | egrep -v '^\+#|^-#|^ #'
done

>
>Gady
>
>From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
>Sent: April 27, 2016 3:18 AM
>To: Gady Notrica
>Cc: Rob Crittenden; freeipa-users at redhat.com
>Subject: Re: [Freeipa-users] krb5kdc service not starting
>
>On 04/26/2016 09:09 PM, Gady Notrica wrote:
>
>HERE..
> >>>
> >>> --
> >>> Martin^3 Babinsky
> >>>
> >>> --
> >>> Manage your subscription for the Freeipa-users mailing list:
> >>> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>> Go to http://freeipa.org for more info on the project
> >>
> >> --
> >> Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
> >> Commercial register: Amtsgericht Muenchen, HRB 153243, Managing
> >> Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill
> >
>
-- 
/ Alexander Bokovoy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
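The replies quoted above end with the question whether the Directory Server is running at all: httpd has already failed because the LDAPI socket it expects is absent, and krb5kdc cannot fetch its master key from LDAP. When dirsrv itself will not start, the safest first step is to inventory what the instance directory still holds, because a 389 DS instance cannot start without its dse.ldif and keeps earlier copies of that file beside the live one. The script below is an added example, not code from this thread, from FreeIPA or from 389 DS; the function names are mine, the sample instance directory it builds is constructed, and the meaning it gives to dse.ldif.startOK (config at the last successful start) and dse.ldif.bak (previous config) is the 389 DS convention, not something stated on this page. It restores a copy only when the live dse.ldif is missing and never overwrites one that exists.

```shell
#!/bin/sh
# Added example for this thread; it is not code from the thread, from
# FreeIPA or from 389 Directory Server. It inventories the copies of
# dse.ldif that a 389 DS instance directory keeps and, only when the live
# dse.ldif is missing, puts the best surviving copy back in place.
#
# Assumed 389 DS conventions (not stated on this page):
#   dse.ldif.startOK  config as it was at the last successful start
#   dse.ldif.bak      previous config, kept when the server rewrites dse.ldif
#   dse.ldif.ipa.*    copies FreeIPA leaves behind when it edits the file

# A candidate must be non-empty and carry the cn=config entry plus at least
# one nsslapd-* attribute; a truncated file fails this check.
dse_looks_valid() {
    f=$1
    [ -s "$f" ] && grep -q '^dn: cn=config$' "$f" && grep -q '^nsslapd-' "$f"
}

# Print the path of the preferred restore candidate in the instance
# directory, or return 1 when no copy passes the sanity check.
dse_pick_candidate() {
    dir=$1
    for f in "$dir/dse.ldif.startOK" "$dir/dse.ldif.bak"; do
        if dse_looks_valid "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    # Fall back to the newest FreeIPA copy (ls -t sorts by mtime).
    for f in $(ls -t "$dir"/dse.ldif.ipa.* 2>/dev/null || :); do
        if dse_looks_valid "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Copy the candidate to dse.ldif only if dse.ldif is absent (never overwrite
# a config that exists), mode 0600, owned by the dirsrv user when run as
# root. Prints the candidate used; returns 2 when there was nothing to do.
dse_restore_if_missing() {
    dir=$1
    owner=${2:-dirsrv}
    if [ -e "$dir/dse.ldif" ]; then
        echo "$dir/dse.ldif exists, nothing restored" >&2
        return 2
    fi
    cand=$(dse_pick_candidate "$dir") || { echo "no usable dse.ldif copy in $dir" >&2; return 1; }
    cp "$cand" "$dir/dse.ldif" && chmod 0600 "$dir/dse.ldif" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner:$owner" "$dir/dse.ldif" 2>/dev/null || echo "warning: chown to $owner failed" >&2
    fi
    printf '%s\n' "$cand"
}

# Constructed sample instance directory (no real server is touched): live
# dse.ldif missing, dse.ldif.bak truncated to zero bytes, dse.ldif.startOK
# and one FreeIPA copy intact. Prints the directory path.
dse_make_sample() {
    d=$(mktemp -d)
    printf 'dn: cn=config\ncn: config\nnsslapd-errorlog: /var/log/dirsrv/slapd-EXAMPLE/errors\n' > "$d/dse.ldif.startOK"
    : > "$d/dse.ldif.bak"
    cp "$d/dse.ldif.startOK" "$d/dse.ldif.ipa.0123456789abcdef"
    chmod 0600 "$d"/dse.ldif.*
    printf '%s\n' "$d"
}

# Run with --demo to exercise the sample directory; on a real server call
# dse_restore_if_missing /etc/dirsrv/slapd-<INSTANCE> with dirsrv stopped.
if [ "${1:-}" = "--demo" ]; then
    sample=$(dse_make_sample)
    used=$(dse_restore_if_missing "$sample") && echo "restored from $used"
    ls -l "$sample"
    rm -rf "$sample"
fi
```

On a real server stop dirsrv first, run `dse_restore_if_missing /etc/dirsrv/slapd-IPA-CANDEAL-CA` (the instance name used in this thread), and diff the chosen copy against the newest `dse.ldif.ipa.*` file before starting the server, so that a config older than the last FreeIPA upgrade is not put back by accident. The script deliberately looks only inside the local instance directory: a dse.ldif taken from another replica carries that replica's replication agreements and index configuration and is not a drop-in replacement.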
Name: ipachecklogs.txt
URL: 

From lkrispen at redhat.com Wed Apr 27 15:17:34 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 27 Apr 2016 17:17:34 +0200
Subject: [Freeipa-users] krb5kdc service not starting
In-Reply-To: <0984AB34E553F54B8705D776686863E70AC0346D@cd-exchange01.CD-PRD.candeal.ca>
References: <0984AB34E553F54B8705D776686863E70AC01F50@cd-exchange01.CD-PRD.candeal.ca> <3df3e2c9-4249-8b3f-ddd2-739d9720f9aa@redhat.com> <0984AB34E553F54B8705D776686863E70AC01FCA@cd-exchange01.CD-PRD.candeal.ca> <571F74D5.1070102@redhat.com> <0984AB34E553F54B8705D776686863E70AC021BC@cd-exchange01.CD-PRD.candeal.ca> <0984AB34E553F54B8705D776686863E70AC0274D@cd-exchange01.CD-PRD.candeal.ca> <571FB6FB.3010906@redhat.com> <0984AB34E553F54B8705D776686863E70AC0291E@cd-exchange01.CD-PRD.candeal.ca> <5720678C.8090709@redhat.com> <0984AB34E553F54B8705D776686863E70AC032CC@cd-exchange01.CD-PRD.candeal.ca> <5720C747.7090709@redhat.com> <0984AB34E553F54B8705D776686863E70AC033CA@cd-exchange01.CD-PRD.candeal.ca> <5720D35C.8050304@redhat.com> <0984AB34E553F54B8705D776686863E70AC0346D@cd-exchange01.CD-PRD.candeal.ca>
Message-ID: <5720D80E.7070003@redhat.com>

On 04/27/2016 05:10 PM, Gady Notrica wrote:
>
> Oh! No?
>
> Is there a way I can pull those files from the secondary server and
> put them on the primary?
>
do you have any file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse* ? There might be some older states to try.

If you want to use a dse.ldif from another server, it could only work if the other server is really the same, same backends, indexes, ... and you would have to do a lot of editing to adapt the file to the local system, e.g. replication agreements ....
And then it is not sure if something else could be broken.

> Or I can run the re-installation ipa-server-install with repair option
> and copy the data back from the secondary server?
I'm not so sure about the IPA reinstall/repair process, maybe someone else can step in.
>
> Thanks,
>
> Gady Notrica | IT Systems Analyst | 416.814.7800 Ext. 7921 | Cell. 416.818.4797 | gnotrica at candeal.com
>
> CanDeal | 152 King St. E, 4th Floor, Toronto ON M5A 1J4 | www.candeal.com
>
> *From:* Ludwig Krispenz [mailto:lkrispen at redhat.com]
> *Sent:* April 27, 2016 10:58 AM
> *To:* Gady Notrica
> *Cc:* Rob Crittenden; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] krb5kdc service not starting
>
> On 04/27/2016 04:36 PM, Gady Notrica wrote:
>
> *No changes* to /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. I am tailing the log file and running those commands doesn't generate any log, nothing.
>
> [root@cd-p-ipa1 log]# ipactl start
> Starting Directory Service
> Job for dirsrv@IPA-CANDEAL-CA.service failed because the control process exited with error code. See "systemctl status dirsrv@IPA-CANDEAL-CA.service" and "journalctl -xe" for details.
> Failed to start Directory Service: Command ''/bin/systemctl' 'start' 'dirsrv@IPA-CANDEAL-CA.service'' returned non-zero exit status 1
>
> *Logs from /var/log/messages*
>
> Apr 27 10:26:05 cd-p-ipa1 systemd: Starting 389 Directory Server IPA-CANDEAL-CA....
> Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] dse - The configuration file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was not restored from backup /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.tmp, error -1
> Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] dse - The configuration file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was not restored from backup /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.bak, error -1
> Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] config - The given config file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif could not be accessed, Netscape Portable Runtime error -5950 (File not found.)
>
> this is BAD, looks like you completely lost your configuration file for DS, so it doesn't even know where to log anything. When you lost your VM and rebooted there must have been some data loss.
> It could be only dse.ldif, but also other files.
>
> [root@cd-p-ipa1 log]# systemctl start dirsrv@IPA-CANDEAL-CA.service
> Job for dirsrv@IPA-CANDEAL-CA.service failed because the control process exited with error code. See "systemctl status dirsrv@IPA-CANDEAL-CA.service" and "journalctl -xe" for details.
>
> [root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-CANDEAL-CA.service -l
> ● dirsrv@IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.
>    Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
>    Active: failed (Result: exit-code) since Wed 2016-04-27 10:26:17 EDT; 3s ago
>   Process: 9830 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE)
>
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif
> (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
>
> [root@cd-p-ipa1 log]#
>
> Gady
>
> *From:* Ludwig Krispenz [mailto:lkrispen at redhat.com]
> *Sent:* April 27, 2016 10:06 AM
> *To:* Gady Notrica
> *Cc:* Rob Crittenden; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] krb5kdc service not starting
>
> On 04/27/2016 03:48 PM, Gady Notrica wrote:
>
> Hello Ludwig,
>
> I do have only 1 error log for the 26th in /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. Below is the only line I have
>
> [25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2
> [26/Apr/2016:00:13:01 -0400] - Entry "uid=MMOOREDT$,cn=users,cn=accounts,dc=ipa,dc=candeal,dc=ca" missing attribute "sn" required by object class "person"
>
> I don't know if that helps.
>
> no. And it is weird that there should be no logs, there were definitely messages logged around 8:50, you provided them via systemctl status dirsrv...
> And at least the startup messages should be there
>
> Can you try to start dirsrv again. and check what config settings for errorlog are in your dse.ldif
>
> Gady
>
> *From:* Ludwig Krispenz [mailto:lkrispen at redhat.com]
> *Sent:* April 27, 2016 3:18 AM
> *To:* Gady Notrica
> *Cc:* Rob Crittenden; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] krb5kdc service not starting
>
> On 04/26/2016 09:09 PM, Gady Notrica wrote:
>
> HERE..
>
> [23/Apr/2016:11:39:51 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/cd-p-ipa1.ipa.domain.local@IPA.DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> [23/Apr/2016:11:39:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
> [23/Apr/2016:11:39:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
> [23/Apr/2016:11:39:51 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
> [23/Apr/2016:11:39:51 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [23/Apr/2016:11:39:51 -0400] - Listening on All Interfaces port 636 for LDAPS requests
> [23/Apr/2016:11:39:51 -0400] - Listening on /var/run/slapd-IPA-DOMAIN-LOCAL.socket for LDAPI requests
> [23/Apr/2016:11:39:55 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth resumed
> [23/Apr/2016:14:37:27 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
>
> [23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
> [23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
> [23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
> [23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
> [23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
> [23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
> [23/Apr/2016:14:38:13 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth resumed
> [25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2
>
> these are old logs, the problem you were reporting was on Apr, 26:
>
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]:
[26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
>
> we need the logs from that time
>
> Gady
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: April 26, 2016 2:44 PM
> To: Gady Notrica; Ludwig Krispenz; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
> Gady Notrica wrote:
> > > Hey world,
> > >
> > > Any ideas?
>
> What about the first part of Ludwig's question: Is there anything in the 389-ds error log?
>
> rob
>
> > > Gady
> > >
> > > -----Original Message-----
> > > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gady Notrica
> > > Sent: April 26, 2016 10:10 AM
> > > To: Ludwig Krispenz; freeipa-users at redhat.com
> > > Subject: Re: [Freeipa-users] krb5kdc service not starting
> > >
> > > No, no changes. Lost connectivity with my VMs during the night (networking issues in datacenter)
> > >
> > > Reboot the server and oops, no IPA is coming up... The replica (secondary server) is fine though.
> > >
> > > Gady Notrica
> > >
> > > -----Original Message-----
> > > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz
> > > Sent: April 26, 2016 10:02 AM
> > > To: freeipa-users at redhat.com
> > > Subject: Re: [Freeipa-users] krb5kdc service not starting
> > >
> > > On 04/26/2016 03:26 PM, Gady Notrica wrote:
> > >> Here...
> > >>
> > >> [root@cd-p-ipa1 log]# ipactl status
> > >> Directory Service: STOPPED
> > >> Directory Service must be running in order to obtain status of other services
> > >> ipa: INFO: The ipactl command was successful
> > >>
> > >> [root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-DOMAIN-LOCAL.service -l
> > >> ● dirsrv@IPA-DOMAIN-LOCAL.service - 389 Directory Server IPA-DOMAIN-LOCAL.
> > >>    Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
> > >>    Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 30min ago
> > >>   Process: 6333 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE)
> > >>
> > >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> > >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> > >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> > >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> > >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> > >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> > >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> > >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> > >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016
> > >> :08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-DOMAIN-LOCAL/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
> > >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
> > >
> > > this says the server doesn't know a syntax oid, but it is a known one.
> > > It could be that the syntax plugins couldn't be loaded. There are more errors before, could you check where the errors start in /var/log/dirsrv/slapd-/errors ?
> > >
> > > And, did you do any changes to the system before this problem started ?
> > >> [root@cd-p-ipa1 log]#
> > >>
> > >> Gady
> > >>
> > >> -----Original Message-----
> > >> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Martin Babinsky
> > >> Sent: April 26, 2016 9:17 AM
> > >> To: freeipa-users at redhat.com
> > >> Subject: Re: [Freeipa-users] krb5kdc service not starting
> > >>
> > >> On 04/26/2016 03:13 PM, Gady Notrica wrote:
> > >>> Hello world,
> > >>>
> > >>> I am having issues this morning with my primary IPA. See below the details in the logs and command result. Basically, krb5kdc service not starting - krb5kdc: Server error - while fetching master key.
> > >>>
> > >>> DNS is functioning. See below dig result. I have a trust with Windows AD.
> > >>>
> > >>> Please help?!
> > >>>
> > >>> [root@cd-ipa1 log]# systemctl status krb5kdc.service -l
> > >>> ●
krb5kdc.service - Kerberos 5 KDC
> > >>>    Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
> > >>>    Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52 EDT; 41min ago
> > >>>   Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE)
> > >>>
> > >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Starting Kerberos 5 KDC...
> > >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local krb5kdc[3694]: krb5kdc: cannot initialize realm IPA.DOMAIN.LOCAL - see log file for details
> > >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service: control process exited, code=exited status=1
> > >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Failed to start Kerberos 5 KDC.
> > >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Unit krb5kdc.service entered failed state.
> > >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service failed.
> > >>>
> > >>> [root@cd-ipa1 log]#
> > >>>
> > >>> Errors in /var/log/krb5kdc.log
> > >>>
> > >>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
> > >>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
> > >>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
> > >>>
> > >>> [root@cd-ipa1 log]# systemctl status httpd -l
> > >>> ●
httpd.service - The Apache HTTP Server
> > >>>    Loaded: loaded (/etc/systemd/system/httpd.service; disabled; vendor preset: disabled)
> > >>>    Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:21 EDT; 39min ago
> > >>>      Docs: man:httpd(8)
> > >>>            man:apachectl(8)
> > >>>   Process: 3594 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=1/FAILURE)
> > >>>
> > >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1579, in __wait_for_connection
> > >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: wait_for_open_socket(lurl.hostport, timeout)
> > >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1200, in wait_for_open_socket
> > >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: raise e
> > >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: error: [Errno 2] No such file or directory
> > >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: ipa : ERROR Unknown error while retrieving setting from ldapi://%2fvar%2frun%2fslapd-IPA-DOMAIN-LOCAL.socket: [Errno 2] No such file or directory
> > >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service: control process exited, code=exited status=1
> > >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Failed to start The Apache HTTP Server.
> > >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Unit httpd.service entered failed state.
> > >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service failed.
> > >>> [root@cd-ipa1 log]#
> > >>>
> > >>> DNS Result for dig redhat.com
> > >>>
> > >>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> redhat.com
> > >>> ;; global options: +cmd
> > >>> ;; Got answer:
> > >>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5414
> > >>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 2
> > >>>
> > >>> ;; OPT PSEUDOSECTION:
> > >>> ; EDNS: version: 0, flags:; udp: 4096
> > >>> ;; QUESTION SECTION:
> > >>> ;redhat.com.                    IN      A
> > >>>
> > >>> ;; ANSWER SECTION:
> > >>> redhat.com.             60      IN      A       209.132.183.105
> > >>>
> > >>> ;; AUTHORITY SECTION:
> > >>> .                       849     IN      NS      f.root-servers.net.
> > >>> .                       849     IN      NS      e.root-servers.net.
> > >>> .                       849     IN      NS      k.root-servers.net.
> > >>> .                       849     IN      NS      m.root-servers.net.
> > >>> .                       849     IN      NS      b.root-servers.net.
> > >>> .                       849     IN      NS      g.root-servers.net.
> > >>> .                       849     IN      NS      c.root-servers.net.
> > >>> .                       849     IN      NS      h.root-servers.net.
> > >>> .                       849     IN      NS      l.root-servers.net.
> > >>> .                       849     IN      NS      a.root-servers.net.
> > >>> .                       849     IN      NS      j.root-servers.net.
> > >>> .                       849     IN      NS      i.root-servers.net.
> > >>> .                       849     IN      NS      d.root-servers.net.
> > >>>
> > >>> ;; ADDITIONAL SECTION:
> > >>> j.root-servers.net.     3246    IN      A       192.58.128.30
> > >>>
> > >>> ;; Query time: 79 msec
> > >>> ;; SERVER: 10.20.10.41#53(10.20.10.41)
> > >>> ;; WHEN: Tue Apr 26 09:02:43 EDT 2016
> > >>> ;; MSG SIZE  rcvd: 282
> > >>>
> > >>> Gady
> > >>>
> > >> It seems like Directory server is not running. Can you post result of 'ipactl status' and 'systemctl status dirsrv@IPA-DOMAIN-LOCAL.service'?
> > >>
> > >> --
> > >> Martin^3 Babinsky
> > >
> >
>
-- 
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 11810 bytes
Desc: not available
URL: 

From gnotrica at candeal.com Wed Apr 27 15:19:24 2016
From: gnotrica at candeal.com (Gady Notrica)
Date: Wed, 27 Apr 2016 15:19:24 +0000
Subject: [Freeipa-users] krb5kdc service not starting
In-Reply-To: <5720D80E.7070003@redhat.com>
References: <0984AB34E553F54B8705D776686863E70AC01F50@cd-exchange01.CD-PRD.candeal.ca> <3df3e2c9-4249-8b3f-ddd2-739d9720f9aa@redhat.com> <0984AB34E553F54B8705D776686863E70AC01FCA@cd-exchange01.CD-PRD.candeal.ca> <571F74D5.1070102@redhat.com> <0984AB34E553F54B8705D776686863E70AC021BC@cd-exchange01.CD-PRD.candeal.ca> <0984AB34E553F54B8705D776686863E70AC0274D@cd-exchange01.CD-PRD.candeal.ca> <571FB6FB.3010906@redhat.com> <0984AB34E553F54B8705D776686863E70AC0291E@cd-exchange01.CD-PRD.candeal.ca> <5720678C.8090709@redhat.com> <0984AB34E553F54B8705D776686863E70AC032CC@cd-exchange01.CD-PRD.candeal.ca> <5720C747.7090709@redhat.com> <0984AB34E553F54B8705D776686863E70AC033CA@cd-exchange01.CD-PRD.candeal.ca> <5720D35C.8050304@redhat.com> <0984AB34E553F54B8705D776686863E70AC0346D@cd-exchange01.CD-PRD.candeal.ca> <5720D80E.7070003@redhat.com>
Message-ID: <0984AB34E553F54B8705D776686863E70AC034DC@cd-exchange01.CD-PRD.candeal.ca>

Yes I have a few files...
see here:

[root@cd-p-ipa1 log]# ls -l /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse*
-rw------- 1 dirsrv root   153365 Jan 15 11:59 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.ipa.2a425e90d7bf6f15
-rw------- 1 dirsrv root   187894 Feb 17 11:51 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.ipa.359903482c3cf7aa
-rw------- 1 dirsrv root   191405 Apr 14 09:36 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.ipa.37a6887eb1084abe
-rw------- 1 dirsrv root   191427 Mar 11 09:40 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.ipa.95bd550f879430c2
-rw------- 1 dirsrv root   191427 Mar  7 15:17 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.ipa.e21fffebbee53edb
-rw-r--r-- 1 dirsrv root   191566 Apr 14 09:37 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.modified.out
-rw------- 1 dirsrv dirsrv 191405 Apr 23 11:39 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.startOK
-r--r----- 1 dirsrv dirsrv  36003 Jan 15 11:46 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse_original.ldif

Gady Notrica | IT Systems Analyst | 416.814.7800 Ext. 7921 | Cell. 416.818.4797 | gnotrica at candeal.com
CanDeal | 152 King St. E, 4th Floor, Toronto ON M5A 1J4 | www.candeal.com

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: April 27, 2016 11:18 AM
To: Gady Notrica
Cc: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

On 04/27/2016 05:10 PM, Gady Notrica wrote:
Oh! No?
Is there a way I can pull those files from the secondary server and put them on the primary?
do you have any file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse* ? There might be some older states to try.
If you want to use a dse.ldif from another server, it could only work if the other server is really the same, same backends, indexes, ... and you would have to do a lot of editing to adapt the file to the local system, e.g. replication agreements ....
And then it is not sure if something else could be broken.
Or I can run the re-installation ipa-server-install with repair option and copy the data back from the secondary server?
I'm not so sure about the IPA reinstall/repair process, maybe someone else can step in.
Thanks,
Gady Notrica | IT Systems Analyst | 416.814.7800 Ext. 7921 | Cell. 416.818.4797 | gnotrica at candeal.com
CanDeal | 152 King St. E, 4th Floor, Toronto ON M5A 1J4 | www.candeal.com

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: April 27, 2016 10:58 AM
To: Gady Notrica
Cc: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

On 04/27/2016 04:36 PM, Gady Notrica wrote:
No changes to /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. I am tailing the log file and running those commands doesn't generate any log, nothing.

[root@cd-p-ipa1 log]# ipactl start
Starting Directory Service
Job for dirsrv@IPA-CANDEAL-CA.service failed because the control process exited with error code. See "systemctl status dirsrv@IPA-CANDEAL-CA.service" and "journalctl -xe" for details.
Failed to start Directory Service: Command ''/bin/systemctl' 'start' 'dirsrv@IPA-CANDEAL-CA.service'' returned non-zero exit status 1

Logs from /var/log/messages
Apr 27 10:26:05 cd-p-ipa1 systemd: Starting 389 Directory Server IPA-CANDEAL-CA....
Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] dse - The configuration file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was not restored from backup /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.tmp, error -1
Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] dse - The configuration file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was not restored from backup /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.bak, error -1
Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] config - The given config file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif could not be accessed, Netscape Portable Runtime error -5950 (File not found.)

this is BAD, looks like you completely lost your configuration file for DS, so it doesn't even know where to log anything. When you lost your VM and rebooted there must have been some data loss.
It could be only dse.ldif, but also other files.

[root@cd-p-ipa1 log]# systemctl start dirsrv@IPA-CANDEAL-CA.service
Job for dirsrv@IPA-CANDEAL-CA.service failed because the control process exited with error code. See "systemctl status dirsrv@IPA-CANDEAL-CA.service" and "journalctl -xe" for details.

[root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-CANDEAL-CA.service -l
● dirsrv@IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.
Loaded: loaded (/usr/lib/systemd/system/dirsrv at .service; enabled; vendor preset: disabled) Active: failed (Result: exit-code) since Wed 2016-04-27 10:26:17 EDT; 3s ago Process: 9830 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE) Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute 
syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
[root at cd-p-ipa1 log]#

Gady

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: April 27, 2016 10:06 AM
To: Gady Notrica
Cc: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

On 04/27/2016 03:48 PM, Gady Notrica wrote:

Hello Ludwig,

I do have only 1 error log for the 26th in /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. Below is the only line I have

[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2
[26/Apr/2016:00:13:01 -0400] - Entry "uid=MMOOREDT$,cn=users,cn=accounts,dc=ipa,dc=candeal,dc=ca" missing attribute "sn" required by object class "person"

I don't know if that helps.

no. And it is weird that there should be no logs, there were definitely messages logged around 8:50, you provided them via systemctl status dirsrv...
And at least the startup messages should be there

Can you try to start dirsrv again, and check what config settings for errorlog are in your dse.ldif

Gady

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: April 27, 2016 3:18 AM
To: Gady Notrica
Cc: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

On 04/26/2016 09:09 PM, Gady Notrica wrote:

HERE..

[23/Apr/2016:11:39:51 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/cd-p-ipa1.ipa.domain.local at IPA.DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[23/Apr/2016:11:39:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [23/Apr/2016:11:39:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [23/Apr/2016:11:39:51 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) [23/Apr/2016:11:39:51 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests [23/Apr/2016:11:39:51 -0400] - Listening on All Interfaces port 636 for LDAPS requests [23/Apr/2016:11:39:51 -0400] - Listening on /var/run/slapd-IPA-DOMAIN-LOCAL.socket for LDAPI requests [23/Apr/2016:11:39:55 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth resumed [23/Apr/2016:14:37:27 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later. 
[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [23/Apr/2016:14:38:13 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth resumed [25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2 these are old logs, the problem you were reporting was on Apr, 26: Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15" Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported 
problems and then restart the server.

we need the logs from that time

Gady

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: April 26, 2016 2:44 PM
To: Gady Notrica; Ludwig Krispenz; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

Gady Notrica wrote:
> Hey world,
>
> Any ideas?

What about the first part of Ludwig's question: Is there anything in the 389-ds error log?

rob

>
> Gady
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gady Notrica
> Sent: April 26, 2016 10:10 AM
> To: Ludwig Krispenz; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
> No, no changes. Lost connectivity with my VMs during the night (networking issues in datacenter)
>
> Reboot the server and oups, no IPA is coming up... The replica (secondary server) is fine though.
>
> Gady Notrica
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz
> Sent: April 26, 2016 10:02 AM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
>
> On 04/26/2016 03:26 PM, Gady Notrica wrote:
>> Here...
>>
>> [root at cd-p-ipa1 log]# ipactl status
>> Directory Service: STOPPED
>> Directory Service must be running in order to obtain status of other services
>> ipa: INFO: The ipactl command was successful
>>
>> [root at cd-p-ipa1 log]# systemctl status dirsrv at IPA-DOMAIN-LOCAL.service -l
>> ● dirsrv at IPA-DOMAIN-LOCAL.service - 389 Directory Server IPA-DOMAIN-LOCAL.
>> Loaded: loaded (/usr/lib/systemd/system/dirsrv at .service; enabled; vendor preset: disabled) >> Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 30min ago >> Process: 6333 ExecStart=/usr/sbin/ns-slapd -D >> /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w >> /var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE) >> >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: >> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: >> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 >> 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: >> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: >> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 >> 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: >> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: >> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016! 
:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-DOMAIN-LOCAL/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
> this says the server doesn't know a syntax oid, but it is a known one.
> It could be that the syntax plugins couldn't be loaded. There are more errors before, could you check where the errors start in /var/log/dirsrv/slapd-/errors ?
>
> And, did you do any changes to the system before this problem started ?
>> [root at cd-p-ipa1 log]#
>>
>> Gady
>>
>> -----Original Message-----
>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Martin Babinsky
>> Sent: April 26, 2016 9:17 AM
>> To: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] krb5kdc service not starting
>>
>> On 04/26/2016 03:13 PM, Gady Notrica wrote:
>>> Hello world,
>>>
>>> I am having issues this morning with my primary IPA. See below the details in the logs and command result. Basically, krb5kdc service not starting - krb5kdc: Server error - while fetching master key.
>>>
>>> DNS is functioning. See below dig result. I have a trust with Windows AD.
>>>
>>> Please help?!
>>>
>>> [root at cd-ipa1 log]# systemctl status krb5kdc.service -l
>>> ● krb5kdc.service - Kerberos 5 KDC
>>>    Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
>>>    Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52 EDT; 41min ago
>>>   Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE)
>>>
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Starting Kerberos 5 KDC...
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local krb5kdc[3694]: krb5kdc: cannot initialize realm IPA.DOMAIN.LOCAL - see log file for details
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service: control process exited, code=exited status=1
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Failed to start Kerberos 5 KDC.
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Unit krb5kdc.service entered failed state.
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service failed.
>>>
>>> [root at cd-ipa1 log]#
>>>
>>> Errors in /var/log/krb5kdc.log
>>>
>>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
>>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
>>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
>>>
>>> [root at cd-ipa1 log]# systemctl status httpd -l
>>> ● httpd.service - The Apache HTTP Server
>>>    Loaded: loaded (/etc/systemd/system/httpd.service; disabled; vendor preset: disabled)
>>>    Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:21 EDT; 39min ago
>>>      Docs: man:httpd(8)
>>>            man:apachectl(8)
>>>   Process: 3594 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=1/FAILURE)
>>>
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1579, in __wait_for_connection
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: wait_for_open_socket(lurl.hostport, timeout)
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1200, in wait_for_open_socket
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: raise e
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: error: [Errno 2] No such file or directory
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: ipa : ERROR Unknown error while retrieving setting from ldapi://%2fvar%2frun%2fslapd-IPA-DOMAIN-LOCAL.socket: [Errno 2] No such file or directory
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service: control process exited, code=exited status=1
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Failed to start The Apache HTTP Server.
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Unit httpd.service entered failed state.
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service failed.
>>> >>> [root at cd-ipa1 log]# >>> >>> >>> >>> >>> >>> DNS Result for dig redhat.com >>> >>> >>> >>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> redhat.com >>> >>> ;; global options: +cmd >>> >>> ;; Got answer: >>> >>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5414 >>> >>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: >>> 2 >>> >>> >>> >>> ;; OPT PSEUDOSECTION: >>> >>> ; EDNS: version: 0, flags:; udp: 4096 >>> >>> ;; QUESTION SECTION: >>> >>> ;redhat.com. IN A >>> >>> >>> >>> ;; ANSWER SECTION: >>> >>> redhat.com. 60 IN A 209.132.183.105 >>> >>> >>> >>> ;; AUTHORITY SECTION: >>> >>> . 849 IN NS f.root-servers.net. >>> >>> . 849 IN NS e.root-servers.net. >>> >>> . 849 IN NS k.root-servers.net. >>> >>> . 849 IN NS m.root-servers.net. >>> >>> . 849 IN NS b.root-servers.net. >>> >>> . 849 IN NS g.root-servers.net. >>> >>> . 849 IN NS c.root-servers.net. >>> >>> . 849 IN NS h.root-servers.net. >>> >>> . 849 IN NS l.root-servers.net. >>> >>> . 849 IN NS a.root-servers.net. >>> >>> . 849 IN NS j.root-servers.net. >>> >>> . 849 IN NS i.root-servers.net. >>> >>> . 849 IN NS d.root-servers.net. >>> >>> >>> >>> ;; ADDITIONAL SECTION: >>> >>> j.root-servers.net. 3246 IN A 192.58.128.30 >>> >>> >>> >>> ;; Query time: 79 msec >>> >>> ;; SERVER: 10.20.10.41#53(10.20.10.41) >>> >>> ;; WHEN: Tue Apr 26 09:02:43 EDT 2016 >>> >>> ;; MSG SIZE rcvd: 282 >>> >>> >>> >>> Gady >>> >>> >>> >>> >>> >> It seems like Directory server is not running. Can you post result of 'ipactl status' and 'systemctl status dirsrv at IPA-DOMAIN-LOCAL.service'? 
>>
>> --
>> Martin^3 Babinsky
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
> --
> Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill
From lkrispen at redhat.com Wed Apr 27 15:25:56 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 27 Apr 2016 17:25:56 +0200
Subject: [Freeipa-users] krb5kdc service not starting
In-Reply-To: <0984AB34E553F54B8705D776686863E70AC034DC@cd-exchange01.CD-PRD.candeal.ca>
References: <0984AB34E553F54B8705D776686863E70AC01F50@cd-exchange01.CD-PRD.candeal.ca> <3df3e2c9-4249-8b3f-ddd2-739d9720f9aa@redhat.com> <0984AB34E553F54B8705D776686863E70AC01FCA@cd-exchange01.CD-PRD.candeal.ca> <571F74D5.1070102@redhat.com> <0984AB34E553F54B8705D776686863E70AC021BC@cd-exchange01.CD-PRD.candeal.ca> <0984AB34E553F54B8705D776686863E70AC0274D@cd-exchange01.CD-PRD.candeal.ca> <571FB6FB.3010906@redhat.com> <0984AB34E553F54B8705D776686863E70AC0291E@cd-exchange01.CD-PRD.candeal.ca> <5720678C.8090709@redhat.com> <0984AB34E553F54B8705D776686863E70AC032CC@cd-exchange01.CD-PRD.candeal.ca> <5720C747.7090709@redhat.com> <0984AB34E553F54B8705D776686863E70AC033CA@cd-exchange01.CD-PRD.candeal.ca> <5720D35C.8050304@redhat.com> <0984AB34E553F54B8705D776686863E70AC0346D@cd-exchange01.CD-PRD.candeal.ca> <5720D80E.7070003@redhat.com> <0984AB34E553F54B8705D776686863E70AC034DC@cd-exchange01.CD-PRD.candeal.ca>
Message-ID: <5720DA04.3090506@redhat.com>

you can try:

cp /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.startOK /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif

and start dirsrv again,

On 04/27/2016 05:19 PM, Gady Notrica wrote:
>
> Yes I have few files... see here:
>
> [root at cd-p-ipa1 log]# ls -l /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse*
> -rw------- 1 dirsrv root   153365 Jan 15 11:59 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.ipa.2a425e90d7bf6f15
> -rw------- 1 dirsrv root   187894 Feb 17 11:51 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.ipa.359903482c3cf7aa
> -rw------- 1 dirsrv root   191405 Apr 14 09:36 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.ipa.37a6887eb1084abe
> -rw------- 1 dirsrv root   191427 Mar 11 09:40 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.ipa.95bd550f879430c2
> -rw------- 1 dirsrv root   191427 Mar  7 15:17 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.ipa.e21fffebbee53edb
> -rw-r--r-- 1 dirsrv root   191566 Apr 14 09:37 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.modified.out
> -rw------- 1 dirsrv dirsrv 191405 Apr 23 11:39 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.startOK
> -r--r----- 1 dirsrv dirsrv  36003 Jan 15 11:46 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse_original.ldif
>
> Gady Notrica | IT Systems Analyst | 416.814.7800 Ext. 7921 | Cell. 416.818.4797 | gnotrica at candeal.com
> CanDeal | 152 King St. E, 4th Floor, Toronto ON M5A 1J4 | www.candeal.com
>
> *From:* Ludwig Krispenz [mailto:lkrispen at redhat.com]
> *Sent:* April 27, 2016 11:18 AM
> *To:* Gady Notrica
> *Cc:* Rob Crittenden; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] krb5kdc service not starting
>
> On 04/27/2016 05:10 PM, Gady Notrica wrote:
>
> Oh! No?
>
> Is there a way I can pull those files from the secondary server and put them on the primary?
>
> do you have any file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse* ? There might be some older states to try
> If you want to use a dse.ldif from another server, it could only work if the other server is really the same, same backends, indexes,,....
> and you would have to do a lot of editing to adapt the file to the local system, eg replication agreements ....
> And then it is not sure if something else could be broken
>
> Or I can run the re-installation ipa-server-install with repair option and copy the data back from the secondary server?
>
> I'm not so sure about the IPA reinstall/repair process, maybe someone else can step in
>
> Thanks,
>
> Gady Notrica | IT Systems Analyst | 416.814.7800 Ext. 7921 | Cell. 416.818.4797 | gnotrica at candeal.com
> CanDeal | 152 King St. E, 4th Floor, Toronto ON M5A 1J4 | www.candeal.com
>
> *From:* Ludwig Krispenz [mailto:lkrispen at redhat.com]
> *Sent:* April 27, 2016 10:58 AM
> *To:* Gady Notrica
> *Cc:* Rob Crittenden; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] krb5kdc service not starting
>
> On 04/27/2016 04:36 PM, Gady Notrica wrote:
>
> *No changes* to /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. I am tailing the log file and running those commands doesn't generate any log, nothing.
>
> [root at cd-p-ipa1 log]# ipactl start
> Starting Directory Service
> Job for dirsrv at IPA-CANDEAL-CA.service failed because the control process exited with error code. See "systemctl status dirsrv at IPA-CANDEAL-CA.service" and "journalctl -xe" for details.
> Failed to start Directory Service: Command ''/bin/systemctl' 'start' 'dirsrv at IPA-CANDEAL-CA.service'' returned non-zero exit status 1
>
> *Logs from /var/log/messages*
>
> Apr 27 10:26:05 cd-p-ipa1 systemd: Starting 389 Directory Server IPA-CANDEAL-CA....
> Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] dse - The configuration file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was not restored from backup /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.tmp, error -1
> Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] dse - The configuration file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was not restored from backup /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.bak, error -1
> Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] config - The given config file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif could not be accessed, Netscape Portable Runtime error -5950 (File not found.)
>
> this is BAD, looks like you completely lost your configuration file for DS, so it doesn't even know where to log anything. When you lost your VM and rebooted there must have been some data loss.
> It could be only dse.ldif, but also other files.
>
> [root at cd-p-ipa1 log]# systemctl start dirsrv at IPA-CANDEAL-CA.service
> Job for dirsrv at IPA-CANDEAL-CA.service failed because the control process exited with error code. See "systemctl status dirsrv at IPA-CANDEAL-CA.service" and "journalctl -xe" for details.
>
> [root at cd-p-ipa1 log]# systemctl status dirsrv at IPA-CANDEAL-CA.service -l
> ● dirsrv at IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.
> > Loaded: loaded (/usr/lib/systemd/system/dirsrv at .service > ; enabled; vendor > preset: disabled) > > Active: failed (Result: exit-code) since Wed 2016-04-27 10:26:17 EDT; > 3s ago > > Process: 9830 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i > /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid > (code=exited, status=1/FAILURE) > > Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: > [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: > slapi_attr_values2keys_sv failed for type attributetypes > > Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: > [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: > slapi_attr_values2keys_sv failed for type attributetypes > > Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: > [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: > slapi_attr_values2keys_sv failed for type attributetypes > > Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: > [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: > slapi_attr_values2keys_sv failed for type attributetypes > > Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: > [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: > slapi_attr_values2keys_sv failed for type attributetypes > > Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: > [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: > slapi_attr_values2keys_sv failed for type attributetypes > > Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: > [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: > slapi_attr_values2keys_sv failed for type attributetypes > > Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: > [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: > slapi_attr_values2keys_sv failed for type attributetypes > > Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: > [27/Apr/2016:10:26:17 -0400] dse_read_one_file - The entry cn=schema > in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif 
(lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
>
> [root at cd-p-ipa1 log]#
>
> Gady
>
> *From:* Ludwig Krispenz [mailto:lkrispen at redhat.com]
> *Sent:* April 27, 2016 10:06 AM
> *To:* Gady Notrica
> *Cc:* Rob Crittenden; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] krb5kdc service not starting
>
> On 04/27/2016 03:48 PM, Gady Notrica wrote:
>
> Hello Ludwig,
>
> I do have only 1 error log for the 26^th in /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. Below is the only line I have
>
> [25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2
> [*26/Apr/2016*:00:13:01 -0400] - Entry "uid=MMOOREDT$,cn=users,cn=accounts,dc=ipa,dc=candeal,dc=ca" missing attribute "sn" required by object class "person"
>
> I don't know if that helps.
>
> no. And it is weird that there should be no logs, there were definitely messages logged around 8:50, you provided them via systemctl status dirsrv...
> And at least the startup messages should be there
>
> Can you try to start dirsrv again, and check what config settings for errorlog are in your dse.ldif
>
> Gady
>
> *From:* Ludwig Krispenz [mailto:lkrispen at redhat.com]
> *Sent:* April 27, 2016 3:18 AM
> *To:* Gady Notrica
> *Cc:* Rob Crittenden; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] krb5kdc service not starting
>
> On 04/26/2016 09:09 PM, Gady Notrica wrote:
>
> HERE..
> > [23/Apr/2016:11:39:51 -0400] set_krb5_creds - Could not get > initial credentials for principal > [ldap/cd-p-ipa1.ipa.domain.local at IPA.DOMAIN.LOCAL > ] in > keytab [FILE:/etc/dirsrv/ds.keytab > ]: > -1765328228 (Cannot contact any KDC for requested realm) > > [23/Apr/2016:11:39:51 -0400] slapd_ldap_sasl_interactive_bind - > Error: could not perform interactive bind for id [] mech [GSSAPI]: > LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI > Error: Unspecified GSS failure. Minor code may provide more > information (No Kerberos credentials available)) errno 0 (Success) > > [23/Apr/2016:11:39:51 -0400] slapi_ldap_bind - Error: could not > perform interactive bind for id [] authentication mechanism > [GSSAPI]: error -2 (Local error) > > [23/Apr/2016:11:39:51 -0400] NSMMReplicationPlugin - > agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): > Replication bind with GSSAPI auth failed: LDAP error -2 (Local > error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. Minor code may provide more information (No Kerberos > credentials available)) > > [23/Apr/2016:11:39:51 -0400] - slapd started. Listening on All > Interfaces port 389 for LDAP requests > > [23/Apr/2016:11:39:51 -0400] - Listening on All Interfaces port > 636 for LDAPS requests > > [23/Apr/2016:11:39:51 -0400] - Listening on > /var/run/slapd-IPA-DOMAIN-LOCAL.socket for LDAPI requests > > [23/Apr/2016:11:39:55 -0400] NSMMReplicationPlugin - > agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): > Replication bind with GSSAPI auth resumed > > [23/Apr/2016:14:37:27 -0400] NSMMReplicationPlugin - > agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Unable > to receive the response for a startReplication extended operation > to consumer (Can't contact LDAP server). Will retry later. 
> > [23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
> > [23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
> > [23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
> > [23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
> > [23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
> > [23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
> > [23/Apr/2016:14:38:13 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth resumed
> > [25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2
>
> these are old logs, the problem you were reporting was on Apr 26:
>
> > Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
> > Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
>
> we need the logs from that time
>
> > Gady
> >
> > -----Original Message-----
> > From: Rob Crittenden [mailto:rcritten at redhat.com]
> > Sent: April 26, 2016 2:44 PM
> > To: Gady Notrica; Ludwig Krispenz; freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] krb5kdc service not starting
> >
> > Gady Notrica wrote:
> > > Hey world,
> > >
> > > Any ideas?
> >
> > What about the first part of Ludwig's question: Is there anything in the 389-ds error log?
> >
> > rob
> >
> > > Gady
> > >
> > > -----Original Message-----
> > > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gady Notrica
> > > Sent: April 26, 2016 10:10 AM
> > > To: Ludwig Krispenz; freeipa-users at redhat.com
> > > Subject: Re: [Freeipa-users] krb5kdc service not starting
> > >
> > > No, no changes. Lost connectivity with my VMs during the night (networking issues in datacenter)
> > >
> > > Reboot the server and oops, no IPA is coming up... The replica (secondary server) is fine though.
> > >
> > > Gady Notrica
> > >
> > > -----Original Message-----
> > > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz
> > > Sent: April 26, 2016 10:02 AM
> > > To: freeipa-users at redhat.com
> > > Subject: Re: [Freeipa-users] krb5kdc service not starting
> > >
> > > On 04/26/2016 03:26 PM, Gady Notrica wrote:
> > >> Here...
> > >>
> > >> [root@cd-p-ipa1 log]# ipactl status
> > >> Directory Service: STOPPED
> > >> Directory Service must be running in order to obtain status of other services
> > >> ipa: INFO: The ipactl command was successful
> > >>
> > >> [root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-DOMAIN-LOCAL.service -l
> > >> ● dirsrv@IPA-DOMAIN-LOCAL.service - 389 Directory Server IPA-DOMAIN-LOCAL.
> > >>    Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
> > >>    Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 30min ago
> > >>   Process: 6333 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE)
> > >>
> > >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> > >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> > >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> > >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> > >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> > >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> > >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> > >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> > >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-DOMAIN-LOCAL/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
> > >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
> > >
> > > this says the server doesn't know a syntax oid, but it is a known one.
> > > It could be that the syntax plugins couldn't be loaded. There are more errors before, could you check where the errors start in /var/log/dirsrv/slapd-/errors ?
> > >
> > > And, did you do any changes to the system before this problem started ?
> > >
> > >> [root@cd-p-ipa1 log]#
> > >>
> > >> Gady
> > >>
> > >> -----Original Message-----
> > >> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Martin Babinsky
> > >> Sent: April 26, 2016 9:17 AM
> > >> To: freeipa-users at redhat.com
> > >> Subject: Re: [Freeipa-users] krb5kdc service not starting
> > >>
> > >> On 04/26/2016 03:13 PM, Gady Notrica wrote:
> > >>> Hello world,
> > >>>
> > >>> I am having issues this morning with my primary IPA. See below the details in the logs and command result. Basically, krb5kdc service not starting - krb5kdc: Server error - while fetching master key.
> > >>>
> > >>> DNS is functioning. See below dig result. I have a trust with Windows AD.
> > >>>
> > >>> Please help?!
> > >>>
> > >>> [root@cd-ipa1 log]# systemctl status krb5kdc.service -l
> > >>> ● krb5kdc.service - Kerberos 5 KDC
> > >>>    Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
> > >>>    Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52 EDT; 41min ago
> > >>>   Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE)
> > >>>
> > >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Starting Kerberos 5 KDC...
> > >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local krb5kdc[3694]: krb5kdc: cannot initialize realm IPA.DOMAIN.LOCAL - see log file for details
> > >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service: control process exited, code=exited status=1
> > >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Failed to start Kerberos 5 KDC.
> > >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Unit krb5kdc.service entered failed state.
> > >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service failed.
> > >>>
> > >>> [root@cd-ipa1 log]#
> > >>>
> > >>> Errors in /var/log/krb5kdc.log
> > >>>
> > >>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
> > >>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
> > >>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
> > >>>
> > >>> [root@cd-ipa1 log]# systemctl status httpd -l
> > >>> ● httpd.service - The Apache HTTP Server
> > >>>    Loaded: loaded (/etc/systemd/system/httpd.service; disabled; vendor preset: disabled)
> > >>>    Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:21 EDT; 39min ago
> > >>>      Docs: man:httpd(8)
> > >>>            man:apachectl(8)
> > >>>   Process: 3594 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=1/FAILURE)
> > >>>
> > >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1579, in __wait_for_connection
> > >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: wait_for_open_socket(lurl.hostport, timeout)
> > >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1200, in wait_for_open_socket
> > >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: raise e
> > >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: error: [Errno 2] No such file or directory
> > >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: ipa : ERROR Unknown error while retrieving setting from ldapi://%2fvar%2frun%2fslapd-IPA-DOMAIN-LOCAL.socket: [Errno 2] No such file or directory
> > >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service: control process exited, code=exited status=1
> > >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Failed to start The Apache HTTP Server.
> > >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Unit httpd.service entered failed state.
> > >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service failed.
> > >>>
> > >>> [root@cd-ipa1 log]#
> > >>>
> > >>> DNS Result for dig redhat.com
> > >>>
> > >>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> redhat.com
> > >>> ;; global options: +cmd
> > >>> ;; Got answer:
> > >>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5414
> > >>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 2
> > >>>
> > >>> ;; OPT PSEUDOSECTION:
> > >>> ; EDNS: version: 0, flags:; udp: 4096
> > >>> ;; QUESTION SECTION:
> > >>> ;redhat.com.                    IN      A
> > >>>
> > >>> ;; ANSWER SECTION:
> > >>> redhat.com.             60      IN      A       209.132.183.105
> > >>>
> > >>> ;; AUTHORITY SECTION:
> > >>> .                       849     IN      NS      f.root-servers.net.
> > >>> .                       849     IN      NS      e.root-servers.net.
> > >>> .                       849     IN      NS      k.root-servers.net.
> > >>> .                       849     IN      NS      m.root-servers.net.
> > >>> .                       849     IN      NS      b.root-servers.net.
> > >>> .                       849     IN      NS      g.root-servers.net.
> > >>> .                       849     IN      NS      c.root-servers.net.
> > >>> .                       849     IN      NS      h.root-servers.net.
> > >>> .                       849     IN      NS      l.root-servers.net.
> > >>> .                       849     IN      NS      a.root-servers.net.
> > >>> .                       849     IN      NS      j.root-servers.net.
> > >>> .                       849     IN      NS      i.root-servers.net.
> > >>> .                       849     IN      NS      d.root-servers.net.
> > >>>
> > >>> ;; ADDITIONAL SECTION:
> > >>> j.root-servers.net.     3246    IN      A       192.58.128.30
> > >>>
> > >>> ;; Query time: 79 msec
> > >>> ;; SERVER: 10.20.10.41#53(10.20.10.41)
> > >>> ;; WHEN: Tue Apr 26 09:02:43 EDT 2016
> > >>> ;; MSG SIZE  rcvd: 282
> > >>>
> > >>> Gady
> > >>>
> > >> It seems like Directory server is not running. Can you post result of 'ipactl status' and 'systemctl status dirsrv@IPA-DOMAIN-LOCAL.service'?
> > >>
> > >> --
> > >> Martin^3 Babinsky
> > >>
> > >> --
> > >> Manage your subscription for the Freeipa-users mailing list:
> > >> https://www.redhat.com/mailman/listinfo/freeipa-users
> > >> Go to http://freeipa.org for more info on the project
> > >>
> > >
> > > --
> > > Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
> > > Commercial register: Amtsgericht Muenchen, HRB 153243,
> > > Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill
> >

From gnotrica at candeal.com Wed Apr 27 15:34:34 2016
From: gnotrica at candeal.com (Gady Notrica)
Date: Wed, 27 Apr 2016 15:34:34 +0000
Subject: [Freeipa-users] krb5kdc service not starting
In-Reply-To: <5720DA04.3090506@redhat.com>
Message-ID: <0984AB34E553F54B8705D776686863E70AC03573@cd-exchange01.CD-PRD.candeal.ca>

That worked. The service is up and I can see a bunch of logs on the log I'm tailing...
/var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors

[root@cd-p-ipa1 slapd-IPA-CANDEAL-CA]# systemctl start dirsrv@IPA-CANDEAL-CA.service
[root@cd-p-ipa1 slapd-IPA-CANDEAL-CA]# systemctl status dirsrv@IPA-CANDEAL-CA.service -l
● dirsrv@IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.
   Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2016-04-27 11:31:04 EDT; 10s ago
  Process: 17300 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=0/SUCCESS)
 Main PID: 17317 (ns-slapd)
   CGroup: /system.slice/system-dirsrv.slice/dirsrv@IPA-CANDEAL-CA.service
           └─17317 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-IPA-CANDEAL-CA -i /var/run/dirsrv/slapd-IPA-CANDEAL-CA.pid -w /var/run/dirsrv/slapd-IPA-CANDEAL-CA.startpid

Apr 27 11:31:05 cd-p-ipa1.ipa.candeal.ca ns-slapd[17300]: [27/Apr/2016:11:31:05 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
Apr 27 11:31:05 cd-p-ipa1.ipa.candeal.ca ns-slapd[17300]: [27/Apr/2016:11:31:05 -0400] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
Apr 27 11:31:05 cd-p-ipa1.ipa.candeal.ca ns-slapd[17300]: [27/Apr/2016:11:31:05 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
Apr 27 11:31:05 cd-p-ipa1.ipa.candeal.ca ns-slapd[17300]: [27/Apr/2016:11:31:05 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
Apr 27 11:31:05 cd-p-ipa1.ipa.candeal.ca ns-slapd[17300]: [27/Apr/2016:11:31:05 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
Apr 27 11:31:05 cd-p-ipa1.ipa.candeal.ca ns-slapd[17300]: [27/Apr/2016:11:31:05 -0400] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled
Apr 27 11:31:05 cd-p-ipa1.ipa.candeal.ca ns-slapd[17300]: [27/Apr/2016:11:31:05 -0400] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
Apr 27 11:31:12 cd-p-ipa1.ipa.candeal.ca ns-slapd[17317]: GSSAPI client step 1
Apr 27 11:31:12 cd-p-ipa1.ipa.candeal.ca ns-slapd[17317]: GSSAPI client step 1
Apr 27 11:31:12 cd-p-ipa1.ipa.candeal.ca ns-slapd[17317]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)
[root@cd-p-ipa1 slapd-IPA-CANDEAL-CA]#

Gady Notrica | IT Systems Analyst | 416.814.7800 Ext. 7921 | Cell. 416.818.4797 | gnotrica at candeal.com
CanDeal | 152 King St. E, 4th Floor, Toronto ON M5A 1J4 | www.candeal.com

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: April 27, 2016 11:26 AM
To: Gady Notrica
Cc: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

you can try:

cp /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.startOK /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif

and start dirsrv again,

On 04/27/2016 05:19 PM, Gady Notrica wrote:
Yes, I have a few files... see here:

[root@cd-p-ipa1 log]# ls -l /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse*
-rw------- 1 dirsrv root   153365 Jan 15 11:59 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.ipa.2a425e90d7bf6f15
-rw------- 1 dirsrv root   187894 Feb 17 11:51 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.ipa.359903482c3cf7aa
-rw------- 1 dirsrv root   191405 Apr 14 09:36 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.ipa.37a6887eb1084abe
-rw------- 1 dirsrv root   191427 Mar 11 09:40 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.ipa.95bd550f879430c2
-rw------- 1 dirsrv root   191427 Mar  7 15:17 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.ipa.e21fffebbee53edb
-rw-r--r-- 1 dirsrv root   191566 Apr 14 09:37 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.modified.out
-rw------- 1 dirsrv dirsrv 191405 Apr 23 11:39 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.startOK
-r--r----- 1 dirsrv dirsrv  36003 Jan 15 11:46 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse_original.ldif

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: April 27, 2016 11:18 AM
To: Gady Notrica
Cc: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

On 04/27/2016 05:10 PM, Gady Notrica wrote:
Oh! No... Is there a way I can pull those files from the secondary server and put them on the primary?

do you have any file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse* ? There might be some older states to try

If you want to use a dse.ldif from another server, it could only work if the other server is really the same, same backends, indexes, ... and you would have to do a lot of editing to adapt the file to the local system, eg replication agreements .... And then it is not sure if something else could be broken

Or I can run the re-installation ipa-server-install with repair option and copy the data back from the secondary server?

I'm not so sure about the IPA reinstall/repair process, maybe someone else can step in

Thanks,

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: April 27, 2016 10:58 AM
To: Gady Notrica
Cc: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

On 04/27/2016 04:36 PM, Gady Notrica wrote:
No changes to /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. I am tailing the log file and running those commands doesn't generate any log, nothing.
[root@cd-p-ipa1 log]# ipactl start
Starting Directory Service
Job for dirsrv@IPA-CANDEAL-CA.service failed because the control process exited with error code. See "systemctl status dirsrv@IPA-CANDEAL-CA.service" and "journalctl -xe" for details.
Failed to start Directory Service: Command ''/bin/systemctl' 'start' 'dirsrv@IPA-CANDEAL-CA.service'' returned non-zero exit status 1

Logs from /var/log/messages

Apr 27 10:26:05 cd-p-ipa1 systemd: Starting 389 Directory Server IPA-CANDEAL-CA....
Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] dse - The configuration file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was not restored from backup /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.tmp, error -1
Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] dse - The configuration file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was not restored from backup /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.bak, error -1
Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] config - The given config file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif could not be accessed, Netscape Portable Runtime error -5950 (File not found.)

this is BAD, looks like you completely lost your configuration file for DS, so it doesn't even know where to log anything. When you lost your VM and rebooted there must have been some data loss. It could be only dse.ldif, but also other files.

[root@cd-p-ipa1 log]# systemctl start dirsrv@IPA-CANDEAL-CA.service
Job for dirsrv@IPA-CANDEAL-CA.service failed because the control process exited with error code. See "systemctl status dirsrv@IPA-CANDEAL-CA.service" and "journalctl -xe" for details.
[root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-CANDEAL-CA.service -l
● dirsrv@IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.
   Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2016-04-27 10:26:17 EDT; 3s ago
  Process: 9830 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE)

Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
[root@cd-p-ipa1 log]#

Gady

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: April 27, 2016 10:06 AM
To: Gady Notrica
Cc: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

On 04/27/2016 03:48 PM, Gady Notrica wrote:
Hello Ludwig,

I have only 1 error log for the 26th in /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. Below is the only line I have

[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2
[26/Apr/2016:00:13:01 -0400] - Entry "uid=MMOOREDT$,cn=users,cn=accounts,dc=ipa,dc=candeal,dc=ca" missing attribute "sn" required by object class "person"

I don't know if that helps.

no. And it is weird that there should be no logs, there were definitely messages logged around 8:50, you provided them via systemctl status dirsrv... And at least the startup messages should be there

Can you try to start dirsrv again, and check what config settings for errorlog are in your dse.ldif

Gady

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: April 27, 2016 3:18 AM
To: Gady Notrica
Cc: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

On 04/26/2016 09:09 PM, Gady Notrica wrote:
HERE..

[23/Apr/2016:11:39:51 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/cd-p-ipa1.ipa.domain.local@IPA.DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[23/Apr/2016:11:39:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[23/Apr/2016:11:39:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[23/Apr/2016:11:39:51 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[23/Apr/2016:11:39:51 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[23/Apr/2016:11:39:51 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[23/Apr/2016:11:39:51 -0400] - Listening on /var/run/slapd-IPA-DOMAIN-LOCAL.socket for LDAPI requests
[23/Apr/2016:11:39:55 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth resumed
[23/Apr/2016:14:37:27 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[23/Apr/2016:14:38:13 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth resumed
[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2

these are old logs, the problem you were reporting was on Apr 26:

Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.

we need the logs from that time

Gady

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: April 26, 2016 2:44 PM
To: Gady Notrica; Ludwig Krispenz; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

Gady Notrica wrote:
> Hey world,
>
> Any ideas?

What about the first part of Ludwig's question: Is there anything in the 389-ds error log?

rob

> Gady
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gady Notrica
> Sent: April 26, 2016 10:10 AM
> To: Ludwig Krispenz; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
> No, no changes. Lost connectivity with my VMs during the night (networking issues in datacenter)
>
> Reboot the server and oops, no IPA is coming up... The replica (secondary server) is fine though.
>
> Gady Notrica
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz
> Sent: April 26, 2016 10:02 AM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
> On 04/26/2016 03:26 PM, Gady Notrica wrote:
>> Here...
>>
>> [root@cd-p-ipa1 log]# ipactl status
>> Directory Service: STOPPED
>> Directory Service must be running in order to obtain status of other services
>> ipa: INFO: The ipactl command was successful
>>
>> [root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-DOMAIN-LOCAL.service -l
>> ● dirsrv@IPA-DOMAIN-LOCAL.service - 389 Directory Server IPA-DOMAIN-LOCAL.
>> Loaded: loaded (/usr/lib/systemd/system/dirsrv at .service; enabled; vendor preset: disabled) >> Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 30min ago >> Process: 6333 ExecStart=/usr/sbin/ns-slapd -D >> /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w >> /var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE) >> >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: >> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: >> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 >> 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: >> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: >> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 >> 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: >> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: >> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016! 
:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-DOMAIN-LOCAL/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15" >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server. > this says the server doesn't know a syntax oid, but it is a known one. > It could be that the syntax plugings couldn't be loaded. Thera are more errors before, could you check where the errors start in /var/log/dirsrv/slapd-/errors ? > > And, did you do any changes to the system before this problem started ? >> [root at cd-p-ipa1 log]# >> >> Gady >> >> -----Original Message----- >> From: freeipa-users-bounces at redhat.com >> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Martin >> Babinsky >> Sent: April 26, 2016 9:17 AM >> To: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] krb5kdc service not starting >> >> On 04/26/2016 03:13 PM, Gady Notrica wrote: >>> Hello world, >>> >>> >>> >>> I am having issues this morning with my primary IPA. See below the >>> details in the logs and command result. Basically, krb5kdc service >>> not starting - krb5kdc: Server error - while fetching master key. >>> >>> >>> >>> DNS is functioning. See below dig result. I have a trust with Windows AD. >>> >>> >>> >>> Please help?! >>> >>> >>> >>> [root at cd-ipa1 log]# systemctl status krb5kdc.service -l >>> >>> ? 
>>> ● krb5kdc.service - Kerberos 5 KDC
>>>    Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
>>>    Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52 EDT; 41min ago
>>>   Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE)
>>>
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Starting Kerberos 5 KDC...
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local krb5kdc[3694]: krb5kdc: cannot initialize realm IPA.DOMAIN.LOCAL - see log file for details
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service: control process exited, code=exited status=1
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Failed to start Kerberos 5 KDC.
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Unit krb5kdc.service entered failed state.
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service failed.
>>> [root@cd-ipa1 log]#
>>>
>>> Errors in /var/log/krb5kdc.log
>>>
>>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
>>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
>>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
>>>
>>> [root@cd-ipa1 log]# systemctl status httpd -l
>>> ● httpd.service - The Apache HTTP Server
>>>    Loaded: loaded (/etc/systemd/system/httpd.service; disabled; vendor preset: disabled)
>>>    Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:21 EDT; 39min ago
>>>      Docs: man:httpd(8)
>>>            man:apachectl(8)
>>>   Process: 3594 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=1/FAILURE)
>>>
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1579, in __wait_for_connection
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: wait_for_open_socket(lurl.hostport, timeout)
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1200, in wait_for_open_socket
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: raise e
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: error: [Errno 2] No such file or directory
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: ipa : ERROR Unknown error while retrieving setting from ldapi://%2fvar%2frun%2fslapd-IPA-DOMAIN-LOCAL.socket: [Errno 2] No such file or directory
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service: control process exited, code=exited status=1
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Failed to start The Apache HTTP Server.
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Unit httpd.service entered failed state.
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service failed.
>>> [root@cd-ipa1 log]#
>>>
>>> DNS Result for dig redhat.com
>>>
>>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> redhat.com
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5414
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 2
>>>
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags:; udp: 4096
>>> ;; QUESTION SECTION:
>>> ;redhat.com. IN A
>>>
>>> ;; ANSWER SECTION:
>>> redhat.com. 60 IN A 209.132.183.105
>>>
>>> ;; AUTHORITY SECTION:
>>> . 849 IN NS f.root-servers.net.
>>> . 849 IN NS e.root-servers.net.
>>> . 849 IN NS k.root-servers.net.
>>> . 849 IN NS m.root-servers.net.
>>> . 849 IN NS b.root-servers.net.
>>> . 849 IN NS g.root-servers.net.
>>> . 849 IN NS c.root-servers.net.
>>> . 849 IN NS h.root-servers.net.
>>> . 849 IN NS l.root-servers.net.
>>> . 849 IN NS a.root-servers.net.
>>> . 849 IN NS j.root-servers.net.
>>> . 849 IN NS i.root-servers.net.
>>> . 849 IN NS d.root-servers.net.
>>>
>>> ;; ADDITIONAL SECTION:
>>> j.root-servers.net. 3246 IN A 192.58.128.30
>>>
>>> ;; Query time: 79 msec
>>> ;; SERVER: 10.20.10.41#53(10.20.10.41)
>>> ;; WHEN: Tue Apr 26 09:02:43 EDT 2016
>>> ;; MSG SIZE rcvd: 282
>>>
>>> Gady
>>>
>> It seems like Directory server is not running. Can you post result of 'ipactl status' and 'systemctl status dirsrv@IPA-DOMAIN-LOCAL.service'?
>>
>> --
>> Martin^3 Babinsky
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
> --
> Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
> Commercial register: Amtsgericht Muenchen, HRB 153243, Managing
> Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael
> O'Neill
>
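The failure chain quoted in the message above, and the repair the thread converges on later (Ludwig's suggestion to copy dse.ldif.startOK back over the missing dse.ldif), as one added Python example. This is not code from the thread, from FreeIPA or from 389-ds: the log lines are constructed from the output pasted in this thread, and the instance name IPA-EXAMPLE-TEST and the fallback order (dse.ldif.startOK first, then the .bak/.tmp files ns-slapd itself looks for, then IPA's dse.ldif.ipa.* copies) are assumptions. It goes a little beyond the thread in two ways: it orders the signatures so that the root cause (no config file at all) is reported ahead of its consequences (the "Unknown attribute syntax OID" noise from the schema loader, the missing LDAPI socket that kills ipa-httpd-kdcproxy, the KDC failing to fetch K/M), and it refuses a candidate file that does not carry a cn=config entry before copying it into place.

```python
# Added example (not code from the thread, FreeIPA or 389-ds): triage the failure
# chain quoted in this thread and restore a lost dse.ldif from a known-good copy.
# Sample lines are constructed from the page; the instance name IPA-EXAMPLE-TEST
# and the fallback order are this example's assumptions.
import os
import re
import shutil
import stat
import tempfile

# Log signatures from the thread, ordered root cause -> consequence: everything after
# the first match is a symptom of ns-slapd never having started.
SIGNATURES = [
    ("dse_missing", r"dse\.ldif could not be accessed"),
    ("dse_restore_failed", r"dse\.ldif was not restored from backup"),
    ("schema_syntax", r"Unknown attribute syntax OID"),          # syntax plugins never loaded
    ("dirsrv_stopped", r"Directory Service: STOPPED"),
    ("ldapi_socket_gone", r"ldapi://\S+\.socket: \[Errno 2\]"),  # ipa-httpd-kdcproxy
    ("kdc_master_key", r"while fetching master key K/M"),        # krb5kdc reads K/M via LDAP
]

def triage(lines):
    """Return (root_cause_tag or None, [matching tags in causal order])."""
    found = [tag for tag, pat in SIGNATURES if any(re.search(pat, l) for l in lines)]
    return (found[0] if found else None), found

def ds_config_errorlog(path):
    """nsslapd-errorlog of cn=config if the file is a plausible dse.ldif, else None."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read().replace("\n ", "")      # unfold RFC 2849 continuation lines
    except OSError:
        return None
    if not re.search(r"^dn: cn=config\s*$", text, re.M | re.I):
        return None
    m = re.search(r"^nsslapd-errorlog:\s*(\S+)", text, re.M | re.I)
    return m.group(1) if m else None

# startOK is the config the server last started with (Ludwig's suggestion); .bak/.tmp
# are what ns-slapd itself falls back to; dse.ldif.ipa.* are IPA's pre-upgrade copies.
FALLBACKS = ("dse.ldif.startOK", "dse.ldif.bak", "dse.ldif.tmp")

def restore_dse_ldif(instance_dir, dry_run=False):
    """If dse.ldif is missing, copy back the first fallback that validates; return its
    file name, or None when there is nothing to do or nothing fits."""
    target = os.path.join(instance_dir, "dse.ldif")
    if os.path.exists(target):
        return None
    ipa_copies = sorted((n for n in os.listdir(instance_dir) if n.startswith("dse.ldif.ipa.")),
                        key=lambda n: os.path.getmtime(os.path.join(instance_dir, n)), reverse=True)
    for name in list(FALLBACKS) + ipa_copies:            # IPA copies newest first
        src = os.path.join(instance_dir, name)
        if not os.path.isfile(src) or ds_config_errorlog(src) is None:
            continue
        if not dry_run:
            shutil.copy2(src, target)
            os.chmod(target, stat.S_IRUSR | stat.S_IWUSR)     # 0600, as the thread's ls shows
            if hasattr(os, "geteuid") and os.geteuid() == 0:  # ownership is only fixable as root
                try: shutil.chown(target, "dirsrv", "dirsrv")
                except LookupError: pass                      # no dirsrv user on this host
        return name
    return None

# Constructed from the journal, ipactl and krb5kdc output quoted in the thread.
SAMPLE_LINES = [
    "ns-slapd: dse - The configuration file /etc/dirsrv/slapd-IPA-EXAMPLE-TEST/dse.ldif was"
    " not restored from backup /etc/dirsrv/slapd-IPA-EXAMPLE-TEST/dse.ldif.bak, error -1",
    "ns-slapd: config - The given config file /etc/dirsrv/slapd-IPA-EXAMPLE-TEST/dse.ldif"
    " could not be accessed, Netscape Portable Runtime error -5950 (File not found.)",
    "ns-slapd[9830]: dse_read_one_file - The entry cn=schema in file 00core.ldif is invalid,"
    ' error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"',
    "Directory Service: STOPPED",
    "ipa-httpd-kdcproxy[3594]: ipa : ERROR Unknown error while retrieving setting from"
    " ldapi://%2fvar%2frun%2fslapd-IPA-EXAMPLE-TEST.socket: [Errno 2] No such file or directory",
    "krb5kdc: Server error - while fetching master key K/M for realm EXAMPLE.TEST",
]

def demo():
    """Run both helpers on the constructed input inside a scratch instance directory."""
    root, found = triage(SAMPLE_LINES)
    workdir = tempfile.mkdtemp(prefix="slapd-IPA-EXAMPLE-TEST.")
    try:
        with open(os.path.join(workdir, "dse.ldif.startOK"), "w") as fh:
            fh.write("dn: cn=config\nobjectClass: top\n"
                     "nsslapd-errorlog: /var/log/dirsrv/slapd-IPA-EXAMPLE-TEST/err\n"
                     " ors\n\ndn: cn=schema\nobjectClass: top\n")   # folded value, as in real files
        with open(os.path.join(workdir, "dse.ldif.bak"), "w") as fh:
            fh.write("garbage from a torn write\n")               # must be rejected
        bak_ok = ds_config_errorlog(os.path.join(workdir, "dse.ldif.bak")) is not None
        used = restore_dse_ldif(workdir)
        errorlog = ds_config_errorlog(os.path.join(workdir, "dse.ldif"))
        second = restore_dse_ldif(workdir)                        # dse.ldif present: no-op
    finally:
        shutil.rmtree(workdir)
    return {"root_cause": root, "found": found, "bak_ok": bak_ok,
            "used": used, "errorlog": errorlog, "second": second}
```

demo() exercises both helpers on the constructed input. Against a real instance, run restore_dse_ldif('/etc/dirsrv/slapd-INSTANCE', dry_run=True) first and diff the file it picks against the running configuration of a healthy replica: dse.ldif.startOK is written at the last successful start, so anything changed since then (replication agreements, indexes, plugin settings) is not in it, which is the same caveat Ludwig raises below about borrowing a replica's file.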
From gnotrica at candeal.com Wed Apr 27 16:01:25 2016
From: gnotrica at candeal.com (Gady Notrica)
Date: Wed, 27 Apr 2016 16:01:25 +0000
Subject: [Freeipa-users] krb5kdc service not starting
References: <0984AB34E553F54B8705D776686863E70AC01F50@cd-exchange01.CD-PRD.candeal.ca> <3df3e2c9-4249-8b3f-ddd2-739d9720f9aa@redhat.com> <0984AB34E553F54B8705D776686863E70AC01FCA@cd-exchange01.CD-PRD.candeal.ca> <571F74D5.1070102@redhat.com> <0984AB34E553F54B8705D776686863E70AC021BC@cd-exchange01.CD-PRD.candeal.ca> <0984AB34E553F54B8705D776686863E70AC0274D@cd-exchange01.CD-PRD.candeal.ca> <571FB6FB.3010906@redhat.com> <0984AB34E553F54B8705D776686863E70AC0291E@cd-exchange01.CD-PRD.candeal.ca> <5720678C.8090709@redhat.com> <0984AB34E553F54B8705D776686863E70AC032CC@cd-exchange01.CD-PRD.candeal.ca> <5720C747.7090709@redhat.com> <0984AB34E553F54B8705D776686863E70AC033CA@cd-exchange01.CD-PRD.candeal.ca> <5720D35C.8050304@redhat.com> <0984AB34E553F54B8705D776686863E70AC0346D@cd-exchange01.CD-PRD.candeal.ca> <5720D80E.7070003@redhat.com> <0984AB34E553F54B8705D776686863E70AC034DC@cd-exchange01.CD-PRD.candeal.ca> <5720DA04.3090506@redhat.com>
Message-ID: <0984AB34E553F54B8705D776686863E70AC03606@cd-exchange01.CD-PRD.candeal.ca>

IPA came up! Yay!!! You guys are awesome!!!
[root@cd-p-ipa1 slapd-IPA-CANDEAL-CA]# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting pki-tomcatd Service
Starting smb Service
Starting winbind Service
Starting ipa-otpd Service
Starting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

Gady Notrica | IT Systems Analyst | 416.814.7800 Ext. 7921 | Cell. 416.818.4797 | gnotrica at candeal.com
CanDeal | 152 King St. E, 4th Floor, Toronto ON M5A 1J4 | www.candeal.com

From: Gady Notrica
Sent: April 27, 2016 11:35 AM
To: 'Ludwig Krispenz'
Cc: Rob Crittenden; freeipa-users at redhat.com
Subject: RE: [Freeipa-users] krb5kdc service not starting

That worked. The service is up and I can see a bunch of logs on the log I'm tailing: /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors

[root@cd-p-ipa1 slapd-IPA-CANDEAL-CA]# systemctl start dirsrv@IPA-CANDEAL-CA.service
[root@cd-p-ipa1 slapd-IPA-CANDEAL-CA]# systemctl status dirsrv@IPA-CANDEAL-CA.service -l
● dirsrv@IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.
   Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2016-04-27 11:31:04 EDT; 10s ago
  Process: 17300 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=0/SUCCESS)
 Main PID: 17317 (ns-slapd)
   CGroup: /system.slice/system-dirsrv.slice/dirsrv@IPA-CANDEAL-CA.service
           └─17317 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-IPA-CANDEAL-CA -i /var/run/dirsrv/slapd-IPA-CANDEAL-CA.pid -w /var/run/dirsrv/slapd-IPA-CANDEAL-CA.startpid

Apr 27 11:31:05 cd-p-ipa1.ipa.candeal.ca ns-slapd[17300]: [27/Apr/2016:11:31:05 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
Apr 27 11:31:05 cd-p-ipa1.ipa.candeal.ca ns-slapd[17300]: [27/Apr/2016:11:31:05 -0400] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
Apr 27 11:31:05 cd-p-ipa1.ipa.candeal.ca ns-slapd[17300]: [27/Apr/2016:11:31:05 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
Apr 27 11:31:05 cd-p-ipa1.ipa.candeal.ca ns-slapd[17300]: [27/Apr/2016:11:31:05 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
Apr 27 11:31:05 cd-p-ipa1.ipa.candeal.ca ns-slapd[17300]: [27/Apr/2016:11:31:05 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
Apr 27 11:31:05 cd-p-ipa1.ipa.candeal.ca ns-slapd[17300]: [27/Apr/2016:11:31:05 -0400] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled
Apr 27 11:31:05 cd-p-ipa1.ipa.candeal.ca ns-slapd[17300]: [27/Apr/2016:11:31:05 -0400] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
Apr 27 11:31:12 cd-p-ipa1.ipa.candeal.ca ns-slapd[17317]: GSSAPI client step 1
Apr 27 11:31:12 cd-p-ipa1.ipa.candeal.ca ns-slapd[17317]: GSSAPI client step 1
Apr 27 11:31:12 cd-p-ipa1.ipa.candeal.ca ns-slapd[17317]: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (No Kerberos credentials available)
[root@cd-p-ipa1 slapd-IPA-CANDEAL-CA]#

Gady Notrica

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: April 27, 2016 11:26 AM
To: Gady Notrica
Cc: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

you can try:

cp /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.startOK /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif

and start dirsrv again,

On 04/27/2016 05:19 PM, Gady Notrica wrote:
> Yes I have a few files... see here:
>
> [root@cd-p-ipa1 log]# ls -l /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse*
> -rw------- 1 dirsrv root 153365 Jan 15 11:59 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.ipa.2a425e90d7bf6f15
> -rw------- 1 dirsrv root 187894 Feb 17 11:51 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.ipa.359903482c3cf7aa
> -rw------- 1 dirsrv root 191405 Apr 14 09:36 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.ipa.37a6887eb1084abe
> -rw------- 1 dirsrv root 191427 Mar 11 09:40 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.ipa.95bd550f879430c2
> -rw------- 1 dirsrv root 191427 Mar 7 15:17 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.ipa.e21fffebbee53edb
> -rw-r--r-- 1 dirsrv root 191566 Apr 14 09:37 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.modified.out
> -rw------- 1 dirsrv dirsrv 191405 Apr 23 11:39 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.startOK
> -r--r----- 1 dirsrv dirsrv 36003 Jan 15 11:46 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse_original.ldif
>
> Gady Notrica

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: April 27, 2016 11:18 AM
To: Gady Notrica
Cc: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

On 04/27/2016 05:10 PM, Gady Notrica wrote:
> Oh! No? Is there a way I can pull those files from the secondary server and put them on the primary?
do you have any file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse* ? There might be some older states to try

If you want to use a dse.ldif from another server, it could only work if the other server is really the same, same backends, indexes,,.... and you would have to do a lot of editing to adapt the file to the local system, eg replication agreements .... And then it is not sure if something else could be broken
> Or I can run the re-installation ipa-server-install with repair option and copy the data back from the secondary server?
I'm not so sure about the IPA reinstall/repair process, maybe someone else can step in
> Thanks,
>
> Gady Notrica

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: April 27, 2016 10:58 AM
To: Gady Notrica
Cc: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

On 04/27/2016 04:36 PM, Gady Notrica wrote:
> No changes to /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. I am tailing the log file and running those commands doesn't generate any log, nothing.
> [root@cd-p-ipa1 log]# ipactl start
> Starting Directory Service
> Job for dirsrv@IPA-CANDEAL-CA.service failed because the control process exited with error code. See "systemctl status dirsrv@IPA-CANDEAL-CA.service" and "journalctl -xe" for details.
> Failed to start Directory Service: Command ''/bin/systemctl' 'start' 'dirsrv@IPA-CANDEAL-CA.service'' returned non-zero exit status 1
>
> Logs from /var/log/messages
>
> Apr 27 10:26:05 cd-p-ipa1 systemd: Starting 389 Directory Server IPA-CANDEAL-CA....
> Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] dse - The configuration file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was not restored from backup /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.tmp, error -1
> Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] dse - The configuration file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was not restored from backup /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.bak, error -1
> Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] config - The given config file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif could not be accessed, Netscape Portable Runtime error -5950 (File not found.)
this is BAD, looks like you completely lost your configuration file for DS, so it doesn't even know where to log anything.
When you lost your VM and rebooted there must have been some data loss. It could be only dse.ldif, but also other files.
>
> [root@cd-p-ipa1 log]# systemctl start dirsrv@IPA-CANDEAL-CA.service
> Job for dirsrv@IPA-CANDEAL-CA.service failed because the control process exited with error code. See "systemctl status dirsrv@IPA-CANDEAL-CA.service" and "journalctl -xe" for details.
> [root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-CANDEAL-CA.service -l
> ● dirsrv@IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.
>    Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
>    Active: failed (Result: exit-code) since Wed 2016-04-27 10:26:17 EDT; 3s ago
>   Process: 9830 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE)
>
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
> [root@cd-p-ipa1 log]#
>
> Gady

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: April 27, 2016 10:06 AM
To: Gady Notrica
Cc: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

On 04/27/2016 03:48 PM, Gady Notrica wrote:
> Hello Ludwig,
>
> I do have only 1 error log for the 26th in /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. Below is the only line I have
>
> [25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2
> [26/Apr/2016:00:13:01 -0400] - Entry "uid=MMOOREDT$,cn=users,cn=accounts,dc=ipa,dc=candeal,dc=ca" missing attribute "sn" required by object class "person"
>
> I don't know if that helps.
no. And it is weird that there should be no logs, there were definitely messages logged around 8:50, you provided them via systemctl status dirsrv...
And at least the startup messages should be there

Can you try to start dirsrv again. and check what config settings for errorlog are in your dse.ldif
>
> Gady

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: April 27, 2016 3:18 AM
To: Gady Notrica
Cc: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

On 04/26/2016 09:09 PM, Gady Notrica wrote:
> HERE..
>
> [23/Apr/2016:11:39:51 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/cd-p-ipa1.ipa.domain.local@IPA.DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> [23/Apr/2016:11:39:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
> Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
> [23/Apr/2016:11:39:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
> [23/Apr/2016:11:39:51 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
> [23/Apr/2016:11:39:51 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [23/Apr/2016:11:39:51 -0400] - Listening on All Interfaces port 636 for LDAPS requests
> [23/Apr/2016:11:39:51 -0400] - Listening on /var/run/slapd-IPA-DOMAIN-LOCAL.socket for LDAPI requests
> [23/Apr/2016:11:39:55 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth resumed
> [23/Apr/2016:14:37:27 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
> [23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
> [23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
> [23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
> [23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
> [23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
> [23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
> [23/Apr/2016:14:38:13 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth resumed
> [25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2
these are old logs, the problem you were reporting was on Apr, 26:

Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported
problems and then restart the server. we need the logs from that time Gady -----Original Message----- From: Rob Crittenden [mailto:rcritten at redhat.com] Sent: April 26, 2016 2:44 PM To: Gady Notrica; Ludwig Krispenz; freeipa-users at redhat.com Subject: Re: [Freeipa-users] krb5kdc service not starting Gady Notrica wrote: > Hey world, > > Any ideas? What about the first part of Ludwig's question: Is there anything in the 389-ds error log? rob > > Gady > > -----Original Message----- > From: freeipa-users-bounces at redhat.com > [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gady Notrica > Sent: April 26, 2016 10:10 AM > To: Ludwig Krispenz; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] krb5kdc service not starting > > No, no changes. Lost connectivity with my VMs during the night > (networking issues in datacenter) > > Reboot the server and oups, no IPA is coming up... The replica (secondary server) is fine though. > > Gady Notrica > > -----Original Message----- > From: freeipa-users-bounces at redhat.com > [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz > Sent: April 26, 2016 10:02 AM > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] krb5kdc service not starting > > > On 04/26/2016 03:26 PM, Gady Notrica wrote: >> Here... >> >> [root at cd-p-ipa1 log]# ipactl status >> Directory Service: STOPPED >> Directory Service must be running in order to obtain status of other >> services >> ipa: INFO: The ipactl command was successful >> >> [root at cd-p-ipa1 log]# systemctl status dirsrv at IPA-DOMAIN-LOCAL.service >> -l ? dirsrv at IPA-DOMAIN-LOCAL.service - 389 Directory Server IPA-DOMAIN-LOCAL. 
>> Loaded: loaded (/usr/lib/systemd/system/dirsrv at .service; enabled; vendor preset: disabled) >> Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 30min ago >> Process: 6333 ExecStart=/usr/sbin/ns-slapd -D >> /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w >> /var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE) >> >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: >> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: >> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 >> 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: >> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: >> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 >> 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: >> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: >> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016! 
:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-DOMAIN-LOCAL/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15" >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server. > this says the server doesn't know a syntax oid, but it is a known one. > It could be that the syntax plugings couldn't be loaded. Thera are more errors before, could you check where the errors start in /var/log/dirsrv/slapd-/errors ? > > And, did you do any changes to the system before this problem started ? >> [root at cd-p-ipa1 log]# >> >> Gady >> >> -----Original Message----- >> From: freeipa-users-bounces at redhat.com >> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Martin >> Babinsky >> Sent: April 26, 2016 9:17 AM >> To: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] krb5kdc service not starting >> >> On 04/26/2016 03:13 PM, Gady Notrica wrote: >>> Hello world, >>> >>> >>> >>> I am having issues this morning with my primary IPA. See below the >>> details in the logs and command result. Basically, krb5kdc service >>> not starting - krb5kdc: Server error - while fetching master key. >>> >>> >>> >>> DNS is functioning. See below dig result. I have a trust with Windows AD. >>> >>> >>> >>> Please help?! >>> >>> >>> >>> [root at cd-ipa1 log]# systemctl status krb5kdc.service -l >>> >>> ? 
krb5kdc.service - Kerberos 5 KDC >>> >>> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; >>> disabled; vendor preset: disabled) >>> >>> Active: failed (Result: exit-code) since Tue 2016-04-26 >>> 08:27:52 EDT; 41min ago >>> >>> Process: 3694 ExecStart=/usr/sbin/krb5kdc -P >>> /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE) >>> >>> >>> >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Starting >>> Kerberos >>> 5 KDC... >>> >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localkrb5kdc[3694]: krb5kdc: >>> cannot initialize realm IPA.DOMAIN.LOCAL- see log file for details >>> >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service: >>> control process exited, code=exited status=1 >>> >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Failed to start >>> Kerberos 5 KDC. >>> >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Unit >>> krb5kdc.service entered failed state. >>> >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service failed. >>> >>> [root at cd-ipa1 log]# >>> >>> >>> >>> Errors in /var/log/krb5kdc.log >>> >>> >>> >>> krb5kdc: Server error - while fetching master key K/M for realm >>> DOMAIN.LOCAL >>> >>> krb5kdc: Server error - while fetching master key K/M for realm >>> DOMAIN.LOCAL >>> >>> krb5kdc: Server error - while fetching master key K/M for realm >>> DOMAIN.LOCAL >>> >>> >>> >>> [root at cd-ipa1 log]# systemctl status httpd -l >>> >>> ? 
httpd.service - The Apache HTTP Server >>> >>> Loaded: loaded (/etc/systemd/system/httpd.service; disabled; >>> vendor >>> preset: disabled) >>> >>> Active: failed (Result: exit-code) since Tue 2016-04-26 >>> 08:27:21 EDT; 39min ago >>> >>> Docs: man:httpd(8) >>> >>> man:apachectl(8) >>> >>> Process: 3594 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy >>> (code=exited, status=1/FAILURE) >>> >>> >>> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: >>> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line >>> 1579, in __wait_for_connection >>> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: >>> wait_for_open_socket(lurl.hostport, timeout) >>> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: >>> File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line >>> 1200, in wait_for_open_socket >>> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: >>> raise e >>> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: >>> error: [Errno 2] No such file or directory >>> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: >>> ipa : ERROR Unknown error while retrieving setting from >>> ldapi://%2fvar%2frun%2fslapd-IPA-DOMAIN-LOCAL.socket: [Errno 2] No >>> such file or directory >>> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service: >>> control process exited, code=exited status=1 >>> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Failed to start >>> The Apache HTTP Server. >>> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Unit >>> httpd.service entered failed state. >>> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service failed.
>>> >>> [root at cd-ipa1 log]# >>> >>> >>> >>> >>> >>> DNS Result for dig redhat.com >>> >>> >>> >>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> redhat.com >>> >>> ;; global options: +cmd >>> >>> ;; Got answer: >>> >>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5414 >>> >>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: >>> 2 >>> >>> >>> >>> ;; OPT PSEUDOSECTION: >>> >>> ; EDNS: version: 0, flags:; udp: 4096 >>> >>> ;; QUESTION SECTION: >>> >>> ;redhat.com. IN A >>> >>> >>> >>> ;; ANSWER SECTION: >>> >>> redhat.com. 60 IN A 209.132.183.105 >>> >>> >>> >>> ;; AUTHORITY SECTION: >>> >>> . 849 IN NS f.root-servers.net. >>> >>> . 849 IN NS e.root-servers.net. >>> >>> . 849 IN NS k.root-servers.net. >>> >>> . 849 IN NS m.root-servers.net. >>> >>> . 849 IN NS b.root-servers.net. >>> >>> . 849 IN NS g.root-servers.net. >>> >>> . 849 IN NS c.root-servers.net. >>> >>> . 849 IN NS h.root-servers.net. >>> >>> . 849 IN NS l.root-servers.net. >>> >>> . 849 IN NS a.root-servers.net. >>> >>> . 849 IN NS j.root-servers.net. >>> >>> . 849 IN NS i.root-servers.net. >>> >>> . 849 IN NS d.root-servers.net. >>> >>> >>> >>> ;; ADDITIONAL SECTION: >>> >>> j.root-servers.net. 3246 IN A 192.58.128.30 >>> >>> >>> >>> ;; Query time: 79 msec >>> >>> ;; SERVER: 10.20.10.41#53(10.20.10.41) >>> >>> ;; WHEN: Tue Apr 26 09:02:43 EDT 2016 >>> >>> ;; MSG SIZE rcvd: 282 >>> >>> >>> >>> Gady >>> >>> >>> >>> >>> >> It seems like Directory server is not running. Can you post result of 'ipactl status' and 'systemctl status dirsrv at IPA-DOMAIN-LOCAL.service'? 
>> >> -- >> Martin^3 Babinsky >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project >> > > -- > Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, > Commercial register: Amtsgericht Muenchen, HRB 153243, Managing > Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael > O'Neill > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill
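Martin Babinsky's conclusion above (the directory server is not running) explains every symptom in this thread at once: the FreeIPA KDC reads its master key K/M from LDAP, and ipa-httpd-kdcproxy reads its settings over the LDAPI socket, so both fail the moment ns-slapd is down. Further down the thread the cause turns out to be a missing dse.ldif, and Ludwig Krispenz suggests copying dse.ldif.startOK back into place. The script below is an added example, not FreeIPA or 389-ds tooling and not code posted by anyone in the thread: it classifies the quoted log lines root-first and picks a restore source for dse.ldif. The preference order among the backup files is an assumption (Ludwig's startOK first, then the .tmp/.bak names ns-slapd itself reports trying, then the dated dse.ldif.ipa.* copies), the check for a cn=config entry is an added sanity test, and the demo directory it builds is constructed to mirror the ls -l listing Gady posts later in the thread.

```python
"""Triage helper for the FreeIPA start-up failure chain seen in this thread.

Added example, not FreeIPA or 389-ds tooling. Symptom patterns are taken from
the log lines quoted in the thread; the restore preference order is an
assumption modelled on Ludwig's suggestion (dse.ldif.startOK) and on the
.tmp/.bak names ns-slapd reports trying itself.
"""
import os
import re
import tempfile
from pathlib import Path

# Symptoms ordered root-first. The FreeIPA KDC keeps its master key in LDAP and
# ipa-httpd-kdcproxy reads its settings over the LDAPI socket, so a directory
# server symptom explains the KDC and httpd ones, never the other way round.
SYMPTOMS = [
    ("dirsrv-config-missing",
     re.compile(r"config file \S*dse\.ldif could not be accessed")),
    ("dirsrv-schema-load",
     re.compile(r"Unknown attribute syntax OID")),
    ("dirsrv-not-listening",
     re.compile(r"ldapi://\S+: \[Errno 2\] No such file or directory")),
    ("kdc-no-master-key",
     re.compile(r"while fetching master key K/M")),
]

NEXT_CHECK = {
    "dirsrv-config-missing": "dse.ldif is gone: pick a restore source with choose_dse_restore_source()",
    "dirsrv-schema-load": "core schema rejected at start-up: find the first error in the errors log",
    "dirsrv-not-listening": "LDAPI socket absent: run 'ipactl status' and check the dirsrv unit",
    "kdc-no-master-key": "KDC cannot read K/M from LDAP: fix the directory server first",
}


def triage(log_lines):
    """Return (root_cause, symptoms_seen) for a batch of log lines."""
    seen = []
    for line in log_lines:
        for name, pattern in SYMPTOMS:
            if pattern.search(line) and name not in seen:
                seen.append(name)
    order = [name for name, _ in SYMPTOMS]
    root = min(seen, key=order.index) if seen else None
    return root, seen


def looks_like_dse(path):
    """Cheap sanity check: a usable dse.ldif carries the cn=config entry."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return any(line.strip() == "dn: cn=config" for line in fh)
    except OSError:
        return False


def choose_dse_restore_source(instance_dir):
    """Pick the file to copy back as dse.ldif, or None if nothing usable exists.

    Order (assumption): dse.ldif.startOK, written after the last good start,
    then the .tmp/.bak files the server tries itself, then the dated
    dse.ldif.ipa.* copies from the listing in this thread, newest first.
    Empty files and files without a cn=config entry are skipped.
    """
    instance_dir = Path(instance_dir)
    candidates = [instance_dir / n
                  for n in ("dse.ldif.startOK", "dse.ldif.tmp", "dse.ldif.bak")]
    candidates += sorted(instance_dir.glob("dse.ldif.ipa.*"),
                         key=lambda p: p.stat().st_mtime, reverse=True)
    for cand in candidates:
        if cand.is_file() and cand.stat().st_size > 0 and looks_like_dse(cand):
            return cand
    return None


# Trimmed from the log lines posted in this thread.
SAMPLE_LOG = [
    "krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL",
    "ipa : ERROR Unknown error while retrieving setting from "
    "ldapi://%2fvar%2frun%2fslapd-IPA-DOMAIN-LOCAL.socket: [Errno 2] No such file or directory",
    "[26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file "
    "/etc/dirsrv/slapd-IPA-DOMAIN-LOCAL/schema/00core.ldif (lineno: 1) is invalid, "
    'error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"',
    "[27/Apr/2016:10:26:05 -0400] config - The given config file "
    "/etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif could not be accessed, "
    "Netscape Portable Runtime error -5950 (File not found.)",
]


def build_demo_instance():
    """Constructed throwaway directory mirroring the 'ls -l dse*' listing in the
    thread: same names and date order, stand-in contents, one empty .tmp."""
    d = Path(tempfile.mkdtemp(prefix="slapd-demo-"))
    stub = "dn: cn=config\nobjectClass: top\ncn: config\n"
    stamps = {  # approximate epoch seconds for Jan 15, Apr 14 and Apr 23 2016
        "dse.ldif.ipa.2a425e90d7bf6f15": 1452877000,
        "dse.ldif.ipa.37a6887eb1084abe": 1460641000,
        "dse.ldif.startOK": 1461426000,
    }
    for name, ts in stamps.items():
        p = d / name
        p.write_text(stub)
        os.utime(p, (ts, ts))
    (d / "dse.ldif.tmp").write_text("")  # zero-length leftover, must be skipped
    return d


if __name__ == "__main__":
    root, seen = triage(SAMPLE_LOG)
    print("symptoms:", seen)
    print("root cause:", root, "->", NEXT_CHECK[root])
    print("restore source:", choose_dse_restore_source(build_demo_instance()))
```

On a real host you would point choose_dse_restore_source() at /etc/dirsrv/slapd-<instance> and copy the file it returns to dse.ldif with the ownership and mode the other dse* files carry, then start dirsrv again as Ludwig describes; the triage half is only a reading aid for the journal and errors-log lines.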
From schogan at us.ibm.com Wed Apr 27 16:33:26 2016 From: schogan at us.ibm.com (Sean Hogan) Date: Wed, 27 Apr 2016 09:33:26 -0700 Subject: [Freeipa-users] IPA vulnerability management SSL In-Reply-To: <6c44a1aa-b1d5-cd85-fc64-38b38d8a1e4b@redhat.com> References: <201604270527.u3R5RvrE005517@d03av01.boulder.ibm.com> <6c44a1aa-b1d5-cd85-fc64-38b38d8a1e4b@redhat.com> Message-ID: <201604271633.u3RGXaQ9005835@d03av02.boulder.ibm.com> Hi Martin, Thanks for the response. We are at RHEL 6.7... getting the hits on 389 and 636 so it's the Directory server ports which I assume is dse.ldif. Sean Hogan From: Martin Kosek To: Sean Hogan/Durham/IBM at IBMUS, freeipa-users Date: 04/27/2016 01:43 AM Subject: Re: [Freeipa-users] IPA vulnerability management SSL On 04/27/2016 07:27 AM, Sean Hogan wrote: > Hello, > > We currently have 7 ipa servers in multi master running: > > ipa-server-3.0.0-47.el6_7.1.x86_64 > 389-ds-base-1.2.11.15-68.el6_7.x86_64 > > Tenable is showing the use of weak ciphers along with freak vulnerabilities. I > have followed > https://access.redhat.com/solutions/675183 however issues remain in the ciphers > being used. Can you show the full report, so that we can see what's wrong? What I am looking for also is if the problem is LDAPS port or HTTPS port, so that we are not fixing wrong service.
DS ciphers were hardened in RHEL-6.x and RHEL-7.x already as part of this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1154687 Further hardening comes with FreeIPA 4.3.1+: https://fedorahosted.org/freeipa/ticket/5684 https://fedorahosted.org/freeipa/ticket/5589 (it should appear in RHEL-7.3+) Martin From a.rubets at levi9.com Tue Apr 26 12:02:52 2016 From: a.rubets at levi9.com (Anton Rubets) Date: Tue, 26 Apr 2016 12:02:52 +0000 Subject: [Freeipa-users] Replication error Message-ID: <1461672172950.27500@levi9.com> Hi all, I have issues with replication between two FreeIPA servers. In the master's log: [26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://ldap2.domain:389/o%3Dipaca) failed. [26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://ldap2.domain:389/o%3Dipaca) failed. [26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://ldap2.domain389/o%3Dipaca) failed. [26/Apr/2016:10:39:35 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 2 (No such file or directory) On the replica server: [26/Apr/2016:08:38:12 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ldap1.domain:389/o%3Dipaca) failed. [26/Apr/2016:08:43:13 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ldap1domain:389/o%3Dipaca) failed. [26/Apr/2016:08:43:13 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ldap1.domain:389/o%3Dipaca) failed. [26/Apr/2016:08:43:13 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ldap1.domain:389/o%3Dipaca) failed. And I can't find the source of this problem. I have checked permissions etc.
As I see, the replica is working, but this message disturbs my email every few minutes and I want to somehow fix this. Also, I just migrated from 3.0 to 4.2. Info: Master : rpm -qa | grep ipa ipa-server-dns-4.2.0-15.0.1.el7.centos.6.x86_64 ipa-admintools-4.2.0-15.0.1.el7.centos.6.x86_64 sssd-ipa-1.13.0-40.el7_2.2.x86_64 ipa-client-4.2.0-15.0.1.el7.centos.6.x86_64 libipa_hbac-1.13.0-40.el7_2.2.x86_64 python-libipa_hbac-1.13.0-40.el7_2.2.x86_64 python-iniparse-0.4-9.el7.noarch ipa-python-4.2.0-15.0.1.el7.centos.6.x86_64 ipa-server-4.2.0-15.0.1.el7.centos.6.x86_64 Replica: rpm -qa | grep ipa sssd-ipa-1.13.0-40.el7_2.2.x86_64 ipa-admintools-4.2.0-15.0.1.el7.centos.6.1.x86_64 libipa_hbac-1.13.0-40.el7_2.2.x86_64 ipa-client-4.2.0-15.0.1.el7.centos.6.1.x86_64 ipa-python-4.2.0-15.0.1.el7.centos.6.1.x86_64 ipa-server-dns-4.2.0-15.0.1.el7.centos.6.1.x86_64 python-libipa_hbac-1.13.0-40.el7_2.2.x86_64 python-iniparse-0.4-9.el7.noarch ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64 Best Regards Anton Rubets From schogan at us.ibm.com Wed Apr 27 16:59:59 2016 From: schogan at us.ibm.com (Sean Hogan) Date: Wed, 27 Apr 2016 09:59:59 -0700 Subject: [Freeipa-users] IPA vulnerability management SSL In-Reply-To: References: <201604270527.u3R5RvrE005517@d03av01.boulder.ibm.com> <6c44a1aa-b1d5-cd85-fc64-38b38d8a1e4b@redhat.com> Message-ID: I ran the following: nmap --script ssl-enum-ciphers -p 636 `hostname` Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 12:48 EDT Nmap scan report for bob Host is up (0.000078s latency).
PORT STATE SERVICE 636/tcp open ldapssl | ssl-enum-ciphers: | TLSv1.2 | Ciphers (13) | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA | SSL_RSA_FIPS_WITH_DES_CBC_SHA | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA | TLS_RSA_WITH_3DES_EDE_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA256 | TLS_RSA_WITH_AES_128_GCM_SHA256 | TLS_RSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_AES_256_CBC_SHA256 | TLS_RSA_WITH_DES_CBC_SHA | TLS_RSA_WITH_RC4_128_MD5 | TLS_RSA_WITH_RC4_128_SHA | Compressors (1) |_ uncompressed Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds Tenable is barking about the following.. only listing 636 but the same applies for 389 Plugin ID: 65821 Port 636 Synopsis: The remote service supports the use of the RC4 cipher. Description The remote host supports the use of RC4 in one or more cipher suites. The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of small biases are introduced into the stream, decreasing its randomness. And 636 and 389 for Plugin ID: 81606 port 389 Synopsis: The remote host supports a set of weak ciphers. Description The remote host supports EXPORT_RSA cipher suites with keys less than or equal to 512 bits. An attacker can factor a 512-bit RSA modulus in a short amount of time. A man-in-the middle attacker may be able to downgrade the session to use EXPORT_RSA cipher suites (e.g. CVE-2015-0204). Thus, it is recommended to remove support for weak cipher suites. So I do see RC4 and the exports so I guess I can - those in the dse.ldif From: Sean Hogan/Durham/IBM To: Martin Kosek Cc: freeipa-users Date: 04/27/2016 09:33 AM Subject: Re: [Freeipa-users] IPA vulnerability management SSL Hi Martin, Thanks for the response. We are at RHEL 6.7... getting the hits on 389 and 636 so it's the Directory server ports which I assume is dse.ldif.
Sean Hogan From: Martin Kosek To: Sean Hogan/Durham/IBM at IBMUS, freeipa-users Date: 04/27/2016 01:43 AM Subject: Re: [Freeipa-users] IPA vulnerability management SSL On 04/27/2016 07:27 AM, Sean Hogan wrote: > Hello, > > We currently have 7 ipa servers in multi master running: > > ipa-server-3.0.0-47.el6_7.1.x86_64 > 389-ds-base-1.2.11.15-68.el6_7.x86_64 > > Tenable is showing the use of weak ciphers along with freak vulnerabilities. I > have followed > https://access.redhat.com/solutions/675183 however issues remain in the ciphers > being used. Can you show the full report, so that we can see what's wrong? What I am looking for also is if the problem is LDAPS port or HTTPS port, so that we are not fixing wrong service. DS ciphers were hardened in RHEL-6.x and RHEL-7.x already as part of this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1154687 Further hardening comes with FreeIPA 4.3.1+: https://fedorahosted.org/freeipa/ticket/5684 https://fedorahosted.org/freeipa/ticket/5589 (it should appear in RHEL-7.3+) Martin
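A repeatable check for Sean's scan and the two Tenable findings quoted above, usable both before and after the directory server's cipher list is edited: this is an added example, not code from the thread, from 389-ds or from Tenable. It parses the output of the same nmap --script ssl-enum-ciphers run, flags each offered suite against the rules Tenable applied (RC4, export-grade RSA) plus the single-DES, 3DES and MD5-MAC suites a reviewer would strike at the same time, and returns the allow-list that survives. The sample scan is Sean's 636/tcp listing re-wrapped into nmap's line layout (constructed). The 389-ds setting involved is nsSSL3Ciphers under cn=encryption,cn=config; its value syntax differs between releases, so take the exact value for 389-ds-base 1.2.11 from the Red Hat solution Sean linked rather than from here.

```python
"""Audit an nmap ssl-enum-ciphers listing for weak TLS suites.

Added example, not 389-ds, FreeIPA or Tenable code. The sample scan below is
the listing posted in this thread, re-wrapped into nmap's line layout.
"""
import re

PROTO_RE = re.compile(r"^(SSLv[23]|TLSv1(\.[0-3])?)$")
SUITE_RE = re.compile(r"^(TLS|SSL)_[A-Z0-9_]+$")

# Each rule: (reason, predicate). The first two are what Tenable plugins 65821
# (RC4) and 81606 (EXPORT_RSA, the FREAK downgrade) reported in the thread; the
# rest are neighbouring legacy suites worth striking at the same time.
WEAK_RULES = [
    ("rc4", lambda s: "RC4" in s),
    ("export", lambda s: "EXPORT" in s),
    ("des", lambda s: "_DES_" in s),          # single DES; does not match 3DES
    ("3des", lambda s: "3DES" in s),
    ("md5-mac", lambda s: s.endswith("_MD5")),
]


def parse_nmap_ciphers(text):
    """Return {protocol: [suite, ...]} from ssl-enum-ciphers script output."""
    result, proto = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").strip()  # drop nmap's '|' / '|_' gutter
        if PROTO_RE.match(line):
            proto = line
            result.setdefault(proto, [])
        elif proto and SUITE_RE.match(line):
            result[proto].append(line)
    return result


def weak_reasons(suite):
    return [reason for reason, hit in WEAK_RULES if hit(suite)]


def audit(text):
    """Map every offered suite that trips a rule to its reasons."""
    flagged = {}
    for suites in parse_nmap_ciphers(text).values():
        for suite in suites:
            reasons = weak_reasons(suite)
            if reasons:
                flagged[suite] = reasons
    return flagged


def allowed_suites(text):
    """Suites from the scan that pass every rule: the allow-list to keep."""
    offered = {s for suites in parse_nmap_ciphers(text).values() for s in suites}
    return sorted(s for s in offered if not weak_reasons(s))


def is_hardened(text):
    """True when a re-scan offers something and nothing in it is flagged.

    An empty or unparseable scan is not treated as a pass."""
    return bool(parse_nmap_ciphers(text)) and not audit(text)


def render_scan(suites, proto="TLSv1.2"):
    """Constructed nmap-style listing, used to model the post-change re-scan."""
    lines = ["636/tcp open  ldapssl", "| ssl-enum-ciphers:", "|   " + proto,
             "|     Ciphers (%d)" % len(suites)]
    lines += ["|       " + s for s in suites]
    return "\n".join(lines) + "\n"


# Sean's 636/tcp listing from this thread, re-wrapped (constructed layout).
SAMPLE_SCAN = """\
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (13)
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|       SSL_RSA_FIPS_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA256
|       TLS_RSA_WITH_AES_128_GCM_SHA256
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|       TLS_RSA_WITH_DES_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|     Compressors (1)
|_      uncompressed
"""

if __name__ == "__main__":
    for suite, reasons in sorted(audit(SAMPLE_SCAN).items()):
        print("REMOVE %-40s %s" % (suite, ", ".join(reasons)))
    print("keep:", allowed_suites(SAMPLE_SCAN))
    print("hardened after change:",
          is_hardened(render_scan(allowed_suites(SAMPLE_SCAN))))
```

After changing the cipher configuration and restarting the directory server, run the same nmap command against 636 again, save the output, and feed it to is_hardened(); the allow-list it prints for the current scan is all static-RSA AES suites, which clears the two Tenable plugins but offers no forward secrecy, so it is a floor, not a target.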
From gnotrica at candeal.com Wed Apr 27 17:02:01 2016 From: gnotrica at candeal.com (Gady Notrica) Date: Wed, 27 Apr 2016 17:02:01 +0000 Subject: [Freeipa-users] krb5kdc service not starting In-Reply-To: <5720DA04.3090506@redhat.com> References: <0984AB34E553F54B8705D776686863E70AC01F50@cd-exchange01.CD-PRD.candeal.ca> <3df3e2c9-4249-8b3f-ddd2-739d9720f9aa@redhat.com> <0984AB34E553F54B8705D776686863E70AC01FCA@cd-exchange01.CD-PRD.candeal.ca> <571F74D5.1070102@redhat.com> <0984AB34E553F54B8705D776686863E70AC021BC@cd-exchange01.CD-PRD.candeal.ca> <0984AB34E553F54B8705D776686863E70AC0274D@cd-exchange01.CD-PRD.candeal.ca> <571FB6FB.3010906@redhat.com> <0984AB34E553F54B8705D776686863E70AC0291E@cd-exchange01.CD-PRD.candeal.ca> <5720678C.8090709@redhat.com> <0984AB34E553F54B8705D776686863E70AC032CC@cd-exchange01.CD-PRD.candeal.ca> <5720C747.7090709@redhat.com> <0984AB34E553F54B8705D776686863E70AC033CA@cd-exchange01.CD-PRD.candeal.ca> <5720D35C.8050304@redhat.com> <0984AB34E553F54B8705D776686863E70AC0346D@cd-exchange01.CD-PRD.candeal.ca> <5720D80E.7070003@redhat.com> <0984AB34E553F54B8705D776686863E70AC034DC@cd-exchange01.CD-PRD.candeal.ca> <5720DA04.3090506@redhat.com> Message-ID: <0984AB34E553F54B8705D776686863E70AC036FA@cd-exchange01.CD-PRD.candeal.ca> Hello Ludwig, Is there a reason why my AD shows offline? [root at cd-p-ipa1 /]# wbinfo --online-status BUILTIN : online IPA : online CD-PRD : offline But I can see the trust. And DNS is resolving.
[root at cd-p-ipa1 /]# ipa trust-find --------------- 1 trust matched --------------- Realm name: CD-PRD.domain.com Domain NetBIOS name: CD-PRD Domain Security Identifier: S-1-5-21-1645522239-1450960922-839522115 Trust type: Active Directory domain ---------------------------- Number of entries returned 1 ---------------------------- [root at cd-p-ipa1 /]# ipa trust-show Realm name: CD-PRD.domain.com Realm name: CD-PRD.domain.com Domain NetBIOS name: CD-PRD Domain Security Identifier: S-1-5-21-1645522239-1450960922-839522115 Trust direction: Two-way trust Trust type: Active Directory domain [root at cd-p-ipa1 /]# ipa user-show gnotrica at CD-PRD.domain.com ipa: ERROR: gnotrica at cd-prd.domain.com: user not found [root at cd-p-ipa1 /]# dig SRV _ldap._tcp.cd-prd.domain.com ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> SRV _ldap._tcp.cd-prd.domain.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13868 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 6 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;_ldap._tcp.cd-prd.domain.com. IN SRV ;; ANSWER SECTION: _ldap._tcp.cd-prd.domain.com. 600 IN SRV 0 100 389 cd-dc2.cd-prd.domain.com. _ldap._tcp.cd-prd.domain.com. 600 IN SRV 0 100 389 cd-dc1.cd-prd.domain.com. Gady From: Ludwig Krispenz [mailto:lkrispen at redhat.com] Sent: April 27, 2016 11:26 AM To: Gady Notrica Cc: Rob Crittenden; freeipa-users at redhat.com Subject: Re: [Freeipa-users] krb5kdc service not starting you can try: cp /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.startOK /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif and start dirsrv again, On 04/27/2016 05:19 PM, Gady Notrica wrote: Yes I have a few files,
see here: [root at cd-p-ipa1 log]# ls -l /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse* -rw------- 1 dirsrv root 153365 Jan 15 11:59 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.ipa.2a425e90d7bf6f15 -rw------- 1 dirsrv root 187894 Feb 17 11:51 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.ipa.359903482c3cf7aa -rw------- 1 dirsrv root 191405 Apr 14 09:36 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.ipa.37a6887eb1084abe -rw------- 1 dirsrv root 191427 Mar 11 09:40 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.ipa.95bd550f879430c2 -rw------- 1 dirsrv root 191427 Mar 7 15:17 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.ipa.e21fffebbee53edb -rw-r--r-- 1 dirsrv root 191566 Apr 14 09:37 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.modified.out -rw------- 1 dirsrv dirsrv 191405 Apr 23 11:39 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.startOK -r--r----- 1 dirsrv dirsrv 36003 Jan 15 11:46 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse_original.ldif Gady Notrica | IT Systems Analyst | 416.814.7800 Ext. 7921 | Cell. 416.818.4797 | gnotrica at candeal.com CanDeal | 152 King St. E, 4th Floor, Toronto ON M5A 1J4 | www.candeal.com From: Ludwig Krispenz [mailto:lkrispen at redhat.com] Sent: April 27, 2016 11:18 AM To: Gady Notrica Cc: Rob Crittenden; freeipa-users at redhat.com Subject: Re: [Freeipa-users] krb5kdc service not starting On 04/27/2016 05:10 PM, Gady Notrica wrote: Oh! No. Is there a way I can pull those files from the secondary server and put them on the primary? do you have any file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse* ? There might be some older states to try If you want to use a dse.ldif from another server, it could only work if the other server is really the same, same backends, indexes, ... and you would have to do a lot of editing to adapt the file to the local system, eg replication agreements ....
And then it is not sure if something else could be broken Or I can run the re-installation ipa-server-install with repair option and copy the data back from the secondary server? I'm not so sure about the IPA reinstall/repair process, maybe someone else can step in Thanks, Gady Notrica | IT Systems Analyst | 416.814.7800 Ext. 7921 | Cell. 416.818.4797 | gnotrica at candeal.com CanDeal | 152 King St. E, 4th Floor, Toronto ON M5A 1J4 | www.candeal.com From: Ludwig Krispenz [mailto:lkrispen at redhat.com] Sent: April 27, 2016 10:58 AM To: Gady Notrica Cc: Rob Crittenden; freeipa-users at redhat.com Subject: Re: [Freeipa-users] krb5kdc service not starting On 04/27/2016 04:36 PM, Gady Notrica wrote: No changes to /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. I am tailing the log file and running those commands doesn't generate any log, nothing. [root at cd-p-ipa1 log]# ipactl start Starting Directory Service Job for dirsrv at IPA-CANDEAL-CA.service failed because the control process exited with error code. See "systemctl status dirsrv at IPA-CANDEAL-CA.service" and "journalctl -xe" for details. Failed to start Directory Service: Command ''/bin/systemctl' 'start' 'dirsrv at IPA-CANDEAL-CA.service'' returned non-zero exit status 1 Logs from /var/log/messages Apr 27 10:26:05 cd-p-ipa1 systemd: Starting 389 Directory Server IPA-CANDEAL-CA....
Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] dse - The configuration file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was not restored from backup /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.tmp, error -1 Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] dse - The configuration file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was not restored from backup /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.bak, error -1 Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] config - The given config file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif could not be accessed, Netscape Portable Runtime error -5950 (File not found.) this is BAD, looks like you completely lost your configuration file for DS, so it doesn't even know where to log anything. When you lost your VM and rebooted there must have been some data loss. It could be only dse.ldif, but also other files. [root at cd-p-ipa1 log]# systemctl start dirsrv at IPA-CANDEAL-CA.service Job for dirsrv at IPA-CANDEAL-CA.service failed because the control process exited with error code. See "systemctl status dirsrv at IPA-CANDEAL-CA.service" and "journalctl -xe" for details. [root at cd-p-ipa1 log]# systemctl status dirsrv at IPA-CANDEAL-CA.service -l ● dirsrv at IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.
Loaded: loaded (/usr/lib/systemd/system/dirsrv at .service; enabled; vendor preset: disabled) Active: failed (Result: exit-code) since Wed 2016-04-27 10:26:17 EDT; 3s ago Process: 9830 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE) Apr 27 10:26:17 cd-p-ipa1.ipa.domain.com ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 27 10:26:17 cd-p-ipa1.ipa.domain.com ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 27 10:26:17 cd-p-ipa1.ipa.domain.com ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 27 10:26:17 cd-p-ipa1.ipa.domain.com ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 27 10:26:17 cd-p-ipa1.ipa.domain.com ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 27 10:26:17 cd-p-ipa1.ipa.domain.com ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 27 10:26:17 cd-p-ipa1.ipa.domain.com ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 27 10:26:17 cd-p-ipa1.ipa.domain.com ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 27 10:26:17 cd-p-ipa1.ipa.domain.com ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute 
syntax OID "1.3.6.1.4.1.1466.115.121.1.15" Apr 27 10:26:17 cd-p-ipa1.ipa.domain.com ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] dse - Please edit the file to correct the reported problems and then restart the server. [root at cd-p-ipa1 log]# Gady From: Ludwig Krispenz [mailto:lkrispen at redhat.com] Sent: April 27, 2016 10:06 AM To: Gady Notrica Cc: Rob Crittenden; freeipa-users at redhat.com Subject: Re: [Freeipa-users] krb5kdc service not starting On 04/27/2016 03:48 PM, Gady Notrica wrote: Hello Ludwig, I do have only 1 error log for the 26th in /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. Below is the only line I have [25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2 [26/Apr/2016:00:13:01 -0400] - Entry "uid=MMOOREDT$,cn=users,cn=accounts,dc=ipa,dc=candeal,dc=ca" missing attribute "sn" required by object class "person" I don't know if that helps. no. And it is weird that there should be no logs, there were definitely messages logged around 8:50, you provided them via systemctl status dirsrv... And at least the startup messages should be there Can you try to start dirsrv again, and check what config settings for errorlog are in your dse.ldif Gady From: Ludwig Krispenz [mailto:lkrispen at redhat.com] Sent: April 27, 2016 3:18 AM To: Gady Notrica Cc: Rob Crittenden; freeipa-users at redhat.com Subject: Re: [Freeipa-users] krb5kdc service not starting On 04/26/2016 09:09 PM, Gady Notrica wrote: HERE.. [23/Apr/2016:11:39:51 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/cd-p-ipa1.ipa.domain.local at IPA.DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [23/Apr/2016:11:39:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [23/Apr/2016:11:39:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [23/Apr/2016:11:39:51 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) [23/Apr/2016:11:39:51 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests [23/Apr/2016:11:39:51 -0400] - Listening on All Interfaces port 636 for LDAPS requests [23/Apr/2016:11:39:51 -0400] - Listening on /var/run/slapd-IPA-DOMAIN-LOCAL.socket for LDAPI requests [23/Apr/2016:11:39:55 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth resumed [23/Apr/2016:14:37:27 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later. 
[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected) [23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [23/Apr/2016:14:38:13 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth resumed [25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2 these are old logs, the problem you were reporting was on Apr, 26: Apr 26 08:50:21 cd-p-ipa1.ipa.domain.com ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15" Apr 26 08:50:21 cd-p-ipa1.ipa.domain.com ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported 
problems and then restart the server. We need the logs from that time Gady -----Original Message----- From: Rob Crittenden [mailto:rcritten at redhat.com] Sent: April 26, 2016 2:44 PM To: Gady Notrica; Ludwig Krispenz; freeipa-users at redhat.com Subject: Re: [Freeipa-users] krb5kdc service not starting Gady Notrica wrote: > Hey world, > > Any ideas? What about the first part of Ludwig's question: Is there anything in the 389-ds error log? rob > > Gady > > -----Original Message----- > From: freeipa-users-bounces at redhat.com > [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gady Notrica > Sent: April 26, 2016 10:10 AM > To: Ludwig Krispenz; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] krb5kdc service not starting > > No, no changes. Lost connectivity with my VMs during the night > (networking issues in datacenter) > > Reboot the server and oops, no IPA is coming up... The replica (secondary server) is fine though. > > Gady Notrica > > -----Original Message----- > From: freeipa-users-bounces at redhat.com > [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz > Sent: April 26, 2016 10:02 AM > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] krb5kdc service not starting > > > On 04/26/2016 03:26 PM, Gady Notrica wrote: >> Here... >> >> [root at cd-p-ipa1 log]# ipactl status >> Directory Service: STOPPED >> Directory Service must be running in order to obtain status of other >> services >> ipa: INFO: The ipactl command was successful >> >> [root at cd-p-ipa1 log]# systemctl status dirsrv at IPA-DOMAIN-LOCAL.service >> -l ● dirsrv at IPA-DOMAIN-LOCAL.service - 389 Directory Server IPA-DOMAIN-LOCAL.
>> Loaded: loaded (/usr/lib/systemd/system/dirsrv at .service; enabled; vendor preset: disabled) >> Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 30min ago >> Process: 6333 ExecStart=/usr/sbin/ns-slapd -D >> /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w >> /var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE) >> >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: >> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: >> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 >> 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: >> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: >> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 >> 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: >> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: >> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-DOMAIN-LOCAL/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15" >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server. > this says the server doesn't know a syntax oid, but it is a known one. > It could be that the syntax plugins couldn't be loaded. There are more errors before, could you check where the errors start in /var/log/dirsrv/slapd-/errors ? > > And, did you do any changes to the system before this problem started ? >> [root at cd-p-ipa1 log]# >> >> Gady >> >> -----Original Message----- >> From: freeipa-users-bounces at redhat.com >> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Martin >> Babinsky >> Sent: April 26, 2016 9:17 AM >> To: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] krb5kdc service not starting >> >> On 04/26/2016 03:13 PM, Gady Notrica wrote: >>> Hello world, >>> >>> >>> >>> I am having issues this morning with my primary IPA. See below the >>> details in the logs and command result. Basically, krb5kdc service >>> not starting - krb5kdc: Server error - while fetching master key. >>> >>> >>> >>> DNS is functioning. See below dig result. I have a trust with Windows AD. >>> >>> >>> >>> Please help?! >>> >>> >>> >>> [root at cd-ipa1 log]# systemctl status krb5kdc.service -l >>> >>> ●
krb5kdc.service - Kerberos 5 KDC >>> >>> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; >>> disabled; vendor preset: disabled) >>> >>> Active: failed (Result: exit-code) since Tue 2016-04-26 >>> 08:27:52 EDT; 41min ago >>> >>> Process: 3694 ExecStart=/usr/sbin/krb5kdc -P >>> /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE) >>> >>> >>> >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Starting >>> Kerberos >>> 5 KDC... >>> >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localkrb5kdc[3694]: krb5kdc: >>> cannot initialize realm IPA.DOMAIN.LOCAL- see log file for details >>> >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service: >>> control process exited, code=exited status=1 >>> >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Failed to start >>> Kerberos 5 KDC. >>> >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Unit >>> krb5kdc.service entered failed state. >>> >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service failed. >>> >>> [root at cd-ipa1 log]# >>> >>> >>> >>> Errors in /var/log/krb5kdc.log >>> >>> >>> >>> krb5kdc: Server error - while fetching master key K/M for realm >>> DOMAIN.LOCAL >>> >>> krb5kdc: Server error - while fetching master key K/M for realm >>> DOMAIN.LOCAL >>> >>> krb5kdc: Server error - while fetching master key K/M for realm >>> DOMAIN.LOCAL >>> >>> >>> >>> [root at cd-ipa1 log]# systemctl status httpd -l >>> >>> ? 
httpd.service - The Apache HTTP Server >>> >>> Loaded: loaded (/etc/systemd/system/httpd.service; disabled; >>> vendor >>> preset: disabled) >>> >>> Active: failed (Result: exit-code) since Tue 2016-04-26 >>> 08:27:21 EDT; 39min ago >>> >>> Docs: man:httpd(8) >>> >>> man:apachectl(8) >>> >>> Process: 3594 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy >>> (code=exited, status=1/FAILURE) >>> >>> >>> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localipa-httpd-kdcproxy[3594]: >>> File "/usr/lib/python2.7/siteackages/ipapython/ipaldap.py", line >>> 1579, in __wait_for_connection >>> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: >>> wait_for_open_socket(lurl.hostport, timeout) >>> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: >>> File "/usr/lib/python2.7/siteackages/ipapython/ipautil.py", line >>> 1200, in wait_for_open_socket >>> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: >>> raise e >>> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: >>> error: [Errno 2] No such file or directory >>> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: >>> ipa : ERROR Unknown error while retrieving setting from >>> ldapi://%2fvar%2frun%2fslapd-IPA-DOMAIN-LOCAL.socket: [Errno 2] No >>> such file or directory >>> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: httpd.service: >>> control process exited, code=exited status=1 >>> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: Failed to start >>> The Apache HTTP Server. >>> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: Unit >>> httpd.service entered failed state. >>> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: httpd.service failed. 
>>> >>> [root at cd-ipa1 log]# >>> >>> >>> >>> >>> >>> DNS Result for dig redhat.com >>> >>> >>> >>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> redhat.com >>> >>> ;; global options: +cmd >>> >>> ;; Got answer: >>> >>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5414 >>> >>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: >>> 2 >>> >>> >>> >>> ;; OPT PSEUDOSECTION: >>> >>> ; EDNS: version: 0, flags:; udp: 4096 >>> >>> ;; QUESTION SECTION: >>> >>> ;redhat.com. IN A >>> >>> >>> >>> ;; ANSWER SECTION: >>> >>> redhat.com. 60 IN A 209.132.183.105 >>> >>> >>> >>> ;; AUTHORITY SECTION: >>> >>> . 849 IN NS f.root-servers.net. >>> >>> . 849 IN NS e.root-servers.net. >>> >>> . 849 IN NS k.root-servers.net. >>> >>> . 849 IN NS m.root-servers.net. >>> >>> . 849 IN NS b.root-servers.net. >>> >>> . 849 IN NS g.root-servers.net. >>> >>> . 849 IN NS c.root-servers.net. >>> >>> . 849 IN NS h.root-servers.net. >>> >>> . 849 IN NS l.root-servers.net. >>> >>> . 849 IN NS a.root-servers.net. >>> >>> . 849 IN NS j.root-servers.net. >>> >>> . 849 IN NS i.root-servers.net. >>> >>> . 849 IN NS d.root-servers.net. >>> >>> >>> >>> ;; ADDITIONAL SECTION: >>> >>> j.root-servers.net. 3246 IN A 192.58.128.30 >>> >>> >>> >>> ;; Query time: 79 msec >>> >>> ;; SERVER: 10.20.10.41#53(10.20.10.41) >>> >>> ;; WHEN: Tue Apr 26 09:02:43 EDT 2016 >>> >>> ;; MSG SIZE rcvd: 282 >>> >>> >>> >>> Gady >>> >>> >>> >>> >>> >> It seems like Directory server is not running. Can you post result of 'ipactl status' and 'systemctl status dirsrv at IPA-DOMAIN-LOCAL.service'? 
>> >> -- >> Martin^3 Babinsky >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project >> > > -- > Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, > Commercial register: Amtsgericht Muenchen, HRB 153243, Managing > Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael > O'Neill > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill -------------- next part -------------- An HTML attachment was scrubbed... 
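Ludwig's advice above (find where the errors start in the 389-ds errors log instead of trusting the last message) can be scripted. The following is an added example, not code from the thread or from 389-ds: it parses errors-log lines in the format quoted above, collapses the repeated valueset_value_syntax_cmp noise so the first real error is visible, and checks whether the rejected syntax OID is a standard one, which points at the syntax plugins failing to load rather than at the schema file. The sample log is constructed from the lines quoted in the thread; the "starting up" marker line is a constructed stand-in.

```python
"""Added example: triage a 389-ds (ns-slapd) errors log for a failed start-up.
Not code from the thread or from 389-ds; assumes the stock errors-log line
format "[DD/Mon/YYYY:HH:MM:SS +zzzz] [component - ]message".
"""
import re

# Standard LDAP syntaxes (RFC 4517).  A server that rejects one of these has
# not lost the syntax definition; it has failed to load its syntax plugins.
KNOWN_SYNTAX_OIDS = {
    "1.3.6.1.4.1.1466.115.121.1.7": "Boolean",
    "1.3.6.1.4.1.1466.115.121.1.12": "DN",
    "1.3.6.1.4.1.1466.115.121.1.15": "Directory String",
    "1.3.6.1.4.1.1466.115.121.1.24": "Generalized Time",
    "1.3.6.1.4.1.1466.115.121.1.26": "IA5 String",
    "1.3.6.1.4.1.1466.115.121.1.27": "Integer",
    "1.3.6.1.4.1.1466.115.121.1.40": "Octet String",
}

# Constructed sample modelled on the lines quoted in the thread; the
# "starting up" line is a constructed stand-in for the start-up marker.
SAMPLE_LOG = """\
[26/Apr/2016:08:50:20 -0400] - 389-Directory/1.3.x starting up
[26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
[26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
[26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
[26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-DOMAIN-LOCAL/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
[26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s*(?P<msg>.*)$")
SCHEMA_RE = re.compile(
    r"in file (?P<file>\S+) \(lineno: (?P<lineno>\d+)\).*?"
    r"attribute type (?P<attr>\S+): Unknown attribute syntax OID "
    r'"(?P<oid>[\d.]+)"'
)


def parse_errors_log(text):
    """Return (timestamp, message) pairs; the leading '- ' the log puts in
    front of messages without a component name is dropped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("ts"), m.group("msg").lstrip("- ").strip()))
    return entries


def triage(text):
    entries = parse_errors_log(text)
    # Only the most recent start-up matters: that is where this failure began.
    starts = [i for i, (_, msg) in enumerate(entries) if "starting up" in msg]
    run = entries[starts[-1] + 1:] if starts else entries
    # Collapse consecutive repeats so the first real error is not buried.
    collapsed = []
    for ts, msg in run:
        if collapsed and collapsed[-1]["msg"] == msg:
            collapsed[-1]["count"] += 1
        else:
            collapsed.append({"ts": ts, "msg": msg, "count": 1})
    schema = []
    for item in collapsed:
        m = SCHEMA_RE.search(item["msg"])
        if m:
            problem = m.groupdict()
            problem["standard_syntax"] = problem["oid"] in KNOWN_SYNTAX_OIDS
            schema.append(problem)
    if any(p["standard_syntax"] for p in schema):
        verdict = "standard syntax OID rejected: syntax plugins did not load, look at the earlier errors"
    elif schema:
        verdict = "schema file is invalid: fix the file named above"
    else:
        verdict = "no schema problem found"
    return {
        "first_error": (collapsed[0]["ts"], collapsed[0]["msg"]) if collapsed else None,
        "collapsed": collapsed,
        "schema_problems": schema,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for item in result["collapsed"]:
        print("[%s] x%d %s" % (item["ts"], item["count"], item["msg"][:80]))
    print("verdict:", result["verdict"])
```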
From rcritten at redhat.com  Wed Apr 27 17:11:07 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 27 Apr 2016 12:11:07 -0500
Subject: [Freeipa-users] IPA server having cert issues
In-Reply-To: <5720D0A8.505@damascusgrp.com>
References: <571F586E.2000302@damascusgrp.com>
 <571F5B99.4060607@damascusgrp.com> <571F6BF5.9060801@damascusgrp.com>
 <571F6C80.8000006@damascusgrp.com>
 <7c9ac60d-f182-cb92-bf53-85359e5c5b81@redhat.com>
 <571F9092.7060204@damascusgrp.com> <571F9E04.2050400@damascusgrp.com>
 <571FA944.8040003@redhat.com> <571FAE1C.107@damascusgrp.com>
 <57208EE1.3000006@damascusgrp.com> <5720D0A8.505@damascusgrp.com>
Message-ID: <5720F2AB.3000300@redhat.com>

Bret Wortman wrote:
> So in lieu of fixing these certs, is there an acceptable way to dump
> them all and start over /without losing the contents of the IPA
> database/? Or otherwise really screwing ourselves?

I don't believe there is a way.

> We have a replica that's still up and running and we've switched
> everyone over to talking to it, but we're at risk with just the one.

I'd ignore the two unknown certs for now. They look like someone was experimenting with issuing a cert and didn't quite get things working.

The CA seems to be throwing an error. I'd check the syslog for messages from certmonger and look at the CA debug log and selftest log.

rob

>
> Thanks!
>
>
> On 04/27/2016 06:05 AM, Bret Wortman wrote:
>> Was this at all informative?
>>
>> On 04/26/2016 02:06 PM, Bret Wortman wrote:
>>>
>>>
>>> On 04/26/2016 01:45 PM, Rob Crittenden wrote:
>>>> Bret Wortman wrote:
>>>>> I think I've found a deeper problem, in that I can't update these
>>>>> because IPA simply won't start at all now.
>>>>>
>>>>> I mistyped one of these -- the 2016-03-11 is actually 2018-03-11, and
>>>>> 2016-04-01 is actually 2036-04-01.
>>>>>
>>>>> As for the unknowns, the first says status: CA_REJECTED and the error
>>>>> says "hostname in subject of request 'zw198.private.net' does not match
>>>>> principal hostname 'private.net'", with stuck: yes.
>>>>>
>>>>> The second is similar, but for a different host.
>>>>
>>>> Is it really a different host and why? I think we'd need to see the
>>>> full output to know what's going on.
>>>>
>>>
>>> Full output:
>>>
>>> Number of certificates and requests being tracked: 10.
>>> Request ID '20140428181940':
>>>     status: MONITORING
>>>     stuck: no
>>>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PRIVATE-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PRIVATE-NET/pwdfile.txt'
>>>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-PRIVATE-NET',nickname='Server-Cert',token='NSS Certificate DB'
>>>     CA: IPA
>>>     issuer: CN=Certificate Authority,O=PRIVATE.NET
>>>     subject: CN=zsipa.private.net,O=PRIVATE.NET
>>>     expires: 2018-04-02 13:04:51 UTC
>>>     principal name: ldap/zsipa.private.net at PRIVATE.NET
>>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>>     pre-save command:
>>>     post-save command:
>>>     track: yes
>>>     auto-renew: yes
>>> Request ID '20140428182016':
>>>     status: MONITORING
>>>     stuck: no
>>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>     CA: IPA
>>>     issuer: CN=Certificate Authority,O=PRIVATE.NET
>>>     subject: CN=zsipa.private.net,O=PRIVATE.NET
>>>     expires: 2018-04-02 13:04:31 UTC
>>>     principal name: HTTP/zsipa.private.net at PRIVATE.NET
>>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>>     pre-save command:
>>>     post-save command:
>>>     track: yes
>>>     auto-renew: yes
>>> Request ID '20150211141945':
>>>     status: CA_REJECTED
>>>     ca-error: Server at https://zsipa.private.net/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: hostname in subject of request 'zw198.private.net' does not match principal hostname 'private.net').
>>>     stuck: yes
>>>     key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
>>>     certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
>>>     CA: IPA
>>>     issuer:
>>>     subject:
>>>     expires: unknown
>>>     pre-save command:
>>>     post-save command:
>>>     track: yes
>>>     auto-renew: yes
>>> Request ID '20150816194107':
>>>     status: CA_UNREACHABLE
>>>     ca-error: Internal error
>>>     stuck: no
>>>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='424151811070'
>>>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>     CA: dogtag-ipa-ca-renew-agent
>>>     issuer: CN=Certificate Authority,O=PRIVATE.NET
>>>     subject: CN=CA Audit,O=PRIVATE.NET
>>>     expires: 2016-04-17 18:19:19 UTC
>>>     key usage: digitalSignature,nonRepudiation
>>>     pre-save command:
>>>     post-save command:
>>>     track: yes
>>>     auto-renew: yes
>>> Request ID '20150816194108':
>>>     status: CA_UNREACHABLE
>>>     ca-error: Internal error
>>>     stuck: no
>>>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='424151811070'
>>>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>     CA: dogtag-ipa-ca-renew-agent
>>>     issuer: CN=Certificate Authority,O=PRIVATE.NET
>>>     subject: CN=OCSP Subsystem,O=PRIVATE.NET
>>>     expires: 2016-04-17 18:19:18 UTC
>>>     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>>     eku: id-kp-OCSPSigning
>>>     pre-save command:
>>>     post-save command:
>>>     track: yes
>>>     auto-renew: yes
>>> Request ID '20150816194109':
>>>     status: CA_UNREACHABLE
>>>     ca-error: Internal error
>>>     stuck: no
>>>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='424151811070'
>>>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>>     CA: dogtag-ipa-ca-renew-agent
>>>     issuer: CN=Certificate Authority,O=PRIVATE.NET
>>>     subject: CN=CA Subsystem,O=PRIVATE.NET
>>>     expires: 2016-04-17 18:19:19 UTC
>>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>>     pre-save command:
>>>     post-save command:
>>>     track: yes
>>>     auto-renew: yes
>>> Request ID '20150816194110':
>>>     status: MONITORING
>>>     stuck: no
>>>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin='424151811070'
>>>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>     CA: dogtag-ipa-ca-renew-agent
>>>     issuer: CN=Certificate Authority,O=PRIVATE.NET
>>>     subject: CN=Certificate Authority,O=PRIVATE.NET
>>>     expires: 2036-04-01 20:16:39 UTC
>>>     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>>     pre-save command:
>>>     post-save command:
>>>     track: yes
>>>     auto-renew: yes
>>> Request ID '20150816194111':
>>>     status: CA_UNREACHABLE
>>>     ca-error: Internal error
>>>     stuck: no
>>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>>     CA: dogtag-ipa-ca-renew-agent
>>>     issuer: CN=Certificate Authority,O=PRIVATE.NET
>>>     subject: CN=IPA RA,O=PRIVATE.NET
>>>     expires: 2016-04-17 18:19:35 UTC
>>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>>     pre-save command:
>>>     post-save command:
>>>     track: yes
>>>     auto-renew: yes
>>> Request ID '20150816194112':
>>>     status: MONITORING
>>>     stuck: no
>>>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='424151811070'
>>>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>>     CA: dogtag-ipa-renew-agent
>>>     issuer: CN=Certificate Authority,O=PRIVATE.NET
>>>     subject: CN=zsipa.private.net,O=PRIVATE.NET
>>>     expires: 2018-03-11 13:04:29 UTC
>>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>>     pre-save command:
>>>     post-save command:
>>>     track: yes
>>>     auto-renew: yes
>>> Request ID '20151214165433':
>>>     status: CA_REJECTED
>>>     ca-error: Server at https://zsipa.private.net/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: hostname in subject of request 'zsipa.private.net' does not match principal hostname 'www.private.net').
>>>     stuck: yes
>>>     key pair storage: type=FILE,location='/etc/pki/tls/private/www.private.net.key'
>>>     certificate: type=FILE,location='/etc/pki/tls/certs/www.private.net.crt'
>>>     CA: IPA
>>>     issuer:
>>>     subject:
>>>     expires: unknown
>>>     pre-save command:
>>>     post-save command:
>>>     track: yes
>>>     auto-renew: yes
>>>
>>>
>>>> A given host can only get certificates for itself or those delegated
>>>> to it. Hostnames are used for this enforcement so if they don't line
>>>> up you'll see this type of rejection.
>>>>
>>>>>
>>>>> No idea what's wrong with the rest, or why nothing will start. Near
>>>>> as I can tell, Kerberos is failing to start, which is causing everything
>>>>> else to go toes up.
>>>>>
>>>>> Early in the startup, in /var/log/messages, there's:
>>>>>
>>>>> ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide
>>>>> more information (No Kerberos credentials available)
>>>>
>>>> Without more context it's hard to say. 389 is rather chatty about
>>>> things and of course when it starts it has no ticket so it logs a
>>>> bunch of stuff, eventually (hopefully) gets one, and then shuts up.
>>>>
>>>>>
>>>>> After that, I get a jar file read problem on log4j.jar, then a
>>>>> series of property setting attempts that don't find matching properties.
>>>>> Then some cipher errors, then it looks like named starts up okay, and
>>>>> everything pauses for about 5 minutes before it all comes crashing back down.
>>>>>
>>>>
>>>> I wouldn't get too hung up on particular services just yet. Without
>>>> valid certs things will fail and those problems will cascade. I
>>>> think we just need more details at this point.
>>>>
>>>> rob
>>>>
>>>>>
>>>>> Bret
>>>>>
>>>>> On 04/26/2016 12:40 PM, Petr Vobornik wrote:
>>>>>> On 04/26/2016 06:00 PM, Bret Wortman wrote:
>>>>>>> # getcert list | grep expires
>>>>>>>         expires: 2018-04-02 13:04:51 UTC
>>>>>>>         expires: 2018-04-02 13:04:31 UTC
>>>>>>>         expires: unknown
>>>>>>>         expires: 2016-04-17 18:19:19 UTC
>>>>>>>         expires: 2016-04-17 18:19:18 UTC
>>>>>>>         expires: 2016-04-17 18:19:19 UTC
>>>>>>>         expires: 2016-04-01 20:16:39 UTC
>>>>>>>         expires: 2016-04-17 18:19:35 UTC
>>>>>>>         expires: 2016-03-11 13:04:29 UTC
>>>>>>>         expires: unknown
>>>>>>> #
>>>>>>>
>>>>>>> So some got updated and most didn't. Is there a recommended way
>>>>>>> to update these all? The system is still backdated to 3 April
>>>>>>> (ntpd disabled) at this point.
>>>>>> It's usually good to start renewing (when it doesn't happen
>>>>>> automatically for some reason) with the cert which is about to expire
>>>>>> first, i.e. the one with "2016-03-11 13:04:29"
>>>>>>
>>>>>> The process is:
>>>>>> - move date before the cert is about to expire
>>>>>> - leave it up to certmonger or manually force resubmit by `getcert
>>>>>> resubmit -i $REQUEST_ID`, where request ID is in `getcert list`
>>>>>> output.
>>>>>>
>>>>>> I'm a little worried about the fact that CA cert was renewed at date
>>>>>> which is after expiration of the other certs.
>>>>>>
>>>>>> Also the `expires: unknown` doesn't look good. Check `getcert list`
>>>>>> output for errors related to the cert.
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> Bret
>>>>>>>
>>>>>>>
>>>>>>> On 04/26/2016 11:46 AM, Petr Vobornik wrote:
>>>>>>>> On 04/26/2016 03:26 PM, Bret Wortman wrote:
>>>>>>>>> On our non-CA IPA server, this is happening, in case it's
>>>>>>>>> related and illustrative:
>>>>>>>>>
>>>>>>>>> # ipa host-del zw113.private.net
>>>>>>>>> ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
>>>>>>>>> certificate/key database is in an old, unsupported format.
>>>>>>>>> #
>>>>>>>> I would start with checking on all IPA servers if and what
>>>>>>>> certificates are expired:
>>>>>>>> # getcert list
>>>>>>>> or short version to check if there are any:
>>>>>>>> # getcert list | grep expires
>>>>>>>>
>>>>>>>> When CA cert is renewed, it is not automatically transferred to
>>>>>>>> clients. There one must run:
>>>>>>>> # ipa-certupdate
>>>>>>>>
>>>>>>>>> On 04/26/2016 09:24 AM, Bret Wortman wrote:
>>>>>>>>>> I rolled the date on the IPA server in question back to April
>>>>>>>>>> 1 and ran "ipa-cacert-manage renew", which said it completed
>>>>>>>>>> successfully. I rolled the date back to current and tried
>>>>>>>>>> restarting ipa using ipactl stop && ipactl start, but no joy.
>>>>>>>>>> No more ca renewal errors, but right after the pause I see
>>>>>>>>>> this in /var/log/messages:
>>>>>>>>>>
>>>>>>>>>> systemd: kadmin.service: main process exited, code=exited, status=2/INVALIDARGUMENT
>>>>>>>>>> systemd: Unit kadmin.service entered failed state.
>>>>>>>>>> systemd: kadmin.service failed.
>>>>>>>>>>
>>>>>>>>>> I rebooted the server just in case, and it's still getting
>>>>>>>>>> stuck at the same place. ipa-otpd doesn't get around to starting.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Bret
>>>>>>>>>>
>>>>>>>>>> After the several-minutes-long pause after ipactl start
>>>>>>>>>> outputs "Starting pki-tomcatd Service", I get the
>>>>>>>>>>
>>>>>>>>>> On 04/26/2016 08:14 AM, Bret Wortman wrote:
>>>>>>>>>>> I have an IPA server on a private network which has
>>>>>>>>>>> apparently run into certificate issues this morning. It's
>>>>>>>>>>> been running without issue for quite a while, and is on
>>>>>>>>>>> 4.1.4-1 on fedora 21.
>>>>>>>>>>>
>>>>>>>>>>> This morning, the gui started giving:
>>>>>>>>>>>
>>>>>>>>>>> IPA Error 907: NetworkError with description "cannot connect to
>>>>>>>>>>> 'https://zsipa.private.net:443/ca/agent/ca/displayBySerial':
>>>>>>>>>>> (SSL_ERROR_EXPIRED_CERRT_ALERT) SSL peer rejected your
>>>>>>>>>>> certificate as expired."
>>>>>>>>>>>
>>>>>>>>>>> I dug into the logs and after trying to restart ipa using
>>>>>>>>>>> ipactl, there was a lengthy pause, then:
>>>>>>>>>>>
>>>>>>>>>>> dogtag-ipa-ca-renew-agent-submit: Updated certificate not available
>>>>>>>>>>> certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in
>>>>>>>>>>> database "/etc/httpd/alias" is no longer valid.
>>>>>>>>>>> dogtag-ipa-ca-renew-agent-submit: Updated certificate not available
>>>>>>>>>>> certmonger: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS
>>>>>>>>>>> Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
>>>>>>>>>>> dogtag-ipa-ca-renew-agent-submit: Updated certificate not available.
>>>>>>>>>>> named-pkcs11[3437]: client 192.168.208.205#57832: update
>>>>>>>>>>> '208.168.192.in-addr.arpa/IN' denied
>>>>>>>>>>>
>>>>>>>>>>> and then things start shutting down. I can't start ipa at all
>>>>>>>>>>> using ipactl.
>>>>>>>>>>>
>>>>>>>>>>> So at present, our DNS is down. Authentication should work
>>>>>>>>>>> for a while, but I'd like to get this working again as quickly
>>>>>>>>>>> as possible. Any ideas? I deal with certificates so
>>>>>>>>>>> infrequently (like only when something like this happens)
>>>>>>>>>>> that I'm not sure where to start.
>>>>>>>>>>>
>>>>>>>>>>> Thanks!
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> *Bret Wortman*
>>>>>>>>>>> /Coming soon to Kickstarter.../
>>>>>>>>>>>
>>>>>>>>>>> http://wrapbuddies.co/
>>>>>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>
>
>

From abokovoy at redhat.com  Wed Apr 27 17:18:59 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 27 Apr 2016 20:18:59 +0300
Subject: [Freeipa-users] krb5kdc service not starting
In-Reply-To: <0984AB34E553F54B8705D776686863E70AC036FA@cd-exchange01.CD-PRD.candeal.ca>
References: <5720678C.8090709@redhat.com>
 <0984AB34E553F54B8705D776686863E70AC032CC@cd-exchange01.CD-PRD.candeal.ca>
 <5720C747.7090709@redhat.com>
 <0984AB34E553F54B8705D776686863E70AC033CA@cd-exchange01.CD-PRD.candeal.ca>
 <5720D35C.8050304@redhat.com>
 <0984AB34E553F54B8705D776686863E70AC0346D@cd-exchange01.CD-PRD.candeal.ca>
 <5720D80E.7070003@redhat.com>
 <0984AB34E553F54B8705D776686863E70AC034DC@cd-exchange01.CD-PRD.candeal.ca>
 <5720DA04.3090506@redhat.com>
 <0984AB34E553F54B8705D776686863E70AC036FA@cd-exchange01.CD-PRD.candeal.ca>
Message-ID: <20160427171859.h5g7ync3m3adcjwu@redhat.com>

On Wed, 27 Apr 2016, Gady Notrica wrote:
>Hello Ludwig,
>
>Is there a reason why my AD show offline?
>
>[root at cd-p-ipa1 /]# wbinfo --online-status
>BUILTIN : online
>IPA : online
>CD-PRD : offline
wbinfo output is irrelevant for RHEL 7.2-based IPA trusts. You need to make sure that 'getent passwd CD-PRD\\Administrator' resolves via SSSD.
--
/ Alexander Bokovoy

From schogan at us.ibm.com  Wed Apr 27 17:22:32 2016
From: schogan at us.ibm.com (Sean Hogan)
Date: Wed, 27 Apr 2016 10:22:32 -0700
Subject: [Freeipa-users] IPA vulnerability management SSL
In-Reply-To: <20160427065215.3owetlgimd6yujes@redhat.com>
References: <201604270527.u3R5RvrE005517@d03av01.boulder.ibm.com>
 <20160427065215.3owetlgimd6yujes@redhat.com>
Message-ID:

Hello Alexander

I knew the below which is why I added my DS rpm version in the orig email which made sense to me but per 389 DS docs allowweakcipher starts in 1.3.3.2 in case anyone else reads this. At least that's what the docs say but you may know something where it actually does not work til 1.3.4.0. I dunno
http://directory.fedoraproject.org/docs/389ds/design/nss-cipher-design.html

Additionally I want to clarify the comment 4.3.1 has this as default setup. Are you suggesting that IPA 3.0.47 for rhel6 is incapable of getting a stronger ssl config and that anyone who needs tighter cipher control needs to upgrade to IPA 4.3.1 and their OS to RHEL(centos, scientific) 7

Sean Hogan

From: Alexander Bokovoy
To: Sean Hogan/Durham/IBM at IBMUS
Cc: freeipa-users
Date: 04/26/2016 11:52 PM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL

On Tue, 26 Apr 2016, Sean Hogan wrote:
>
>
>Hello,
>
> We currently have 7 ipa servers in multi master running:
>
>ipa-server-3.0.0-47.el6_7.1.x86_64
>389-ds-base-1.2.11.15-68.el6_7.x86_64
>
>Tenable is showing the use of weak ciphers along with freak
>vulnerabilities. I have followed
>https://access.redhat.com/solutions/675183 however issues remain in the
>ciphers being used.
$ git log --oneline 5f3c87e1380e56d76d4a4bef3af07633a8589891|head -1
5f3c87e Ticket #47838 - harden the list of ciphers available by default
$ git tag --contains 5f3c87e1380e56d76d4a4bef3af07633a8589891|head -1
389-ds-base-1.3.4.0

This means allowweakcipher feature is only in 389-ds-base >= 1.3.4.0. This should explain your failures below.

>
>I have also modified dse.ldif with the following from
>http://freeipa-users.redhat.narkive.com/XGR9YzyN/weak-and-null-ciphers-detected-on-ldap-ports
>
>With ipa stopped I modified dse with below
>
>modifyTimestamp: 20150420131906Z
>nsSSL3Ciphers: +all,-rsa_null_sha
>allowWeakCipher: off
>numSubordinates: 1
>
>I turn on ipa and get
>Starting Directory Service
>Starting dirsrv:
>    PKI-IPA...[27/Apr/2016:01:23:21 -0400] - Entry
>"cn=encryption,cn=config" -- attribute "allowweakcipher" not allowed
>
>So I go back into the file and allowWeakCipher now shows allowweakcipher
>(caps for W and C are now lower case)
attribute names are case-insensitive and normalized to a lower case. Anyway, just don't use allowweakcipher in older 389-ds-base version.

>
>nss.conf
>
>
># new config to stop using weak ciphers.
>NSSCipherSuite -rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_256_sha
>
> SSL Protocol:
># Cryptographic protocols that provide communication security.
># NSS handles the specified protocols as "ranges", and automatically
># negotiates the use of the strongest protocol for a connection starting
># with the maximum specified protocol and downgrading as necessary to the
># minimum specified protocol that can be used between two processes.
># Since all protocol ranges are completely inclusive, and no protocol in
>the
>NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>
>
>server.xml
>
>        clientAuth="true"
>        sslOptions="ssl2=off,ssl3=off,tls=true"
>
>ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
>
>ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
>
>tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,-SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,-SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
>
>
>
>
>Is there a config for this version of IPA/DS somewhere that will pass
>poodle, freak, null ciphers scanning or only allow strong ciphers?
FreeIPA 4.3.1 has default setup that gives A on these tests with SSL Labs.
https://www.ssllabs.com/ssltest/analyze.html?d=ipa.demo1.freeipa.org&hideResults=on

Follow https://fedorahosted.org/freeipa/ticket/5589 for Apache changes and for the script to generate proper lists.

--
/ Alexander Bokovoy
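To see why a directive like `nsSSL3Ciphers: +all,-rsa_null_sha` still leaves scanner findings in place while the nss.conf list above does not, the following added example (not code from the thread, from 389-ds or from mod_nss) applies a +/- cipher directive token by token and reports which weak suites remain enabled. The cipher universe used to expand `+all` is constructed from the NSS short names in the nss.conf quoted above plus rsa_aes_128_sha; the real NSS table is larger, and left-to-right application of the tokens is an assumption.

```python
"""Added example: lint a +/- cipher directive of the kind used in the thread
(389-ds nsSSL3Ciphers, mod_nss NSSCipherSuite) for weak suites that stay
enabled.  Not code from the thread, 389-ds or mod_nss.  Assumes tokens are
applied left to right and that "all" expands to the whole cipher table.
"""

# Constructed cipher universe: the NSS short names from the nss.conf quoted
# above plus rsa_aes_128_sha.  The real NSS table is larger.
KNOWN_CIPHERS = [
    "rsa_rc4_128_md5", "rsa_rc4_128_sha", "rsa_3des_sha", "rsa_des_sha",
    "rsa_rc4_40_md5", "rsa_rc2_40_md5", "rsa_null_md5", "rsa_null_sha",
    "fips_3des_sha", "fips_des_sha", "fortezza", "fortezza_rc4_128_sha",
    "fortezza_null", "rsa_des_56_sha", "rsa_rc4_56_sha",
    "rsa_aes_128_sha", "rsa_aes_256_sha",
]

# Substring of a suite name -> why a scanner flags it.
WEAK_MARKERS = {
    "null": "no encryption",
    "rc4": "RC4 stream cipher (broken)",
    "rc2": "RC2 (40-bit export)",
    "des": "DES/3DES (64-bit block, weak)",
    "md5": "MD5-based MAC",
    "_40_": "40-bit export key",
    "_56_": "56-bit export key",
    "fortezza": "Fortezza (obsolete)",
}

# The two directives quoted in the thread.
DS_SPEC = "+all,-rsa_null_sha"
NSS_CONF_SPEC = ("-rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_3des_sha,-rsa_des_sha,"
                 "-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,"
                 "-fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,"
                 "-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_256_sha")


def effective_ciphers(spec, known=KNOWN_CIPHERS):
    """Apply the directive token by token; return (enabled set, unknown names).
    Unknown names are reported rather than ignored: a misspelled token is
    how a 'hardened' directive ends up changing nothing."""
    enabled, unknown = set(), []
    for tok in (t.strip() for t in spec.split(",") if t.strip()):
        sign, name = tok[0], tok[1:].lower()
        if sign not in "+-" or not name:
            raise ValueError("bad cipher token: %r" % tok)
        if name == "all":
            targets = list(known)
        elif name in known:
            targets = [name]
        else:
            unknown.append(name)
            continue
        if sign == "+":
            enabled.update(targets)
        else:
            enabled.difference_update(targets)
    return enabled, unknown


def lint(spec, known=KNOWN_CIPHERS):
    """Return {'weak': {cipher: [reasons]}, 'strong': [...], 'unknown': [...]}."""
    enabled, unknown = effective_ciphers(spec, known)
    weak = {}
    for cipher in sorted(enabled):
        reasons = [why for marker, why in WEAK_MARKERS.items() if marker in cipher]
        if reasons:
            weak[cipher] = reasons
    strong = sorted(c for c in enabled if c not in weak)
    return {"weak": weak, "strong": strong, "unknown": unknown}


if __name__ == "__main__":
    for label, spec in (("nsSSL3Ciphers", DS_SPEC), ("NSSCipherSuite", NSS_CONF_SPEC)):
        report = lint(spec)
        print("%s: %d weak suite(s) still enabled, strong: %s"
              % (label, len(report["weak"]), report["strong"]))
        for cipher, reasons in report["weak"].items():
            print("  %-24s %s" % (cipher, "; ".join(reasons)))
```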
From abokovoy at redhat.com Wed Apr 27 17:35:02 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 27 Apr 2016 20:35:02 +0300 Subject: [Freeipa-users] IPA vulnerability management SSL In-Reply-To: References: <201604270527.u3R5RvrE005517@d03av01.boulder.ibm.com> <20160427065215.3owetlgimd6yujes@redhat.com> Message-ID: <20160427173502.36trmhjxmdr4eegn@redhat.com>

On Wed, 27 Apr 2016, Sean Hogan wrote:
> Hello Alexander
>
> I knew the below which is why I added my DS rpm version in the orig email
> which made sense to me but per 389 DS docs allowweakcipher starts in
> 1.3.3.2 in case anyone else reads this. At least that's what the docs say
> but you may know something where it actually does not work til 1.3.4.0. I
> dunno
> http://directory.fedoraproject.org/docs/389ds/design/nss-cipher-design.html
>
> Additionally I want to clarify the comment 4.3.1 has this as default setup.
> Are you suggesting that IPA 3.0.47 for rhel6 is incapable of getting a
> stronger ssl config and that anyone who needs tighter cipher control needs
> to upgrade to IPA 4.3.1 and their OS to RHEL(centos, scientific) 7
All I said is that we fixed this particular issue to make sure defaults in 4.3.1 reflect current status quo on SSL ciphers. If you want to have a similar setup with 3.0.47, you are welcome to improve the configuration based on the effort we did for 4.3.1.

Notice that I said nothing about incapability of either deployment to handle this, not sure where you were able to read that from.
--
/ Alexander Bokovoy

From gnotrica at candeal.com Wed Apr 27 17:41:07 2016 From: gnotrica at candeal.com (Gady Notrica) Date: Wed, 27 Apr 2016 17:41:07 +0000 Subject: [Freeipa-users] krb5kdc service not starting In-Reply-To: <20160427171859.h5g7ync3m3adcjwu@redhat.com> References: <5720678C.8090709@redhat.com> <0984AB34E553F54B8705D776686863E70AC032CC@cd-exchange01.CD-PRD.candeal.ca> <5720C747.7090709@redhat.com> <0984AB34E553F54B8705D776686863E70AC033CA@cd-exchange01.CD-PRD.candeal.ca> <5720D35C.8050304@redhat.com> <0984AB34E553F54B8705D776686863E70AC0346D@cd-exchange01.CD-PRD.candeal.ca> <5720D80E.7070003@redhat.com> <0984AB34E553F54B8705D776686863E70AC034DC@cd-exchange01.CD-PRD.candeal.ca> <5720DA04.3090506@redhat.com> <0984AB34E553F54B8705D776686863E70AC036FA@cd-exchange01.CD-PRD.candeal.ca> <20160427171859.h5g7ync3m3adcjwu@redhat.com> Message-ID: <0984AB34E553F54B8705D776686863E70AC0379B@cd-exchange01.CD-PRD.candeal.ca>

All good!!!

Gady

-----Original Message-----
From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
Sent: April 27, 2016 1:19 PM
To: Gady Notrica
Cc: Ludwig Krispenz; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

On Wed, 27 Apr 2016, Gady Notrica wrote:
> Hello Ludwig,
>
> Is there a reason why my AD shows offline?
>
> [root at cd-p-ipa1 /]# wbinfo --online-status
> BUILTIN : online
> IPA : online
> CD-PRD : offline
wbinfo output is irrelevant for RHEL 7.2-based IPA trusts. You need to make sure that 'getent passwd CD-PRD\\Administrator' resolves via SSSD.
--
/ Alexander Bokovoy

From schogan at us.ibm.com Wed Apr 27 17:53:22 2016 From: schogan at us.ibm.com (Sean Hogan) Date: Wed, 27 Apr 2016 10:53:22 -0700 Subject: [Freeipa-users] IPA vulnerability management SSL In-Reply-To: <20160427173502.36trmhjxmdr4eegn@redhat.com> References: <201604270527.u3R5RvrE005517@d03av01.boulder.ibm.com> <20160427065215.3owetlgimd6yujes@redhat.com> <20160427173502.36trmhjxmdr4eegn@redhat.com> Message-ID: <201604271754.u3RHscaD029388@d01av03.pok.ibm.com>

Hi Alex,

Just wanted to make sure.. needed to know if I had to upgrade or spend more time trial and erroring this out. So since my nmap is showing this

[bob at server slapd-PKI-IPA]# nmap --script ssl-enum-ciphers -p 636 `hostname`

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 13:42 EDT
Nmap scan report for
Host is up (0.000090s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (13)
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|       SSL_RSA_FIPS_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA256
|       TLS_RSA_WITH_AES_128_GCM_SHA256
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|       TLS_RSA_WITH_DES_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|     Compressors (1)
|_      uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds

I decided to remove TLS_RSA_EXPORT1024_WITH_RC4_56_SHA so looked up what DS actually names this to be and it looks like these have to be removed

TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
rsa_rc4_56_sha
tls_dhe_dss_1024_rc4_sha
tls_rsa_export1024_with_rc4_56_sh

I stopped IPA with ipactl stop
modified dse.ldif with this

nsSSL3Ciphers: +all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4
 _56_sha,-tls_dhe_dss_1024_rc4_sha
allowweakcipher: off
numSubordinates: 1

Reran nmap and it still shows TLS_RSA_EXPORT1024_WITH_RC4_56_SHA

[bob at server slapd-PKI-IPA]# nmap --script ssl-enum-ciphers -p 636 `hostname`

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 13:48 EDT
Nmap scan report for
Host is up (0.000078s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (13)
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|       SSL_RSA_FIPS_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA256
|       TLS_RSA_WITH_AES_128_GCM_SHA256
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|       TLS_RSA_WITH_DES_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|     Compressors (1)
|_      uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

Am I doing something wrong here?

Sean Hogan

From: Alexander Bokovoy
To: Sean Hogan/Durham/IBM at IBMUS
Cc: freeipa-users
Date: 04/27/2016 10:35 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL

On Wed, 27 Apr 2016, Sean Hogan wrote:
> Hello Alexander
>
> I knew the below which is why I added my DS rpm version in the orig email
> which made sense to me but per 389 DS docs allowweakcipher starts in
> 1.3.3.2 in case anyone else reads this. At least that's what the docs say
> but you may know something where it actually does not work til 1.3.4.0. I
> dunno
> http://directory.fedoraproject.org/docs/389ds/design/nss-cipher-design.html
>
> Additionally I want to clarify the comment 4.3.1 has this as default setup.
> Are you suggesting that IPA 3.0.47 for rhel6 is incapable of getting a
> stronger ssl config and that anyone who needs tighter cipher control needs
> to upgrade to IPA 4.3.1 and their OS to RHEL(centos, scientific) 7
All I said is that we fixed this particular issue to make sure defaults in 4.3.1 reflect current status quo on SSL ciphers. If you want to have a similar setup with 3.0.47, you are welcome to improve the configuration based on the effort we did for 4.3.1.
Notice that I said nothing about incapability of either deployment to handle this, not sure where you were able to read that from.

--
/ Alexander Bokovoy

From bret.wortman at damascusgrp.com Wed Apr 27 18:24:14 2016 From: bret.wortman at damascusgrp.com (Bret Wortman) Date: Wed, 27 Apr 2016 14:24:14 -0400 Subject: [Freeipa-users] IPA server having cert issues In-Reply-To: <5720F2AB.3000300@redhat.com> References: <571F586E.2000302@damascusgrp.com> <571F5B99.4060607@damascusgrp.com> <571F6BF5.9060801@damascusgrp.com> <571F6C80.8000006@damascusgrp.com> <7c9ac60d-f182-cb92-bf53-85359e5c5b81@redhat.com> <571F9092.7060204@damascusgrp.com> <571F9E04.2050400@damascusgrp.com> <571FA944.8040003@redhat.com> <571FAE1C.107@damascusgrp.com> <57208EE1.3000006@damascusgrp.com> <5720D0A8.505@damascusgrp.com> <5720F2AB.3000300@redhat.com> Message-ID: <572103CE.6030404@damascusgrp.com>

I put excerpts from the ca logs in http://pastebin.com/gYgskU79. It looks logical to me, but I can't spot anything that looks like a root cause error. The selftests are all okay, I think. The debug log might have something, but it might also just be complaining about ldap not being up because it's not.

On 04/27/2016 01:11 PM, Rob Crittenden wrote:
> Bret Wortman wrote:
>> So in lieu of fixing these certs, is there an acceptable way to dump
>> them all and start over /without losing the contents of the IPA
>> database/? Or otherwise really screwing ourselves?
>
> I don't believe there is a way.
>
>> We have a replica that's still up and running and we've switched
>> everyone over to talking to it, but we're at risk with just the one.
>
> I'd ignore the two unknown certs for now. They look like someone was
> experimenting with issuing a cert and didn't quite get things working.
>
> The CA seems to be throwing an error. I'd check the syslog for
> messages from certmonger and look at the CA debug log and selftest log.
>
> rob
> [snip]

From dsullivan2 at bsd.uchicago.edu Wed Apr 27 19:10:06 2016 From: dsullivan2 at bsd.uchicago.edu (Sullivan, Daniel [AAA]) Date: Wed, 27 Apr 2016 19:10:06 +0000 Subject: [Freeipa-users] Question regarding modifying attributes Message-ID: <3B83963C-5BF5-45C9-BC9C-F63AEA26933D@bsd.uchicago.edu>

Hi,

I have a trusted AD domain that I am enumerating objects via IPA. I wanted to know if I should be able to manipulate the uidNumber and gidNumber stored in the default ID view by using the ldapmodify command, for example, for this DN (not local):

uid=user at domain.edu,cn=users,cn=compat,dc=ipatst,dc=cri,dc=uchicago,dc=edu

Should it be possible to modify this via IPA's LDAP implementation (using ldapmodify)? I appreciate you taking the time to answer my question.

Thank you,

Dan Sullivan

********************************************************************************
This e-mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged and confidential. If the reader of this e-mail message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is prohibited. If you have received this e-mail in error, please notify the sender and destroy all copies of the transmittal.
Thank you
University of Chicago Medicine and Biological Sciences
********************************************************************************

From anthony.wan.cheng at gmail.com Wed Apr 27 19:54:57 2016 From: anthony.wan.cheng at gmail.com (Anthony Cheng) Date: Wed, 27 Apr 2016 19:54:57 +0000 Subject: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great. Message-ID:

Hi list,

I am trying to renew expired certificates following the manual renewal procedure here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but even with resetting the system/hardware clock to a time before they expired, I am getting the error "ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great." With NTP disabled and the clock reset, why would it complain about clock skew and how does it even know about the current time?

[root at test certs]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20111214223243': status: MONITORING ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great. stuck: no key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=sample.NET subject: CN=test.sample.net,O=sample.NET expires: 2016-01-29 14:09:46 UTC eku: id-kp-serverAuth pre-save command: post-save command: track: yes auto-renew: yes
Request ID '20111214223300': status: MONITORING ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
stuck: no key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=sample.NET subject: CN=test.sample.net,O=sample.NET expires: 2016-01-29 14:09:45 UTC eku: id-kp-serverAuth pre-save command: post-save command: track: yes auto-renew: yes Request ID '20111214223316': status: MONITORING ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great. stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=sample.NET subject: CN=test.sample.net,O=sample.NET expires: 2016-01-29 14:09:45 UTC eku: id-kp-serverAuth pre-save command: post-save command: track: yes auto-renew: yes Request ID '20130519130741': status: NEED_CSR_GEN_PIN ca-error: Internal error: no response to " http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true ". 
stuck: yes key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664 ' certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=sample.NET subject: CN=CA Audit,O=sample.NET expires: 2017-10-13 14:10:49 UTC pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20130519130742': status: NEED_CSR_GEN_PIN ca-error: Internal error: no response to " http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true ". stuck: yes key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664 ' certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=sample.NET subject: CN=OCSP Subsystem,O=sample.NET expires: 2017-10-13 14:09:49 UTC eku: id-kp-OCSPSigning pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20130519130743': status: NEED_CSR_GEN_PIN ca-error: Internal error: no response to " http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true ". 
stuck: yes key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664 ' certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=sample.NET subject: CN=CA Subsystem,O=sample.NET expires: 2017-10-13 14:09:49 UTC eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" track: yes auto-renew: yes Request ID '20130519130744': status: MONITORING ca-error: Internal error: no response to " http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true ". stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=sample.NET subject: CN=RA Subsystem,O=sample.NET expires: 2017-10-13 14:09:49 UTC eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes Request ID '20130519130745': status: NEED_CSR_GEN_PIN ca-error: Internal error: no response to " http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true ". 
stuck: yes key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664 ' certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=sample.NET subject: CN=test.sample.net,O=sample.NET expires: 2017-10-13 14:09:49 UTC eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes

--
Thanks, Anthony

From abokovoy at redhat.com Wed Apr 27 20:00:42 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 27 Apr 2016 23:00:42 +0300 Subject: [Freeipa-users] Question regarding modifying attributes In-Reply-To: <3B83963C-5BF5-45C9-BC9C-F63AEA26933D@bsd.uchicago.edu> References: <3B83963C-5BF5-45C9-BC9C-F63AEA26933D@bsd.uchicago.edu> Message-ID: <20160427200042.jpzesbzajhmsdzqi@redhat.com>

On Wed, 27 Apr 2016, Sullivan, Daniel [AAA] wrote:
> Hi,
>
> I have a trusted AD domain that I am enumerating objects via IPA. I
> wanted to know if I should be able to manipulate the uidNumber and
> gidNumber stored in the default ID view by using the ldapmodify
> command, for example, for this DN (not local):
>
> uid=user at domain.edu,cn=users,cn=compat,dc=ipatst,dc=cri,dc=uchicago,dc=edu
>
> Should it be possible to modify this via IPA's LDAP implementation
> (using ldapmodify)? I appreciate you taking the time to answer my
> question.
No. The subtree in cn=compat,$SUFFIX is read-only and is generated every time you restart the LDAP server.

uid/gid in the default ID View are managed via the idoverrideuser/idoverridegroup set of commands.

See 'ipa help idviews' for details.
--
/ Alexander Bokovoy

From sergey57 at gmail.com Wed Apr 27 20:14:03 2016 From: sergey57 at gmail.com (sergey ivanov) Date: Wed, 27 Apr 2016 16:14:03 -0400 Subject: [Freeipa-users] does ptr records an admin have to take care of manually? testing! Message-ID:

sitest2

Regards,
Sergey Ivanov | sergey57 at gmail.com
bitmessage: BM-NBaNYkjtB5QBtoqvNYHvoEbNQqVMPBZD
digitalnote: ddeDtD1zUPvLBsxC5K8NSiAiXJeKeGpH1fd4ad41UuBU\ EUyKzT7JoND26FrJNdsies7EwoiSTKhMi5KEqyn525ZD2LAA3JCjQ

On Wed, Apr 27, 2016 at 9:12 AM, lejeczek wrote:
> hi,
>
> regular server install with --setup-dns
> then clients to follow, but I see there:
>
> Missing reverse record(s) for address(es):
>
> does that mean that by default server install process does not include
> reverse zones?
> These need to be set up manually/independently ?
>
> many thanks
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From dsullivan2 at bsd.uchicago.edu Wed Apr 27 20:45:30 2016 From: dsullivan2 at bsd.uchicago.edu (Sullivan, Daniel [AAA]) Date: Wed, 27 Apr 2016 20:45:30 +0000 Subject: [Freeipa-users] Question regarding modifying attributes In-Reply-To: <20160427200042.jpzesbzajhmsdzqi@redhat.com> References: <3B83963C-5BF5-45C9-BC9C-F63AEA26933D@bsd.uchicago.edu> <20160427200042.jpzesbzajhmsdzqi@redhat.com> Message-ID: <0C2EA546-2895-4C15-BF52-6362711DE1B3@bsd.uchicago.edu>

Thank you.

Dan

> On Apr 27, 2016, at 3:00 PM, Alexander Bokovoy wrote:
>
> On Wed, 27 Apr 2016, Sullivan, Daniel [AAA] wrote:
>> Hi,
>>
>> I have a trusted AD domain that I am enumerating objects via IPA. I
>> wanted to know if I should be able to manipulate the uidNumber and
>> gidNumber stored in the default ID view by using the ldapmodify
>> command, for example, for this DN (not local):
>>
>> uid=user at domain.edu,cn=users,cn=compat,dc=ipatst,dc=cri,dc=uchicago,dc=edu
>>
>> Should it be possible to modify this via IPA's LDAP implementation
>> (using ldapmodify)? I appreciate you taking the time to answer my
>> question.
> No. The subtree in cn=compat,$SUFFIX is read-only and is generated every
> time you restart the LDAP server.
>
> uid/gid in the default ID View are managed via the
> idoverrideuser/idoverridegroup set of commands.
>
> See 'ipa help idviews' for details.
>
> --
> / Alexander Bokovoy

From schogan at us.ibm.com Wed Apr 27 23:23:50 2016 From: schogan at us.ibm.com (Sean Hogan) Date: Wed, 27 Apr 2016 16:23:50 -0700 Subject: [Freeipa-users] IPA vulnerability management SSL In-Reply-To: References: <201604270527.u3R5RvrE005517@d03av01.boulder.ibm.com> <6c44a1aa-b1d5-cd85-fc64-38b38d8a1e4b@redhat.com> Message-ID: <201604272323.u3RNNvQA031628@d03av03.boulder.ibm.com>

Hi Martin,

No joy on placing - in front of the RC4s

I modified my nss.conf to now read

# SSL 3 ciphers. SSL 2 is disabled by default.
NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha

# SSL Protocol:
# Cryptographic protocols that provide communication security.
# NSS handles the specified protocols as "ranges", and automatically
# negotiates the use of the strongest protocol for a connection starting
# with the maximum specified protocol and downgrading as necessary to the
# minimum specified protocol that can be used between two processes.
# Since all protocol ranges are completely inclusive, and no protocol in the
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2

dse.ldif

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20150420131850Z
modifyTimestamp: 20150420131906Z
nsSSL3Ciphers: +all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4
 _56_sha,-tls_dhe_dss_1024_rc4_sha
numSubordinates: 1

But I still get this with nmap.. I thought the above would remove -tls_rsa_export1024_with_rc4_56_sha but still showing. Is it the fact that I am not offering -tls_rsa_export1024_with_rc4_56_sha? If so.. not really understanding where it is coming from cept the +all from DS but the - should be negating that?

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 17:37 EDT
Nmap scan report for rtpvxl0077.watson.local (10.110.76.242)
Host is up (0.000086s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (13)
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|       SSL_RSA_FIPS_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA256
|       TLS_RSA_WITH_AES_128_GCM_SHA256
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|       TLS_RSA_WITH_DES_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|     Compressors (1)
|_      uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds

It seems no matter what config I put into nss.conf or dse.ldif nothing changes with my nmap results. Is there supposed to be a section to add TLS ciphers instead of SSL?

Sean Hogan

From: Sean Hogan/Durham/IBM
To: Martin Kosek
Cc: freeipa-users
Date: 04/27/2016 09:59 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL

I ran the following:

nmap --script ssl-enum-ciphers -p 636 `hostname`

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 12:48 EDT
Nmap scan report for bob
Host is up (0.000078s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (13)
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|       SSL_RSA_FIPS_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA256
|       TLS_RSA_WITH_AES_128_GCM_SHA256
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|       TLS_RSA_WITH_DES_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|     Compressors (1)
|_      uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds

Tenable is barking about the following.. only listing 636 but the same applies for 389

Plugin ID: 65821
Port 636
Synopsis: The remote service supports the use of the RC4 cipher.
Description
The remote host supports the use of RC4 in one or more cipher suites.
The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of small biases are introduced into the stream, decreasing its randomness.

And 636 and 389 for Plugin ID: 81606
port 389
Synopsis: The remote host supports a set of weak ciphers.
Description
The remote host supports EXPORT_RSA cipher suites with keys less than or equal to 512 bits. An attacker can factor a 512-bit RSA modulus in a short amount of time. A man-in-the-middle attacker may be able to downgrade the session to use EXPORT_RSA cipher suites (e.g. CVE-2015-0204). Thus, it is recommended to remove support for weak cipher suites.

So I do see RC4 and the exports, so I guess I can - those in the dse.ldif.

From: Sean Hogan/Durham/IBM
To: Martin Kosek
Cc: freeipa-users
Date: 04/27/2016 09:33 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL

Hi Martin,

Thanks for the response. We are at RHEL 6.7... getting the hits on 389 and 636, so it's the Directory server ports, which I assume is dse.ldif.

Sean Hogan

From: Martin Kosek
To: Sean Hogan/Durham/IBM at IBMUS, freeipa-users
Date: 04/27/2016 01:43 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL

On 04/27/2016 07:27 AM, Sean Hogan wrote:
> Hello,
>
> We currently have 7 ipa servers in multi master running:
>
> ipa-server-3.0.0-47.el6_7.1.x86_64
> 389-ds-base-1.2.11.15-68.el6_7.x86_64
>
> Tenable is showing the use of weak ciphers along with freak vulnerabilities. I
> have followed
> https://access.redhat.com/solutions/675183 however issues remain in the ciphers
> being used.

Can you show the full report, so that we can see what's wrong? What I am looking for also is if the problem is LDAPS port or HTTPS port, so that we are not fixing the wrong service.
DS ciphers were hardened in RHEL-6.x and RHEL-7.x already as part of this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1154687

Further hardening comes with FreeIPA 4.3.1+:
https://fedorahosted.org/freeipa/ticket/5684
https://fedorahosted.org/freeipa/ticket/5589
(it should appear in RHEL-7.3+)

Martin

From kliu at alumni.warwick.ac.uk Thu Apr 28 06:00:01 2016
From: kliu at alumni.warwick.ac.uk (Barry)
Date: Thu, 28 Apr 2016 14:00:01 +0800
Subject: [Freeipa-users] can live turn off nsslapd-security: to off ?
In-Reply-To:
References: <14d0beeb-0f35-593f-19bc-4cebe1c051d7@redhat.com> <42dfccde-ad58-e4ca-80ae-2e6a460186b3@redhat.com>
Message-ID:

NOT work, tried .. cannot bind the command 389 or 636 ,,, but telnet works

ldapmodify -h ms -p 636 -D cn="Directory Manager" -w << EOF
dn: cn=config
changetype: modify
replace: nsslapd-security
nsslapd-security: off
EOF

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

2016-04-27 19:29 GMT+08:00 :
> thx let me try as i dont want stop dirsrv but live disable nsslapd
> security.
> On 27 Apr 2016 at 7:26 PM, "David Kupka" wrote:
>
>> On 27/04/16 13:15, barrykfl at gmail.com wrote:
>>
>>> Do u meant use ldapmodify?
>>> I tried update the dse.ldif but it will fall back after a while.
>>>
>>> On 27 Apr 2016 at 7:10 PM, "David Kupka" wrote:
>>>
>>> On 27/04/16 12:48, barrykfl at gmail.com wrote:
>>>
>>> Hi:
>>>
>>> Without restarting dirsrv possible do that ?
>>>
>>> thx Regards
>>>
>>> barry
>>>
>>> Hello Barry,
>>>
>>> this ldapsearch should list all attributes that need restart after
>>> modification:
>>>
>>> $ ldapsearch -D "cn=Directory Manager" -w Secret123 -b cn=config
>>> nsslapd-requiresrestart
>>>
>>> I don't see nsslapd-security listed so it should be possible to
>>> change it in
>>> runtime.
>>>
>>> --
>>> David Kupka
>>
>> Yes, I mean ldapmodify.
>>
>> Editing dse.ldif while dirsrv is running has no effect because it is read
>> only at start and written at least before exit.
>>
>> If you REALLY need to edit dse.ldif be sure to stop dirsrv then edit it
>> and start dirsrv again.
>>
>> --
>> David Kupka

From dkupka at redhat.com Thu Apr 28 07:21:08 2016
From: dkupka at redhat.com (David Kupka)
Date: Thu, 28 Apr 2016 09:21:08 +0200
Subject: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
In-Reply-To:
References:
Message-ID: <1e4b516f-1532-0f55-034d-98f21833d53a@redhat.com>

On 27/04/16 21:54, Anthony Cheng wrote:
> Hi list,
>
> I am trying to renew expired certificates following the manual renewal procedure
> here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but even with
> resetting the system/hardware clock to a time before expires, I am getting the
> error "ca-error: Error setting up ccache for local "host" service using default
> keytab: Clock skew too great."
>
> With NTP disabled and clock reset why would it complain about clock skew and how
> does it even know about the current time?
>
> [root at test certs]# getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20111214223243':
> status: MONITORING
> ca-error: Error setting up ccache for local "host" service using
> default keytab: Clock skew too great.
> stuck: no > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt' > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=test.sample.net ,O=sample.NET > expires: 2016-01-29 14:09:46 UTC > eku: id-kp-serverAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20111214223300': > status: MONITORING > ca-error: Error setting up ccache for local "host" service using > default keytab: Clock skew too great. > stuck: no > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate > DB' > CA: IPA > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=test.sample.net ,O=sample.NET > expires: 2016-01-29 14:09:45 UTC > eku: id-kp-serverAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20111214223316': > status: MONITORING > ca-error: Error setting up ccache for local "host" service using > default keytab: Clock skew too great. 
> stuck: no > key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=test.sample.net ,O=sample.NET > expires: 2016-01-29 14:09:45 UTC > eku: id-kp-serverAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20130519130741': > status: NEED_CSR_GEN_PIN > ca-error: Internal error: no response to > "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true". > stuck: yes > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > ' > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=CA Audit,O=sample.NET > expires: 2017-10-13 14:10:49 UTC > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "auditSigningCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20130519130742': > status: NEED_CSR_GEN_PIN > ca-error: Internal error: no response to > "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true". 
> stuck: yes > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > ' > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=OCSP Subsystem,O=sample.NET > expires: 2017-10-13 14:09:49 UTC > eku: id-kp-OCSPSigning > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "ocspSigningCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20130519130743': > status: NEED_CSR_GEN_PIN > ca-error: Internal error: no response to > "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true". > stuck: yes > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > ' > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=CA Subsystem,O=sample.NET > expires: 2017-10-13 14:09:49 UTC > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "subsystemCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20130519130744': > status: MONITORING > ca-error: Internal error: no response to > "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true". 
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate
> DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=sample.NET
> subject: CN=RA Subsystem,O=sample.NET
> expires: 2017-10-13 14:09:49 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> track: yes
> auto-renew: yes
> Request ID '20130519130745':
> status: NEED_CSR_GEN_PIN
> ca-error: Internal error: no response to
> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
> stuck: yes
> key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB',pin='297100916664
> '
> certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=sample.NET
> subject: CN=test.sample.net ,O=sample.NET
> expires: 2017-10-13 14:09:49 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> --
>
> Thanks, Anthony
>
>

Hello Anthony!

After stopping NTP (or other time synchronizing service) and setting time manually, the server really doesn't have a way to determine that its time differs from the real one. I think this might be an issue with the Kerberos ticket. You can show the content of root's ticket cache using klist. If there is anything, clean it with kdestroy and try to resubmit the request again.
--
David Kupka

From sbose at redhat.com Thu Apr 28 07:23:19 2016
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 28 Apr 2016 09:23:19 +0200
Subject: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
In-Reply-To:
References:
Message-ID: <20160428072318.GC11731@p.redhat.com>

On Wed, Apr 27, 2016 at 07:54:57PM +0000, Anthony Cheng wrote:
> Hi list,
>
> I am trying to renew expired certificates following the manual renewal
> procedure here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but
> even with resetting the system/hardware clock to a time before expires, I
> am getting the error "ca-error: Error setting up ccache for local "host"
> service using default keytab: Clock skew too great."

This is a Kerberos error message which is not related to the certificate lifetime. Please try to make sure that client and server use the same time.

bye,
Sumit

>
> With NTP disabled and clock reset why would it complain about clock skew and
> how does it even know about the current time?
>
> [root at test certs]# getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20111214223243':
> status: MONITORING
> ca-error: Error setting up ccache for local "host" service using
> default keytab: Clock skew too great.
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=sample.NET
> subject: CN=test.sample.net,O=sample.NET
> expires: 2016-01-29 14:09:46 UTC
> eku: id-kp-serverAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> --
>
> Thanks, Anthony
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From mbasti at redhat.com Thu Apr 28 08:15:37 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 28 Apr 2016 10:15:37 +0200
Subject: [Freeipa-users] can live turn off nsslapd-security: to off ?
In-Reply-To:
References: <14d0beeb-0f35-593f-19bc-4cebe1c051d7@redhat.com> <42dfccde-ad58-e4ca-80ae-2e6a460186b3@redhat.com>
Message-ID: <5721C6A9.6080204@redhat.com>

On 28.04.2016 08:00, Barry wrote:
> NOT work, tried... cannot bind the command on 389 or 636, but telnet works
>
> ldapmodify -h ms -p 636 -D cn="Directory Manager" -w << EOF
> dn: cn=config
> changetype: modify
> replace: nsslapd-security
> nsslapd-security: off
> EOF
>
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
Can you please try to put the FQDN of the LDAP server in option -h? I have doubts that -h 'ms' is the server name.

Martin

>
> 2016-04-27 19:29 GMT+08:00 >:
>
> Thanks, let me try, as I don't want to stop dirsrv but live-disable nsslapd security.
>
> On 27 Apr 2016 at 7:26 PM, "David Kupka" wrote:
>
> On 27/04/16 13:15, barrykfl at gmail.com wrote:
>
> Do you mean use ldapmodify?
> I tried updating the dse.ldif but it will fall back after a while.
>
> On 27 Apr 2016 at 7:10 PM, "David Kupka" wrote:
>
> On 27/04/16 12:48, barrykfl at gmail.com wrote:
>
> Hi:
>
> Is it possible to do that without restarting dirsrv?
>
> Thanks, regards
>
> barry
>
> Hello Barry,
>
> this ldapsearch should list all attributes that need a restart after modification:
>
> $ ldapsearch -D "cn=Directory Manager" -w Secret123 -b cn=config nsslapd-requiresrestart
>
> I don't see nsslapd-security listed so it should be possible to change it at runtime.
>
> --
> David Kupka
>
> Yes, I mean ldapmodify.
>
> Editing dse.ldif while dirsrv is running has no effect because it is read only at start and written at least before exit.
>
> If you REALLY need to edit dse.ldif be sure to stop dirsrv, then edit it and start dirsrv again.
>
> --
> David Kupka
From kliu at alumni.warwick.ac.uk Thu Apr 28 09:03:12 2016
From: kliu at alumni.warwick.ac.uk (Barry)
Date: Thu, 28 Apr 2016 17:03:12 +0800
Subject: [Freeipa-users] can live turn off nsslapd-security: to off ?
In-Reply-To: <5721C6A9.6080204@redhat.com>
References: <14d0beeb-0f35-593f-19bc-4cebe1c051d7@redhat.com> <42dfccde-ad58-e4ca-80ae-2e6a460186b3@redhat.com> <5721C6A9.6080204@redhat.com>
Message-ID:

Already set nsslapd-security off on server 1 <> server 2, but it still produces an error on replication. Is it possible to ignore any cert / startTLS?

/var/log/dirsrv/slapd-PKI-IPA

[28/Apr/2016:16:51:15 +0800] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[26/Apr/2016:18:35:31 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)

2016-04-28 16:15 GMT+08:00 Martin Basti :
>
> On 28.04.2016 08:00, Barry wrote:
> NOT work, tried... cannot bind the command on 389 or 636, but telnet works
>
> ldapmodify -h ms -p 636 -D cn="Directory Manager" -w << EOF
> dn: cn=config
> changetype: modify
> replace: nsslapd-security
> nsslapd-security: off
> EOF
>
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> Can you please try to put the FQDN of the LDAP server in option -h?
> I have doubts that -h 'ms' is the server name.
>
> Martin
>
> 2016-04-27 19:29 GMT+08:00 :
>
>> Thanks, let me try, as I don't want to stop dirsrv but live-disable nsslapd security.
>> On 27 Apr 2016 at 7:26 PM, "David Kupka" wrote:
>>
>>> On 27/04/16 13:15, barrykfl at gmail.com wrote:
>>>
>>>> Do you mean use ldapmodify?
>>>> I tried updating the dse.ldif but it will fall back after a while.
>>>>
>>>> On 27 Apr 2016 at 7:10 PM, "David Kupka" wrote:
>>>>
>>>> On 27/04/16 12:48, barrykfl at gmail.com wrote:
>>>>
>>>> Hi:
>>>>
>>>> Is it possible to do that without restarting dirsrv?
>>>>
>>>> Thanks, regards
>>>>
>>>> barry
>>>>
>>>> Hello Barry,
>>>>
>>>> this ldapsearch should list all attributes that need a restart after modification:
>>>>
>>>> $ ldapsearch -D "cn=Directory Manager" -w Secret123 -b cn=config nsslapd-requiresrestart
>>>>
>>>> I don't see nsslapd-security listed so it should be possible to change it at runtime.
>>>>
>>>> --
>>>> David Kupka
>>>>
>>> Yes, I mean ldapmodify.
>>>
>>> Editing dse.ldif while dirsrv is running has no effect because it is read only at start and written at least before exit.
>>>
>>> If you REALLY need to edit dse.ldif be sure to stop dirsrv, then edit it and start dirsrv again.
>>>
>>> --
>>> David Kupka

From Terry.John at completeautomotivesolutions.co.uk Thu Apr 28 09:08:18 2016
From: Terry.John at completeautomotivesolutions.co.uk (Terry John)
Date: Thu, 28 Apr 2016 09:08:18 +0000
Subject: [Freeipa-users] Announcing SSSD 1.13.4
In-Reply-To: <20160414151708.GW15447@hendrix.redhat.com>
References: <20160414151708.GW15447@hendrix.redhat.com>
Message-ID:

I am plagued by the "sssd dereference processing failed : Input/output error" problem. Is there any news on when this version of sssd will be released for RedHat/CentOS?

My current version is: 1.12.4-47.el6

Terry

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jakub Hrozek
Sent: 14 April 2016 16:17
To: sssd-devel at lists.fedorahosted.org; sssd-users at lists.fedorahosted.org; freeipa-users at redhat.com; freeipa-interest at redhat.com
Subject: [Freeipa-users] Announcing SSSD 1.13.4

== SSSD 1.13.4 ==

The SSSD team is proud to announce the release of version 1.13.4 of the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==
* The IPA sudo provider was reimplemented. The new version reads the data from IPA's LDAP tree (as opposed to the compat tree populated by the slapi-nis plugin that was used previously). The benefit is that deployments which don't require the compat tree for other purposes, such as support for non-SSSD clients, can disable those autogenerated LDAP trees to conserve the resources that slapi-nis otherwise requires. There should be no visible changes to the end user.
* SSSD now has the ability to renew the machine credentials (keytabs) when the ad provider is used. Please note that a recent version of the adcli package (0.8 or newer) is required for this feature to work.
* The automatic ID mapping feature was improved so that the administrator is no longer required to manually set the range size in case a RID in the AD domain is larger than the default range size.
* A potential infinite loop in the NFS ID mapping plugin that was resulting in excessive memory usage was fixed.
* Clients that are pinned to a particular AD site using the ad_site option no longer communicate with DCs outside that site during service discovery.
* The IPA identity provider is now able to resolve external (typically coming from a trusted AD forest) group members during get-group-information requests. Please note that resolving external group memberships for AD users during the initgroup requests used to work even prior to this update. This feature is mostly useful for cases where an IPA client is using the compat tree to resolve AD trust users.
* The IPA ID views feature now works correctly even for deployments without a trust relationship. Previously, the subdomains IPA provider failed to read the views data if no master domain record was created on the IPA server during trust establishment.
* A race condition in the client libraries between SSSD closing the socket as idle and the client application using the socket was fixed. This bug manifested with a Broken Pipe error message on the client.
* SSSD is now able to resolve users with the same usernames in different OUs of an AD domain.
* Smartcard authentication now works properly with gnome-screensaver.

== Packaging Changes ==
* The krb5.include.d directory is now owned by the sssd user and packaged in the krb5-common subpackage.

== Documentation Changes ==
* A new option ldap_idmap_helper_table_size was added. This option can help tune allocation of new ID mapping slices for AD domains with high RID values. Most deployments can use the default value of this option.
* Several PAM services were added to the lists that are used to map Windows logon services to Linux PAM services. The newly added PAM services include login managers (lightdm, lxdm, sddm and xdm) as well as the cockpit service.
* The AD machine credentials renewal task can be fine-tuned using ad_machine_account_password_renewal_opts to change the initial delay and period of the credentials renewal task. In addition, the new ad_maximum_machine_account_password_age option allows the administrator to select how old the machine credential must be before trying to renew it.
* The administrator can use the new option pam_account_locked_message to set a custom informational message when the account logging in is locked.
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1041
    [RFE] Support Automatic Renewing of Kerberos Host Keytabs
https://fedorahosted.org/sssd/ticket/1108
    [RFE] SUDO: Support the IPA schema
https://fedorahosted.org/sssd/ticket/2188
    automatically assign new slices for any AD domain
https://fedorahosted.org/sssd/ticket/2522
    [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid
https://fedorahosted.org/sssd/ticket/2626
    Retry EPIPE from clients
https://fedorahosted.org/sssd/ticket/2764
    the colondb intreface has no unit tests
https://fedorahosted.org/sssd/ticket/2765
    ad_site parameter does not work
https://fedorahosted.org/sssd/ticket/2785
    incompatibility between sparkleshare and sss_ssh_knownhostsproxy due to setlocale()
https://fedorahosted.org/sssd/ticket/2791
    sssd dereference processing failed : Input/output error
https://fedorahosted.org/sssd/ticket/2829
    collapse_srv_lookups frees fo_server structure that is returned by fail over API
https://fedorahosted.org/sssd/ticket/2839
    Allow SSSD to notify user of denial due to AD account lockout
https://fedorahosted.org/sssd/ticket/2849
    cache_req: don't search override values in LDAP when using LOCAL view
https://fedorahosted.org/sssd/ticket/2865
    sssd_nss memory usage keeps growing on sssd-1.12.4-47.el6.x86_64 (RHEL6.7) when trying to retrieve non-existing netgroups
https://fedorahosted.org/sssd/ticket/2881
    MAN: Clarify that subdomains always use service discovery
https://fedorahosted.org/sssd/ticket/2888
    SRV lookups with id_provider=proxy and auth_provider=krb5
https://fedorahosted.org/sssd/ticket/2899
    [sssd] Trusted (AD) user's info stays in sssd cache for much more than expected.
https://fedorahosted.org/sssd/ticket/2902
    Review and update wiki pages for 1.13.4
https://fedorahosted.org/sssd/ticket/2904
    sssd_be AD segfaults on missing A record
https://fedorahosted.org/sssd/ticket/2906
    Cannot retrieve users after upgrade from 1.12 to 1.13
https://fedorahosted.org/sssd/ticket/2909
    extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members
https://fedorahosted.org/sssd/ticket/2910
    sssd mixup nested group from AD trusted domains
https://fedorahosted.org/sssd/ticket/2912
    refresh_expired_interval stops sss_cache from working
https://fedorahosted.org/sssd/ticket/2917
    Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore
https://fedorahosted.org/sssd/ticket/2922
    ID mapping - bug in computing max id for slice range
https://fedorahosted.org/sssd/ticket/2925
    Add gnome-screensaver to the list of PAM services considered for Smartcard authentication
https://fedorahosted.org/sssd/ticket/2931
    Warn if user cannot read krb5.conf
https://fedorahosted.org/sssd/ticket/2934
    After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user
https://fedorahosted.org/sssd/ticket/2937
    sss_obfuscate: SyntaxError: Missing parentheses in call to 'print'
https://fedorahosted.org/sssd/ticket/2938
    Cannot start sssd after switching to non-root
https://fedorahosted.org/sssd/ticket/2959
    The delete operation of the memberof plugin allocates memory on NULL context
https://fedorahosted.org/sssd/ticket/2960
    IPA view: view name not stored properly with default FreeIPA installation
https://fedorahosted.org/sssd/ticket/2961
    Initgroups in AD provider might fail if user is stored in a non-default ou
https://fedorahosted.org/sssd/ticket/2962
    GPO: Access denied in non-root mode
https://fedorahosted.org/sssd/ticket/2964
    GPO: Access denied after blocking connection to AD.
https://fedorahosted.org/sssd/ticket/2969
    sudorule not working with ipa sudo_provider on older freeipa
https://fedorahosted.org/sssd/ticket/2970
    sudo smart refresh does not work correctly on openldap
https://fedorahosted.org/sssd/ticket/2971
    SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo
https://fedorahosted.org/sssd/ticket/2972
    IPA sudo: support the externalUser attribute
https://fedorahosted.org/sssd/ticket/2980
    sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000]

== Detailed Changelog ==
Dan Lavu (1):
    * PAM: Fix man for pam_account_{expired,locked}_message

David Disseldorp (1):
    * build: detect endianness at configure time

Jakub Hrozek (17):
    * Upgrading the version for the 1.13.4 release
    * SDAP: Make it possible to silence errors from dereference
    * Add a new option ldap_group_external_member
    * IPA: Add interface to call into IPA provider from LDAP provider
    * LDAP: Use the IPA provider interface to resolve external group members
    * FO: Don't free rc-allocated structure
    * tests: Reduce failover code duplication
    * FO: Use refcount to keep track of servers returned to callers
    * FO: Use tevent_req_defer_callback() when notifying callers
    * memberof: Don't allocate on a NULL context
    * tests: Add a unit test for the external groups resolution
    * MAN: Remove duplicate description of the pam_account_locked_message option
    * AD: Recognize Windows Server 2016
    * memberof: Fix a memory leak when removing ghost users
    * memberof: Don't allocate on NULL when deleting memberUids
    * tests: Check NULL context in sysdb-tests when removing group members
    * Updating translations for the 1.13.4 release

Lukas Slebodnik (33):
    * SPEC: Change package ownership of %{pubconfpath}/krb5.include.d
    * CONFIGURE: Replace obsoleted macro AC_PROG_LIBTOOL
    * TESTS: Fix race condition in python test
    * PYTHON: sss_obfuscate should work with python3
    * PYTHON: Fix pep8 errors in sss_obfuscate
    * UTIL: Backport error code ERR_ACCOUNT_LOCKED
    * sss_idmap-tests: Fix segmentation fault
    * krb5_child: Warn if user cannot read krb5.conf
    * Fix typos reported by lintian
    * UTIL: Use prefix for debug function
    * UTIL: Provide varargs version of debug_fn
    * UTIL: Use sss_vdebug_fn for callbacks
    * Revert "DEBUG: Preventing chown_debug_file if journald on"
    * DEBUG: Ignore ENOENT for change owner of log files
    * TOOLS: Fix minor memory leak in sss_colondb_writeline
    * CI: Use yum-deprecated instead of dnf
    * FAIL_OVER: Fix warning value computed is not used
    * UTIL: Fix indentation in dlinklist.h
    * UTIL: Fix warning misleading-indentation
    * CLIENT: Reduce code duplication
    * CLIENT: Retry request after EPIPE
    * UTIL: Move debug part from util.h -> new debug.h
    * UTIL: Allow to append new line in sss_vdebug_fn
    * AUTOMAKE: Force usage of parallel test harness
    * CI: Use make check instead of make-check-wrap
    * test_ipa_subdom_server: Workaround for slow krb5 + SELinux
    * SPEC: Run extra unit tests with epel
    * GPO: Soften umask in gpo_child
    * GPO_CHILD: Create directories in gpo_cache with right permissions
    * GPO: Process GPOS in offline mode if ldap search failed
    * IPA: Check RDN in ipa_add_ad_memberships_get_next
    * dp_ptask: Fix memory leak in synchronous ptask
    * test_be_ptask: Check leaks in tests

Michal Židek (6):
    * NSS: do not skip cache check for netgoups
    * util: Continue if setlocale fails
    * server_setup: Log failed attempt to set locale
    * tests: Run intgcheck without libsemanage
    * tests: Regression test with wrong LC_ALL
    * GPO: log specific ini parse error messages

Pavel Březina (37):
    * AD SRV: prefer site-local DCs in LDAP ping
    * SDAP: do not fail if refs are found but not processed
    * SDAP: Add request that iterates over all search bases
    * SDAP: rename sdap_get_id_specific_filter
    * SDAP: support empty filters in sdap_combine_filters()
    * SUDO: use sdap_search_bases instead custom sb iterator
    * SUDO: make sudo sysdb interface more reusable
    * SUDO: move code shared between ldap and ipa to separate module
    * SUDO: allow to disable ptask
    * SUDO: fail on failed request that cannot be retry
    * IPA: add ipa_get_rdn and ipa_check_rdn
    * SDAP: use ipa_get_rdn() in nested groups
    * IPA SUDO: choose between IPA and LDAP schema
    * IPA SUDO: Add ipasudorule mapping
    * IPA SUDO: Add ipasudocmdgrp mapping
    * IPA SUDO: Add ipasudocmd mapping
    * IPA SUDO: Implement sudo handler
    * IPA SUDO: Implement full refresh
    * IPA SUDO: Implement rules refresh
    * IPA SUDO: Remember USN
    * SDAP: Add sdap_or_filters
    * IPA SUDO: Implement smart refresh
    * SUDO: sdap_sudo_set_usn() do not steal usn
    * SUDO: remove full_refresh_in_progress
    * SUDO: assume zero if usn is unknown
    * SUDO: allow disabling full refresh
    * SUDO: remember usn as number instead of string
    * SUDO: simplify usn filter
    * IPA SUDO: Add support for ipaSudoRunAsExt* attributes
    * sdap_connect_send: fail if uri or sockaddr is NULL
    * cache_req: simplify cache_req_cache_check()
    * cache_req: do not lookup views if possible
    * remove user certificate if not found on the server
    * IPA SUDO: download externalUser attribute
    * IPA SUDO: fix typo
    * IPA SUDO: support old ipasudocmd rdn
    * SUDO: be able to parse modifyTimestamp correctly

Pavel Reichl (11):
    * sudo: remove unused param name in sdap_sudo_get_usn()
    * sudo: remove unused param. in ldap_get_sudo_options
    * IDMAP: Fix computing max id for slice range
    * IDMAP: New structure for domain range params
    * IDMAP: Add support for automatic adding of ranges
    * IDMAP: Fix minor memory leak
    * IDMAP: Man change for ldap_idmap_range_size option
    * NSS: Fix memory leak netgroup
    * IDMAP: Add test to validate off by one bug
    * SDAP: Add return code ERR_ACCOUNT_LOCKED
    * PAM: Pass account lockout status and display message

Petr Cech (6):
    * KRB5: Adding DNS SRV lookup for krb5 provider
    * TOOLS: Fix memory leak after getline() failed
    * TOOLS: Add comments on functions in colondb
    * TEST_TOOLS_COLONDB: Add tests for sss_colondb_*
    * REFACTOR: umask(077) --> umask(SSS_DFL_X_UMASK)
    * REFACTOR: umask(0177) --> umask(SSS_DFL_UMASK)

Stephen Gallagher (2):
    * GPO: Add Cockpit to the Remote Interactive defaults
    * GPO: Add other display managers to interactive logon

Sumit Bose (20):
    * nfs idmap: fix infinite loop
    * Use right domain for user lookups
    * sdap_save_grpmem: determine domain by SID if possible
    * ipa_s2n_save_objects(): use configured user and group timeout
    * ldap: remove originalMeberOf if there is no memberOf
    * UTIL: allow to skip default options for child processes
    * DP_TASK: add be_ptask_get_timeout()
    * AD: add task to renew the machine account password if needed
    * FO: add fo_get_active_server()
    * FO: add be_fo_get_active_server_name()
    * AD: try to use current server in the renewal task
    * p11: add gnome-screensaver to list of allowed services
    * IPA: lookup idview name even if there is no master domain record
    * IPA: invalidate override data if original view is missing
    * sdap: improve filtering of multiple results in GC lookups
    * pam_sss: reorder pam_message array
    * sss_override: do not generate DN, search object
    * tools: read additional data of the master domain
    * sss_override: only add domain if name is not fully qualified
    * intg: local override for user with mixed case name

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

From rakesh.rajasekharan at gmail.com Thu Apr 28 09:13:25 2016
From: rakesh.rajasekharan at gmail.com (Rakesh Rajasekharan)
Date: Thu, 28 Apr 2016 14:43:25 +0530
Subject: [Freeipa-users] ipa-client password authentication failed
In-Reply-To: <70BBF132-4288-4550-B875-D774ED73FB20@redhat.com>
References: <20160422151651.GH620@hendrix> <70BBF132-4288-4550-B875-D774ED73FB20@redhat.com>
Message-ID:

Somehow, I am no longer facing this issue. The only change I made was correcting the /etc/openldap/ldap.conf file to point to the IPA master DNS rather than the older LDAP DNS. The file had "#File modified by ipa-client-install" but it did not change the LDAP DNS and still pointed to the older entry. I just corrected it and restarted sssd.

It did not work initially after changing it; however, I am no longer facing that issue now. Maybe it was a caching issue.

Thanks,
Rakesh

On Sun, Apr 24, 2016 at 5:01 PM, Jakub Hrozek wrote:
>
> > On 22 Apr 2016, at 19:21, Rakesh Rajasekharan <rakesh.rajasekharan at gmail.com> wrote:
> >
> > Hi Jakub
> >
> > the child only had that much info..
> >
> > From the domain logs, it looks like it was able to resolve the master. However, the LDAP results say found nothing.
> >
> > I was earlier running an openldap client on this host and then migrated to IPA.
> >
> > /etc/openldap/ldap.conf was still pointing to the older ldap master..
> >
> > #File modified by ipa-client-install
> >
> > URI ldaps://older-ldap-master.com:636/
> > BASE dc=xyz,dc=com
> > TLS_CACERT /etc/ipa/ca.crt
> >
> > TLS_CACERTDIR /etc/openldap/cacerts]
> >
> > I corrected that to point to IPA and noticed that getent passwd now successfully lists all the users.
> > However, the authentication does not work yet. (ldapsearch -x though shows all the users.)
> >
> > I re-tested it now...
> > Below is the domain log:
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): start ldb transaction (nesting: 3)
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x118fab0
> >
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x11925f0
> >
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Running timer event 0x118fab0 "ltdb_callback"
> >
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Destroying timer event 0x11925f0 "ltdb_timeout"
> >
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Ending timer event 0x118fab0 "ltdb_callback"
> >
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3)
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): commit ldb transaction (nesting: 2)
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): commit ldb transaction (nesting: 1)
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [sdap_save_users] (0x4000): User 0 processed!
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [sdap_get_users_done] (0x4000): Saving 1 Users - Done
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [sdap_id_op_done] (0x4000): releasing operation connection
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x118fd20
> >
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x1182770
> >
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Running timer event 0x118fd20 "ltdb_callback"
> >
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Destroying timer event 0x1182770 "ltdb_timeout"
> >
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ldb] (0x4000): Ending timer event 0x118fd20 "ltdb_callback"
> >
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in view [Default Trust View] with filter [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:xyz.com:8c7e86dc-0536-11e6-94f8-0e49bd988575))].
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.0.4.175
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:xyz.com:8c7e86dc-0536-11e6-94f8-0e49bd988575))][cn=Default Trust View,cn=views,cn=accounts,dc=xyz,dc=com].
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 105
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x1173050], connected[1], ops[0x115c810], ldap[0x1164b30]
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> > (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: sh[0x1173050], connected[1], ops[0x115c810], ldap[0x1164b30
> >
>
> This log snippet is again completely unrelated to login. It just says there are no overrides applicable for this user. Please run:
>
> date; ssh $user@$host; date;
>
> and attach all logs between the two date outputs.
>

From jhrozek at redhat.com Thu Apr 28 09:15:54 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 28 Apr 2016 11:15:54 +0200
Subject: [Freeipa-users] Announcing SSSD 1.13.4
In-Reply-To:
References: <20160414151708.GW15447@hendrix.redhat.com>
Message-ID: <20160428091554.GL12779@hendrix>

On Thu, Apr 28, 2016 at 09:08:18AM +0000, Terry John wrote:
> I am plagued by the "sssd dereference processing failed : Input/output error" problem. Is there any news on when this version of sssd will be released for RedHat/CentOS?
>
> My current version is: 1.12.4-47.el6

RHEL-6.8. But please note that in most cases it's just a harmless error message. Do you actually see some issue or just an annoying message in the logs?
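Jakub's advice in the ipa-client thread above is to bracket the ssh attempt with two `date` calls and send only the sssd domain-log lines between them. The following is an added example (mine, not code from the thread or from SSSD) that does that selection offline on a constructed sample in the `(Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [function] (0x2000): message` layout quoted above, counts lines per logging function and flags failure-level entries using the debug_level bits from sssd.conf(5); the function name `constructed_auth_step` and its message are made up for the sample.

```python
"""Select SSSD domain-log lines between two `date` outputs and summarise them.

Added example, not code from the thread or from SSSD. It handles the
sssd_<domain>.log line layout quoted in the thread:
    (Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [function] (0x2000): message
and uses the debug_level bit values documented in sssd.conf(5).
"""
import re
from collections import Counter
from datetime import datetime

TS_FMT = "%a %b %d %H:%M:%S %Y"          # the "(Fri Apr 22 16:57:21 2016)" stamp
LOG_RE = re.compile(
    r"^\((?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\) "
    r"\[(?P<proc>.+?)\] "                 # sssd[be[xyz.com]] (nested brackets)
    r"\[(?P<func>[^\]]+)\] "              # C function that logged the line
    r"\((?P<level>0x[0-9a-fA-F]+)\): "    # debug level bit
    r"(?P<msg>.*)$"
)
# sssd.conf(5): 0x0010 fatal, 0x0020 critical, 0x0040 serious, 0x0080 minor failure.
FAILURE_MASK = 0x0010 | 0x0020 | 0x0040 | 0x0080


def parse_line(line):
    """Parse one log line; mail quote marks such as '> > ' are stripped first.

    Returns a dict, or None for continuation and unrelated lines.
    """
    line = re.sub(r"^(?:>\s?)+", "", line.rstrip("\r\n"))
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "proc": m["proc"],
        "func": m["func"],
        "level": int(m["level"], 16),
        "msg": m["msg"],
    }


def select_window(lines, start, end):
    """Keep entries with start <= timestamp <= end, i.e. between the two `date` calls."""
    out = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and start <= entry["ts"] <= end:
            out.append(entry)
    return out


def summarize(entries):
    """Count lines per logging function and pull out failure-level messages."""
    return {
        "count": len(entries),
        "by_func": Counter(e["func"] for e in entries),
        "failures": [f'[{e["func"]}] {e["msg"]}' for e in entries if e["level"] & FAILURE_MASK],
    }


def report(log_text, start, end):
    return summarize(select_window(log_text.splitlines(), start, end))


# Constructed sample: the first and last lines fall outside the window; the
# 0x0040 line and its function name are made up to show failure flagging.
SAMPLE_LOG = """\
(Fri Apr 22 16:56:58 2016) [sssd[be[xyz.com]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [sdap_print_server] (0x2000): Searching 10.0.4.175
(Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 105
(Fri Apr 22 16:57:21 2016) [sssd[be[xyz.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Fri Apr 22 16:57:22 2016) [sssd[be[xyz.com]]] [constructed_auth_step] (0x0040): constructed sample failure message
(Fri Apr 22 16:57:40 2016) [sssd[be[xyz.com]]] [sdap_id_op_done] (0x4000): releasing operation connection
"""

# Stand-ins for the two `date` outputs that bracket the ssh attempt.
WINDOW_START = datetime(2016, 4, 22, 16, 57, 0)
WINDOW_END = datetime(2016, 4, 22, 16, 57, 30)

if __name__ == "__main__":
    result = report(SAMPLE_LOG, WINDOW_START, WINDOW_END)
    print(f'{result["count"]} lines in window')
    for func, n in result["by_func"].most_common():
        print(f"  {n:3d}  {func}")
    for failure in result["failures"]:
        print("  FAILURE:", failure)
```

Because quote marks are stripped, the lines can be pasted straight from a mail; a real run would read `/var/log/sssd/sssd_<domain>.log` and take the window bounds from the two `date` outputs.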
> The delete operation of the memberof plugin allocates memory on > NULL context > https://fedorahosted.org/sssd/ticket/2960 > IPA view: view name not stored properly with default FreeIPA installation > https://fedorahosted.org/sssd/ticket/2961 > Initgroups in AD provider might fail if user is stored in a non-default ou > https://fedorahosted.org/sssd/ticket/2962 > GPO: Access denied in non-root mode > https://fedorahosted.org/sssd/ticket/2964 > GPO: Access denied after blocking connection to AD. > https://fedorahosted.org/sssd/ticket/2969 > sudorule not working with ipa sudo_provider on older freeipa > https://fedorahosted.org/sssd/ticket/2970 > sudo smart refresh does not work correctly on openldap > https://fedorahosted.org/sssd/ticket/2971 > SSSD PAM module does not support multiple password prompts (e.g. Password > + Token) with sudo > https://fedorahosted.org/sssd/ticket/2972 > IPA sudo: support the externalUser attribute > https://fedorahosted.org/sssd/ticket/2980 > sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 > error 4 in libsss_ipa.so[7ff889fcf000+5d000] > > == Detailed Changelog == > Dan Lavu (1): > * PAM: Fix man for pam_account_{expired,locked}_message > > David Disseldorp (1): > * build: detect endianness at configure time > > Jakub Hrozek (17): > * Upgrading the version for the 1.13.4 release > * SDAP: Make it possible to silence errors from dereference > * Add a new option ldap_group_external_member > * IPA: Add interface to call into IPA provider from LDAP provider > * LDAP: Use the IPA provider interface to resolve external group members > * FO: Don't free rc-allocated structure > * tests: Reduce failover code duplication > * FO: Use refcount to keep track of servers returned to callers > * FO: Use tevent_req_defer_callback() when notifying callers > * memberof: Don't allocate on a NULL context > * tests: Add a unit test for the external groups resolution > * MAN: Remove duplicate description of the 
pam_account_locked_message option > * AD: Recognize Windows Server 2016 > * memberof: Fix a memory leak when removing ghost users > * memberof: Don't allocate on NULL when deleting memberUids > * tests: Check NULL context in sysdb-tests when removing group members > * Updating translations for the 1.13.4 release > > Lukas Slebodnik (33): > * SPEC: Change package ownership of %{pubconfpath}/krb5.include.d > * CONFIGURE: Replace obsoleted macro AC_PROG_LIBTOOL > * TESTS: Fix race condition in python test > * PYTHON: sss_obfuscate should work with python3 > * PYTHON: Fix pep8 errors in sss_obfuscate > * UTIL: Backport error code ERR_ACCOUNT_LOCKED > * sss_idmap-tests: Fix segmentation fault > * krb5_child: Warn if user cannot read krb5.conf > * Fix typos reported by lintian > * UTIL: Use prefix for debug function > * UTIL: Provide varargs version of debug_fn > * UTIL: Use sss_vdebug_fn for callbacks > * Revert "DEBUG: Preventing chown_debug_file if journald on" > * DEBUG: Ignore ENOENT for change owner of log files > * TOOLS: Fix minor memory leak in sss_colondb_writeline > * CI: Use yum-deprecated instead of dnf > * FAIL_OVER: Fix warning value computed is not used > * UTIL: Fix indentation in dlinklist.h > * UTIL: Fix warning misleading-indentation > * CLIENT: Reduce code duplication > * CLIENT: Retry request after EPIPE > * UTIL: Move debug part from util.h -> new debug.h > * UTIL: Allow to append new line in sss_vdebug_fn > * AUTOMAKE: Force usage of parallel test harness > * CI: Use make check instead of make-check-wrap > * test_ipa_subdom_server: Workaround for slow krb5 + SELinux > * SPEC: Run extra unit tests with epel > * GPO: Soften umask in gpo_child > * GPO_CHILD: Create directories in gpo_cache with right permissions > * GPO: Process GPOS in offline mode if ldap search failed > * IPA: Check RDN in ipa_add_ad_memberships_get_next > * dp_ptask: Fix memory leak in synchronous ptask > * test_be_ptask: Check leaks in tests > > Michal Židek (6): > * NSS: do not 
skip cache check for netgoups > * util: Continue if setlocale fails > * server_setup: Log failed attempt to set locale > * tests: Run intgcheck without libsemanage > * tests: Regression test with wrong LC_ALL > * GPO: log specific ini parse error messages > > Pavel Březina (37): > * AD SRV: prefer site-local DCs in LDAP ping > * SDAP: do not fail if refs are found but not processed > * SDAP: Add request that iterates over all search bases > * SDAP: rename sdap_get_id_specific_filter > * SDAP: support empty filters in sdap_combine_filters() > * SUDO: use sdap_search_bases instead custom sb iterator > * SUDO: make sudo sysdb interface more reusable > * SUDO: move code shared between ldap and ipa to separate module > * SUDO: allow to disable ptask > * SUDO: fail on failed request that cannot be retry > * IPA: add ipa_get_rdn and ipa_check_rdn > * SDAP: use ipa_get_rdn() in nested groups > * IPA SUDO: choose between IPA and LDAP schema > * IPA SUDO: Add ipasudorule mapping > * IPA SUDO: Add ipasudocmdgrp mapping > * IPA SUDO: Add ipasudocmd mapping > * IPA SUDO: Implement sudo handler > * IPA SUDO: Implement full refresh > * IPA SUDO: Implement rules refresh > * IPA SUDO: Remember USN > * SDAP: Add sdap_or_filters > * IPA SUDO: Implement smart refresh > * SUDO: sdap_sudo_set_usn() do not steal usn > * SUDO: remove full_refresh_in_progress > * SUDO: assume zero if usn is unknown > * SUDO: allow disabling full refresh > * SUDO: remember usn as number instead of string > * SUDO: simplify usn filter > * IPA SUDO: Add support for ipaSudoRunAsExt* attributes > * sdap_connect_send: fail if uri or sockaddr is NULL > * cache_req: simplify cache_req_cache_check() > * cache_req: do not lookup views if possible > * remove user certificate if not found on the server > * IPA SUDO: download externalUser attribute > * IPA SUDO: fix typo > * IPA SUDO: support old ipasudocmd rdn > * SUDO: be able to parse modifyTimestamp correctly > > Pavel Reichl (11): > * sudo: remove unused param 
name in sdap_sudo_get_usn() > * sudo: remove unused param. in ldap_get_sudo_options > * IDMAP: Fix computing max id for slice range > * IDMAP: New structure for domain range params > * IDMAP: Add support for automatic adding of ranges > * IDMAP: Fix minor memory leak > * IDMAP: Man change for ldap_idmap_range_size option > * NSS: Fix memory leak netgroup > * IDMAP: Add test to validate off by one bug > * SDAP: Add return code ERR_ACCOUNT_LOCKED > * PAM: Pass account lockout status and display message > > Petr Cech (6): > * KRB5: Adding DNS SRV lookup for krb5 provider > * TOOLS: Fix memory leak after getline() failed > * TOOLS: Add comments on functions in colondb > * TEST_TOOLS_COLONDB: Add tests for sss_colondb_* > * REFACTOR: umask(077) --> umask(SSS_DFL_X_UMASK) > * REFACTOR: umask(0177) --> umask(SSS_DFL_UMASK) > > Stephen Gallagher (2): > * GPO: Add Cockpit to the Remote Interactive defaults > * GPO: Add other display managers to interactive logon > > Sumit Bose (20): > * nfs idmap: fix infinite loop > * Use right domain for user lookups > * sdap_save_grpmem: determine domain by SID if possible > * ipa_s2n_save_objects(): use configured user and group timeout > * ldap: remove originalMeberOf if there is no memberOf > * UTIL: allow to skip default options for child processes > * DP_TASK: add be_ptask_get_timeout() > * AD: add task to renew the machine account password if needed > * FO: add fo_get_active_server() > * FO: add be_fo_get_active_server_name() > * AD: try to use current server in the renewal task > * p11: add gnome-screensaver to list of allowed services > * IPA: lookup idview name even if there is no master domain record > * IPA: invalidate override data if original view is missing > * sdap: improve filtering of multiple results in GC lookups > * pam_sss: reorder pam_message array > * sss_override: do not generate DN, search object > * tools: read additional data of the master domain > * sss_override: only add domain if name is not fully qualified 
> * intg: local override for user with mixed case name
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

From mkosek at redhat.com Thu Apr 28 10:06:07 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 28 Apr 2016 12:06:07 +0200
Subject: [Freeipa-users] IPA vulnerability management SSL
In-Reply-To: <201604272324.u3RNOR6U009479@d01av01.pok.ibm.com>
References: <201604270527.u3R5RvrE005517@d03av01.boulder.ibm.com> <6c44a1aa-b1d5-cd85-fc64-38b38d8a1e4b@redhat.com> <201604272324.u3RNOR6U009479@d01av01.pok.ibm.com>
Message-ID: <2c9f4e2c-f86d-75a8-2f9f-c8f57284f7d6@redhat.com>

On 04/28/2016 01:23 AM, Sean Hogan wrote:
> Hi Martin,
>
> No joy on placing - in front of the RC4s
>
>
> I modified my nss.conf to now read
> # SSL 3 ciphers. SSL 2 is disabled by default.
> NSSCipherSuite > +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha > > # SSL Protocol: > # Cryptographic protocols that provide communication security. > # NSS handles the specified protocols as "ranges", and automatically > # negotiates the use of the strongest protocol for a connection starting > # with the maximum specified protocol and downgrading as necessary to the > # minimum specified protocol that can be used between two processes. > # Since all protocol ranges are completely inclusive, and no protocol in the > NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 > > dse.ldif > > dn: cn=encryption,cn=config > objectClass: top > objectClass: nsEncryptionConfig > cn: encryption > nsSSLSessionTimeout: 0 > nsSSLClientAuth: allowed > nsSSL2: off > nsSSL3: off > creatorsName: cn=server,cn=plugins,cn=config > modifiersName: cn=directory manager > createTimestamp: 20150420131850Z > modifyTimestamp: 20150420131906Z > nsSSL3Ciphers: +all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4 > _56_sha,-tls_dhe_dss_1024_rc4_sha > numSubordinates: 1 > > > > But I still get this with nmap.. I thought the above would remove > -tls_rsa_export1024_with_rc4_56_sha but still showing. Is it the fact that I am not > offering -tls_rsa_export1024_with_rc4_56_sha? If so.. not really understanding > where it is coming from cept the +all from DS but the - should be negating that? > > Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 17:37 EDT > Nmap scan report for rtpvxl0077.watson.local (10.110.76.242) > Host is up (0.000086s latency). 
> PORT STATE SERVICE
> 636/tcp open ldapssl
> | ssl-enum-ciphers:
> | TLSv1.2
> | Ciphers (13)
> | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
> | SSL_RSA_FIPS_WITH_DES_CBC_SHA
> | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
> | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
> | TLS_RSA_WITH_3DES_EDE_CBC_SHA
> | TLS_RSA_WITH_AES_128_CBC_SHA
> | TLS_RSA_WITH_AES_128_CBC_SHA256
> | TLS_RSA_WITH_AES_128_GCM_SHA256
> | TLS_RSA_WITH_AES_256_CBC_SHA
> | TLS_RSA_WITH_AES_256_CBC_SHA256
> | TLS_RSA_WITH_DES_CBC_SHA
> | TLS_RSA_WITH_RC4_128_MD5
> | TLS_RSA_WITH_RC4_128_SHA
> | Compressors (1)
> |_ uncompressed
>
> Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
>
>
>
> It seems no matter what config I put into nss.conf or dse.ldif nothing changes
> with my nmap results. Is there supposed to be a section to add TLS ciphers
> instead of SSL

Not sure now, CCing Ludwig who was involved in the original RHEL-6 implementation.

Just to be sure, when you are modifying dse.ldif, the procedure should always be the following:

1) Stop Directory Server service
2) Modify dse.ldif
3) Start Directory Server service

Otherwise it won't get applied and will get overwritten later.

In any case, the ciphers with RHEL-6 should be secure enough, the ones in FreeIPA 4.3.1 should be even better. This is for example an nmap taken on FreeIPA Demo instance that runs on FreeIPA 4.3.1:

$ nmap --script ssl-enum-ciphers -p 636 ipa.demo1.freeipa.org

Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-28 12:02 CEST
Nmap scan report for ipa.demo1.freeipa.org (209.132.178.99)
Host is up (0.18s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A

Nmap done: 1 IP address (1 host up) scanned in 21.12 seconds

Martin

From pvoborni at redhat.com Thu Apr 28 10:49:53 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 28 Apr 2016 12:49:53 +0200
Subject: [Freeipa-users] Replication error
In-Reply-To: <1461672172950.27500@levi9.com>
References: <1461672172950.27500@levi9.com>
Message-ID:

On 04/26/2016 02:02 PM, Anton Rubets wrote:
> Hi all
>
> I have issues with replication between two FreeIPA servers
>
> In master's log
>
> [26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace (nsslapd-referral,
> ldap://ldap2.domain:389/o%3Dipaca) failed.
> [26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace (nsslapd-referral,
> ldap://ldap2.domain:389/o%3Dipaca) failed.
> [26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace (nsslapd-referral,
> ldap://ldap2.domain389/o%3Dipaca) failed.
> [26/Apr/2016:10:39:35 +0200] slapi_ldap_bind - Error: could not send startTLS
> request: error -1 (Can't contact LDAP server) errno 2 (No such file or directory)
>
>
> On replica server
>
>
> [26/Apr/2016:08:38:12 +0000] attrlist_replace - attr_replace (nsslapd-referral,
> ldap://ldap1.domain:389/o%3Dipaca) failed.
> [26/Apr/2016:08:43:13 +0000] attrlist_replace - attr_replace (nsslapd-referral,
> ldap://ldap1domain:389/o%3Dipaca) failed.
> [26/Apr/2016:08:43:13 +0000] attrlist_replace - attr_replace (nsslapd-referral,
> ldap://ldap1.domain:389/o%3Dipaca) failed.
> [26/Apr/2016:08:43:13 +0000] attrlist_replace - attr_replace (nsslapd-referral,
> ldap://ldap1.domain:389/o%3Dipaca) failed.

This is a symptom of dangling RUVs (replica update vectors) of previously removed replicas. It happens when a replica is removed using:

# ipa-replica-manage del $replica
# ipa-server-install --uninstall (on replica)

without running:

# ipa-csreplica-manage del $replica

first.

Resolution is to clear the RUVs manually using the clean RUV DS task, because ipa-csreplica-manage doesn't have support for it. FreeIPA 4.4 will receive a new command which will handle both suffixes automatically - #5411.

The instructions can be found on the list:
* https://www.redhat.com/archives/freeipa-users/2015-June/msg00386.html
* https://www.redhat.com/archives/freeipa-users/2015-June/msg00416.html
and
* http://www.port389.org/docs/389ds/FAQ/troubleshoot-cleanallruv.html
* or general procedure for future feature: https://fedorahosted.org/freeipa/ticket/5411#comment:7

Important: Be very careful not to remove RUVs of existing replicas.

>
>
> And I can't find the source of this problem. I have checked permissions etc. As
> I see, the replica is working but this message disturbs my email every few minutes and
> I wanna somehow fix this. Also I just migrated from 3.0 to 4.2.
> Info:
> Master :
> rpm -qa | grep ipa
> ipa-server-dns-4.2.0-15.0.1.el7.centos.6.x86_64
> ipa-admintools-4.2.0-15.0.1.el7.centos.6.x86_64
> sssd-ipa-1.13.0-40.el7_2.2.x86_64
> ipa-client-4.2.0-15.0.1.el7.centos.6.x86_64
> libipa_hbac-1.13.0-40.el7_2.2.x86_64
> python-libipa_hbac-1.13.0-40.el7_2.2.x86_64
> python-iniparse-0.4-9.el7.noarch
> ipa-python-4.2.0-15.0.1.el7.centos.6.x86_64
> ipa-server-4.2.0-15.0.1.el7.centos.6.x86_64
>
> Replica:
> rpm -qa | grep ipa
> sssd-ipa-1.13.0-40.el7_2.2.x86_64
> ipa-admintools-4.2.0-15.0.1.el7.centos.6.1.x86_64
> libipa_hbac-1.13.0-40.el7_2.2.x86_64
> ipa-client-4.2.0-15.0.1.el7.centos.6.1.x86_64
> ipa-python-4.2.0-15.0.1.el7.centos.6.1.x86_64
> ipa-server-dns-4.2.0-15.0.1.el7.centos.6.1.x86_64
> python-libipa_hbac-1.13.0-40.el7_2.2.x86_64
> python-iniparse-0.4-9.el7.noarch
> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>
>
> Best Regards
> Anton Rubets

--
Petr Vobornik

From lkrispen at redhat.com Thu Apr 28 11:26:04 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Thu, 28 Apr 2016 13:26:04 +0200
Subject: [Freeipa-users] IPA vulnerability management SSL
In-Reply-To: <2c9f4e2c-f86d-75a8-2f9f-c8f57284f7d6@redhat.com>
References: <201604270527.u3R5RvrE005517@d03av01.boulder.ibm.com> <6c44a1aa-b1d5-cd85-fc64-38b38d8a1e4b@redhat.com> <201604272324.u3RNOR6U009479@d01av01.pok.ibm.com> <2c9f4e2c-f86d-75a8-2f9f-c8f57284f7d6@redhat.com>
Message-ID: <5721F34C.9010107@redhat.com>

On 04/28/2016 12:06 PM, Martin Kosek wrote:
> On 04/28/2016 01:23 AM, Sean Hogan wrote:
>> Hi Martin,
>>
>> No joy on placing - in front of the RC4s
>>
>>
>> I modified my nss.conf to now read
>> # SSL 3 ciphers. SSL 2 is disabled by default.
>> NSSCipherSuite >> +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha >> >> # SSL Protocol: >> # Cryptographic protocols that provide communication security. >> # NSS handles the specified protocols as "ranges", and automatically >> # negotiates the use of the strongest protocol for a connection starting >> # with the maximum specified protocol and downgrading as necessary to the >> # minimum specified protocol that can be used between two processes. >> # Since all protocol ranges are completely inclusive, and no protocol in the >> NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 >> >> dse.ldif >> >> dn: cn=encryption,cn=config >> objectClass: top >> objectClass: nsEncryptionConfig >> cn: encryption >> nsSSLSessionTimeout: 0 >> nsSSLClientAuth: allowed >> nsSSL2: off >> nsSSL3: off >> creatorsName: cn=server,cn=plugins,cn=config >> modifiersName: cn=directory manager >> createTimestamp: 20150420131850Z >> modifyTimestamp: 20150420131906Z >> nsSSL3Ciphers: +all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4 >> _56_sha,-tls_dhe_dss_1024_rc4_sha >> numSubordinates: 1 >> >> >> >> But I still get this with nmap.. I thought the above would remove >> -tls_rsa_export1024_with_rc4_56_sha but still showing. Is it the fact that I am not >> offering -tls_rsa_export1024_with_rc4_56_sha? If so.. not really understanding >> where it is coming from cept the +all from DS but the - should be negating that? >> >> Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 17:37 EDT >> Nmap scan report for rtpvxl0077.watson.local (10.110.76.242) >> Host is up (0.000086s latency). 
>> PORT STATE SERVICE >> 636/tcp open ldapssl >> | ssl-enum-ciphers: >> | TLSv1.2 >> | Ciphers (13) >> | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA >> | SSL_RSA_FIPS_WITH_DES_CBC_SHA >> | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA >> | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA >> | TLS_RSA_WITH_3DES_EDE_CBC_SHA >> | TLS_RSA_WITH_AES_128_CBC_SHA >> | TLS_RSA_WITH_AES_128_CBC_SHA256 >> | TLS_RSA_WITH_AES_128_GCM_SHA256 >> | TLS_RSA_WITH_AES_256_CBC_SHA >> | TLS_RSA_WITH_AES_256_CBC_SHA256 >> | TLS_RSA_WITH_DES_CBC_SHA >> | TLS_RSA_WITH_RC4_128_MD5 >> | TLS_RSA_WITH_RC4_128_SHA >> | Compressors (1) >> |_ uncompressed >> >> Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds >> >> >> >> It seems no matter what config I put into nss.conf or dse.ldif nothing changes >> with my nmap results. Is there supposed to be a be a section to add TLS ciphers >> instead of SSL > Not sure now, CCing Ludwig who was involved in the original RHEL-6 > implementation. If I remember correctly we did the change in default ciphers and the option for handling in 389-ds > 1.3.3, so it would not be in RHEL6, adding Noriko to get confirmation. but the below comments about changing ciphers in dse.ldif could help in using the "old" way to set ciphers > Just to be sure, when you are modifying dse.ldif, the procedure > should be always following: > > 1) Stop Directory Server service > 2) Modify dse.ldif > 3) Start Directory Server service > > Otherwise it won't get applied and will get overwritten later. > > In any case, the ciphers with RHEL-6 should be secure enough, the ones in > FreeIPA 4.3.1 should be even better. This is for example an nmap taken on > FreeIPA Demo instance that runs on FreeIPA 4.3.1: > > $ nmap --script ssl-enum-ciphers -p 636 ipa.demo1.freeipa.org > > Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-28 12:02 CEST > Nmap scan report for ipa.demo1.freeipa.org (209.132.178.99) > Host is up (0.18s latency). 
> PORT STATE SERVICE
> 636/tcp open ldapssl
> | ssl-enum-ciphers:
> | TLSv1.2:
> | ciphers:
> | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
> | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
> | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
> | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
> | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
> | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
> | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
> | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
> | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
> | TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
> | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
> | TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
> | compressors:
> | NULL
> | cipher preference: server
> |_ least strength: A
>
> Nmap done: 1 IP address (1 host up) scanned in 21.12 seconds
>
> Martin

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill

From lkrispen at redhat.com Thu Apr 28 11:34:14 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Thu, 28 Apr 2016 13:34:14 +0200
Subject: [Freeipa-users] IPA vulnerability management SSL
In-Reply-To: <5721F34C.9010107@redhat.com>
References: <201604270527.u3R5RvrE005517@d03av01.boulder.ibm.com> <6c44a1aa-b1d5-cd85-fc64-38b38d8a1e4b@redhat.com> <201604272324.u3RNOR6U009479@d01av01.pok.ibm.com> <2c9f4e2c-f86d-75a8-2f9f-c8f57284f7d6@redhat.com> <5721F34C.9010107@redhat.com>
Message-ID: <5721F536.1000807@redhat.com>

wanted to add Noriko, but hit send too quickly

On 04/28/2016 01:26 PM, Ludwig Krispenz wrote:
>
> On 04/28/2016 12:06 PM, Martin Kosek wrote:
>> On 04/28/2016 01:23 AM, Sean Hogan wrote:
>>> Hi Martin,
>>>
>>> No joy on placing - in front of the RC4s
>>>
>>>
>>> I modified
my nss.conf to now read >>> # SSL 3 ciphers. SSL 2 is disabled by default. >>> NSSCipherSuite >>> +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha >>> >>> >>> # SSL Protocol: >>> # Cryptographic protocols that provide communication security. >>> # NSS handles the specified protocols as "ranges", and automatically >>> # negotiates the use of the strongest protocol for a connection >>> starting >>> # with the maximum specified protocol and downgrading as necessary >>> to the >>> # minimum specified protocol that can be used between two processes. >>> # Since all protocol ranges are completely inclusive, and no >>> protocol in the >>> NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 >>> >>> dse.ldif >>> >>> dn: cn=encryption,cn=config >>> objectClass: top >>> objectClass: nsEncryptionConfig >>> cn: encryption >>> nsSSLSessionTimeout: 0 >>> nsSSLClientAuth: allowed >>> nsSSL2: off >>> nsSSL3: off >>> creatorsName: cn=server,cn=plugins,cn=config >>> modifiersName: cn=directory manager >>> createTimestamp: 20150420131850Z >>> modifyTimestamp: 20150420131906Z >>> nsSSL3Ciphers: >>> +all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4 >>> _56_sha,-tls_dhe_dss_1024_rc4_sha >>> numSubordinates: 1 >>> >>> >>> >>> But I still get this with nmap.. I thought the above would remove >>> -tls_rsa_export1024_with_rc4_56_sha but still showing. Is it the >>> fact that I am not >>> offering -tls_rsa_export1024_with_rc4_56_sha? If so.. not really >>> understanding >>> where it is coming from cept the +all from DS but the - should be >>> negating that? >>> >>> Starting Nmap 5.51 ( http://nmap.org ) at >>> 2016-04-27 17:37 EDT >>> Nmap scan report for rtpvxl0077.watson.local (10.110.76.242) >>> Host is up (0.000086s latency). 
>>> PORT STATE SERVICE >>> 636/tcp open ldapssl >>> | ssl-enum-ciphers: >>> | TLSv1.2 >>> | Ciphers (13) >>> | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA >>> | SSL_RSA_FIPS_WITH_DES_CBC_SHA >>> | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA >>> | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA >>> | TLS_RSA_WITH_3DES_EDE_CBC_SHA >>> | TLS_RSA_WITH_AES_128_CBC_SHA >>> | TLS_RSA_WITH_AES_128_CBC_SHA256 >>> | TLS_RSA_WITH_AES_128_GCM_SHA256 >>> | TLS_RSA_WITH_AES_256_CBC_SHA >>> | TLS_RSA_WITH_AES_256_CBC_SHA256 >>> | TLS_RSA_WITH_DES_CBC_SHA >>> | TLS_RSA_WITH_RC4_128_MD5 >>> | TLS_RSA_WITH_RC4_128_SHA >>> | Compressors (1) >>> |_ uncompressed >>> >>> Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds >>> >>> >>> >>> It seems no matter what config I put into nss.conf or dse.ldif >>> nothing changes >>> with my nmap results. Is there supposed to be a be a section to add >>> TLS ciphers >>> instead of SSL >> Not sure now, CCing Ludwig who was involved in the original RHEL-6 >> implementation. > If I remember correctly we did the change in default ciphers and the > option for handling in 389-ds > 1.3.3, so it would not be in RHEL6, > adding Noriko to get confirmation. > > but the below comments about changing ciphers in dse.ldif could help > in using the "old" way to set ciphers >> Just to be sure, when you are modifying dse.ldif, the procedure >> should be always following: >> >> 1) Stop Directory Server service >> 2) Modify dse.ldif >> 3) Start Directory Server service >> >> Otherwise it won't get applied and will get overwritten later. >> >> In any case, the ciphers with RHEL-6 should be secure enough, the >> ones in >> FreeIPA 4.3.1 should be even better. This is for example an nmap >> taken on >> FreeIPA Demo instance that runs on FreeIPA 4.3.1: >> >> $ nmap --script ssl-enum-ciphers -p 636 ipa.demo1.freeipa.org >> >> Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-28 12:02 CEST >> Nmap scan report for ipa.demo1.freeipa.org (209.132.178.99) >> Host is up (0.18s latency). 
>> PORT STATE SERVICE
>> 636/tcp open ldapssl
>> | ssl-enum-ciphers:
>> | TLSv1.2:
>> | ciphers:
>> | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
>> | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
>> | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
>> | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
>> | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
>> | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
>> | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
>> | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
>> | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
>> | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
>> | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
>> | TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
>> | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
>> | TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
>> | compressors:
>> | NULL
>> | cipher preference: server
>> |_ least strength: A
>>
>> Nmap done: 1 IP address (1 host up) scanned in 21.12 seconds
>>
>> Martin
>

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill

From lslebodn at redhat.com Thu Apr 28 12:56:10 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Thu, 28 Apr 2016 14:56:10 +0200
Subject: [Freeipa-users] Announcing SSSD 1.13.4
In-Reply-To:
References: <20160414151708.GW15447@hendrix.redhat.com>
Message-ID: <20160428125610.GL3149@10.4.128.1>

On (28/04/16 09:08), Terry John wrote:
>I am plagued by the "sssd dereference processing failed : Input/output error"
>problem. Is there any news when this version of sssd will be released
>for RedHat/Centos?
>
If you are interested in testing sssd-1.13.4 then you can test the upstream (backported from Fedora) version in copr.
https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-13/

LS

From anthony.wan.cheng at gmail.com Thu Apr 28 13:20:52 2016
From: anthony.wan.cheng at gmail.com (Anthony Cheng)
Date: Thu, 28 Apr 2016 13:20:52 +0000
Subject: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
In-Reply-To: <1e4b516f-1532-0f55-034d-98f21833d53a@redhat.com>
References: <1e4b516f-1532-0f55-034d-98f21833d53a@redhat.com>
Message-ID:

klist is actually empty; kinit admin fails. Sounds like then getcert resubmit has a dependency on Kerberos. I can get a backup image that has a valid ticket but it is only good for 1 day (and dated past the cert expiry). Also I had asked a while back about whether there is a dependency on DIRSRV to renew the cert; didn't get any response but I suspect there is a dependency.

Regarding the clock skew, I found out from /var/log/message that shows me this so it may be from named:

Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew too great)
Jan 28 14:10:42 test named[2911]: loading configuration: failure
Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)

I don't have a krb5cc_496 file (since klist is empty), so it sounds to me like I need to get a Kerberos ticket before going any further. Also is the file /etc/krb5.keytab access/modification time important?

I had changed the time back to before the cert expiration date and rebooted and tried to renew but the error message about clock skew is still there. That seems strange.

Lastly, as an absolute last resort, can I regenerate a new cert myself?
https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html [root at test /]# klist klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0) [root at test /]# service ipa start Starting Directory Service Starting dirsrv: PKI-IPA... [ OK ] sample-NET... [ OK ] Starting KDC Service Starting Kerberos 5 KDC: [ OK ] Starting KPASSWD Service Starting Kerberos 5 Admin Server: [ OK ] Starting DNS Service Starting named: [FAILED] Failed to start DNS Service Shutting down Stopping Kerberos 5 KDC: [ OK ] Stopping Kerberos 5 Admin Server: [ OK ] Stopping named: [ OK ] Stopping httpd: [ OK ] Stopping pki-ca: [ OK ] Shutting down dirsrv: PKI-IPA... [ OK ] sample-NET... [ OK ] Aborting ipactl [root at test /]# klist klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0) [root at test /]# service ipa status Directory Service: STOPPED Failed to get list of services to probe status: Directory Server is stopped On Thu, Apr 28, 2016 at 3:21 AM David Kupka wrote: > On 27/04/16 21:54, Anthony Cheng wrote: > > Hi list, > > > > I am trying to renew expired certificates following the manual renewal > procedure > > here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but even > with > > resetting the system/hardware clock to a time before it expires, I am > getting the > > error "ca-error: Error setting up ccache for local "host" service using > default > > keytab: Clock skew too great." > > > > With NTP disabled and the clock reset, why would it complain about clock skew, > and how > > does it even know about the current time? > > > > [root at test certs]# getcert list > > Number of certificates and requests being tracked: 8. > > Request ID '20111214223243': > > status: MONITORING > > ca-error: Error setting up ccache for local "host" service using > > default keytab: Clock skew too great.
> > stuck: no > > key pair storage: > > > type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS > > Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt' > > certificate: > > > type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS > > Certificate DB' > > CA: IPA > > issuer: CN=Certificate Authority,O=sample.NET > > subject: CN=test.sample.net >,O=sample.NET > > expires: 2016-01-29 14:09:46 UTC > > eku: id-kp-serverAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > Request ID '20111214223300': > > status: MONITORING > > ca-error: Error setting up ccache for local "host" service using > > default keytab: Clock skew too great. > > stuck: no > > key pair storage: > > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > Certificate > > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' > > certificate: > > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > Certificate > > DB' > > CA: IPA > > issuer: CN=Certificate Authority,O=sample.NET > > subject: CN=test.sample.net >,O=sample.NET > > expires: 2016-01-29 14:09:45 UTC > > eku: id-kp-serverAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > Request ID '20111214223316': > > status: MONITORING > > ca-error: Error setting up ccache for local "host" service using > > default keytab: Clock skew too great. 
> > stuck: no > > key pair storage: > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > certificate: > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > > Certificate DB' > > CA: IPA > > issuer: CN=Certificate Authority,O=sample.NET > > subject: CN=test.sample.net >,O=sample.NET > > expires: 2016-01-29 14:09:45 UTC > > eku: id-kp-serverAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > Request ID '20130519130741': > > status: NEED_CSR_GEN_PIN > > ca-error: Internal error: no response to > > " > http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true > ". > > stuck: yes > > key pair storage: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > > ' > > certificate: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate Authority,O=sample.NET > > subject: CN=CA Audit,O=sample.NET > > expires: 2017-10-13 14:10:49 UTC > > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > > "auditSigningCert cert-pki-ca" > > track: yes > > auto-renew: yes > > Request ID '20130519130742': > > status: NEED_CSR_GEN_PIN > > ca-error: Internal error: no response to > > " > http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true > ". 
> > stuck: yes > > key pair storage: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > > ' > > certificate: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate Authority,O=sample.NET > > subject: CN=OCSP Subsystem,O=sample.NET > > expires: 2017-10-13 14:09:49 UTC > > eku: id-kp-OCSPSigning > > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > > "ocspSigningCert cert-pki-ca" > > track: yes > > auto-renew: yes > > Request ID '20130519130743': > > status: NEED_CSR_GEN_PIN > > ca-error: Internal error: no response to > > " > http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true > ". > > stuck: yes > > key pair storage: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > > ' > > certificate: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate Authority,O=sample.NET > > subject: CN=CA Subsystem,O=sample.NET > > expires: 2017-10-13 14:09:49 UTC > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > > "subsystemCert cert-pki-ca" > > track: yes > > auto-renew: yes > > Request ID '20130519130744': > > status: MONITORING > > ca-error: Internal error: no response to > > " > http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true > ". 
> > stuck: no > > key pair storage: > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > Certificate > > DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > certificate: > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate Authority,O=sample.NET > > subject: CN=RA Subsystem,O=sample.NET > > expires: 2017-10-13 14:09:49 UTC > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert > > track: yes > > auto-renew: yes > > Request ID '20130519130745': > > status: NEED_CSR_GEN_PIN > > ca-error: Internal error: no response to > > " > http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true > ". > > stuck: yes > > key pair storage: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > > ' > > certificate: > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate Authority,O=sample.NET > > subject: CN=test.sample.net >,O=sample.NET > > expires: 2017-10-13 14:09:49 UTC > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > -- > > > > Thanks, Anthony > > > > > > > > Hello Anthony! > > After stopping NTP (or another time-synchronizing service) and setting > the time manually, the server really doesn't have a way to determine that its time > differs from the real one. > > I think this might be an issue with the Kerberos ticket. You can show the content > of root's ticket cache using klist. If there is anything, clean it with > kdestroy and try to resubmit the request again. > > -- > David Kupka > -- Thanks, Anthony -------------- next part -------------- An HTML attachment was scrubbed...
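The `getcert list` output quoted in this thread shows two distinct failure groups: the "Clock skew too great" ccache error on the IPA-issued server certs, and the "no response to http://...:9180" error on the Dogtag-tracked subsystem certs. The following is an added example, not code from the thread or from certmonger: a Python parser for this output that reports, per request, the expiry state relative to a chosen time, the stuck flag and a coarse error class. The sample is a constructed three-request excerpt of the quoted output with the exposed PIN replaced by a placeholder, and the error classification is the editor's.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample in the layout of `getcert list`: three of the eight
# requests quoted in this thread, with the NSS database PIN that the original
# post exposed replaced by a placeholder.
GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20111214223243':
\tstatus: MONITORING
\tca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=test.sample.net,O=sample.NET
\texpires: 2016-01-29 14:09:46 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20130519130741':
\tstatus: NEED_CSR_GEN_PIN
\tca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='<PIN-PLACEHOLDER>'
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=CA Audit,O=sample.NET
\texpires: 2017-10-13 14:10:49 UTC
\tpost-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
Request ID '20130519130744':
\tstatus: MONITORING
\tca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=RA Subsystem,O=sample.NET
\texpires: 2017-10-13 14:09:49 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '(\d+)':")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?):\s*(.*)$")
NICKNAME_RE = re.compile(r"nickname='([^']*)'")

# Coarse cause per ca-error text seen in the thread (editor's classification):
# "Clock skew too great" is the Kerberos KRB_AP_ERR_SKEW error raised while
# certmonger gets a ticket from the host keytab; "no response to ...:9180"
# means the Dogtag CA did not answer.
ERROR_CLASSES = [("Clock skew too great", "kerberos-clock-skew"),
                 ("no response to", "ca-unreachable")]


def parse_getcert_list(text: str) -> List[Dict[str, str]]:
    """One dict of 'field: value' pairs per Request ID block."""
    records: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return records


def classify_error(ca_error: str) -> Optional[str]:
    for needle, label in ERROR_CLASSES:
        if needle in ca_error:
            return label
    return "other" if ca_error else None


def triage(records: List[Dict[str, str]], now: datetime) -> Dict[str, Dict]:
    """Per request: nickname, expiry relative to `now`, stuck flag, error class."""
    report: Dict[str, Dict] = {}
    for rec in records:
        expires = None
        if "expires" in rec:  # certmonger prints e.g. "2016-01-29 14:09:46 UTC"
            expires = datetime.strptime(rec["expires"].replace(" UTC", ""),
                                        "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        nick = NICKNAME_RE.search(rec.get("certificate", ""))
        report[rec["request_id"]] = {
            "nickname": nick.group(1) if nick else None,
            "status": rec.get("status"),
            "expired": expires is not None and expires <= now,
            "days_to_expiry": (expires - now).days if expires else None,
            "stuck": rec.get("stuck") == "yes",
            "error_class": classify_error(rec.get("ca-error", "")),
        }
    return report


def triage_text(text: str, now_utc: str) -> Dict[str, Dict]:
    """Wrapper taking `now_utc` as 'YYYY-MM-DD HH:MM:SS' (UTC)."""
    now = datetime.strptime(now_utc, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return triage(parse_getcert_list(text), now)
```

Run against real output with the clock you intend to use for the renewal, so that "expired" reflects the time the KDC and CA will actually see.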
URL: From bret.wortman at damascusgrp.com Thu Apr 28 14:07:54 2016 From: bret.wortman at damascusgrp.com (Bret Wortman) Date: Thu, 28 Apr 2016 10:07:54 -0400 Subject: [Freeipa-users] IPA server having cert issues In-Reply-To: <572103CE.6030404@damascusgrp.com> References: <571F586E.2000302@damascusgrp.com> <571F5B99.4060607@damascusgrp.com> <571F6BF5.9060801@damascusgrp.com> <571F6C80.8000006@damascusgrp.com> <7c9ac60d-f182-cb92-bf53-85359e5c5b81@redhat.com> <571F9092.7060204@damascusgrp.com> <571F9E04.2050400@damascusgrp.com> <571FA944.8040003@redhat.com> <571FAE1C.107@damascusgrp.com> <57208EE1.3000006@damascusgrp.com> <5720D0A8.505@damascusgrp.com> <5720F2AB.3000300@redhat.com> <572103CE.6030404@damascusgrp.com> Message-ID: <5722193A.40101@damascusgrp.com> Okay. This morning, I turned back time to 4/1 and started up IPA. It didn't work, but I got something new and interesting in the debug log, which I've posted to http://pastebin.com/M9VGCS8A. Lots of garbled junk came pouring out which doesn't happen when I'm set to real time. Is /this/ significant? On 04/27/2016 02:24 PM, Bret Wortman wrote: > I put excerpts from the ca logs in http://pastebin.com/gYgskU79. It > looks logical to me, but I can't spot anything that looks like a root > cause error. The selftests are all okay, I think. The debug log might > have something, but it might also just be complaining about ldap not > being up because it's not. > > > On 04/27/2016 01:11 PM, Rob Crittenden wrote: >> Bret Wortman wrote: >>> So in lieu of fixing these certs, is there an acceptable way to dump >>> them all and start over /without losing the contents of the IPA >>> database/? Or otherwise really screwing ourselves? >> >> I don't believe there is a way. >> >>> We have a replica that's still up and running and we've switched >>> everyone over to talking to it, but we're at risk with just the one. >> >> I'd ignore the two unknown certs for now. 
They look like someone was >> experimenting with issuing a cert and didn't quite get things working. >> >> The CA seems to be throwing an error. I'd check the syslog for >> messages from certmonger and look at the CA debug log and selftest log. >> >> rob >> > [snip] > From matrix.zj at qq.com Thu Apr 28 14:44:17 2016 From: matrix.zj at qq.com (Matrix) Date: Thu, 28 Apr 2016 22:44:17 +0800 Subject: [Freeipa-users] is it possible to use 'ipa-replica' to sync user between different suffix AD and IPA domain? Message-ID: Hi, all I am trying to do a centralized solution AD domain is 'examplemedia.net' IPA domain is 'example.net' After ipa-replica has been established, I found that nothing has been synced from AD to IPA. IPA version: ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64 I doubt whether a different suffix is supported? If so, can anyone show me some hint to investigate more? Thanks for your kind help. Matrix From pvoborni at redhat.com Thu Apr 28 15:07:08 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 28 Apr 2016 17:07:08 +0200 Subject: [Freeipa-users] IPA server having cert issues In-Reply-To: <5722193A.40101@damascusgrp.com> References: <571F586E.2000302@damascusgrp.com> <571F5B99.4060607@damascusgrp.com> <571F6BF5.9060801@damascusgrp.com> <571F6C80.8000006@damascusgrp.com> <7c9ac60d-f182-cb92-bf53-85359e5c5b81@redhat.com> <571F9092.7060204@damascusgrp.com> <571F9E04.2050400@damascusgrp.com> <571FA944.8040003@redhat.com> <571FAE1C.107@damascusgrp.com> <57208EE1.3000006@damascusgrp.com> <5720D0A8.505@damascusgrp.com> <5720F2AB.3000300@redhat.com> <572103CE.6030404@damascusgrp.com> <5722193A.40101@damascusgrp.com> Message-ID: <2dac740d-a1fe-5579-6841-d410ee0ec5fc@redhat.com> On 04/28/2016 04:07 PM, Bret Wortman wrote: > Okay.
This morning, I turned back time to 4/1 and started up IPA. It didn't > work, but I got something new and interesting in the debug log, which I've > posted to http://pastebin.com/M9VGCS8A. Lots of garbled junk came pouring out > which doesn't happen when I'm set to real time. Is /this/ significant? Anything in `systemctl status pki-tomcatd@pki-tomcat.service`, or rather `journalctl -u pki-tomcatd@pki-tomcat.service`? Just to be sure, it might also be worth checking whether the CA subsystem users have the correct certs assigned: * https://www.redhat.com/archives/freeipa-users/2016-April/msg00138.html * https://www.redhat.com/archives/freeipa-users/2016-April/msg00143.html > > > On 04/27/2016 02:24 PM, Bret Wortman wrote: >> I put excerpts from the ca logs in http://pastebin.com/gYgskU79. It looks >> logical to me, but I can't spot anything that looks like a root cause error. >> The selftests are all okay, I think. The debug log might have something, but >> it might also just be complaining about ldap not being up because it's not. >> >> >> On 04/27/2016 01:11 PM, Rob Crittenden wrote: >>> Bret Wortman wrote: >>>> So in lieu of fixing these certs, is there an acceptable way to dump >>>> them all and start over /without losing the contents of the IPA >>>> database/? Or otherwise really screwing ourselves? >>> >>> I don't believe there is a way. >>> >>>> We have a replica that's still up and running and we've switched >>>> everyone over to talking to it, but we're at risk with just the one. >>> >>> I'd ignore the two unknown certs for now. They look like someone was >>> experimenting with issuing a cert and didn't quite get things working. >>> >>> The CA seems to be throwing an error. I'd check the syslog for messages from >>> certmonger and look at the CA debug log and selftest log.
>>> >>> rob >>> >> [snip] >> > > > -- Petr Vobornik From Terry.John at completeautomotivesolutions.co.uk Thu Apr 28 15:17:34 2016 From: Terry.John at completeautomotivesolutions.co.uk (Terry John) Date: Thu, 28 Apr 2016 15:17:34 +0000 Subject: [Freeipa-users] Announcing SSSD 1.13.4 In-Reply-To: <20160428125610.GL3149@10.4.128.1> References: <20160414151708.GW15447@hendrix.redhat.com> <20160428125610.GL3149@10.4.128.1> Message-ID: >>I am plagued by the "sssd dereference processing failed : Input/output error" >>problem. Is there any news when this version of sssd will be released for RedHat/Centos? >If you are interested in testing of sssd-1.13.4 then you can test upstream(backported from fedora) version in copr. >https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-13/ Ok thanks I'll see if I can give it a try Terry
From schogan at us.ibm.com Thu Apr 28 15:20:44 2016 From: schogan at us.ibm.com (Sean Hogan) Date: Thu, 28 Apr 2016 08:20:44 -0700 Subject: [Freeipa-users] IPA vulnerability management SSL In-Reply-To: <5721F536.1000807@redhat.com> References: <201604270527.u3R5RvrE005517@d03av01.boulder.ibm.com><6c44a1aa-b1d5-cd85-fc64-38b38d8a1e4b@redhat.com><201604272324.u3RNOR6U009479@d01av01.pok.ibm.com><2c9f4e2c-f86d-75a8-2f9f-c8f57284f7d6@redhat.com><5721F34C.9010107@redhat.com> <5721F536.1000807@redhat.com> Message-ID: <201604281520.u3SFKsQB027852@d03av03.boulder.ibm.com> Yes sir. I am stopping DS with ipactl stop before making changes. I often have to really play with the ciphers, because many times when I restart DS I get unknown cipher and IPA fails to start. I go back into dse.ldif and modify it until it comes back up. Sean Hogan Security Engineer Watson Security & Risk Assurance Watson Cloud Technology and Support email: schogan at us.ibm.com | Tel 919 486 1397 From: Ludwig Krispenz To: freeipa-users at redhat.com, Noriko Hosoi Date: 04/28/2016 04:46 AM Subject: Re: [Freeipa-users] IPA vulnerability management SSL Sent by: freeipa-users-bounces at redhat.com Wanted to add Noriko, but hit send too quickly. On 04/28/2016 01:26 PM, Ludwig Krispenz wrote: > > On 04/28/2016 12:06 PM, Martin Kosek wrote: >> On 04/28/2016 01:23 AM, Sean Hogan wrote: >>> Hi Martin, >>> >>> No joy on placing - in front of the RC4s >>> >>> >>> I modified my nss.conf to now read >>> # SSL 3 ciphers. SSL 2 is disabled by default. >>> NSSCipherSuite >>> +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha >>> >>> >>> # SSL Protocol: >>> # Cryptographic protocols that provide communication security.
>>> # NSS handles the specified protocols as "ranges", and automatically >>> # negotiates the use of the strongest protocol for a connection >>> starting >>> # with the maximum specified protocol and downgrading as necessary >>> to the >>> # minimum specified protocol that can be used between two processes. >>> # Since all protocol ranges are completely inclusive, and no >>> protocol in the >>> NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 >>> >>> dse.ldif >>> >>> dn: cn=encryption,cn=config >>> objectClass: top >>> objectClass: nsEncryptionConfig >>> cn: encryption >>> nsSSLSessionTimeout: 0 >>> nsSSLClientAuth: allowed >>> nsSSL2: off >>> nsSSL3: off >>> creatorsName: cn=server,cn=plugins,cn=config >>> modifiersName: cn=directory manager >>> createTimestamp: 20150420131850Z >>> modifyTimestamp: 20150420131906Z >>> nsSSL3Ciphers: >>> +all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4 >>> _56_sha,-tls_dhe_dss_1024_rc4_sha >>> numSubordinates: 1 >>> >>> >>> >>> But I still get this with nmap.. I thought the above would remove >>> -tls_rsa_export1024_with_rc4_56_sha but still showing. Is it the >>> fact that I am not >>> offering -tls_rsa_export1024_with_rc4_56_sha? If so.. not really >>> understanding >>> where it is coming from cept the +all from DS but the - should be >>> negating that? >>> >>> Starting Nmap 5.51 ( http://nmap.org ) at >>> 2016-04-27 17:37 EDT >>> Nmap scan report for rtpvxl0077.watson.local (10.110.76.242) >>> Host is up (0.000086s latency). 
>>> PORT STATE SERVICE >>> 636/tcp open ldapssl >>> | ssl-enum-ciphers: >>> | TLSv1.2 >>> | Ciphers (13) >>> | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA >>> | SSL_RSA_FIPS_WITH_DES_CBC_SHA >>> | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA >>> | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA >>> | TLS_RSA_WITH_3DES_EDE_CBC_SHA >>> | TLS_RSA_WITH_AES_128_CBC_SHA >>> | TLS_RSA_WITH_AES_128_CBC_SHA256 >>> | TLS_RSA_WITH_AES_128_GCM_SHA256 >>> | TLS_RSA_WITH_AES_256_CBC_SHA >>> | TLS_RSA_WITH_AES_256_CBC_SHA256 >>> | TLS_RSA_WITH_DES_CBC_SHA >>> | TLS_RSA_WITH_RC4_128_MD5 >>> | TLS_RSA_WITH_RC4_128_SHA >>> | Compressors (1) >>> |_ uncompressed >>> >>> Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds >>> >>> >>> >>> It seems no matter what config I put into nss.conf or dse.ldif >>> nothing changes >>> with my nmap results. Is there supposed to be a section to add >>> TLS ciphers >>> instead of SSL >> Not sure now, CCing Ludwig who was involved in the original RHEL-6 >> implementation. > If I remember correctly we did the change in default ciphers and the > option for handling in 389-ds > 1.3.3, so it would not be in RHEL6, > adding Noriko to get confirmation. > > but the below comments about changing ciphers in dse.ldif could help > in using the "old" way to set ciphers >> Just to be sure, when you are modifying dse.ldif, the procedure >> should always be the following: >> >> 1) Stop Directory Server service >> 2) Modify dse.ldif >> 3) Start Directory Server service >> >> Otherwise it won't get applied and will get overwritten later. >> >> In any case, the ciphers with RHEL-6 should be secure enough, the >> ones in >> FreeIPA 4.3.1 should be even better. This is for example an nmap >> taken on >> FreeIPA Demo instance that runs on FreeIPA 4.3.1: >> >> $ nmap --script ssl-enum-ciphers -p 636 ipa.demo1.freeipa.org >> >> Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-28 12:02 CEST >> Nmap scan report for ipa.demo1.freeipa.org (209.132.178.99) >> Host is up (0.18s latency).
>> PORT STATE SERVICE >> 636/tcp open ldapssl >> | ssl-enum-ciphers: >> | TLSv1.2: >> | ciphers: >> | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A >> | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A >> | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A >> | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A >> | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A >> | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A >> | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A >> | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A >> | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A >> | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A >> | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A >> | TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A >> | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A >> | TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A >> | compressors: >> | NULL >> | cipher preference: server >> |_ least strength: A >> >> Nmap done: 1 IP address (1 host up) scanned in 21.12 seconds >> >> Martin -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
From pvoborni at redhat.com Thu Apr 28 15:21:35 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 28 Apr 2016 17:21:35 +0200 Subject: [Freeipa-users] is it possible to use 'ipa-replica' to sync user between different suffix AD and IPA domain? In-Reply-To: References: Message-ID: <410229fc-04a8-9774-6759-6881cb996765@redhat.com> On 04/28/2016 04:44 PM, Matrix wrote: > Hi, all > > I am trying to do a centralized solution > > AD domain is 'examplemedia.net' > > IPA domain is 'example.net' > > After ipa-replica has been established, I found that nothing has been synced > from AD to IPA. > > IPA version: ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64 > > I doubt whether a different suffix is supported? If so, can anyone show me some > hint to investigate more? > > Thanks for your kind help. > > Matrix Hello, what is your goal and current setup? By "ipa-replica has been established" do you mean that you installed a new currently standalone IPA server? And connected it somehow with AD? Or did you run `ipa-replica-manage connect --winsync ...` It would be good to mention that IPA server[1] cannot be a replica of an AD server. But it can integrate with it. Either by using winsync (synchronization) or the recommended solution: Trusts [2].
Documentation: [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html [2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pt02.html HTH -- Petr Vobornik From dsullivan2 at bsd.uchicago.edu Wed Apr 27 18:58:35 2016 From: dsullivan2 at bsd.uchicago.edu (Sullivan, Daniel [AAA]) Date: Wed, 27 Apr 2016 18:58:35 +0000 Subject: [Freeipa-users] Quick question regarding modifying attributes Message-ID: <4D672522-7239-4023-8BA6-B2A15152A4D9@bsd.uchicago.edu> Hi, I have a trusted AD domain whose objects I am enumerating via IPA. I wanted to know if I should be able to manipulate the uidNumber and gidNumber stored in the default ID view by using the ldapmodify command, for example, for this DN (not local): uid=user at domain.edu,cn=users,cn=compat,dc=ipatst,dc=cri,dc=uchicago,dc=edu Should it be possible to modify this via IPA's LDAP implementation (using ldapmodify)? I appreciate you taking the time to answer my question. Thank you, Dan Sullivan
From matrix.zj at qq.com Thu Apr 28 15:30:09 2016
From: matrix.zj at qq.com (Matrix)
Date: Thu, 28 Apr 2016 23:30:09 +0800
Subject: [Freeipa-users] is it possible to use 'ipa-replica' to sync user between different suffix AD and IPA domain?
In-Reply-To: <410229fc-04a8-9774-6759-6881cb996765@redhat.com>

Hi, Petr

Thanks for your quick reply.

I want to integrate linux servers with existing AD, centralized manage HBAC/Sudo rules. So i have setup a standalone IPA server with domain 'example.net', trying to sync users from existing AD to it with following cmd:

ipa-replica-manage connect --winsync --binddn="cn=ipa,cn=users,dc=examplemedia,dc=net" --bindpw='XXXX' --passsync='XXXX' --cacert='/etc/openldap/cacerts/ipaad.cer' --win-subtree='ou=users,dc=examplemedia,dc=net' -v ipaad.examplemedia.net

After it has been successfully established, users in AD did not sync to IPA.

For 'trusts' integration method, since user did not sync to IPA at all, how to set sudo/HBAC rules for users? I have not tried it.

Matrix

------------------ Original ------------------
From: "Petr Vobornik";
Date: Thu, Apr 28, 2016 11:21 PM
To: "Matrix"; "freeipa-users";
Subject: Re: [Freeipa-users] is it possible to use 'ipa-replica' to sync user between different suffix AD and IPA domain?

On 04/28/2016 04:44 PM, Matrix wrote:
> Hi, all
>
> I am trying to do a centralized solution
>
> AD domain is 'examplemedia.net'
>
> IPA domain is 'example.net'
>
> After ipa-replica has been established, i found that nothing has been synced
> from AD to IPA.
>
> IPA version: ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>
> I doubt that for different suffix is supported? If so, anyone can show some
> hint for me to investigate more?
>
> Thanks for your kindly help.
>
> Matrix

Hello,

what is your goal and current setup?

By "ipa-replica has been established" do you mean that you installed a new currently standalone IPA server? And connected it somehow with AD? Or did you run `ipa-replica-manage connect --winsync ...`

It would be good to mention that IPA server[1] cannot be a replica of an AD server. But it can integrate with it. Either by using winsync(synchronization) or the recommended solution: Trusts [2].

Documentation:
[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html
[2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pt02.html

HTH
--
Petr Vobornik

From schogan at us.ibm.com Thu Apr 28 15:34:34 2016
From: schogan at us.ibm.com (Sean Hogan)
Date: Thu, 28 Apr 2016 08:34:34 -0700
Subject: [Freeipa-users] IPA vulnerability management SSL
In-Reply-To: <5721F536.1000807@redhat.com>

Tenable is barking about the following.. only listing 636 but the same applies for 389

Plugin ID: 65821
Port 636
Synopsis: The remote service supports the use of the RC4 cipher.
Description: The remote host supports the use of RC4 in one or more cipher suites. The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of small biases are introduced into the stream, decreasing its randomness.

And 636 and 389 for

Plugin ID: 81606
port 389
Synopsis: The remote host supports a set of weak ciphers.
Description: The remote host supports EXPORT_RSA cipher suites with keys less than or equal to 512 bits.
An attacker can factor a 512-bit RSA modulus in a short amount of time. A man-in-the-middle attacker may be able to downgrade the session to use EXPORT_RSA cipher suites (e.g. CVE-2015-0204). Thus, it is recommended to remove support for weak cipher suites.

This is why I was trying to remove -tls_rsa_export1024_with_rc4_56_sha

Sean Hogan

From: Sean Hogan/Durham/IBM
To: Ludwig Krispenz
Cc: freeipa-users at redhat.com, Noriko Hosoi
Date: 04/28/2016 08:20 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL

Yes sir.. I am stopping DS with ipactl stop before making changes.. I often times have to really play with the ciphers cause many times when I restart DS I get unknown cipher and IPA fails to start. Go back into dse.ldif and modify til it comes back up.

Sean Hogan
Security Engineer
Watson Security & Risk Assurance
Watson Cloud Technology and Support
email: schogan at us.ibm.com | Tel 919 486 1397

From: Ludwig Krispenz
To: freeipa-users at redhat.com, Noriko Hosoi
Date: 04/28/2016 04:46 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL
Sent by: freeipa-users-bounces at redhat.com

wanted to add Noriko, but hit send too quickly

On 04/28/2016 01:26 PM, Ludwig Krispenz wrote:
>
> On 04/28/2016 12:06 PM, Martin Kosek wrote:
>> On 04/28/2016 01:23 AM, Sean Hogan wrote:
>>> Hi Martin,
>>>
>>> No joy on placing - in front of the RC4s
>>>
>>>
>>> I modified my nss.conf to now read
>>> # SSL 3 ciphers. SSL 2 is disabled by default.
>>> NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha
>>>
>>>
>>> # SSL Protocol:
>>> # Cryptographic protocols that provide communication security.
>>> # NSS handles the specified protocols as "ranges", and automatically
>>> # negotiates the use of the strongest protocol for a connection starting
>>> # with the maximum specified protocol and downgrading as necessary to the
>>> # minimum specified protocol that can be used between two processes.
>>> # Since all protocol ranges are completely inclusive, and no protocol in the
>>> NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>>>
>>> dse.ldif
>>>
>>> dn: cn=encryption,cn=config
>>> objectClass: top
>>> objectClass: nsEncryptionConfig
>>> cn: encryption
>>> nsSSLSessionTimeout: 0
>>> nsSSLClientAuth: allowed
>>> nsSSL2: off
>>> nsSSL3: off
>>> creatorsName: cn=server,cn=plugins,cn=config
>>> modifiersName: cn=directory manager
>>> createTimestamp: 20150420131850Z
>>> modifyTimestamp: 20150420131906Z
>>> nsSSL3Ciphers: +all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha
>>> numSubordinates: 1
>>>
>>>
>>>
>>> But I still get this with nmap.. I thought the above would remove
>>> -tls_rsa_export1024_with_rc4_56_sha but still showing. Is it the
>>> fact that I am not offering -tls_rsa_export1024_with_rc4_56_sha? If so.. not really
>>> understanding where it is coming from cept the +all from DS but the - should be
>>> negating that?
>>>
>>> Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 17:37 EDT
>>> Nmap scan report for rtpvxl0077.watson.local (10.110.76.242)
>>> Host is up (0.000086s latency).
>>> PORT STATE SERVICE
>>> 636/tcp open ldapssl
>>> | ssl-enum-ciphers:
>>> | TLSv1.2
>>> | Ciphers (13)
>>> | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
>>> | SSL_RSA_FIPS_WITH_DES_CBC_SHA
>>> | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
>>> | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
>>> | TLS_RSA_WITH_3DES_EDE_CBC_SHA
>>> | TLS_RSA_WITH_AES_128_CBC_SHA
>>> | TLS_RSA_WITH_AES_128_CBC_SHA256
>>> | TLS_RSA_WITH_AES_128_GCM_SHA256
>>> | TLS_RSA_WITH_AES_256_CBC_SHA
>>> | TLS_RSA_WITH_AES_256_CBC_SHA256
>>> | TLS_RSA_WITH_DES_CBC_SHA
>>> | TLS_RSA_WITH_RC4_128_MD5
>>> | TLS_RSA_WITH_RC4_128_SHA
>>> | Compressors (1)
>>> |_ uncompressed
>>>
>>> Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
>>>
>>>
>>>
>>> It seems no matter what config I put into nss.conf or dse.ldif nothing changes
>>> with my nmap results. Is there supposed to be a section to add TLS ciphers
>>> instead of SSL
>> Not sure now, CCing Ludwig who was involved in the original RHEL-6
>> implementation.
> If I remember correctly we did the change in default ciphers and the
> option for handling in 389-ds > 1.3.3, so it would not be in RHEL6,
> adding Noriko to get confirmation.
>
> but the below comments about changing ciphers in dse.ldif could help
> in using the "old" way to set ciphers
>> Just to be sure, when you are modifying dse.ldif, the procedure
>> should be always following:
>>
>> 1) Stop Directory Server service
>> 2) Modify dse.ldif
>> 3) Start Directory Server service
>>
>> Otherwise it won't get applied and will get overwritten later.
>>
>> In any case, the ciphers with RHEL-6 should be secure enough, the ones in
>> FreeIPA 4.3.1 should be even better. This is for example an nmap taken on
>> FreeIPA Demo instance that runs on FreeIPA 4.3.1:
>>
>> $ nmap --script ssl-enum-ciphers -p 636 ipa.demo1.freeipa.org
>>
>> Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-28 12:02 CEST
>> Nmap scan report for ipa.demo1.freeipa.org (209.132.178.99)
>> Host is up (0.18s latency).
>> PORT STATE SERVICE
>> 636/tcp open ldapssl
>> | ssl-enum-ciphers:
>> | TLSv1.2:
>> | ciphers:
>> | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
>> | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
>> | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
>> | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
>> | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
>> | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
>> | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
>> | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
>> | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
>> | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
>> | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
>> | TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
>> | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
>> | TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
>> | compressors:
>> | NULL
>> | cipher preference: server
>> |_ least strength: A
>>
>> Nmap done: 1 IP address (1 host up) scanned in 21.12 seconds
>>
>> Martin
>

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
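The open question in Sean's thread is whether a dse.ldif change actually removed the RC4 and EXPORT suites that Tenable reported. The script below is an added example (editor-written, not code from the thread, FreeIPA or 389-ds) that parses nmap ssl-enum-ciphers output in both layouts quoted above (5.51 and 7.12), flags the suites Tenable plugins 65821 (RC4) and 81606 (EXPORT) report plus DES, 3DES, NULL, anonymous and MD5 suites, and diffs a before/after scan so a restart can be verified instead of eyeballed. The sample scan text is constructed from the thread's own output; nothing else is assumed.

```python
"""Flag weak TLS suites in nmap ssl-enum-ciphers output and diff two scans (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the nmap 5.51 layout quoted in the thread (subset of the 13 suites).
SAMPLE_SCAN_OLD = """\
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (6)
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|       TLS_RSA_WITH_AES_128_GCM_SHA256
|       TLS_RSA_WITH_DES_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|     Compressors (1)
|_      uncompressed
"""

# Constructed sample in the nmap 7.12 layout (the FreeIPA 4.3.1 demo scan in the thread).
SAMPLE_SCAN_NEW = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
"""

# Protocol header: "TLSv1.2" (old layout) or "TLSv1.2:" (new layout).
PROTO_RE = re.compile(r"^(SSLv\d|TLSv\d(?:\.\d)?):?$")
# Suite name; the new layout appends "(kex) - grade", which is ignored here.
SUITE_RE = re.compile(r"^((?:TLS|SSL)_[A-Z0-9_]+)")

# (reason, pattern matched against the suite name). Patterns use the IANA-style
# "_WITH_" naming nmap prints, so "_WITH_DES_" does not also match "_WITH_3DES_".
WEAK_CHECKS = [
    ("RC4 (biased keystream; Tenable plugin 65821)", re.compile(r"_RC4_")),
    ("EXPORT-grade key exchange (Tenable plugin 81606)", re.compile(r"_EXPORT")),
    ("single DES (56-bit key)", re.compile(r"_WITH_DES_")),
    ("3DES (64-bit block cipher)", re.compile(r"_3DES_")),
    ("NULL encryption", re.compile(r"_WITH_NULL_")),
    ("anonymous key exchange", re.compile(r"_anon_", re.IGNORECASE)),
    ("MD5 MAC", re.compile(r"_MD5$")),
]


def parse_enum_ciphers(scan_output: str) -> Dict[str, List[str]]:
    """Return {protocol: [suite, ...]} from either nmap layout; other lines are skipped."""
    suites: Dict[str, List[str]] = {}
    proto = None
    for raw in scan_output.splitlines():
        line = raw.strip().lstrip("|_").strip()  # drop the "| " / "|_" script gutter
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            suites.setdefault(proto, [])
            continue
        m = SUITE_RE.match(line)
        if m and proto is not None:
            suites[proto].append(m.group(1))
    return suites


def weakness_reasons(suite: str) -> List[str]:
    """Every WEAK_CHECKS reason the suite name trips; an empty list means not flagged."""
    return [reason for reason, pat in WEAK_CHECKS if pat.search(suite)]


def audit(scan_output: str) -> List[Tuple[str, str, List[str]]]:
    """(protocol, suite, reasons) for each flagged suite, in the order nmap listed them."""
    findings = []
    for proto, names in parse_enum_ciphers(scan_output).items():
        for name in names:
            reasons = weakness_reasons(name)
            if reasons:
                findings.append((proto, name, reasons))
    return findings


def weak_suites(scan_output: str) -> List[str]:
    """Sorted, de-duplicated flagged suite names: what a scanner would report."""
    return sorted({name for _, name, _ in audit(scan_output)})


def compare_scans(before: str, after: str) -> Tuple[List[str], List[str], List[str]]:
    """(removed, still_offered, introduced) weak suites between two scans of one port."""
    old, new = set(weak_suites(before)), set(weak_suites(after))
    return sorted(old - new), sorted(old & new), sorted(new - old)


def main() -> None:
    for label, scan in (("old layout", SAMPLE_SCAN_OLD), ("new layout", SAMPLE_SCAN_NEW)):
        print(f"== {label}")
        for proto, name, reasons in audit(scan):
            print(f"  {proto} {name}: {'; '.join(reasons)}")
    removed, still, introduced = compare_scans(SAMPLE_SCAN_OLD, SAMPLE_SCAN_NEW)
    print("removed:", removed, "still offered:", still, "introduced:", introduced)


if __name__ == "__main__":
    main()
```

Run it against `nmap --script ssl-enum-ciphers -p 636 <host>` output saved before and after a change; a non-empty "still offered" list means the change did not reach the listener.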
From mrorourke at earthlink.net Thu Apr 28 15:36:45 2016
From: mrorourke at earthlink.net (Michael ORourke)
Date: Thu, 28 Apr 2016 11:36:45 -0400 (GMT-04:00)
Subject: [Freeipa-users] AD Integration - /etc/krb5.conf requirements
Message-ID: <30726621.1461857806448.JavaMail.wam@elwamui-norfolk.atl.sa.earthlink.net>

I'm just looking for some clarification from the documentation:
http://www.freeipa.org/page/Active_Directory_trust_setup

In the section that starts with "Edit /etc/krb5.conf", they mention a manual configuration to the krb5.conf file for machines that will be leveraging AD users:

[realms]
IPA_DOMAIN = {
....
 auth_to_local = RULE:[1:$1@$0](^.*@AD_DOMAIN$)s/@AD_DOMAIN/@ad_domain/
 auth_to_local = DEFAULT
}

Is this still required for sssd 1.13.0 and above?

Thanks,
Mike

From abokovoy at redhat.com Thu Apr 28 15:49:30 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 28 Apr 2016 18:49:30 +0300
Subject: [Freeipa-users] AD Integration - /etc/krb5.conf requirements
In-Reply-To: <30726621.1461857806448.JavaMail.wam@elwamui-norfolk.atl.sa.earthlink.net>
Message-ID: <20160428154930.kw5hyyxr2tfdj2xy@redhat.com>

On Thu, 28 Apr 2016, Michael ORourke wrote:
>I'm just looking for some clarification from the documentation:
>http://www.freeipa.org/page/Active_Directory_trust_setup
>
>In the section that starts with "Edit /etc/krb5.conf", they mention a manual configuration to the krb5.conf file for machines that will be leveraging AD users:
>[realms]
>IPA_DOMAIN = {
>....
> auth_to_local = RULE:[1:$1@$0](^.*@AD_DOMAIN$)s/@AD_DOMAIN/@ad_domain/
> auth_to_local = DEFAULT
>}
>
>Is this still required for sssd 1.13.0 and above?

The actual requirement is MIT Kerberos 1.12+ where localauth plugin support was added. Then, of course, SSSD with localauth plugin implementation, which is SSSD 1.12.1+.
--
/ Alexander Bokovoy

From bret.wortman at damascusgrp.com Thu Apr 28 15:49:47 2016
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Thu, 28 Apr 2016 11:49:47 -0400
Subject: [Freeipa-users] IPA server having cert issues
In-Reply-To: <2dac740d-a1fe-5579-6841-d410ee0ec5fc@redhat.com>
Message-ID: <5722311B.7040806@damascusgrp.com>

My system shows pki-server is installed and V10.2.1-3.fc21, but I don't have the pki-server binary itself. Will reinstalling this rpm hurt me in any way? Without it, I'm not sure how to check my system against the messages you provided below.

On 04/28/2016 11:07 AM, Petr Vobornik wrote:
> On 04/28/2016 04:07 PM, Bret Wortman wrote:
>> Okay. This morning, I turned back time to 4/1 and started up IPA. It didn't
>> work, but I got something new and interesting in the debug log, which I've
>> posted to http://pastebin.com/M9VGCS8A. Lots of garbled junk came pouring out
>> which doesn't happen when I'm set to real time. Is /this/ significant?
> Anything in
> systemctl status pki-tomcatd@pki-tomcat.service
> or rather:
> journalctl -u pki-tomcatd@pki-tomcat.service
> ?
>
> Just to be sure, it might be also worth to check if CA subsystem users
> have correct certs assigned:
> * https://www.redhat.com/archives/freeipa-users/2016-April/msg00138.html
> * https://www.redhat.com/archives/freeipa-users/2016-April/msg00143.html
>
>>
>> On 04/27/2016 02:24 PM, Bret Wortman wrote:
>>> I put excerpts from the ca logs in http://pastebin.com/gYgskU79. It looks
>>> logical to me, but I can't spot anything that looks like a root cause error.
>>> The selftests are all okay, I think. The debug log might have something, but
>>> it might also just be complaining about ldap not being up because it's not.
>>>
>>>
>>> On 04/27/2016 01:11 PM, Rob Crittenden wrote:
>>>> Bret Wortman wrote:
>>>>> So in lieu of fixing these certs, is there an acceptable way to dump
>>>>> them all and start over /without losing the contents of the IPA
>>>>> database/? Or otherwise really screwing ourselves?
>>>> I don't believe there is a way.
>>>>
>>>>> We have a replica that's still up and running and we've switched
>>>>> everyone over to talking to it, but we're at risk with just the one.
>>>> I'd ignore the two unknown certs for now. They look like someone was
>>>> experimenting with issuing a cert and didn't quite get things working.
>>>>
>>>> The CA seems to be throwing an error. I'd check the syslog for messages from
>>>> certmonger and look at the CA debug log and selftest log.
>>>>
>>>> rob
>>>>
>>> [snip]
>>>
>>
>>
>

From abokovoy at redhat.com Thu Apr 28 15:58:58 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 28 Apr 2016 18:58:58 +0300
Subject: [Freeipa-users] AD Integration - /etc/krb5.conf requirements
In-Reply-To: <20160428154930.kw5hyyxr2tfdj2xy@redhat.com>
Message-ID: <20160428155858.3xhrv2gcqtqkqwwe@redhat.com>

On Thu, 28 Apr 2016, Alexander Bokovoy wrote:
>On Thu, 28 Apr 2016, Michael ORourke wrote:
>>I'm just looking for some clarification from the documentation:
>>http://www.freeipa.org/page/Active_Directory_trust_setup
>>
>>In the section that starts with "Edit /etc/krb5.conf", they mention a manual configuration to the krb5.conf file for machines that will be leveraging AD users:
>>[realms]
>>IPA_DOMAIN = {
>>....
>> auth_to_local = RULE:[1:$1@$0](^.*@AD_DOMAIN$)s/@AD_DOMAIN/@ad_domain/
>> auth_to_local = DEFAULT
>>}
>>
>>Is this still required for sssd 1.13.0 and above?
>The actual requirement is MIT Kerberos 1.12+ where localauth plugin
>support was added. Then, of course, SSSD with localauth plugin
>implementation, which is SSSD 1.12.1+.

I've updated the section http://www.freeipa.org/page/Active_Directory_trust_setup#Edit_.2Fetc.2Fkrb5.conf with the information about SSSD support for localauth plugin.

Thanks for reporting it, Michael!
--
/ Alexander Bokovoy

From pvoborni at redhat.com Thu Apr 28 16:04:30 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 28 Apr 2016 18:04:30 +0200
Subject: [Freeipa-users] IPA server having cert issues
In-Reply-To: <5722311B.7040806@damascusgrp.com>
Message-ID: <11f8848a-a71f-e98a-ac1c-6656f4cd4df1@redhat.com>

On 04/28/2016 05:49 PM, Bret Wortman wrote:
> My system shows pki-server is installed and V10.2.1-3.fc21, but I don't
> have the pki-server binary itself. Will reinstalling this rpm hurt me in
> any way? Without it, I'm not sure how to check my system against the
> messages you provided below.

Not sure what you mean. Running doesn't require any additional packages. It is just to get additional logs.

systemctl status pki-tomcatd@pki-tomcat.service
journalctl -u pki-tomcatd@pki-tomcat.service

And the links below are about checking if CA users have correctly mapped certificates in LDAP database in ou=people,o=ipaca for that you need only ldapsearch command and start directory server:

systemctl start dirsrv@YOUR-REALM-TEST.service

Proper name for dirsrv@YOUR-REALM-TEST.service can be found using:

systemctl | grep dirsrv@

>
> On 04/28/2016 11:07 AM, Petr Vobornik wrote:
>> On 04/28/2016 04:07 PM, Bret Wortman wrote:
>>> Okay. This morning, I turned back time to 4/1 and started up IPA.
>>> It didn't
>>> work, but I got something new and interesting in the debug log, which I've
>>> posted to http://pastebin.com/M9VGCS8A. Lots of garbled junk came pouring out
>>> which doesn't happen when I'm set to real time. Is /this/ significant?
>> Anything in
>> systemctl status pki-tomcatd@pki-tomcat.service
>> or rather:
>> journalctl -u pki-tomcatd@pki-tomcat.service
>> ?
>>
>> Just to be sure, it might be also worth to check if CA subsystem users
>> have correct certs assigned:
>> * https://www.redhat.com/archives/freeipa-users/2016-April/msg00138.html
>> * https://www.redhat.com/archives/freeipa-users/2016-April/msg00143.html
>>
>>>
>>> On 04/27/2016 02:24 PM, Bret Wortman wrote:
>>>> I put excerpts from the ca logs in http://pastebin.com/gYgskU79. It looks
>>>> logical to me, but I can't spot anything that looks like a root cause error.
>>>> The selftests are all okay, I think. The debug log might have something, but
>>>> it might also just be complaining about ldap not being up because it's not.
>>>>
>>>>
>>>> On 04/27/2016 01:11 PM, Rob Crittenden wrote:
>>>>> Bret Wortman wrote:
>>>>>> So in lieu of fixing these certs, is there an acceptable way to dump
>>>>>> them all and start over /without losing the contents of the IPA
>>>>>> database/? Or otherwise really screwing ourselves?
>>>>> I don't believe there is a way.
>>>>>
>>>>>> We have a replica that's still up and running and we've switched
>>>>>> everyone over to talking to it, but we're at risk with just the one.
>>>>> I'd ignore the two unknown certs for now. They look like someone was
>>>>> experimenting with issuing a cert and didn't quite get things working.
>>>>>
>>>>> The CA seems to be throwing an error. I'd check the syslog for messages from
>>>>> certmonger and look at the CA debug log and selftest log.
>>>>>
>>>>> rob
>>>>>
>>>> [snip]
>>>>
>>>
>>>
>>
>

--
Petr Vobornik

From bret.wortman at damascusgrp.com Thu Apr 28 16:15:16 2016
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Thu, 28 Apr 2016 12:15:16 -0400
Subject: [Freeipa-users] IPA server having cert issues
In-Reply-To: <11f8848a-a71f-e98a-ac1c-6656f4cd4df1@redhat.com>
Message-ID: <57223714.60500@damascusgrp.com>

Okay. I got hung up on the first link doing some checking using pki-server. I don't see any reference to ldapsearch in either message, but I'll do what I can.

On 04/28/2016 12:04 PM, Petr Vobornik wrote:
> On 04/28/2016 05:49 PM, Bret Wortman wrote:
>> My system shows pki-server is installed and V10.2.1-3.fc21, but I don't
>> have the pki-server binary itself. Will reinstalling this rpm hurt me in
>> any way? Without it, I'm not sure how to check my system against the
>> messages you provided below.
> Not sure what you mean. Running doesn't require any additional packages.
> It is just to get additional logs.
> systemctl status pki-tomcatd@pki-tomcat.service
> journalctl -u pki-tomcatd@pki-tomcat.service
>
> And the links below are about checking if CA users have correctly mapped
> certificates in LDAP database in ou=people,o=ipaca for that you need
> only ldapsearch command and start directory server:
> systemctl start dirsrv@YOUR-REALM-TEST.service
>
> Proper name for dirsrv@YOUR-REALM-TEST.service can be found using:
> systemctl | grep dirsrv@
>
>
>> On 04/28/2016 11:07 AM, Petr Vobornik wrote:
>>> On 04/28/2016 04:07 PM, Bret Wortman wrote:
>>>> Okay. This morning, I turned back time to 4/1 and started up IPA. It didn't
>>>> work, but I got something new and interesting in the debug log, which I've
>>>> posted to http://pastebin.com/M9VGCS8A. Lots of garbled junk came pouring out
>>>> which doesn't happen when I'm set to real time. Is /this/ significant?
>>> Anything in
>>> systemctl status pki-tomcatd@pki-tomcat.service
>>> or rather:
>>> journalctl -u pki-tomcatd@pki-tomcat.service
>>> ?
>>>
>>> Just to be sure, it might be also worth to check if CA subsystem users
>>> have correct certs assigned:
>>> * https://www.redhat.com/archives/freeipa-users/2016-April/msg00138.html
>>> * https://www.redhat.com/archives/freeipa-users/2016-April/msg00143.html
>>>
>>>> On 04/27/2016 02:24 PM, Bret Wortman wrote:
>>>>> I put excerpts from the ca logs in http://pastebin.com/gYgskU79. It looks
>>>>> logical to me, but I can't spot anything that looks like a root cause error.
>>>>> The selftests are all okay, I think. The debug log might have something, but
>>>>> it might also just be complaining about ldap not being up because it's not.
>>>>>
>>>>>
>>>>> On 04/27/2016 01:11 PM, Rob Crittenden wrote:
>>>>>> Bret Wortman wrote:
>>>>>>> So in lieu of fixing these certs, is there an acceptable way to dump
>>>>>>> them all and start over /without losing the contents of the IPA
>>>>>>> database/?
>>>>>>> Or otherwise really screwing ourselves?
>>>>>> I don't believe there is a way.
>>>>>>
>>>>>>> We have a replica that's still up and running and we've switched
>>>>>>> everyone over to talking to it, but we're at risk with just the one.
>>>>>> I'd ignore the two unknown certs for now. They look like someone was
>>>>>> experimenting with issuing a cert and didn't quite get things working.
>>>>>>
>>>>>> The CA seems to be throwing an error. I'd check the syslog for messages from
>>>>>> certmonger and look at the CA debug log and selftest log.
>>>>>>
>>>>>> rob
>>>>>>
>>>>> [snip]
>>>>>
>>>>
>

From jhrozek at redhat.com Thu Apr 28 16:29:33 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 28 Apr 2016 18:29:33 +0200
Subject: [Freeipa-users] Quick question regarding modifying attributes
In-Reply-To: <4D672522-7239-4023-8BA6-B2A15152A4D9@bsd.uchicago.edu>
Message-ID: <20160428162933.GZ12779@hendrix>

On Wed, Apr 27, 2016 at 06:58:35PM +0000, Sullivan, Daniel [AAA] wrote:
> Hi,
>
> I have a trusted AD domain that I am enumerating objects via IPA. I wanted to know if I should be able to manipulate the uidNumber and gidNumber stored in the default ID view by using the ldapmodify command, for example, for this DN (not local):
>
> uid=user@domain.edu,cn=users,cn=compat,dc=ipatst,dc=cri,dc=uchicago,dc=edu

The compat tree is autogenerated and can't be modified. If you want ID views to be applicable to clients using the compat tree, you can define the overrides using the standard IPA CLI tools in the "default Trust View", because that one is applied on the server itself and the compat tree is autogenerated from the data that SSSD on the server delivers.
From bret.wortman at damascusgrp.com Thu Apr 28 16:30:58 2016
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Thu, 28 Apr 2016 12:30:58 -0400
Subject: [Freeipa-users] IPA server having cert issues
In-Reply-To: <11f8848a-a71f-e98a-ac1c-6656f4cd4df1@redhat.com>
Message-ID: <57223AC2.4020603@damascusgrp.com>

Look, I'll be honest. When IPA is in this much of a knot, I don't know how to do the simplest things with its various components. For example, I've no clue how to search the ldap database for anything. Or even how to authenticate since Kerberos isn't running. IPA has sheltered me from ldap for so long that it's a problem at times like this.

That being said, here are the things I /was/ able to handle:

Apr 01 11:02:40 zsipa.private.net server[6896]: Java virtual machine used: /usr/lib/jvm/jre/bin/java
Apr 01 11:02:40 zsipa.private.net server[6896]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.j
Apr 01 11:02:40 zsipa.private.net server[6896]: main class used: org.apache.catalina.startup.Bootstrap
Apr 01 11:02:40 zsipa.private.net server[6896]: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy
Apr 01 11:02:40 zsipa.private.net server[6896]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.
Apr 01 11:02:40 zsipa.private.net server[6896]: arguments used: start
Apr 01 11:02:40 zsipa.private.net server[6896]: Apr 01, 2016 11:02:40 AM org.apache.catalina.startup.ClassLoaderFactory validateFile
Apr 01 11:02:40 zsipa.private.net server[6896]: WARNING: Problem with JAR file [/var/lib/pki/pki-tomcat/lib/log4j.jar], exists: [false], canRead: [false]
Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matchi
Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://zsipa.private.net:9
Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCe
Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matc
Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not f
Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not
Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching
Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matc
Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=true,ssl3=true,tls=true
Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL
Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NUL
Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128
Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tom
Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/co
Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.ne
Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias
Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' di
Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2'
Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM org.apache.catalina.startup.SetAllPropertiesRule begin
Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AE
Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM org.apache.tomcat.util.digester.SetPropertiesRule begin
Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matc
Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM org.apache.tomcat.util.digester.SetPropertiesRule begin
Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a
Apr 01 11:02:42 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM org.apache.coyote.AbstractProtocol init
Apr 01 11:02:42 zsipa.private.net server[6896]: INFO: Initializing ProtocolHandler ["http-bio-8080"]
Apr 01 11:02:42 zsipa.private.net server[6896]: Apr 01, 2016 11:02:42 AM org.apache.coyote.AbstractProtocol init
Apr 01 11:02:42 zsipa.private.net server[6896]: INFO: Initializing ProtocolHandler ["http-bio-8443"]
Apr 01 11:02:42 zsipa.private.net server[6896]: Error: SSL cipher "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
Apr 01 11:02:42 zsipa.private.net server[6896]: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" not recognized by tomcatjss
Apr 01 11:02:42 zsipa.private.net server[6896]: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" not recognized by tomcatjss
Apr 01 11:02:42 zsipa.private.net server[6896]: Error: SSL cipher "TLS_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
Apr 01 11:02:42 zsipa.private.net server[6896]: Error: SSL cipher "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
Apr 01 11:02:42 zsipa.private.net server[6896]: Error: SSL cipher "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
Apr 01 11:02:42 zsipa.private.net server[6896]: Error: SSL cipher "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" unsupported by NSS
Apr 01 11:02:42 zsipa.private.net server[6896]:
Error: SSL cipher "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" unsupported by NSS Apr 01 11:02:42 zsipa.private.net server[6896]: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" unsupported by NSS Apr 01 11:02:42 zsipa.private.net server[6896]: Apr 01, 2016 11:02:42 AM org.apache.coyote.AbstractProtocol init Apr 01 11:02:42 zsipa.private.net server[6896]: INFO: Initializing ProtocolHandler ["ajp-bio-127.0.0.1-8009"] Apr 01 11:02:42 zsipa.private.net server[6896]: Apr 01, 2016 11:02:42 AM org.apache.catalina.startup.Catalina load Apr 01 11:02:42 zsipa.private.net server[6896]: INFO: Initialization processed in 988 ms Apr 01 11:02:42 zsipa.private.net server[6896]: Apr 01, 2016 11:02:42 AM org.apache.catalina.core.StandardService startInternal Apr 01 11:02:42 zsipa.private.net server[6896]: INFO: Starting service Catalina Apr 01 11:02:42 zsipa.private.net server[6896]: Apr 01, 2016 11:02:42 AM org.apache.catalina.core.StandardEngine startInternal Apr 01 11:02:42 zsipa.private.net server[6896]: INFO: Starting Servlet Engine: Apache Tomcat/7.0.59 Apr 01 11:02:42 zsipa.private.net server[6896]: Apr 01, 2016 11:02:42 AM org.apache.catalina.startup.HostConfig deployDescriptor Apr 01 11:02:42 zsipa.private.net server[6896]: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml Apr 01 11:02:43 zsipa.private.net server[6896]: Apr 01, 2016 11:02:43 AM org.apache.catalina.startup.HostConfig deployDescriptor Apr 01 11:02:43 zsipa.private.net server[6896]: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml has finished in 1,194 ms Apr 01 11:02:43 zsipa.private.net server[6896]: Apr 01, 2016 11:02:43 AM org.apache.catalina.startup.HostConfig deployDescriptor Apr 01 11:02:43 zsipa.private.net server[6896]: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml Apr 01 11:02:43 zsipa.private.net server[6896]: SSLAuthenticatorWithFallback: Creating SSL authenticator with 
fallback Apr 01 11:02:43 zsipa.private.net server[6896]: SSLAuthenticatorWithFallback: Setting container Apr 01 11:02:45 zsipa.private.net server[6896]: SSLAuthenticatorWithFallback: Initializing authenticators Apr 01 11:02:45 zsipa.private.net server[6896]: SSLAuthenticatorWithFallback: Starting authenticators Apr 01 11:02:51 zsipa.private.net server[6896]: Server is started. Apr 01 11:02:51 zsipa.private.net server[6896]: Apr 01, 2016 11:02:51 AM org.apache.catalina.startup.HostConfig deployDescriptor Apr 01 11:02:51 zsipa.private.net server[6896]: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 7,993 ms Apr 01 11:02:51 zsipa.private.net server[6896]: Apr 01, 2016 11:02:51 AM org.apache.catalina.startup.HostConfig deployDescriptor Apr 01 11:02:51 zsipa.private.net server[6896]: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml Apr 01 11:02:52 zsipa.private.net server[6896]: Apr 01, 2016 11:02:52 AM org.apache.catalina.startup.HostConfig deployDescriptor Apr 01 11:02:52 zsipa.private.net server[6896]: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml has finished in 661 ms Apr 01 11:02:52 zsipa.private.net server[6896]: Apr 01, 2016 11:02:52 AM org.apache.coyote.AbstractProtocol start Apr 01 11:02:52 zsipa.private.net server[6896]: INFO: Starting ProtocolHandler ["http-bio-8080"] Apr 01 11:02:52 zsipa.private.net server[6896]: Apr 01, 2016 11:02:52 AM org.apache.coyote.AbstractProtocol start Apr 01 11:02:52 zsipa.private.net server[6896]: INFO: Starting ProtocolHandler ["http-bio-8443"] Apr 01 11:02:52 zsipa.private.net server[6896]: Apr 01, 2016 11:02:52 AM org.apache.coyote.AbstractProtocol start Apr 01 11:02:52 zsipa.private.net server[6896]: INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"] Apr 01 11:02:52 zsipa.private.net server[6896]: Apr 01, 2016 11:02:52 AM org.apache.catalina.startup.Catalina start Apr 01 
11:02:52 zsipa.private.net server[6896]: INFO: Server startup in 9918 ms Apr 01 11:07:53 zsipa.private.net server[7974]: Java virtual machine used: /usr/lib/jvm/jre/bin/java Apr 01 11:07:53 zsipa.private.net server[7974]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.j Apr 01 11:07:53 zsipa.private.net server[7974]: main class used: org.apache.catalina.startup.Bootstrap Apr 01 11:07:53 zsipa.private.net server[7974]: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy Apr 01 11:07:53 zsipa.private.net server[7974]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io. Apr 01 11:07:53 zsipa.private.net server[7974]: arguments used: stop Apr 01 11:07:53 zsipa.private.net server[7974]: Apr 01, 2016 11:07:53 AM org.apache.catalina.startup.ClassLoaderFactory validateFile Apr 01 11:07:53 zsipa.private.net server[7974]: WARNING: Problem with JAR file [/var/lib/pki/pki-tomcat/lib/log4j.jar], exists: [false], canRead: [false] Apr 01 11:07:54 zsipa.private.net server[6896]: Apr 01, 2016 11:07:54 AM org.apache.catalina.core.StandardServer await Apr 01 11:07:54 zsipa.private.net server[6896]: INFO: A valid shutdown command was received via the shutdown port. Stopping the Server instance. Apr 01 11:07:54 zsipa.private.net server[6896]: Apr 01, 2016 11:07:54 AM org.apache.coyote.AbstractProtocol pause Apr 01 11:07:54 zsipa.private.net server[6896]: INFO: Pausing ProtocolHandler ["http-bio-8080"] # systemctl status pki-tomcatd at pki-tomcat.service -l ? pki-tomcatd at pki-tomcat.service - PKI Tomcat Server pki-tomcat Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd at .service; enabled) Active: inactive (dead) Apr 28 12:12:53 zsipa.private.net server[8557]: Apr 28, 2016 12:12:53 PM org.apache.catalina.core.StandardServer await Apr 28 12:12:53 zsipa.private.net server[8557]: INFO: A valid shutdown command was received via the shutdown port. 
Stopping the Server instance. Apr 28 12:12:53 zsipa.private.net server[8557]: Apr 28, 2016 12:12:53 PM org.apache.coyote.AbstractProtocol pause Apr 28 12:12:53 zsipa.private.net server[8557]: INFO: Pausing ProtocolHandler ["http-bio-8080"] Apr 28 12:12:53 zsipa.private.net server[8557]: Apr 28, 2016 12:12:53 PM org.apache.coyote.AbstractProtocol pause Apr 28 12:12:53 zsipa.private.net server[8557]: INFO: Pausing ProtocolHandler ["http-bio-8443"] Apr 28 12:12:53 zsipa.private.net server[8557]: Apr 28, 2016 12:12:53 PM org.apache.coyote.AbstractProtocol pause Apr 28 12:12:53 zsipa.private.net server[8557]: INFO: Pausing ProtocolHandler ["ajp-bio-127.0.0.1-8009"] Apr 28 12:12:53 zsipa.private.net server[8557]: Apr 28, 2016 12:12:53 PM org.apache.catalina.core.StandardService stopInternal Apr 28 12:12:53 zsipa.private.net server[8557]: INFO: Stopping service Catalina # systemctl | grep dirsrv@ dirsrv at PRIVATE-NET.service loaded active running 389 Directory Server PRIVATE-NET. On 04/28/2016 12:04 PM, Petr Vobornik wrote: > On 04/28/2016 05:49 PM, Bret Wortman wrote: >> My system shows pki-server is installed and V10.2.1-3.fc21, but I don't >> have the pki-server binary itself. Will reinstalling this rpm hurt me in >> any way? Without it, I'm not sure how to check my system against the >> messages you provided below. > Not sure what you mean. Running doesn't require any additional packages. > It is just to get additional logs. 
> systemctl status pki-tomcatd at pki-tomcat.service > journalctl -u pki-tomcatd at pki-tomcat.service > > And the links below are about checking if CA users have correctly mapped > certificates in LDAP database in ou=people,o=ipaca for that you need > only ldapsearch command and start directory server: > systemctl start dirsrv at YOUR-REALM-TEST.service > > Proper name for dirsrv at YOUR-REALM-TEST.service can be found using: > systemctl | grep dirsrv@ > > >> On 04/28/2016 11:07 AM, Petr Vobornik wrote: >>> On 04/28/2016 04:07 PM, Bret Wortman wrote: >>>> Okay. This morning, I turned back time to 4/1 and started up IPA. It >>>> didn't >>>> work, but I got something new and interesting in the debug log, which >>>> I've >>>> posted to http://pastebin.com/M9VGCS8A. Lots of garbled junk came >>>> pouring out >>>> which doesn't happen when I'm set to real time. Is /this/ significant? >>> Anything in >>> systemctl status pki-tomcatd at pki-tomcat.service >>> or rather: >>> journalctl -u pki-tomcatd at pki-tomcat.service >>> ? >>> >>> Just to be sure, it might be also worth to check if CA subsystem users >>> have correct certs assigned: >>> * >>> https://www.redhat.com/archives/freeipa-users/2016-April/msg00138.html >>> * >>> https://www.redhat.com/archives/freeipa-users/2016-April/msg00143.html >>> >>>> On 04/27/2016 02:24 PM, Bret Wortman wrote: >>>>> I put excerpts from the ca logs in http://pastebin.com/gYgskU79. It >>>>> looks >>>>> logical to me, but I can't spot anything that looks like a root >>>>> cause error. >>>>> The selftests are all okay, I think. The debug log might have >>>>> something, but >>>>> it might also just be complaining about ldap not being up because >>>>> it's not. >>>>> >>>>> >>>>> On 04/27/2016 01:11 PM, Rob Crittenden wrote: >>>>>> Bret Wortman wrote: >>>>>>> So in lieu of fixing these certs, is there an acceptable way to dump >>>>>>> them all and start over /without losing the contents of the IPA >>>>>>> database/? 
Or otherwise really screwing ourselves? >>>>>> I don't believe there is a way. >>>>>> >>>>>>> We have a replica that's still up and running and we've switched >>>>>>> everyone over to talking to it, but we're at risk with just the one. >>>>>> I'd ignore the two unknown certs for now. They look like someone was >>>>>> experimenting with issuing a cert and didn't quite get things working. >>>>>> >>>>>> The CA seems to be throwing an error. I'd check the syslog for >>>>>> messages from >>>>>> certmonger and look at the CA debug log and selftest log. >>>>>> >>>>>> rob >>>>>> >>>>> [snip] >>>>> >>>> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From schogan at us.ibm.com Thu Apr 28 17:09:50 2016 From: schogan at us.ibm.com (Sean Hogan) Date: Thu, 28 Apr 2016 10:09:50 -0700 Subject: [Freeipa-users] IPA vulnerability management SSL In-Reply-To: References: <201604270527.u3R5RvrE005517@d03av01.boulder.ibm.com><6c44a1aa-b1d5-cd85-fc64-38b38d8a1e4b@redhat.com><201604272324.u3RNOR6U009479@d01av01.pok.ibm.com><2c9f4e2c-f86d-75a8-2f9f-c8f57284f7d6@redhat.com><5721F34C.9010107@redhat.com> <5721F536.1000807@redhat.com> Message-ID: <201604281709.u3SH9upJ019210@d03av04.boulder.ibm.com> Hey guys.. yes I so want to upgrade to 4.x however not in my control right now and can not really discuss. I see us stuck at 3.x for a while. Sean Hogan From: Sean Hogan/Durham/IBM To: Ludwig Krispenz Cc: freeipa-users at redhat.com, Noriko Hosoi Date: 04/28/2016 08:20 AM Subject: Re: [Freeipa-users] IPA vulnerability management SSL Yes sir.. I am stopping DS with ipactl stop before making changes.. .I often times have to really play with the ciphers cause many times when I restart DS I get unknown cipher and IPA fails to start. Go back into dse.ldif and modify til it comes back up. 
Sean Hogan

From: Ludwig Krispenz
To: freeipa-users at redhat.com, Noriko Hosoi
Date: 04/28/2016 04:46 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL
Sent by: freeipa-users-bounces at redhat.com

wanted to add Noriko, but hit send too quickly

On 04/28/2016 01:26 PM, Ludwig Krispenz wrote:
>
> On 04/28/2016 12:06 PM, Martin Kosek wrote:
>> On 04/28/2016 01:23 AM, Sean Hogan wrote:
>>> Hi Martin,
>>>
>>> No joy on placing - in front of the RC4s
>>>
>>>
>>> I modified my nss.conf to now read
>>> # SSL 3 ciphers. SSL 2 is disabled by default.
>>> NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha
>>>
>>>
>>> # SSL Protocol:
>>> # Cryptographic protocols that provide communication security.
>>> # NSS handles the specified protocols as "ranges", and automatically
>>> # negotiates the use of the strongest protocol for a connection starting
>>> # with the maximum specified protocol and downgrading as necessary to the
>>> # minimum specified protocol that can be used between two processes.
>>> # Since all protocol ranges are completely inclusive, and no protocol in the
>>> NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>>>
>>> dse.ldif
>>>
>>> dn: cn=encryption,cn=config
>>> objectClass: top
>>> objectClass: nsEncryptionConfig
>>> cn: encryption
>>> nsSSLSessionTimeout: 0
>>> nsSSLClientAuth: allowed
>>> nsSSL2: off
>>> nsSSL3: off
>>> creatorsName: cn=server,cn=plugins,cn=config
>>> modifiersName: cn=directory manager
>>> createTimestamp: 20150420131850Z
>>> modifyTimestamp: 20150420131906Z
>>> nsSSL3Ciphers: +all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha
>>> numSubordinates: 1
>>>
>>>
>>>
>>> But I still get this with nmap.. I thought the above would remove
>>> -tls_rsa_export1024_with_rc4_56_sha but still showing. Is it the
>>> fact that I am not offering -tls_rsa_export1024_with_rc4_56_sha? If so.. not really
>>> understanding where it is coming from cept the +all from DS but the - should be
>>> negating that?
>>>
>>> Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 17:37 EDT
>>> Nmap scan report for rtpvxl0077.watson.local (10.110.76.242)
>>> Host is up (0.000086s latency).
>>> PORT    STATE SERVICE
>>> 636/tcp open  ldapssl
>>> | ssl-enum-ciphers:
>>> |   TLSv1.2
>>> |     Ciphers (13)
>>> |       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
>>> |       SSL_RSA_FIPS_WITH_DES_CBC_SHA
>>> |       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
>>> |       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
>>> |       TLS_RSA_WITH_3DES_EDE_CBC_SHA
>>> |       TLS_RSA_WITH_AES_128_CBC_SHA
>>> |       TLS_RSA_WITH_AES_128_CBC_SHA256
>>> |       TLS_RSA_WITH_AES_128_GCM_SHA256
>>> |       TLS_RSA_WITH_AES_256_CBC_SHA
>>> |       TLS_RSA_WITH_AES_256_CBC_SHA256
>>> |       TLS_RSA_WITH_DES_CBC_SHA
>>> |       TLS_RSA_WITH_RC4_128_MD5
>>> |       TLS_RSA_WITH_RC4_128_SHA
>>> |     Compressors (1)
>>> |_      uncompressed
>>>
>>> Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
>>>
>>>
>>>
>>> It seems no matter what config I put into nss.conf or dse.ldif nothing changes
>>> with my nmap results. Is there supposed to be a section to add TLS ciphers
>>> instead of SSL
>> Not sure now, CCing Ludwig who was involved in the original RHEL-6
>> implementation.
> If I remember correctly we did the change in default ciphers and the
> option for handling in 389-ds > 1.3.3, so it would not be in RHEL6,
> adding Noriko to get confirmation.
>
> but the below comments about changing ciphers in dse.ldif could help
> in using the "old" way to set ciphers
>> Just to be sure, when you are modifying dse.ldif, the procedure
>> should be always following:
>>
>> 1) Stop Directory Server service
>> 2) Modify dse.ldif
>> 3) Start Directory Server service
>>
>> Otherwise it won't get applied and will get overwritten later.
>>
>> In any case, the ciphers with RHEL-6 should be secure enough, the ones in
>> FreeIPA 4.3.1 should be even better. This is for example an nmap taken on
>> FreeIPA Demo instance that runs on FreeIPA 4.3.1:
>>
>> $ nmap --script ssl-enum-ciphers -p 636 ipa.demo1.freeipa.org
>>
>> Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-28 12:02 CEST
>> Nmap scan report for ipa.demo1.freeipa.org (209.132.178.99)
>> Host is up (0.18s latency).
>> PORT    STATE SERVICE
>> 636/tcp open  ldapssl
>> | ssl-enum-ciphers:
>> |   TLSv1.2:
>> |     ciphers:
>> |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
>> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
>> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
>> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
>> |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
>> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
>> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
>> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
>> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
>> |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
>> |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
>> |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
>> |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
>> |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
>> |     compressors:
>> |       NULL
>> |     cipher preference: server
>> |_  least strength: A
>>
>> Nmap done: 1 IP address (1 host up) scanned in 21.12 seconds
>>
>> Martin
>
-- 
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: graycol.gif
Type: image/gif
Size: 105 bytes
Desc: not available
URL:

From rmj at ast.cam.ac.uk Thu Apr 28 17:16:20 2016
From: rmj at ast.cam.ac.uk (Roderick Johnstone)
Date: Thu, 28 Apr 2016 18:16:20 +0100
Subject: [Freeipa-users] freeipa update changed my cipher set
Message-ID: <57224564.9080305@ast.cam.ac.uk>

Hi

RHEL7 running ipa-server-4.2.0-15.el7_2.6.1.x86_64

A couple of months ago I updated /etc/dirsrv/slapd-XXX.XXX.XXX/dse.ldif to customise the cipher suite in use by freeipa (see previous thread on this list).

When the update to ipa-server-4.2.0-15.el7_2.6.1.x86_64 came in on April 14 it saved my dse.ldif to dse.ldif.ipa.87160d3fec74fa3f and reverted some, but not all of, my changed settings in dse.ldif.

I'd like to understand what is expected to happen to this file on a package upgrade (rpm reports that this file is not owned by any package so I guess it's manipulated by a scriptlet) since at least one of my changes was preserved.

Also, if I need to maintain a customised cipher suite for ipa, am I required to only do yum updates of the ipa-server package by hand and manually merge back in my changes, or is there a better way?
Thanks

Roderick Johnstone

From bret.wortman at damascusgrp.com Thu Apr 28 17:53:57 2016
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Thu, 28 Apr 2016 13:53:57 -0400
Subject: [Freeipa-users] IPA server having cert issues
In-Reply-To: <11f8848a-a71f-e98a-ac1c-6656f4cd4df1@redhat.com>
References: <571F586E.2000302@damascusgrp.com> <571F5B99.4060607@damascusgrp.com> <571F6BF5.9060801@damascusgrp.com> <571F6C80.8000006@damascusgrp.com> <7c9ac60d-f182-cb92-bf53-85359e5c5b81@redhat.com> <571F9092.7060204@damascusgrp.com> <571F9E04.2050400@damascusgrp.com> <571FA944.8040003@redhat.com> <571FAE1C.107@damascusgrp.com> <57208EE1.3000006@damascusgrp.com> <5720D0A8.505@damascusgrp.com> <5720F2AB.3000300@redhat.com> <572103CE.6030404@damascusgrp.com> <5722193A.40101@damascusgrp.com> <2dac740d-a1fe-5579-6841-d410ee0ec5fc@redhat.com> <5722311B.7040806@damascusgrp.com> <11f8848a-a71f-e98a-ac1c-6656f4cd4df1@redhat.com>
Message-ID: <57224E35.40600@damascusgrp.com>

Okay, I ran 'ldapsearch -x -h zsipa -p 389 -b 'ou=people,o=ipaca' and dumped that to a file. I'm still not clear on what I'm supposed to be looking for in the output, though.

The result of systemctl | grep dirsrv@ was pretty uninformative. If the answer was "dirsrv", then I don't find that in the ldapsearch results. Assuming that was the ldapsearch command I needed to run....

On 04/28/2016 12:04 PM, Petr Vobornik wrote:
> On 04/28/2016 05:49 PM, Bret Wortman wrote:
>> My system shows pki-server is installed and V10.2.1-3.fc21, but I don't
>> have the pki-server binary itself. Will reinstalling this rpm hurt me in
>> any way? Without it, I'm not sure how to check my system against the
>> messages you provided below.
> Not sure what you mean. Running doesn't require any additional packages.
> It is just to get additional logs.
> systemctl status pki-tomcatd@pki-tomcat.service
> journalctl -u pki-tomcatd@pki-tomcat.service
>
> And the links below are about checking if CA users have correctly mapped
> certificates in LDAP database in ou=people,o=ipaca for that you need
> only ldapsearch command and start directory server:
> systemctl start dirsrv@YOUR-REALM-TEST.service
>
> Proper name for dirsrv@YOUR-REALM-TEST.service can be found using:
> systemctl | grep dirsrv@
>
>
>> On 04/28/2016 11:07 AM, Petr Vobornik wrote:
>>> On 04/28/2016 04:07 PM, Bret Wortman wrote:
>>>> Okay. This morning, I turned back time to 4/1 and started up IPA. It didn't
>>>> work, but I got something new and interesting in the debug log, which I've
>>>> posted to http://pastebin.com/M9VGCS8A. Lots of garbled junk came pouring out
>>>> which doesn't happen when I'm set to real time. Is /this/ significant?
>>> Anything in
>>> systemctl status pki-tomcatd@pki-tomcat.service
>>> or rather:
>>> journalctl -u pki-tomcatd@pki-tomcat.service
>>> ?
>>>
>>> Just to be sure, it might be also worth to check if CA subsystem users
>>> have correct certs assigned:
>>> * https://www.redhat.com/archives/freeipa-users/2016-April/msg00138.html
>>> * https://www.redhat.com/archives/freeipa-users/2016-April/msg00143.html
>>>
>>>> On 04/27/2016 02:24 PM, Bret Wortman wrote:
>>>>> I put excerpts from the ca logs in http://pastebin.com/gYgskU79. It looks
>>>>> logical to me, but I can't spot anything that looks like a root cause error.
>>>>> The selftests are all okay, I think. The debug log might have something, but
>>>>> it might also just be complaining about ldap not being up because it's not.
>>>>>
>>>>>
>>>>> On 04/27/2016 01:11 PM, Rob Crittenden wrote:
>>>>>> Bret Wortman wrote:
>>>>>>> So in lieu of fixing these certs, is there an acceptable way to dump
>>>>>>> them all and start over /without losing the contents of the IPA
>>>>>>> database/?
>>>>>>> Or otherwise really screwing ourselves?
>>>>>> I don't believe there is a way.
>>>>>>
>>>>>>> We have a replica that's still up and running and we've switched
>>>>>>> everyone over to talking to it, but we're at risk with just the one.
>>>>>> I'd ignore the two unknown certs for now. They look like someone was
>>>>>> experimenting with issuing a cert and didn't quite get things working.
>>>>>>
>>>>>> The CA seems to be throwing an error. I'd check the syslog for
>>>>>> messages from certmonger and look at the CA debug log and selftest log.
>>>>>>
>>>>>> rob
>>>>>>
>>>>> [snip]
>>>>>
>>>>
>

From dsullivan2 at bsd.uchicago.edu Thu Apr 28 18:31:20 2016
From: dsullivan2 at bsd.uchicago.edu (Sullivan, Daniel [AAA])
Date: Thu, 28 Apr 2016 18:31:20 +0000
Subject: [Freeipa-users] Quick question regarding modifying attributes
In-Reply-To: <20160428162933.GZ12779@hendrix>
References: <4D672522-7239-4023-8BA6-B2A15152A4D9@bsd.uchicago.edu> <20160428162933.GZ12779@hendrix>
Message-ID: <879C1889-45C7-4922-B794-87A52B851197@bsd.uchicago.edu>

Jakub,

Thank you for your reply. I did not know that the compat tree was populated from sssd; Do you have any experience and/or recommendation on using the full_name_format variable of sssd.conf to manipulate how cn's are populated in anchor records? Basically I'm interested in trying to get IPA to provision anchor records for a trusted domain without the @f.d.q.n appended to usernames. It seems like having a custom full_name_format (sssd.conf) possibly in conjunction with default_domain_suffix (sssd.conf) might achieve this (have already done some internal testing with partial results, running into some issues but interested in yours and the group's opinion on the viability of this).

I appreciate your help.

Best,

Dan

> On Apr 28, 2016, at 11:29 AM, Jakub Hrozek wrote:
>
> On Wed, Apr 27, 2016 at 06:58:35PM +0000, Sullivan, Daniel [AAA] wrote:
>> Hi,
>>
>> I have a trusted AD domain that I am enumerating objects via IPA. I wanted to
>> know if I should be able to manipulate the uidNumber and gidNumber stored in
>> the default ID view by using the ldapmodify command, for example, for this DN
>> (not local):
>>
>> uid=user@domain.edu,cn=users,cn=compat,dc=ipatst,dc=cri,dc=uchicago,dc=edu
>
> The compat tree is autogenerated and can't be modified.
>
> If you want ID views to be applicable to clients using the compat tree,
> you can define the overrides using the standard IPA CLI tools in the
> "default Trust View", because that one is applied on the server itself
> and the compat tree is autogenerated from the data that SSSD on the
> server delivers.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

********************************************************************************
This e-mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged and confidential. If the reader of this e-mail message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is prohibited. If you have received this e-mail in error, please notify the sender and destroy all copies of the transmittal.

Thank you
University of Chicago Medicine and Biological Sciences
********************************************************************************

From nhosoi at redhat.com Thu Apr 28 18:06:08 2016
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Thu, 28 Apr 2016 11:06:08 -0700
Subject: [Freeipa-users] IPA vulnerability management SSL
In-Reply-To: <5721F536.1000807@redhat.com>
References: <201604270527.u3R5RvrE005517@d03av01.boulder.ibm.com> <6c44a1aa-b1d5-cd85-fc64-38b38d8a1e4b@redhat.com> <201604272324.u3RNOR6U009479@d01av01.pok.ibm.com> <2c9f4e2c-f86d-75a8-2f9f-c8f57284f7d6@redhat.com> <5721F34C.9010107@redhat.com> <5721F536.1000807@redhat.com>
Message-ID: <57225110.1000708@redhat.com>

Thank you for including me in the loop, Ludwig.

On 04/28/2016 04:34 AM, Ludwig Krispenz wrote:
> If I remember correctly we did the change in default ciphers and the option for handling in 389-ds > 1.3.3, so it would not be in RHEL6, adding Noriko to get confirmation.

Ludwig is right. The way nsSSL3Ciphers is set has changed since 1.3.3, which is available on RHEL-7. This is one of the newly supported values of nsSSL3Ciphers:

Notes: if the value contains +all, then *-* is removed from the list.
http://www.port389.org/docs/389ds/design/nss-cipher-design.html#available-by-setting-all----nss-3162-1

On the older 389-ds-base including 389-ds-base-1.2.11.X on RHEL-6.X, if "+all" is found in the value, all the available ciphers are enabled. To work around it, could you try explicitly setting ciphers as follows?
nsSSL3Ciphers: -rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha, +tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha, +tls_rsa_aes_128_gcm_sha,+tls_dhe_rsa_aes_128_gcm_sha,+tls_dhe_dss_aes_128_gcm_sha Thanks, --noriko On 04/28/2016 04:34 AM, Ludwig Krispenz wrote: > wanted to add Noriko, but hit send to quickly > > On 04/28/2016 01:26 PM, Ludwig Krispenz wrote: >> >> On 04/28/2016 12:06 PM, Martin Kosek wrote: >>> On 04/28/2016 01:23 AM, Sean Hogan wrote: >>>> Hi Martin, >>>> >>>> No joy on placing - in front of the RC4s >>>> >>>> >>>> I modified my nss.conf to now read >>>> # SSL 3 ciphers. SSL 2 is disabled by default. >>>> NSSCipherSuite >>>> +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha >>>> >>>> >>>> # SSL Protocol: >>>> # Cryptographic protocols that provide communication security. >>>> # NSS handles the specified protocols as "ranges", and automatically >>>> # negotiates the use of the strongest protocol for a connection >>>> starting >>>> # with the maximum specified protocol and downgrading as necessary >>>> to the >>>> # minimum specified protocol that can be used between two processes. 
>>>> # Since all protocol ranges are completely inclusive, and no protocol in the
>>>> NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>>>>
>>>> dse.ldif
>>>>
>>>> dn: cn=encryption,cn=config
>>>> objectClass: top
>>>> objectClass: nsEncryptionConfig
>>>> cn: encryption
>>>> nsSSLSessionTimeout: 0
>>>> nsSSLClientAuth: allowed
>>>> nsSSL2: off
>>>> nsSSL3: off
>>>> creatorsName: cn=server,cn=plugins,cn=config
>>>> modifiersName: cn=directory manager
>>>> createTimestamp: 20150420131850Z
>>>> modifyTimestamp: 20150420131906Z
>>>> nsSSL3Ciphers: +all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha
>>>> numSubordinates: 1
>>>>
>>>> But I still get this with nmap.. I thought the above would remove
>>>> -tls_rsa_export1024_with_rc4_56_sha but still showing. Is it the
>>>> fact that I am not offering -tls_rsa_export1024_with_rc4_56_sha? If so.. not really
>>>> understanding where it is coming from cept the +all from DS but the - should be
>>>> negating that?
>>>>
>>>> Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 17:37 EDT
>>>> Nmap scan report for rtpvxl0077.watson.local (10.110.76.242)
>>>> Host is up (0.000086s latency).
>>>> PORT STATE SERVICE
>>>> 636/tcp open ldapssl
>>>> | ssl-enum-ciphers:
>>>> | TLSv1.2
>>>> | Ciphers (13)
>>>> | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
>>>> | SSL_RSA_FIPS_WITH_DES_CBC_SHA
>>>> | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
>>>> | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
>>>> | TLS_RSA_WITH_3DES_EDE_CBC_SHA
>>>> | TLS_RSA_WITH_AES_128_CBC_SHA
>>>> | TLS_RSA_WITH_AES_128_CBC_SHA256
>>>> | TLS_RSA_WITH_AES_128_GCM_SHA256
>>>> | TLS_RSA_WITH_AES_256_CBC_SHA
>>>> | TLS_RSA_WITH_AES_256_CBC_SHA256
>>>> | TLS_RSA_WITH_DES_CBC_SHA
>>>> | TLS_RSA_WITH_RC4_128_MD5
>>>> | TLS_RSA_WITH_RC4_128_SHA
>>>> | Compressors (1)
>>>> |_ uncompressed
>>>>
>>>> Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
>>>>
>>>> It seems no matter what config I put into nss.conf or dse.ldif nothing changes
>>>> with my nmap results. Is there supposed to be a section to add TLS ciphers
>>>> instead of SSL
>>> Not sure now, CCing Ludwig who was involved in the original RHEL-6
>>> implementation.
>> If I remember correctly we did the change in default ciphers and the
>> option for handling in 389-ds > 1.3.3, so it would not be in RHEL6,
>> adding Noriko to get confirmation.
>>
>> but the below comments about changing ciphers in dse.ldif could help
>> in using the "old" way to set ciphers
>>> Just to be sure, when you are modifying dse.ldif, the procedure
>>> should be always the following:
>>>
>>> 1) Stop Directory Server service
>>> 2) Modify dse.ldif
>>> 3) Start Directory Server service
>>>
>>> Otherwise it won't get applied and will get overwritten later.
>>>
>>> In any case, the ciphers with RHEL-6 should be secure enough, the ones in
>>> FreeIPA 4.3.1 should be even better.
>>> This is for example an nmap taken on
>>> FreeIPA Demo instance that runs on FreeIPA 4.3.1:
>>>
>>> $ nmap --script ssl-enum-ciphers -p 636 ipa.demo1.freeipa.org
>>>
>>> Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-28 12:02 CEST
>>> Nmap scan report for ipa.demo1.freeipa.org (209.132.178.99)
>>> Host is up (0.18s latency).
>>> PORT STATE SERVICE
>>> 636/tcp open ldapssl
>>> | ssl-enum-ciphers:
>>> | TLSv1.2:
>>> | ciphers:
>>> | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
>>> | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
>>> | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
>>> | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
>>> | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
>>> | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
>>> | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
>>> | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
>>> | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
>>> | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
>>> | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
>>> | TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
>>> | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
>>> | TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
>>> | compressors:
>>> | NULL
>>> | cipher preference: server
>>> |_ least strength: A
>>>
>>> Nmap done: 1 IP address (1 host up) scanned in 21.12 seconds
>>>
>>> Martin
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From phosakotenagesh at ebay.com Thu Apr 28 18:14:30 2016
From: phosakotenagesh at ebay.com (Hosakote Nagesh, Pawan)
Date: Thu, 28 Apr 2016 18:14:30 +0000
Subject: [Freeipa-users] Free IPA Client in Docker
Message-ID: <96C5B8B7-8C00-4B30-B317-286AB2CCD94B@ebay.com>

Hi,
I am planning to deploy FreeIPA Client in a docker where my Apps are running. However I hit a road block as there seems to be a problem with the docker's hostname settings in DNS records.

Debug Log
---------
ipa-client-install --hostname=`hostname -f` --mkhomedir -N --force-join --debug
.
.
.
.
debug
zone phx01.eaz.ebayc3.com.
update delete . IN A
show
send
update add . 1200 IN A 172.17.0.3
show
send

Starting external process
args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
Process execution failed
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 2603, in
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 2584, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2387, in install
    client_dns(cli_server[0], hostname, options.dns_updates)
  File "/usr/sbin/ipa-client-install", line 1423, in client_dns
    update_dns(server, hostname)
  File "/usr/sbin/ipa-client-install", line 1410, in update_dns
    if do_nsupdate(update_txt):
  File "/usr/sbin/ipa-client-install", line 1346, in do_nsupdate
    ipautil.run(['/usr/bin/nsupdate', '-g', UPDATE_FILE])
  File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 303, in run
    close_fds=True, env=env, cwd=cwd)
  File "/usr/lib/python2.7/subprocess.py", line 710, in __init__
    errread, errwrite)
  File "/usr/lib/python2.7/subprocess.py", line 1327, in _execute_child
    raise child_exception
OSError: [Errno 2] No such file or directory

As a follow-up question I also wanted to know why it is absolutely necessary for the Kerberos client to have a hostname. Won't the client initiate the connection and the FreeIPA server can take it from there? If so, what is the need of an FQDN for the FreeIPA client at all?

-
Best,
Pawan
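Reading the traceback above: ipautil.run hands /usr/bin/nsupdate to subprocess.Popen, and the "OSError: [Errno 2] No such file or directory" raised from _execute_child is what Python reports when the program itself cannot be executed, not an error from nsupdate running and failing (Jakub's reply further down this digest draws the same conclusion). The preflight below is an added example, not part of ipa-client-install or of the post above: it checks that the external tools the enrolment shells out to are present in the container image, and that the host name handed to --hostname is a fully qualified name inside the IPA DNS zone (a container's default host name is its short container id, which is not). The default tool list, the reuse of the zone name from the log, and the sample host names are constructed for the example.

```python
"""Preflight checks before running ipa-client-install inside a container.

Added example; this is not part of ipa-client-install.  It separates the
two failure modes visible in the log above:

  * an external tool such as /usr/bin/nsupdate is absent from the image,
    which surfaces as "OSError: [Errno 2] No such file or directory"
    while Python tries to exec it;
  * the host name passed to --hostname is not a fully qualified name in
    the IPA DNS zone, so the generated nsupdate script targets the wrong
    (or an empty) record name.
"""
import shutil
import subprocess
from typing import Iterable, List, Optional

# Constructed default: nsupdate is the only external program the log above
# shows being executed; extend the tuple for your own image.
DEFAULT_TOOLS = ("nsupdate",)


def missing_tools(required: Iterable[str] = DEFAULT_TOOLS,
                  path: Optional[str] = None) -> List[str]:
    """Return the names in `required` that are not executable on PATH.

    `path` overrides the process PATH so the check can be run against a
    constructed search path.
    """
    return [tool for tool in required if shutil.which(tool, path=path) is None]


def hostname_problems(hostname: str, ipa_domain: str) -> List[str]:
    """Explain why `hostname` is unsuitable as the client's enrolment name.

    Returns an empty list when the name is fully qualified and lies inside
    `ipa_domain` (the zone the IPA server accepts dynamic updates for).
    """
    name = hostname.strip().rstrip(".").lower()
    domain = ipa_domain.strip().rstrip(".").lower()
    if not name:
        return ["hostname is empty"]
    if "." not in name:
        return ["hostname %r is not fully qualified" % hostname]
    if not name.endswith("." + domain):
        return ["hostname %r is outside the IPA domain %r" % (hostname, ipa_domain)]
    return []


def exec_outcome(argv: List[str]) -> str:
    """Classify what happens when `argv` is executed.

    "missing" is the case behind the traceback above (the binary is not
    there at all); "failed" means the program ran and exited non-zero.
    """
    try:
        completed = subprocess.run(argv, capture_output=True, check=False)
    except FileNotFoundError:
        return "missing"
    except PermissionError:
        return "not-executable"
    return "ok" if completed.returncode == 0 else "failed"


def preflight(hostname: str, ipa_domain: str,
              required: Iterable[str] = DEFAULT_TOOLS,
              path: Optional[str] = None) -> List[str]:
    """Collect every reason ipa-client-install would fail before running it."""
    problems = ["required tool not found on PATH: %s" % tool
                for tool in missing_tools(required, path)]
    problems.extend(hostname_problems(hostname, ipa_domain))
    return problems


if __name__ == "__main__":
    # Constructed values: the zone from the log above and a Docker-style
    # short container id as the host name.
    for report in preflight("a1b2c3d4e5f6", "phx01.eaz.ebayc3.com"):
        print("preflight:", report)
    print("exec of a non-existent binary ->", exec_outcome(["/nonexistent/nsupdate"]))
```

Run inside the image before enrolment; an empty list from preflight() means both the tools and the name are in place, and exec_outcome() lets a wrapper tell "binary missing from the image" apart from "nsupdate ran but the update was refused", which need different fixes.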
From huston at astro.princeton.edu Thu Apr 28 20:09:25 2016
From: huston at astro.princeton.edu (Steve Huston)
Date: Thu, 28 Apr 2016 16:09:25 -0400
Subject: [Freeipa-users] Account/password expirations
In-Reply-To: <20160421193726.GB4262@hendrix>
References: <20160419155704.GC14903@hendrix> <20160421193726.GB4262@hendrix>
Message-ID:

Unfortunately I've been swapping tasks enough that I keep forgetting where I left off here. But I'm pretty sure the problem was that sssd would stop a user who was disabled (as you mention) but not if they were expired, either the account itself with krbPrincipalExpiration or the password with krbPasswordExpiration.

I know that one does not get a ticket automatically if using ssh public key authentication, which is fine, but there's a specific mention in the link I referenced (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-pwd-expiry.html) that basically if you do this, then sssd will consult for password expiration and warn the user accordingly. That's what I need to happen, and would like it to be native IPA-ish calls, rather than LDAP which is what I need to set it to if I want that functionality (which then also causes other problems, such as losing HBAC and having to set a filter I've yet to get right to allow users to login to anything).

So if there's a chance of swinging the vote the other way, I'll keep beating my drum :D

On Thu, Apr 21, 2016 at 3:37 PM, Jakub Hrozek wrote:
> On Thu, Apr 21, 2016 at 01:26:19PM -0400, Steve Huston wrote:
>> On Tue, Apr 19, 2016 at 11:57 AM, Jakub Hrozek wrote:
>> > Did you test that this actually fails with id_provider=ipa? I would
>> > assume the IPA KDC would kick you out and prompt for a new password..
>>
>> If you're using a password, yes it kicks back and requires you to
>> change it.
>> The problem is if you're not using a password to
>> authenticate, but instead using an SSH key, then it appears there are no
>> hooks to check with IPA if the password (or the principal itself) is
>> expired and the user is allowed to continue to login. The
>> "recommended" way to do this in RHEL6 is to set access_provider to
>> ldap in sssd, but that doesn't seem to cover all cases and doesn't
>> play well with other IPA things (like HBAC) from what I can tell.
>
> Then in my opinion SSSD is behaving correctly there. It wouldn't let in
> a locked user (it would check the nsaccountlock attribute), but I'm not
> sure it would be correct to check krbPasswordExpiration if you're using
> a completely different method to authenticate..
>
> Moreover, if you login through an SSH key, you don't get a ticket on
> login and you can't kinit, so you can't access any network resources
> anyway..
>
> But to be honest, this is something we discussed even among IPA
> developers and we're not in total agreement here either, so maybe others
> will overrule me :)
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

--
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  | ICBM Address: 40.346344   -74.652242
    345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
    (267) 793-0852      | headlong into mystery." -Rush, 'Cygnus X-1'

From bentech4you at gmail.com Thu Apr 28 21:03:42 2016
From: bentech4you at gmail.com (Ben .T.George)
Date: Fri, 29 Apr 2016 00:03:42 +0300
Subject: [Freeipa-users] HBAC implementation help
Message-ID:

Hi List,

I have a working setup of IPA with AD integrated and one client joined.

I want to implement HBAC rules against this client. Can anyone please share with me good articles on implementing HBAC from the web UI?
Thanks & Regards,
Ben

From prasun.gera at gmail.com Thu Apr 28 21:06:34 2016
From: prasun.gera at gmail.com (Prasun Gera)
Date: Thu, 28 Apr 2016 17:06:34 -0400
Subject: [Freeipa-users] Account/password expirations
In-Reply-To: <20160421193726.GB4262@hendrix>
References: <20160419155704.GC14903@hendrix> <20160421193726.GB4262@hendrix>
Message-ID:

>
> Moreover, if you login through an SSH key, you don't get a ticket on
> login and you can't kinit, so you can't access any network resources
> anyway..
>
>
A bit off topic, but a related question:
How does nfsv4 work with ssh keys? Does it mean that you can't use ssh keys if /home is nfsv4 mounted? I had tried nfsv4 briefly, but had some issues, and didn't look it in too much detail. Also, is it possible to use nfsv4 home in an HPC cluster environment where something like torque or slurm schedules jobs? For nfsv3, I suppose the workload manager runs as the user, and hence it can read/write to the user's directory. Would it still be possible to do that in an nfsv4 system? How would renewals happen for long running jobs without any user interaction?

From michael.rainey.ctr at nrlssc.navy.mil Thu Apr 28 21:09:16 2016
From: michael.rainey.ctr at nrlssc.navy.mil (Michael Rainey (Contractor))
Date: Thu, 28 Apr 2016 16:09:16 -0500
Subject: [Freeipa-users] FreeIPA with smart card using LightDM
Message-ID:

I am wondering if anyone out there is currently using freeIPA with smart cards along with LightDM. I have systems running SL7.2 with GDM and I have users that prefer to use XFCE or KDE over the default GNOME-Shell. The problem with GDM is I am not able to get the screen lock feature to work across multiple desktop environments. If anyone uses XFCE, xscreensaver will need to be installed so they can lock their screen.
This choice also makes using the smart card useless when logging back into the system. Also, I haven't been able to call the lock screen from the command-line. What examples I have found do not work due to a missing ScreenSaver object.

If anyone has any good solutions to this problem I would enjoy hearing them.

Thanks in advance.
--
*Michael Rainey*

From listeranon at gmail.com Thu Apr 28 22:06:37 2016
From: listeranon at gmail.com (Anon Lister)
Date: Thu, 28 Apr 2016 18:06:37 -0400
Subject: [Freeipa-users] Account/password expirations
In-Reply-To:
References: <20160419155704.GC14903@hendrix> <20160421193726.GB4262@hendrix>
Message-ID:

You can still authenticate with SSH keys, but to access any NFS 4 shares they will need a Kerberos ticket, which can be obtained via a 'kinit' after logging in. I forget what the default timeout is but they do expire, and at that point access to those shares (by a user or process acting as that user) will not be allowed. You may increase the timeout to something comfortable.

We have a solution where we have tickets set at a day and a login script prompts for the password (actually just runs kinit) for the user if their ticket is expired, which covers interactive login; however it does break scp unless they login first. For us it hasn't come up enough to warrant coming up with another solution.

Note this is for sec=krb*; you can do nfs4 sec=sys and get no extra security but other features of v4, and mount as normal.

-Anon

On Apr 28, 2016 5:09 PM, "Prasun Gera" wrote:
>
>
>> Moreover, if you login through an SSH key, you don't get a ticket on
>> login and you can't kinit, so you can't access any network resources
>> anyway..
>>
>>
> A bit off topic, but a related question:
> How does nfsv4 work with ssh keys ? Does it mean that you can't use ssh
> keys if /home is nfsv4 mounted ?
> I had tried nfsv4 briefly, but had some
> issues, and didn't look it in too much detail. Also, is it possible to use
> nfsv4 home in an HPC cluster environment where something like torque or
> slurm schedules jobs ? For nfsv3, I suppose the workload manager runs as
> the user, and hence it can read/write to the user's directory. Would it
> still be possible to do that in an nfsv4 system ? How would renewals happen
> for long running jobs without any user interaction ?
>

From siology.io at gmail.com Thu Apr 28 22:44:14 2016
From: siology.io at gmail.com (siology.io)
Date: Fri, 29 Apr 2016 10:44:14 +1200
Subject: [Freeipa-users] ipa-client password authentication failed
In-Reply-To:
References: <20160422151651.GH620@hendrix> <70BBF132-4288-4550-B875-D774ED73FB20@redhat.com>
Message-ID:

On a clean centos 7 VM, after installation of ipa-server, browsing to the ipa web UI gets me in the httpd error_logs:

[Thu Apr 28 18:41:11.826134 2016] [:error] [pid 10162] [remote 10.0.4.10:244] mod_wsgi (pid=10162): Target WSGI script '/usr/share/ipa/wsgi/plugins.py' does not contain WSGI application 'application'.

Is this a known issue? I didn't get much out of google.
From schogan at us.ibm.com Thu Apr 28 23:15:52 2016
From: schogan at us.ibm.com (Sean Hogan)
Date: Thu, 28 Apr 2016 16:15:52 -0700
Subject: [Freeipa-users] IPA vulnerability management SSL
In-Reply-To: <57225110.1000708@redhat.com>
References: <201604270527.u3R5RvrE005517@d03av01.boulder.ibm.com> <6c44a1aa-b1d5-cd85-fc64-38b38d8a1e4b@redhat.com> <201604272324.u3RNOR6U009479@d01av01.pok.ibm.com> <2c9f4e2c-f86d-75a8-2f9f-c8f57284f7d6@redhat.com> <5721F34C.9010107@redhat.com> <5721F536.1000807@redhat.com> <57225110.1000708@redhat.com>
Message-ID:

Hi Noriko,

Thanks for the suggestions. I had to trim out the GCM ciphers in order to get IPA to start back up or I would get the unknown cipher message.

Nmap is still showing the same 13 ciphers as before though, like nothing had changed, and I did ipactl stop, made the modification, ipactl start.

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-28 18:44 EDT
Nmap scan report for
Host is up (0.000053s latency).
PORT STATE SERVICE
636/tcp open ldapssl
| ssl-enum-ciphers:
| TLSv1.2
| Ciphers (13)
| SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
| SSL_RSA_FIPS_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA256
| TLS_RSA_WITH_AES_128_GCM_SHA256
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA256
| TLS_RSA_WITH_DES_CBC_SHA
| TLS_RSA_WITH_RC4_128_MD5
| TLS_RSA_WITH_RC4_128_SHA
| Compressors (1)
|_ uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds

Current Config:

dse.ldif

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20150420131850Z
modifyTimestamp: 20150420131906Z
nsSSL3Ciphers: -rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha
numSubordinates: 1

nss.conf

# SSL 3 ciphers. SSL 2 is disabled by default.
NSSCipherSuite -rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_rsa_aes_128_gcm_sha,+tls_dhe_rsa_aes_128_gcm_sha,+tls_dhe_dss_aes_128_gcm_sha
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2

Does nss.conf have anything to do with the dir srv ciphers? I know the 389 docs say they are tied together, so the way I have been looking at it is nss.conf lists the allowed ciphers where dse.ldif lists which ones to use for 389 from nss.conf. Is that correct? Is there any other place where ciphers would be ignored?

nss-3.19.1-8.el6_7.x86_64
sssd-ipa-1.12.4-47.el6_7.4.x86_64
ipa-client-3.0.0-47.el6_7.1.x86_64
ipa-server-selinux-3.0.0-47.el6_7.1.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-3.0.0-47.el6_7.1.x86_64
ipa-server-3.0.0-47.el6_7.1.x86_64
libipa_hbac-python-1.12.4-47.el6_7.4.x86_64
ipa-admintools-3.0.0-47.el6_7.1.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
389-ds-base-1.2.11.15-68.el6_7.x86_64
389-ds-base-libs-1.2.11.15-68.el6_7.x86_64

I need to get rid of any rc4s

Sean Hogan
Security Engineer
Watson Security & Risk Assurance
Watson Cloud Technology and Support
email: schogan at us.ibm.com | Tel 919 486 1397

From prasun.gera at gmail.com Fri Apr 29 01:14:48 2016
From: prasun.gera at gmail.com (Prasun Gera)
Date: Thu, 28 Apr 2016 21:14:48 -0400
Subject: [Freeipa-users] Account/password expirations
In-Reply-To:
References: <20160419155704.GC14903@hendrix> <20160421193726.GB4262@hendrix>
Message-ID:

>
> You can still authenticate with SSH keys, but to access any NFS 4 shares
> they will need a Kerberos ticket, which can be obtained via a 'kinit' after
> logging in.
>
Then how does the key authentication work if the .ssh directory on nfs4 is not accessible? Doesn't the key authentication process rely on .ssh/authorized_keys being readable by the authentication module?
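Returning to the "IPA vulnerability management SSL" thread above: the following is an added example, not code from the thread or from 389 Directory Server, that models the two interpretations of an nsSSL3Ciphers value Noriko describes. On 389-ds-base 1.2.11.x (RHEL 6) a value containing +all enables every available cipher and the "-" entries have no effect; on 1.3.3 and later +all is applied first and the "-" entries are then removed. The set of available ciphers is a constructed subset of NSS nicknames taken from the messages above (plus the rsa_rc4_128_md5 and rsa_rc4_128_sha nicknames for the two RC4_128 suites nmap keeps listing), and the evaluator is a simplification: it does not model keywords such as "default" or the server's rejection of unknown nicknames, and it says nothing about why Sean's server still offered the same 13 suites after he switched to the explicit list, which the thread leaves open.

```python
"""Model how 389 Directory Server interprets an nsSSL3Ciphers value.

Added example for the "IPA vulnerability management SSL" thread above;
this is not 389-ds code.  It models the two behaviours Noriko describes:

  * legacy (389-ds-base 1.2.11.x on RHEL 6): if "+all" appears anywhere
    in the value, every available cipher is enabled and the "-" entries
    have no effect;
  * current (389-ds-base 1.3.3 and later, RHEL 7): "+all" enables
    everything, and the "-" entries are then removed from that list.

The set of available ciphers is a constructed subset of NSS nicknames
taken from the thread; the real table is much larger and also knows
keywords such as "default", which are not modelled here.
"""
from typing import FrozenSet, List, Set, Tuple

# Constructed subset of NSS cipher nicknames appearing in the thread, plus
# the two RC4_128 nicknames for the TLS_RSA_WITH_RC4_128_{MD5,SHA} suites
# that nmap keeps reporting.
AVAILABLE: FrozenSet[str] = frozenset({
    "rsa_null_md5", "rsa_null_sha",
    "rsa_rc4_56_sha", "tls_rsa_export1024_with_rc4_56_sha",
    "tls_dhe_dss_1024_rc4_sha",
    "rsa_rc4_128_md5", "rsa_rc4_128_sha",
    "rsa_aes_128_sha", "rsa_aes_256_sha",
    "tls_rsa_aes_128_sha", "tls_rsa_aes_256_sha",
    "tls_dhe_dss_aes_128_sha", "tls_dhe_rsa_aes_128_sha",
    "tls_rsa_aes_128_gcm_sha", "tls_dhe_rsa_aes_128_gcm_sha",
    "tls_dhe_dss_aes_128_gcm_sha",
})

# Sean's original value (quoted in Noriko's message) and Noriko's suggested
# explicit list, both copied from the thread; the latter keeps the spaces
# her mail client introduced after some commas.
SEAN_VALUE = ("+all,-rsa_null_sha,-rsa_rc4_56_sha,"
              "-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha")
NORIKO_VALUE = (
    "-rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,"
    "-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha, "
    "+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,"
    "+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha, "
    "+tls_rsa_aes_128_gcm_sha,+tls_dhe_rsa_aes_128_gcm_sha,"
    "+tls_dhe_dss_aes_128_gcm_sha")


def parse(value: str) -> List[Tuple[str, str]]:
    """Split a cipher value into (sign, nickname) pairs.

    Whitespace around entries is dropped (the mail above is line-wrapped
    after some commas); an entry without a leading + or - is an error.
    """
    entries = []
    for raw in value.split(","):
        token = raw.strip().lower()
        if not token:
            continue
        if token[0] not in "+-":
            raise ValueError("cipher entry must start with + or -: %r" % raw)
        entries.append((token[0], token[1:]))
    return entries


def enabled_ciphers(value: str, legacy: bool,
                    available: FrozenSet[str] = AVAILABLE) -> Set[str]:
    """Return the nicknames enabled by `value` under either interpretation.

    Nicknames the build does not know are silently dropped here; the real
    server refuses to start with "unknown cipher", which is what Sean hit
    with the GCM names on his NSS build.
    """
    entries = parse(value)
    plus = {name for sign, name in entries if sign == "+"}
    minus = {name for sign, name in entries if sign == "-"}
    if "all" in plus:
        if legacy:
            return set(available)          # RHEL 6: the "-" entries are lost
        return set(available) - minus      # 1.3.3+: "+all", then subtract
    return (plus & set(available)) - minus  # explicit allow-list


def weak_ciphers(enabled: Set[str]) -> Set[str]:
    """Nicknames a scanner would flag: RC4, NULL and export-grade suites."""
    return {c for c in enabled
            if any(k in c for k in ("rc4", "null", "export", "1024"))}


if __name__ == "__main__":
    cases = (("Sean's value, RHEL 6 semantics", SEAN_VALUE, True),
             ("Sean's value, 1.3.3+ semantics", SEAN_VALUE, False),
             ("Noriko's explicit list, RHEL 6", NORIKO_VALUE, True))
    for label, value, legacy in cases:
        weak = sorted(weak_ciphers(enabled_ciphers(value, legacy)))
        print("%-34s weak ciphers still enabled: %s" % (label, weak or "none"))
```

Run as a script it prints which flagged suites survive under each interpretation. Two things the model makes visible: on the RHEL 6 build Sean's "+all,-..." value enables every suite, which is consistent with his unchanged 13-cipher nmap listing; and even under the newer semantics his exclusion list never names the RC4_128 suites (TLS_RSA_WITH_RC4_128_MD5 and TLS_RSA_WITH_RC4_128_SHA in the scan), so an explicit allow-list of the shape Noriko proposes is the safer form regardless of server version, since anything not named stays off.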
From jhrozek at redhat.com Fri Apr 29 07:22:18 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 29 Apr 2016 09:22:18 +0200
Subject: [Freeipa-users] Quick question regarding modifying attributes
In-Reply-To: <879C1889-45C7-4922-B794-87A52B851197@bsd.uchicago.edu>
References: <4D672522-7239-4023-8BA6-B2A15152A4D9@bsd.uchicago.edu> <20160428162933.GZ12779@hendrix> <879C1889-45C7-4922-B794-87A52B851197@bsd.uchicago.edu>
Message-ID: <20160429072218.GA25181@hendrix>

On Thu, Apr 28, 2016 at 06:31:20PM +0000, Sullivan, Daniel [AAA] wrote:
> Jakub,
>
> Thank you for your reply. I did not know that the compat tree was
> populated from sssd; Do you have any experience and or recommendation on
> using the full_name_format variable of sssd.conf to manipulate how cn's are
> populated in anchor records? Basically I'm interested in trying to get
> IPA to provision anchor records for a trusted domain without the @f.d.q.n
> appended to usernames. It seems like having a custom full_name_format
> (sssd.conf) possibly in conjunction with default_domain_suffix (sssd.conf)
> might achieve this (have already done some internal testing with partial
> results, running into some issues but interested in yours and the groups
> opinion on the viability of this).

It's not possible at the moment to change the output format of the sssd on the server or the format of the entries in the compat tree. Several pieces of the stack (including the extdom plugin that serves requests to the sssd clients) rely on the name being qualified at least on the server side to function properly.

What should be possible starting with 7.3 is to have the shortnames in the output of SSSD clients with id_provider=ipa.
But I'm not sure legacy clients would work either with shortnames because with the legacy clients, we typically treat the whole qualified string as a "name":

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[sssd]
services = nss, pam
config_file_version = 2
domains = default
re_expression = (?P<name>.+)   <-------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The re_expression tells sssd that the whole input string, qualified or not, is a "name"; there is no separate IPA and AD domain in these setups. This is because with the legacy clients, those clients must use the "ldap" id_provider pointed to the compat tree, and the 'ldap' provider, unlike the 'ipa' or 'ad' providers, has no notion of trusted domains internally.

So if you want to use shortnames on the output, I think the best bet is to wait for sssd-1.14 (coming in RHEL-7.3) with the ipa provider.

From jhrozek at redhat.com Fri Apr 29 07:32:30 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 29 Apr 2016 09:32:30 +0200
Subject: [Freeipa-users] Account/password expirations
In-Reply-To:
References: <20160419155704.GC14903@hendrix> <20160421193726.GB4262@hendrix>
Message-ID: <20160429073230.GC25181@hendrix>

On Thu, Apr 28, 2016 at 09:14:48PM -0400, Prasun Gera wrote:
> >
> > You can still authenticate with SSH keys, but to access any NFS 4 shares
> > they will need a Kerberos ticket, which can be obtained via a 'kinit' after
> > logging in.
> >
>
> Then how does the key authentication work if the .ssh directory on nfs4 is
> not accessible ? Doesn't the key authentication process rely on
> .ssh/authorized keys being readable by the authentication module ?
SSSD can fetch the authorized keys from IPA, see man sss_ssh_authorizedkeys(1)

From jhrozek at redhat.com Fri Apr 29 07:49:13 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 29 Apr 2016 09:49:13 +0200
Subject: [Freeipa-users] Free IPA Client in Docker
In-Reply-To: <96C5B8B7-8C00-4B30-B317-286AB2CCD94B@ebay.com>
References: <96C5B8B7-8C00-4B30-B317-286AB2CCD94B@ebay.com>
Message-ID: <20160429074913.GE25181@hendrix>

On Thu, Apr 28, 2016 at 06:14:30PM +0000, Hosakote Nagesh, Pawan wrote:
> Hi,
> I am planning to deploy FreeIPA Client in a docker where my Apps are running. However I hit a road block as there seems to be problem with the docker's hostname settings
> In DNS records.
>
> Debug Log
> ---------
>
> ipa-client-install --hostname=`hostname -f` --mkhomedir -N --force-join --debug
>
> .
> .
> .
> .
>
> debug
> zone phx01.eaz.ebayc3.com.
> update delete . IN A
> show
> send
> update add . 1200 IN A 172.17.0.3
> show
> send
>
> Starting external process
> args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
> Process execution failed
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-client-install", line 2603, in
>     sys.exit(main())
>   File "/usr/sbin/ipa-client-install", line 2584, in main
>     rval = install(options, env, fstore, statestore)
>   File "/usr/sbin/ipa-client-install", line 2387, in install
>     client_dns(cli_server[0], hostname, options.dns_updates)
>   File "/usr/sbin/ipa-client-install", line 1423, in client_dns
>     update_dns(server, hostname)
>   File "/usr/sbin/ipa-client-install", line 1410, in update_dns
>     if do_nsupdate(update_txt):
>   File "/usr/sbin/ipa-client-install", line 1346, in do_nsupdate
>     ipautil.run(['/usr/bin/nsupdate', '-g', UPDATE_FILE])
>   File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 303, in run
>     close_fds=True, env=env, cwd=cwd)
>   File "/usr/lib/python2.7/subprocess.py", line 710, in __init__
>     errread, errwrite)
>   File "/usr/lib/python2.7/subprocess.py", line 1327, in _execute_child
>     raise child_exception
> OSError: [Errno 2] No such file or directory

Looks like nsupdate is missing from the container?

From jhrozek at redhat.com Fri Apr 29 07:50:29 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 29 Apr 2016 09:50:29 +0200
Subject: [Freeipa-users] HBAC implementation help
In-Reply-To:
References:
Message-ID: <20160429075029.GF25181@hendrix>

On Fri, Apr 29, 2016 at 12:03:42AM +0300, Ben .T.George wrote:
> Hi List,
>
> i have a working setup of IPA with AD integrated and one client joined.
>
> i want to implement HBAC rules against this client. can anyone please share
> me good articles of implementing HBAC from web UI.

I'm not sure about the web UI, but as a general rule you'll want to add an external group (created with --external) as a member of a POSIX group and reference the POSIX group in the HBAC rule. The AD members should be added as members of the external group.

From sbose at redhat.com Fri Apr 29 08:28:33 2016
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 29 Apr 2016 10:28:33 +0200
Subject: [Freeipa-users] FreeIPA with smart card using LightDM
In-Reply-To:
References:
Message-ID: <20160429082833.GA7796@p.redhat.com>

On Thu, Apr 28, 2016 at 04:09:16PM -0500, Michael Rainey (Contractor) wrote:
> I am wondering if anyone out there is currently using freeIPA with smart
> cards along with LightDM. I have systems running SL7.2 with GDM and I have
> users that prefer to use XFCE or KDE over the default GNOME-Shell. The
> problem with GDM is I am not able to get screen lock feature to work across
> multiple desktop environments. If anyone uses XFCE, xscreensaver will need
> to be installed so they can lock their screen. This choice also makes using
> the smart card useless when logging back into the system. Also, I haven't
> been able call the lock screen from the command-line. What examples I have
> found do not work due to a missing ScreenSaver object.
> > If anyone has any good solutions to this problem I would enjoy hearing them. Since Smartcard authentication does not make sense for all PAM services SSSD uses a list of services where it would offer Smartcard authentication. Currently this list is static and based on a default RHEL or Fedora setup. We already have https://fedorahosted.org/sssd/ticket/2926 to make this list configurable and Lukas already wrote an initial patch for it https://lists.fedorahosted.org/archives/list/sssd-devel at lists.fedorahosted.org/message/FQWOBQV6FFCBKZS2EXKIJU74473E7R7Y/ If you are interested I can provide you with a test build where XFCE, KDM and xscreensaver are included, just let me know for which platform you will need it. bye, Sumit > > Thanks in advance. > -- > *Michael Rainey* > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project From pvoborni at redhat.com Fri Apr 29 08:59:15 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 29 Apr 2016 10:59:15 +0200 Subject: [Freeipa-users] IPA server having cert issues In-Reply-To: <57223AC2.4020603@damascusgrp.com> References: <571F586E.2000302@damascusgrp.com> <571F5B99.4060607@damascusgrp.com> <571F6BF5.9060801@damascusgrp.com> <571F6C80.8000006@damascusgrp.com> <7c9ac60d-f182-cb92-bf53-85359e5c5b81@redhat.com> <571F9092.7060204@damascusgrp.com> <571F9E04.2050400@damascusgrp.com> <571FA944.8040003@redhat.com> <571FAE1C.107@damascusgrp.com> <57208EE1.3000006@damascusgrp.com> <5720D0A8.505@damascusgrp.com> <5720F2AB.3000300@redhat.com> <572103CE.6030404@damascusgrp.com> <5722193A.40101@damascusgrp.com> <2dac740d-a1fe-5579-6841-d410ee0ec5fc@redhat.com> <5722311B.7040806@damascusgrp.com> <11f8848a-a71f-e98a-ac1c-6656f4cd4df1@redhat.com> <57223AC2.4020603@damascusgrp.com> Message-ID: comments inline On 04/28/2016 06:30 PM, Bret Wortman wrote: > Look, I'll be honest. 
When IPA is in this much of a knot, I don't know how to do > the simplest things with its various components. For example, I've no clue how > to search the ldap database for anything. Or even how to authenticate since > Kerberos isn't running. IPA has sheltered me from ldap for so long that it's a > problem at times like this. > > That being said, here are the things I /was/ able to handle: > > Apr 01 11:02:40 zsipa.private.net server[6896]: Java virtual machine used: > /usr/lib/jvm/jre/bin/java > Apr 01 11:02:40 zsipa.private.net server[6896]: classpath used: > /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.j > Apr 01 11:02:40 zsipa.private.net server[6896]: main class used: > org.apache.catalina.startup.Bootstrap > Apr 01 11:02:40 zsipa.private.net server[6896]: flags used: > -DRESTEASY_LIB=/usr/share/java/resteasy > Apr 01 11:02:40 zsipa.private.net server[6896]: options used: > -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat > -Djava.endorsed.dirs= -Djava.io. 
> Apr 01 11:02:40 zsipa.private.net server[6896]: arguments used: start > Apr 01 11:02:40 zsipa.private.net server[6896]: Apr 01, 2016 11:02:40 AM > org.apache.catalina.startup.ClassLoaderFactory validateFile > Apr 01 11:02:40 zsipa.private.net server[6896]: WARNING: Problem with JAR file > [/var/lib/pki/pki-tomcat/lib/log4j.jar], exists: [false], canRead: [false] > Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM > org.apache.catalina.startup.SetAllPropertiesRule begin > Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: > [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' > to 'false' did not find a matchi > Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM > org.apache.catalina.startup.SetAllPropertiesRule begin > Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > 'ocspResponderURL' to 'http://zsipa.private.net:9 > Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM > org.apache.catalina.startup.SetAllPropertiesRule begin > Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > 'ocspResponderCertNickname' to 'ocspSigningCe > Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM > org.apache.catalina.startup.SetAllPropertiesRule begin > Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > 'ocspCacheSize' to '1000' did not find a matc > Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM > org.apache.catalina.startup.SetAllPropertiesRule begin > Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > 'ocspMinCacheEntryDuration' to '60' did not f > Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM > 
org.apache.catalina.startup.SetAllPropertiesRule begin > Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > 'ocspMaxCacheEntryDuration' to '120' did not > Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM > org.apache.catalina.startup.SetAllPropertiesRule begin > Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: > [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' > to '10' did not find a matching > Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM > org.apache.catalina.startup.SetAllPropertiesRule begin > Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > 'strictCiphers' to 'true' did not find a matc > Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM > org.apache.catalina.startup.SetAllPropertiesRule begin > Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: > [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' > to 'ssl2=true,ssl3=true,tls=true > Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM > org.apache.catalina.startup.SetAllPropertiesRule begin > Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: > [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' > to '-SSL2_RC4_128_WITH_MD5,-SSL > Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM > org.apache.catalina.startup.SetAllPropertiesRule begin > Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: > [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' > to '-SSL3_FORTEZZA_DMS_WITH_NUL > Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM > org.apache.catalina.startup.SetAllPropertiesRule begin > Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: > 
[SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' > to '-TLS_ECDH_ECDSA_WITH_AES_128 > Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM > org.apache.catalina.startup.SetAllPropertiesRule begin > Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > 'serverCertNickFile' to '/var/lib/pki/pki-tom > Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM > org.apache.catalina.startup.SetAllPropertiesRule begin > Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: > [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' > to '/var/lib/pki/pki-tomcat/co > Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM > org.apache.catalina.startup.SetAllPropertiesRule begin > Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > 'passwordClass' to 'org.apache.tomcat.util.ne > Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM > org.apache.catalina.startup.SetAllPropertiesRule begin > Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: > [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to > '/var/lib/pki/pki-tomcat/alias > Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM > org.apache.catalina.startup.SetAllPropertiesRule begin > Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > 'sslVersionRangeStream' to 'tls1_0:tls1_2' di > Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM > org.apache.catalina.startup.SetAllPropertiesRule begin > Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' > Apr 01 11:02:41 zsipa.private.net 
server[6896]: Apr 01, 2016 11:02:41 AM > org.apache.catalina.startup.SetAllPropertiesRule begin > Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AE > Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM > org.apache.tomcat.util.digester.SetPropertiesRule begin > Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: > [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' > to 'false' did not find a matc > Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM > org.apache.tomcat.util.digester.SetPropertiesRule begin > Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: > [SetPropertiesRule]{Server/Service/Engine/Host} Setting property > 'xmlNamespaceAware' to 'false' did not find a > Apr 01 11:02:42 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM > org.apache.coyote.AbstractProtocol init > Apr 01 11:02:42 zsipa.private.net server[6896]: INFO: Initializing > ProtocolHandler ["http-bio-8080"] > Apr 01 11:02:42 zsipa.private.net server[6896]: Apr 01, 2016 11:02:42 AM > org.apache.coyote.AbstractProtocol init > Apr 01 11:02:42 zsipa.private.net server[6896]: INFO: Initializing > ProtocolHandler ["http-bio-8443"] > Apr 01 11:02:42 zsipa.private.net server[6896]: Error: SSL cipher > "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss > Apr 01 11:02:42 zsipa.private.net server[6896]: Error: SSL cipher > "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" not recognized by tomcatjss > Apr 01 11:02:42 zsipa.private.net server[6896]: Error: SSL cipher > "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" not recognized by tomcatjss > Apr 01 11:02:42 zsipa.private.net server[6896]: Error: SSL cipher > "TLS_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss > Apr 01 11:02:42 zsipa.private.net server[6896]: Error: SSL cipher > "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss > 
Apr 01 11:02:42 zsipa.private.net server[6896]: Error: SSL cipher > "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss > Apr 01 11:02:42 zsipa.private.net server[6896]: Error: SSL cipher > "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" unsupported by NSS > Apr 01 11:02:42 zsipa.private.net server[6896]: Error: SSL cipher > "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" unsupported by NSS > Apr 01 11:02:42 zsipa.private.net server[6896]: Error: SSL cipher > "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" unsupported by NSS > Apr 01 11:02:42 zsipa.private.net server[6896]: Apr 01, 2016 11:02:42 AM > org.apache.coyote.AbstractProtocol init > Apr 01 11:02:42 zsipa.private.net server[6896]: INFO: Initializing > ProtocolHandler ["ajp-bio-127.0.0.1-8009"] > Apr 01 11:02:42 zsipa.private.net server[6896]: Apr 01, 2016 11:02:42 AM > org.apache.catalina.startup.Catalina load > Apr 01 11:02:42 zsipa.private.net server[6896]: INFO: Initialization processed > in 988 ms > Apr 01 11:02:42 zsipa.private.net server[6896]: Apr 01, 2016 11:02:42 AM > org.apache.catalina.core.StandardService startInternal > Apr 01 11:02:42 zsipa.private.net server[6896]: INFO: Starting service Catalina > Apr 01 11:02:42 zsipa.private.net server[6896]: Apr 01, 2016 11:02:42 AM > org.apache.catalina.core.StandardEngine startInternal > Apr 01 11:02:42 zsipa.private.net server[6896]: INFO: Starting Servlet Engine: > Apache Tomcat/7.0.59 > Apr 01 11:02:42 zsipa.private.net server[6896]: Apr 01, 2016 11:02:42 AM > org.apache.catalina.startup.HostConfig deployDescriptor > Apr 01 11:02:42 zsipa.private.net server[6896]: INFO: Deploying configuration > descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml > Apr 01 11:02:43 zsipa.private.net server[6896]: Apr 01, 2016 11:02:43 AM > org.apache.catalina.startup.HostConfig deployDescriptor > Apr 01 11:02:43 zsipa.private.net server[6896]: INFO: Deployment of > configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml has > finished in 1,194 ms > Apr 01 
11:02:43 zsipa.private.net server[6896]: Apr 01, 2016 11:02:43 AM > org.apache.catalina.startup.HostConfig deployDescriptor > Apr 01 11:02:43 zsipa.private.net server[6896]: INFO: Deploying configuration > descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml > Apr 01 11:02:43 zsipa.private.net server[6896]: SSLAuthenticatorWithFallback: > Creating SSL authenticator with fallback > Apr 01 11:02:43 zsipa.private.net server[6896]: SSLAuthenticatorWithFallback: > Setting container > Apr 01 11:02:45 zsipa.private.net server[6896]: SSLAuthenticatorWithFallback: > Initializing authenticators > Apr 01 11:02:45 zsipa.private.net server[6896]: SSLAuthenticatorWithFallback: > Starting authenticators > Apr 01 11:02:51 zsipa.private.net server[6896]: Server is started. > Apr 01 11:02:51 zsipa.private.net server[6896]: Apr 01, 2016 11:02:51 AM > org.apache.catalina.startup.HostConfig deployDescriptor > Apr 01 11:02:51 zsipa.private.net server[6896]: INFO: Deployment of > configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has > finished in 7,993 ms > Apr 01 11:02:51 zsipa.private.net server[6896]: Apr 01, 2016 11:02:51 AM > org.apache.catalina.startup.HostConfig deployDescriptor > Apr 01 11:02:51 zsipa.private.net server[6896]: INFO: Deploying configuration > descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml > Apr 01 11:02:52 zsipa.private.net server[6896]: Apr 01, 2016 11:02:52 AM > org.apache.catalina.startup.HostConfig deployDescriptor > Apr 01 11:02:52 zsipa.private.net server[6896]: INFO: Deployment of > configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml has > finished in 661 ms > Apr 01 11:02:52 zsipa.private.net server[6896]: Apr 01, 2016 11:02:52 AM > org.apache.coyote.AbstractProtocol start > Apr 01 11:02:52 zsipa.private.net server[6896]: INFO: Starting ProtocolHandler > ["http-bio-8080"] > Apr 01 11:02:52 zsipa.private.net server[6896]: Apr 01, 2016 11:02:52 AM > org.apache.coyote.AbstractProtocol start > Apr 01 
11:02:52 zsipa.private.net server[6896]: INFO: Starting ProtocolHandler > ["http-bio-8443"] > Apr 01 11:02:52 zsipa.private.net server[6896]: Apr 01, 2016 11:02:52 AM > org.apache.coyote.AbstractProtocol start > Apr 01 11:02:52 zsipa.private.net server[6896]: INFO: Starting ProtocolHandler > ["ajp-bio-127.0.0.1-8009"] > Apr 01 11:02:52 zsipa.private.net server[6896]: Apr 01, 2016 11:02:52 AM > org.apache.catalina.startup.Catalina start > Apr 01 11:02:52 zsipa.private.net server[6896]: INFO: Server startup in 9918 ms Here the PKI server started. And below, 5 minutes later, something stopped it. > Apr 01 11:07:53 zsipa.private.net server[7974]: Java virtual machine used: > /usr/lib/jvm/jre/bin/java > Apr 01 11:07:53 zsipa.private.net server[7974]: classpath used: > /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.j > Apr 01 11:07:53 zsipa.private.net server[7974]: main class used: > org.apache.catalina.startup.Bootstrap > Apr 01 11:07:53 zsipa.private.net server[7974]: flags used: > -DRESTEASY_LIB=/usr/share/java/resteasy > Apr 01 11:07:53 zsipa.private.net server[7974]: options used: > -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat > -Djava.endorsed.dirs= -Djava.io. > Apr 01 11:07:53 zsipa.private.net server[7974]: arguments used: stop > Apr 01 11:07:53 zsipa.private.net server[7974]: Apr 01, 2016 11:07:53 AM > org.apache.catalina.startup.ClassLoaderFactory validateFile > Apr 01 11:07:53 zsipa.private.net server[7974]: WARNING: Problem with JAR file > [/var/lib/pki/pki-tomcat/lib/log4j.jar], exists: [false], canRead: [false] > Apr 01 11:07:54 zsipa.private.net server[6896]: Apr 01, 2016 11:07:54 AM > org.apache.catalina.core.StandardServer await > Apr 01 11:07:54 zsipa.private.net server[6896]: INFO: A valid shutdown command > was received via the shutdown port. Stopping the Server instance. 
> Apr 01 11:07:54 zsipa.private.net server[6896]: Apr 01, 2016 11:07:54 AM > org.apache.coyote.AbstractProtocol pause > Apr 01 11:07:54 zsipa.private.net server[6896]: INFO: Pausing ProtocolHandler > ["http-bio-8080"] > > # systemctl status pki-tomcatd at pki-tomcat.service -l > ● pki-tomcatd at pki-tomcat.service - PKI Tomcat Server pki-tomcat > Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd at .service; enabled) > Active: inactive (dead) > > Apr 28 12:12:53 zsipa.private.net server[8557]: Apr 28, 2016 12:12:53 PM > org.apache.catalina.core.StandardServer await > Apr 28 12:12:53 zsipa.private.net server[8557]: INFO: A valid shutdown command > was received via the shutdown port. Stopping the Server instance. > Apr 28 12:12:53 zsipa.private.net server[8557]: Apr 28, 2016 12:12:53 PM > org.apache.coyote.AbstractProtocol pause > Apr 28 12:12:53 zsipa.private.net server[8557]: INFO: Pausing ProtocolHandler > ["http-bio-8080"] > Apr 28 12:12:53 zsipa.private.net server[8557]: Apr 28, 2016 12:12:53 PM > org.apache.coyote.AbstractProtocol pause > Apr 28 12:12:53 zsipa.private.net server[8557]: INFO: Pausing ProtocolHandler > ["http-bio-8443"] > Apr 28 12:12:53 zsipa.private.net server[8557]: Apr 28, 2016 12:12:53 PM > org.apache.coyote.AbstractProtocol pause > Apr 28 12:12:53 zsipa.private.net server[8557]: INFO: Pausing ProtocolHandler > ["ajp-bio-127.0.0.1-8009"] > Apr 28 12:12:53 zsipa.private.net server[8557]: Apr 28, 2016 12:12:53 PM > org.apache.catalina.core.StandardService stopInternal > Apr 28 12:12:53 zsipa.private.net server[8557]: INFO: Stopping service Catalina
Why is the time different here? Given that the PKI server seems to start could you:
1. move date to Apr 1
2. # date
3. # ipactl stop
4. # date
5. # ipactl start -d
6. # date
7. # ipactl status
8. # getcert list
9. # journalctl -u pki-tomcatd at pki-tomcat.service
paste here output of 1-8. Plus output of 9 since date in 2.
Or ideally attach it as text file so that lines won't be wrapped (hard to read). > > > > # systemctl | grep dirsrv@ > dirsrv at PRIVATE-NET.service > loaded active running 389 Directory Server PRIVATE-NET. > > On 04/28/2016 12:04 PM, Petr Vobornik wrote: >> On 04/28/2016 05:49 PM, Bret Wortman wrote: >>> My system shows pki-server is installed and V10.2.1-3.fc21, but I don't >>> have the pki-server binary itself. Will reinstalling this rpm hurt me in >>> any way? Without it, I'm not sure how to check my system against the >>> messages you provided below. >> Not sure what you mean. Running doesn't require any additional packages. >> It is just to get additional logs. >> systemctl status pki-tomcatd at pki-tomcat.service >> journalctl -u pki-tomcatd at pki-tomcat.service >> >> And the links below are about checking if CA users have correctly mapped >> certificates in LDAP database in ou=people,o=ipaca for that you need >> only ldapsearch command and start directory server: We may skip this part, it might not be needed. >> systemctl start dirsrv at YOUR-REALM-TEST.service >> >> Proper name for dirsrv at YOUR-REALM-TEST.service can be found using: >> systemctl | grep dirsrv@ >> >> >>> On 04/28/2016 11:07 AM, Petr Vobornik wrote: >>>> On 04/28/2016 04:07 PM, Bret Wortman wrote: >>>>> Okay. This morning, I turned back time to 4/1 and started up IPA. It >>>>> didn't >>>>> work, but I got something new and interesting in the debug log, which >>>>> I've >>>>> posted to http://pastebin.com/M9VGCS8A. Lots of garbled junk came >>>>> pouring out >>>>> which doesn't happen when I'm set to real time. Is /this/ significant? >>>> Anything in >>>> systemctl status pki-tomcatd at pki-tomcat.service >>>> or rather: >>>> journalctl -u pki-tomcatd at pki-tomcat.service >>>> ?
>>>> >>>> Just to be sure, it might be also worth to check if CA subsystem users >>>> have correct certs assigned: >>>> * >>>> https://www.redhat.com/archives/freeipa-users/2016-April/msg00138.html >>>> * >>>> https://www.redhat.com/archives/freeipa-users/2016-April/msg00143.html >>>> >>>>> On 04/27/2016 02:24 PM, Bret Wortman wrote: >>>>>> I put excerpts from the ca logs in http://pastebin.com/gYgskU79. It >>>>>> looks >>>>>> logical to me, but I can't spot anything that looks like a root >>>>>> cause error. >>>>>> The selftests are all okay, I think. The debug log might have >>>>>> something, but >>>>>> it might also just be complaining about ldap not being up because >>>>>> it's not. >>>>>> >>>>>> >>>>>> On 04/27/2016 01:11 PM, Rob Crittenden wrote: >>>>>>> Bret Wortman wrote: >>>>>>>> So in lieu of fixing these certs, is there an acceptable way to dump >>>>>>>> them all and start over /without losing the contents of the IPA >>>>>>>> database/? Or otherwise really screwing ourselves? >>>>>>> I don't believe there is a way. >>>>>>> >>>>>>>> We have a replica that's still up and running and we've switched >>>>>>>> everyone over to talking to it, but we're at risk with just the one. >>>>>>> I'd ignore the two unknown certs for now. They look like someone was >>>>>>> experimenting with issuing a cert and didn't quite get things working. >>>>>>> >>>>>>> The CA seems to be throwing an error. I'd check the syslog for >>>>>>> messages from >>>>>>> certmonger and look at the CA debug log and selftest log.
>>>>>>> >>>>>>> rob >>>>>>> >>>>>> [snip] >>>>>> >>>>> >> > -- Petr Vobornik
From mbasti at redhat.com Fri Apr 29 09:02:10 2016 From: mbasti at redhat.com (Martin Basti) Date: Fri, 29 Apr 2016 11:02:10 +0200 Subject: [Freeipa-users] freeipa update changed my cipher set In-Reply-To: <57224564.9080305@ast.cam.ac.uk> References: <57224564.9080305@ast.cam.ac.uk> Message-ID: <57232312.30506@redhat.com> On 28.04.2016 19:16, Roderick Johnstone wrote: > Hi > > RHEL7 running ipa-server-4.2.0-15.el7_2.6.1.x86_64 > > A couple of months ago I updated > /etc/dirsrv/slapd-XXX.XXX.XXX/dse.ldif to customise the cipher suite > in use by freeipa (see previous thread on this list). > > When the update to ipa-server-4.2.0-15.el7_2.6.1.x86_64 came in on > April 14 it saved my dse.ldif to dse.ldif.ipa.87160d3fec74fa3f and > reverted some, but not all of, my changed settings in dse.ldif. > > I'd like to understand what is expected to happen to this file on a > package upgrade (rpm reports that this file is not owned by any > package so I guess it's manipulated by a scriptlet) since at least one > of my changes was preserved. > > Also, if I need to maintain a customised cipher suite for ipa, am I > required to only do yum updates of the ipa-server package by hand and > manually merge back in my changes, or is there a better way? > > Thanks > > Roderick Johnstone >
Hello,

probably IPA upgrade did this change.

If you need custom ciphers to be preserved, you have to put your own upgrade file (number must be higher than 20) to IPA '/usr/share/ipa/updates/'

something like:

$ cat 99-myciphers.update
dn: cn=encryption,cn=config
only:nsSSL3Ciphers: default
only:allowWeakCipher: off

update default value with your own required ciphers

Martin
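The update-file approach Martin describes, shown here as an added example that is not FreeIPA's own updater code: the script parses a 99-myciphers.update-style file, reports which attributes of the cn=encryption,cn=config entry a package upgrade has reverted, and shows the entry as the update would leave it. The "only:" directive is the one used on the list; "default:", "add:" and "remove:" and the exact semantics implemented here are my reading of the ipa-ldap-updater format rather than something quoted from the thread, and the cipher string, the dse.ldif snippet and all function names are constructed for the example.

```python
"""Drift check and dry-run for an IPA-style LDAP update file that pins
389-ds cipher settings.  Added example, not FreeIPA's updater code."""

import re

# Constructed sample: a desired-state update file in the style of the
# 99-myciphers.update from the thread.  "only:" is the directive used on
# the list; "default:", "add:" and "remove:" follow my reading of the
# ipa-ldap-updater format (assumption, not quoted from the thread).
UPDATE_FILE = """\
dn: cn=encryption,cn=config
only:nsSSL3Ciphers: +TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
only:allowWeakCipher: off
default:sslVersionMin: TLS1.2
"""

# Constructed sample: the entry as it might look in dse.ldif after an
# upgrade reverted the cipher list but left allowWeakCipher alone.
DSE_AFTER_UPGRADE = """\
dn: cn=encryption,cn=config
cn: encryption
objectClass: top
objectClass: nsEncryptionConfig
nsSSL3Ciphers: default
allowWeakCipher: off
"""

DIRECTIVE_RE = re.compile(r"^(only|default|add|remove):([^:]+):\s*(.*)$")


def parse_update(text):
    """Return (dn, [(directive, attribute, value), ...]) for one update file."""
    dn, ops = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised update line: {line!r}")
        ops.append((m.group(1), m.group(2).strip(), m.group(3)))
    if dn is None:
        raise ValueError("update file has no dn:")
    return dn, ops


def parse_ldif_entry(text):
    """Parse a single LDIF entry into (dn, {attr_lowercase: [values]}).
    Attribute names are lowercased because LDAP compares them case-insensitively."""
    dn, attrs = None, {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return dn, attrs


def apply_update(attrs, ops):
    """Return a copy of attrs with the directives applied (dry run).

    only:    the attribute ends up with exactly this one value
    default: set the value only if the attribute is currently absent
    add:     append the value unless already present
    remove:  drop the value if present
    """
    new = {k: list(v) for k, v in attrs.items()}
    for directive, attr, value in ops:
        key = attr.lower()
        if directive == "only":
            new[key] = [value]
        elif directive == "default":
            new.setdefault(key, [value])
        elif directive == "add":
            if value not in new.setdefault(key, []):
                new[key].append(value)
        elif directive == "remove":
            new[key] = [v for v in new.get(key, []) if v != value]
            if not new[key]:
                del new[key]
    return new


def drifted_attributes(attrs, ops):
    """Names of attributes whose live values differ from the 'only:' targets.
    Run after every ipa-server upgrade to learn whether the pin was undone."""
    return [attr for directive, attr, value in ops
            if directive == "only" and attrs.get(attr.lower()) != [value]]


def check_and_fix(update_text=UPDATE_FILE, ldif_text=DSE_AFTER_UPGRADE):
    """Return (drifted attribute names, entry as the update would leave it)."""
    upd_dn, ops = parse_update(update_text)
    entry_dn, attrs = parse_ldif_entry(ldif_text)
    if upd_dn.lower() != entry_dn.lower():
        raise ValueError(f"update targets {upd_dn} but entry is {entry_dn}")
    return drifted_attributes(attrs, ops), apply_update(attrs, ops)


if __name__ == "__main__":
    drift, fixed = check_and_fix()
    print("attributes reverted by the upgrade:", drift)
    for name, values in sorted(fixed.items()):
        for value in values:
            print(f"{name}: {value}")
```

In practice the entry text would come from an ldapsearch of cn=encryption,cn=config (or the dse.ldif backup the upgrade left behind) rather than the constructed sample; the dry run only shows what the update file would do, while the real change is still made by running the file through ipa-ldap-updater or ipa-server-upgrade as the follow-up message says.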
From mbasti at redhat.com Fri Apr 29 09:27:21 2016 From: mbasti at redhat.com (Martin Basti) Date: Fri, 29 Apr 2016 11:27:21 +0200 Subject: [Freeipa-users] freeipa update changed my cipher set In-Reply-To: <57232312.30506@redhat.com> References: <57224564.9080305@ast.cam.ac.uk> <57232312.30506@redhat.com> Message-ID: <572328F9.8030109@redhat.com> On 29.04.2016 11:02, Martin Basti wrote: > > > On 28.04.2016 19:16, Roderick Johnstone wrote: >> Hi >> >> RHEL7 running ipa-server-4.2.0-15.el7_2.6.1.x86_64 >> >> A couple of months ago I updated >> /etc/dirsrv/slapd-XXX.XXX.XXX/dse.ldif to customise the cipher suite >> in use by freeipa (see previous thread on this list). >> >> When the update to ipa-server-4.2.0-15.el7_2.6.1.x86_64 came in on >> April 14 it saved my dse.ldif to dse.ldif.ipa.87160d3fec74fa3f and >> reverted some, but not all of, my changed settings in dse.ldif. >> >> I'd like to understand what is expected to happen to this file on a >> package upgrade (rpm reports that this file is not owned by any >> package so I guess its manipulated by a scriplet) since at least one >> of my changes was preserved. >> >> Also, if I need to maintain a customised cipher suite for ipa, am I >> required to only do yum updates of the ipa-server package by hand and >> manually merge back in my changes, or is there a better way? >> >> Thanks >> >> Roderick Johnstone >> > Hello, > > probably IPA upgrade did this change > > if you need custom ciphers to be preserved, you have to put your own > upgrade file (number must be higher than 20) to IPA > '/usr/share/ipa/updates/' > > something like: > > $ cat 99-myciphers.update > dn: cn=encryption,cn=config > only:nsSSL3Ciphers: default > only:allowWeakCipher: off > > update default value with your own required ciphers > > Martin > >
I forgot to add, you have to run ipa-server-upgrade or ipa-ldap-updater /usr/share/ipa/updates/99-myciphers.update to apply changes.
Martin
From mkosek at redhat.com Fri Apr 29 09:40:40 2016 From: mkosek at redhat.com (Martin Kosek) Date: Fri, 29 Apr 2016 11:40:40 +0200 Subject: [Freeipa-users] Free IPA Client in Docker In-Reply-To: <96C5B8B7-8C00-4B30-B317-286AB2CCD94B@ebay.com> References: <96C5B8B7-8C00-4B30-B317-286AB2CCD94B@ebay.com> Message-ID: <9ae47ccb-cec5-4d55-1ecd-42ebef019185@redhat.com> On 04/28/2016 08:14 PM, Hosakote Nagesh, Pawan wrote: > Hi, > I am planning to deploy FreeIPA Client in a docker where my Apps are > running. However I hit a road block as there seems to be problem with the > docker's hostname settings > In DNS records. CCing Jan on this one. Did you try to use SSSD Docker container we already have instead? https://hub.docker.com/r/fedora/sssd/ https://www.adelton.com/docs/docker/fedora-sssd-container Martin > Debug Log > ------- > > ipa-client-install --hostname=`hostname -f` --mkhomedir -N --force-join --debug > > . > > . > > . > > . > > debug > > zone phx01.eaz.ebayc3.com. > > update delete . IN A > > show > > send > > update add .
1200 IN A 172.17.0.3 > > show > > send > > > Starting external process > > args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt > > Process execution failed > > Traceback (most recent call last): > > File "/usr/sbin/ipa-client-install", line 2603, in > > sys.exit(main()) > > File "/usr/sbin/ipa-client-install", line 2584, in main > > rval = install(options, env, fstore, statestore) > > File "/usr/sbin/ipa-client-install", line 2387, in install > > client_dns(cli_server[0], hostname, options.dns_updates) > > File "/usr/sbin/ipa-client-install", line 1423, in client_dns > > update_dns(server, hostname) > > File "/usr/sbin/ipa-client-install", line 1410, in update_dns > > if do_nsupdate(update_txt): > > File "/usr/sbin/ipa-client-install", line 1346, in do_nsupdate > > ipautil.run(['/usr/bin/nsupdate', '-g', UPDATE_FILE]) > > File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 303, in run > > close_fds=True, env=env, cwd=cwd) > > File "/usr/lib/python2.7/subprocess.py", line 710, in __init__ > > errread, errwrite) > > File "/usr/lib/python2.7/subprocess.py", line 1327, in _execute_child > > raise child_exception > > OSError: [Errno 2] No such file or directory > > > > As a Follow up question I also wanted to know why is absolutely necessary for > Kerberos Client to have hostname? Wont Client initiate the connection and > FreeIPA server can take it from there. > If so what is the need of FQDN for FreeIPA client at all? 
> > - > Best, > Pawan > > From bret.wortman at damascusgrp.com Fri Apr 29 10:03:39 2016 From: bret.wortman at damascusgrp.com (Bret Wortman) Date: Fri, 29 Apr 2016 06:03:39 -0400 Subject: [Freeipa-users] IPA server having cert issues In-Reply-To: References: <571F586E.2000302@damascusgrp.com> <571F5B99.4060607@damascusgrp.com> <571F6BF5.9060801@damascusgrp.com> <571F6C80.8000006@damascusgrp.com> <7c9ac60d-f182-cb92-bf53-85359e5c5b81@redhat.com> <571F9092.7060204@damascusgrp.com> <571F9E04.2050400@damascusgrp.com> <571FA944.8040003@redhat.com> <571FAE1C.107@damascusgrp.com> <57208EE1.3000006@damascusgrp.com> <5720D0A8.505@damascusgrp.com> <5720F2AB.3000300@redhat.com> <572103CE.6030404@damascusgrp.com> <5722193A.40101@damascusgrp.com> <2dac740d-a1fe-5579-6841-d410ee0ec5fc@redhat.com> <5722311B.7040806@damascusgrp.com> <11f8848a-a71f-e98a-ac1c-6656f4cd4df1@redhat.com> <57223AC2.4020603@damascusgrp.com> Message-ID: <5723317B.8090900@damascusgrp.com> The date change was due (I think) to me changing the date back to 4/1 yesterday, though I left it there and haven't updated it again until this morning, when I went back to 4/1 again. I put the results of the commands you requested at https://pastebin.com/s7cHAh6R. Thanks for your help, Petr. I really appreciate it. Bret On 04/29/2016 04:59 AM, Petr Vobornik wrote: > comments inline > > On 04/28/2016 06:30 PM, Bret Wortman wrote: >> Look, I'll be honest. When IPA is in this much of a knot, I don't know how to do >> the simplest things with its various components. For example, I've no clue how >> to search the ldap database for anything. Or even how to authenticate since >> Kerberos isn't running. IPA has sheltered me from ldap for so long that it's a >> problem at times like this. 
>> >> That being said, here are the things I /was/ able to handle: >> >> Apr 01 11:02:40 zsipa.private.net server[6896]: Java virtual machine used: >> /usr/lib/jvm/jre/bin/java >> Apr 01 11:02:40 zsipa.private.net server[6896]: classpath used: >> /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.j >> Apr 01 11:02:40 zsipa.private.net server[6896]: main class used: >> org.apache.catalina.startup.Bootstrap >> Apr 01 11:02:40 zsipa.private.net server[6896]: flags used: >> -DRESTEASY_LIB=/usr/share/java/resteasy >> Apr 01 11:02:40 zsipa.private.net server[6896]: options used: >> -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat >> -Djava.endorsed.dirs= -Djava.io. >> Apr 01 11:02:40 zsipa.private.net server[6896]: arguments used: start >> Apr 01 11:02:40 zsipa.private.net server[6896]: Apr 01, 2016 11:02:40 AM >> org.apache.catalina.startup.ClassLoaderFactory validateFile >> Apr 01 11:02:40 zsipa.private.net server[6896]: WARNING: Problem with JAR file >> [/var/lib/pki/pki-tomcat/lib/log4j.jar], exists: [false], canRead: [false] >> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM >> org.apache.catalina.startup.SetAllPropertiesRule begin >> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: >> [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' >> to 'false' did not find a matchi >> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM >> org.apache.catalina.startup.SetAllPropertiesRule begin >> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: >> [SetAllPropertiesRule]{Server/Service/Connector} Setting property >> 'ocspResponderURL' to 'http://zsipa.private.net:9 >> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM >> org.apache.catalina.startup.SetAllPropertiesRule begin >> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: >> [SetAllPropertiesRule]{Server/Service/Connector} Setting 
property >> 'ocspResponderCertNickname' to 'ocspSigningCe >> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM >> org.apache.catalina.startup.SetAllPropertiesRule begin >> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: >> [SetAllPropertiesRule]{Server/Service/Connector} Setting property >> 'ocspCacheSize' to '1000' did not find a matc >> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM >> org.apache.catalina.startup.SetAllPropertiesRule begin >> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: >> [SetAllPropertiesRule]{Server/Service/Connector} Setting property >> 'ocspMinCacheEntryDuration' to '60' did not f >> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM >> org.apache.catalina.startup.SetAllPropertiesRule begin >> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: >> [SetAllPropertiesRule]{Server/Service/Connector} Setting property >> 'ocspMaxCacheEntryDuration' to '120' did not >> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM >> org.apache.catalina.startup.SetAllPropertiesRule begin >> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: >> [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' >> to '10' did not find a matching >> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM >> org.apache.catalina.startup.SetAllPropertiesRule begin >> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: >> [SetAllPropertiesRule]{Server/Service/Connector} Setting property >> 'strictCiphers' to 'true' did not find a matc >> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM >> org.apache.catalina.startup.SetAllPropertiesRule begin >> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: >> [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' >> to 'ssl2=true,ssl3=true,tls=true >> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 
11:02:41 AM >> org.apache.catalina.startup.SetAllPropertiesRule begin >> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: >> [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' >> to '-SSL2_RC4_128_WITH_MD5,-SSL >> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM >> org.apache.catalina.startup.SetAllPropertiesRule begin >> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: >> [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' >> to '-SSL3_FORTEZZA_DMS_WITH_NUL >> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM >> org.apache.catalina.startup.SetAllPropertiesRule begin >> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: >> [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' >> to '-TLS_ECDH_ECDSA_WITH_AES_128 >> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM >> org.apache.catalina.startup.SetAllPropertiesRule begin >> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: >> [SetAllPropertiesRule]{Server/Service/Connector} Setting property >> 'serverCertNickFile' to '/var/lib/pki/pki-tom >> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM >> org.apache.catalina.startup.SetAllPropertiesRule begin >> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: >> [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' >> to '/var/lib/pki/pki-tomcat/co >> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM >> org.apache.catalina.startup.SetAllPropertiesRule begin >> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: >> [SetAllPropertiesRule]{Server/Service/Connector} Setting property >> 'passwordClass' to 'org.apache.tomcat.util.ne >> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM >> org.apache.catalina.startup.SetAllPropertiesRule begin >> Apr 01 11:02:41 zsipa.private.net server[6896]: 
WARNING: >> [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to >> '/var/lib/pki/pki-tomcat/alias >> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM >> org.apache.catalina.startup.SetAllPropertiesRule begin >> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: >> [SetAllPropertiesRule]{Server/Service/Connector} Setting property >> 'sslVersionRangeStream' to 'tls1_0:tls1_2' di >> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM >> org.apache.catalina.startup.SetAllPropertiesRule begin >> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: >> [SetAllPropertiesRule]{Server/Service/Connector} Setting property >> 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' >> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM >> org.apache.catalina.startup.SetAllPropertiesRule begin >> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: >> [SetAllPropertiesRule]{Server/Service/Connector} Setting property >> 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AE >> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM >> org.apache.tomcat.util.digester.SetPropertiesRule begin >> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: >> [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' >> to 'false' did not find a matc >> Apr 01 11:02:41 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM >> org.apache.tomcat.util.digester.SetPropertiesRule begin >> Apr 01 11:02:41 zsipa.private.net server[6896]: WARNING: >> [SetPropertiesRule]{Server/Service/Engine/Host} Setting property >> 'xmlNamespaceAware' to 'false' did not find a >> Apr 01 11:02:42 zsipa.private.net server[6896]: Apr 01, 2016 11:02:41 AM >> org.apache.coyote.AbstractProtocol init >> Apr 01 11:02:42 zsipa.private.net server[6896]: INFO: Initializing >> ProtocolHandler ["http-bio-8080"] >> Apr 01 11:02:42 zsipa.private.net server[6896]: Apr 01, 2016 11:02:42 AM >> 
org.apache.coyote.AbstractProtocol init >> Apr 01 11:02:42 zsipa.private.net server[6896]: INFO: Initializing >> ProtocolHandler ["http-bio-8443"] >> Apr 01 11:02:42 zsipa.private.net server[6896]: Error: SSL cipher >> "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss >> Apr 01 11:02:42 zsipa.private.net server[6896]: Error: SSL cipher >> "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" not recognized by tomcatjss >> Apr 01 11:02:42 zsipa.private.net server[6896]: Error: SSL cipher >> "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" not recognized by tomcatjss >> Apr 01 11:02:42 zsipa.private.net server[6896]: Error: SSL cipher >> "TLS_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss >> Apr 01 11:02:42 zsipa.private.net server[6896]: Error: SSL cipher >> "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss >> Apr 01 11:02:42 zsipa.private.net server[6896]: Error: SSL cipher >> "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss >> Apr 01 11:02:42 zsipa.private.net server[6896]: Error: SSL cipher >> "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" unsupported by NSS >> Apr 01 11:02:42 zsipa.private.net server[6896]: Error: SSL cipher >> "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" unsupported by NSS >> Apr 01 11:02:42 zsipa.private.net server[6896]: Error: SSL cipher >> "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" unsupported by NSS >> Apr 01 11:02:42 zsipa.private.net server[6896]: Apr 01, 2016 11:02:42 AM >> org.apache.coyote.AbstractProtocol init >> Apr 01 11:02:42 zsipa.private.net server[6896]: INFO: Initializing >> ProtocolHandler ["ajp-bio-127.0.0.1-8009"] >> Apr 01 11:02:42 zsipa.private.net server[6896]: Apr 01, 2016 11:02:42 AM >> org.apache.catalina.startup.Catalina load >> Apr 01 11:02:42 zsipa.private.net server[6896]: INFO: Initialization processed >> in 988 ms >> Apr 01 11:02:42 zsipa.private.net server[6896]: Apr 01, 2016 11:02:42 AM >> org.apache.catalina.core.StandardService startInternal >> Apr 01 11:02:42 zsipa.private.net server[6896]: INFO: 
Starting service Catalina >> Apr 01 11:02:42 zsipa.private.net server[6896]: Apr 01, 2016 11:02:42 AM >> org.apache.catalina.core.StandardEngine startInternal >> Apr 01 11:02:42 zsipa.private.net server[6896]: INFO: Starting Servlet Engine: >> Apache Tomcat/7.0.59 >> Apr 01 11:02:42 zsipa.private.net server[6896]: Apr 01, 2016 11:02:42 AM >> org.apache.catalina.startup.HostConfig deployDescriptor >> Apr 01 11:02:42 zsipa.private.net server[6896]: INFO: Deploying configuration >> descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml >> Apr 01 11:02:43 zsipa.private.net server[6896]: Apr 01, 2016 11:02:43 AM >> org.apache.catalina.startup.HostConfig deployDescriptor >> Apr 01 11:02:43 zsipa.private.net server[6896]: INFO: Deployment of >> configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml has >> finished in 1,194 ms >> Apr 01 11:02:43 zsipa.private.net server[6896]: Apr 01, 2016 11:02:43 AM >> org.apache.catalina.startup.HostConfig deployDescriptor >> Apr 01 11:02:43 zsipa.private.net server[6896]: INFO: Deploying configuration >> descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml >> Apr 01 11:02:43 zsipa.private.net server[6896]: SSLAuthenticatorWithFallback: >> Creating SSL authenticator with fallback >> Apr 01 11:02:43 zsipa.private.net server[6896]: SSLAuthenticatorWithFallback: >> Setting container >> Apr 01 11:02:45 zsipa.private.net server[6896]: SSLAuthenticatorWithFallback: >> Initializing authenticators >> Apr 01 11:02:45 zsipa.private.net server[6896]: SSLAuthenticatorWithFallback: >> Starting authenticators >> Apr 01 11:02:51 zsipa.private.net server[6896]: Server is started. 
>> Apr 01 11:02:51 zsipa.private.net server[6896]: Apr 01, 2016 11:02:51 AM >> org.apache.catalina.startup.HostConfig deployDescriptor >> Apr 01 11:02:51 zsipa.private.net server[6896]: INFO: Deployment of >> configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has >> finished in 7,993 ms >> Apr 01 11:02:51 zsipa.private.net server[6896]: Apr 01, 2016 11:02:51 AM >> org.apache.catalina.startup.HostConfig deployDescriptor >> Apr 01 11:02:51 zsipa.private.net server[6896]: INFO: Deploying configuration >> descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml >> Apr 01 11:02:52 zsipa.private.net server[6896]: Apr 01, 2016 11:02:52 AM >> org.apache.catalina.startup.HostConfig deployDescriptor >> Apr 01 11:02:52 zsipa.private.net server[6896]: INFO: Deployment of >> configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki.xml has >> finished in 661 ms >> Apr 01 11:02:52 zsipa.private.net server[6896]: Apr 01, 2016 11:02:52 AM >> org.apache.coyote.AbstractProtocol start >> Apr 01 11:02:52 zsipa.private.net server[6896]: INFO: Starting ProtocolHandler >> ["http-bio-8080"] >> Apr 01 11:02:52 zsipa.private.net server[6896]: Apr 01, 2016 11:02:52 AM >> org.apache.coyote.AbstractProtocol start >> Apr 01 11:02:52 zsipa.private.net server[6896]: INFO: Starting ProtocolHandler >> ["http-bio-8443"] >> Apr 01 11:02:52 zsipa.private.net server[6896]: Apr 01, 2016 11:02:52 AM >> org.apache.coyote.AbstractProtocol start >> Apr 01 11:02:52 zsipa.private.net server[6896]: INFO: Starting ProtocolHandler >> ["ajp-bio-127.0.0.1-8009"] >> Apr 01 11:02:52 zsipa.private.net server[6896]: Apr 01, 2016 11:02:52 AM >> org.apache.catalina.startup.Catalina start >> Apr 01 11:02:52 zsipa.private.net server[6896]: INFO: Server startup in 9918 ms > Here the PKI server started. And below, 5 minutes later, something > stopped it. 
> > >> Apr 01 11:07:53 zsipa.private.net server[7974]: Java virtual machine used: >> /usr/lib/jvm/jre/bin/java >> Apr 01 11:07:53 zsipa.private.net server[7974]: classpath used: >> /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.j >> Apr 01 11:07:53 zsipa.private.net server[7974]: main class used: >> org.apache.catalina.startup.Bootstrap >> Apr 01 11:07:53 zsipa.private.net server[7974]: flags used: >> -DRESTEASY_LIB=/usr/share/java/resteasy >> Apr 01 11:07:53 zsipa.private.net server[7974]: options used: >> -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat >> -Djava.endorsed.dirs= -Djava.io. >> Apr 01 11:07:53 zsipa.private.net server[7974]: arguments used: stop >> Apr 01 11:07:53 zsipa.private.net server[7974]: Apr 01, 2016 11:07:53 AM >> org.apache.catalina.startup.ClassLoaderFactory validateFile >> Apr 01 11:07:53 zsipa.private.net server[7974]: WARNING: Problem with JAR file >> [/var/lib/pki/pki-tomcat/lib/log4j.jar], exists: [false], canRead: [false] >> Apr 01 11:07:54 zsipa.private.net server[6896]: Apr 01, 2016 11:07:54 AM >> org.apache.catalina.core.StandardServer await >> Apr 01 11:07:54 zsipa.private.net server[6896]: INFO: A valid shutdown command >> was received via the shutdown port. Stopping the Server instance. >> Apr 01 11:07:54 zsipa.private.net server[6896]: Apr 01, 2016 11:07:54 AM >> org.apache.coyote.AbstractProtocol pause >> Apr 01 11:07:54 zsipa.private.net server[6896]: INFO: Pausing ProtocolHandler >> ["http-bio-8080"] >> # systemctl status pki-tomcatd@pki-tomcat.service -l >> ●
pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat >> Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd@.service; enabled) >> Active: inactive (dead) >> >> Apr 28 12:12:53 zsipa.private.net server[8557]: Apr 28, 2016 12:12:53 PM >> org.apache.catalina.core.StandardServer await >> Apr 28 12:12:53 zsipa.private.net server[8557]: INFO: A valid shutdown command >> was received via the shutdown port. Stopping the Server instance. >> Apr 28 12:12:53 zsipa.private.net server[8557]: Apr 28, 2016 12:12:53 PM >> org.apache.coyote.AbstractProtocol pause >> Apr 28 12:12:53 zsipa.private.net server[8557]: INFO: Pausing ProtocolHandler >> ["http-bio-8080"] >> Apr 28 12:12:53 zsipa.private.net server[8557]: Apr 28, 2016 12:12:53 PM >> org.apache.coyote.AbstractProtocol pause >> Apr 28 12:12:53 zsipa.private.net server[8557]: INFO: Pausing ProtocolHandler >> ["http-bio-8443"] >> Apr 28 12:12:53 zsipa.private.net server[8557]: Apr 28, 2016 12:12:53 PM >> org.apache.coyote.AbstractProtocol pause >> Apr 28 12:12:53 zsipa.private.net server[8557]: INFO: Pausing ProtocolHandler >> ["ajp-bio-127.0.0.1-8009"] >> Apr 28 12:12:53 zsipa.private.net server[8557]: Apr 28, 2016 12:12:53 PM >> org.apache.catalina.core.StandardService stopInternal >> Apr 28 12:12:53 zsipa.private.net server[8557]: INFO: Stopping service Catalina > Why is the time different here? > > > Given that the PKI server seems to start could you: > > 1. move date to Apr 1 > 2. # date > 3. # ipactl stop > 4. # date > 5. # ipactl start -d > 6. # date > 7. # ipactl status > 8. # getcert list > 9. # journalctl -u pki-tomcatd@pki-tomcat.service > > paste here output of 1-8. Plus output of 9 since date in 2. Or ideally > attach it as text file so that lines won't be wrapped (hard to read). > >> >> >> # systemctl | grep dirsrv@ >> dirsrv@PRIVATE-NET.service >> loaded active running 389 Directory Server PRIVATE-NET.
>> >> On 04/28/2016 12:04 PM, Petr Vobornik wrote: >>> On 04/28/2016 05:49 PM, Bret Wortman wrote: >>>> My system shows pki-server is installed and V10.2.1-3.fc21, but I don't >>>> have the pki-server binary itself. Will reinstalling this rpm hurt me in >>>> any way? Without it, I'm not sure how to check my system against the >>>> messages you provided below. >>> Not sure what you mean. Running doesn't require any additional packages. >>> It is just to get additional logs. >>> systemctl status pki-tomcatd@pki-tomcat.service >>> journalctl -u pki-tomcatd@pki-tomcat.service >>> >>> And the links below are about checking if CA users have correctly mapped >>> certificates in the LDAP database in ou=people,o=ipaca; for that you need >>> only the ldapsearch command and a started directory server: > We may skip this part, it might not be needed. > >>> systemctl start dirsrv@YOUR-REALM-TEST.service >>> >>> The proper name for dirsrv@YOUR-REALM-TEST.service can be found using: >>> systemctl | grep dirsrv@ >>> >>> >>>> On 04/28/2016 11:07 AM, Petr Vobornik wrote: >>>>> On 04/28/2016 04:07 PM, Bret Wortman wrote: >>>>>> Okay. This morning, I turned back time to 4/1 and started up IPA. It >>>>>> didn't >>>>>> work, but I got something new and interesting in the debug log, which >>>>>> I've >>>>>> posted to http://pastebin.com/M9VGCS8A. Lots of garbled junk came >>>>>> pouring out >>>>>> which doesn't happen when I'm set to real time. Is /this/ significant? >>>>> Anything in >>>>> systemctl status pki-tomcatd@pki-tomcat.service >>>>> or rather: >>>>> journalctl -u pki-tomcatd@pki-tomcat.service >>>>> ?
>>>>> >>>>> Just to be sure, it might also be worth checking if CA subsystem users >>>>> have correct certs assigned: >>>>> * >>>>> https://www.redhat.com/archives/freeipa-users/2016-April/msg00138.html >>>>> * >>>>> https://www.redhat.com/archives/freeipa-users/2016-April/msg00143.html >>>>> >>>>>> On 04/27/2016 02:24 PM, Bret Wortman wrote: >>>>>>> I put excerpts from the ca logs in http://pastebin.com/gYgskU79. It >>>>>>> looks >>>>>>> logical to me, but I can't spot anything that looks like a root >>>>>>> cause error. >>>>>>> The selftests are all okay, I think. The debug log might have >>>>>>> something, but >>>>>>> it might also just be complaining about ldap not being up because >>>>>>> it's not. >>>>>>> >>>>>>> >>>>>>> On 04/27/2016 01:11 PM, Rob Crittenden wrote: >>>>>>>> Bret Wortman wrote: >>>>>>>>> So in lieu of fixing these certs, is there an acceptable way to dump >>>>>>>>> them all and start over /without losing the contents of the IPA >>>>>>>>> database/? Or otherwise really screwing ourselves? >>>>>>>> I don't believe there is a way. >>>>>>>> >>>>>>>>> We have a replica that's still up and running and we've switched >>>>>>>>> everyone over to talking to it, but we're at risk with just the one. >>>>>>>> I'd ignore the two unknown certs for now. They look like someone was >>>>>>>> experimenting with issuing a cert and didn't quite get things working. >>>>>>>> >>>>>>>> The CA seems to be throwing an error. I'd check the syslog for >>>>>>>> messages from >>>>>>>> certmonger and look at the CA debug log and selftest log. >>>>>>>> >>>>>>>> rob >>>>>>>> >>>>>>> [snip] >>>>>>> > From prashant at apigee.com Fri Apr 29 10:37:55 2016 From: prashant at apigee.com (Prashant Bapat) Date: Fri, 29 Apr 2016 16:07:55 +0530 Subject: [Freeipa-users] OTP and time step size In-Reply-To: <571E436B.80705@redhat.com> References: <571E436B.80705@redhat.com> Message-ID: Hi Petr, Thanks for the response.
But my question was more towards the cases where there is a slight delay between entering the OTP in the web UI and it reaching the IPA server. This actually can happen with ANY time window. There are a couple of scenarios. 1. Network delays. 2. User enters the OTP token and takes a few seconds before pressing submit. 3. User has to enter the OTP first and then the password. This is the case when changing the password in IPA at the moment when OTP is on. Is there a way to make IPA honor either the current token (obviously!) or 1 elapsed token? This will go a long way in making FreeIPA's OTP implementation much more usable. Thanks. --Prashant On 25 April 2016 at 21:48, Petr Vobornik wrote: > On 04/22/2016 08:55 AM, Prashant Bapat wrote: > > Hi, > > > > We have been using the OTP feature of FreeIPA extensively for users to > log in to > > the web UI. Now we are rolling out an external service using the LDAP > > authentication based on FreeIPA and OTP. > > > > End users typically log in rarely to the web UI. Only to update their SSH > keys > > once in 90 days. > > > > However to the new service based on FreeIPA's LDAP they would be logging > in > > multiple times daily. > > > > Here is an observation: FreeIPA's OTP mechanism is very stringent in > requiring > > the current token to be inside the 30 second window. Because of this > there might > > be a sizable percentage of users who will have to retry login. > Obviously, this > > is a bad user experience. > > > > As per the RFC-6238 section > 5.2, we > > could allow 1 time step and make the user experience better. > > > > Can this be done by changing a config or does it involve a > patch/code-change? > > Any pointers to this appreciated. > > > > Thanks. > > --Prashant > > > > FreeIPA works with both time-based OTP tokens (TOTP) and counter-based > OTP tokens (HOTP). TOTP uses a 30s time interval by default. An administrator > can set a custom clock interval during creation of a token. But > the self-service Web UI doesn't show this option.
Users can still use it in > the CLI though. > > An alternative is HOTP, which doesn't use a time interval, and there the UX > issue is not there. It can also be created in user self service. > -- > Petr Vobornik > From barrykfl at gmail.com Fri Apr 29 11:02:02 2016 From: barrykfl at gmail.com (barrykfl at gmail.com) Date: Fri, 29 Apr 2016 19:02:02 +0800 Subject: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire Message-ID: Hi All: Is there any method to fall back to the default ipa cert if I didn't back up the original? Now the slapd and ipa cert storage is quite a mess, so they can't replicate even with nsslapd:security disabled (off) thx Barry From mbasti at redhat.com Fri Apr 29 11:20:14 2016 From: mbasti at redhat.com (Martin Basti) Date: Fri, 29 Apr 2016 13:20:14 +0200 Subject: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire In-Reply-To: References: Message-ID: <5723436E.8030206@redhat.com> On 29.04.2016 13:02, barrykfl at gmail.com wrote: > Hi All: > > Is there any method to fall back to the default ipa cert if I didn't back up the original? > > Now the slapd and ipa cert storage is quite a mess, so they can't replicate > even with nsslapd:security disabled (off) > > > thx > Barry > > Hello Barry, > > Can you provide more info? > > What is your IPA version, OS? > What are the symptoms you are experiencing? > What do you mean by default ipa cert? > Can you provide logs from replicas? > Can you provide `getcert list` command output? > Can you provide `ipactl status` from both servers? > > Replication uses GSSAPI, at least on new IPA versions, I'm not sure if > certificates are involved in this. > > Martin
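The certificate threads above (Bret Wortman's server, where Petr Vobornik asks to move the date back and collect `getcert list` output, and Barry's replication question, should expired certificates turn out to be its cause) both come down to one check: on what date is every certificate in the deployment valid at the same time. That is the clock value to set before `ipactl start` so that certmonger can renew. The following is an added example in Python; it is not FreeIPA or certmonger code, and the four `openssl x509 -noout -dates` outputs and nicknames it parses are constructed sample data, not taken from any server in the thread.

```python
# Added example (not FreeIPA or certmonger code): from the validity dates of the
# certificates certmonger tracks, find the clock value at which all of them are
# valid at once. That is the date to set before `ipactl start` when recovering
# expired certs by moving the clock back. The four `openssl x509 -noout -dates`
# outputs below are constructed sample data.
import re
from datetime import datetime, timedelta

# Constructed: the CA cert was renewed on April 3 and the others expire soon
# after, so April 1 is too early a date to pick (the new CA cert is not yet valid).
SAMPLE_DATES = {
    "caSigningCert cert-pki-ca":
        "notBefore=Apr  3 08:12:00 2016 GMT\nnotAfter=Apr  3 08:12:00 2036 GMT\n",
    "ocspSigningCert cert-pki-ca":
        "notBefore=Apr 18 10:00:00 2014 GMT\nnotAfter=Apr  8 10:00:00 2016 GMT\n",
    "subsystemCert cert-pki-ca":
        "notBefore=Apr 18 10:00:00 2014 GMT\nnotAfter=Apr 18 10:00:00 2016 GMT\n",
    "Server-Cert cert-pki-ca":
        "notBefore=Apr 18 10:00:00 2014 GMT\nnotAfter=Apr 18 10:00:00 2016 GMT\n",
}

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
_DATE = re.compile(
    r"(not(?:Before|After))=(\w{3}) +(\d{1,2}) (\d\d):(\d\d):(\d\d) (\d{4}) GMT")


def parse_openssl_dates(text):
    """(notBefore, notAfter) as naive UTC datetimes from `openssl x509 -noout -dates`."""
    found = {}
    for m in _DATE.finditer(text):
        key, mon, day, hh, mm, ss, year = m.groups()
        found[key] = datetime(int(year), MONTHS[mon], int(day),
                              int(hh), int(mm), int(ss))
    return found["notBefore"], found["notAfter"]


def common_validity_window(certs):
    """Intersection of every validity period, or None when there is none.
    certs: {nickname: (not_before, not_after)}"""
    start = max(nb for nb, _ in certs.values())
    end = min(na for _, na in certs.values())
    return (start, end) if start < end else None


def clock_for_renewal(certs, margin=timedelta(days=1)):
    """A point inside the common window, `margin` after the newest notBefore:
    the renewed CA cert is already valid and nothing has expired yet."""
    window = common_validity_window(certs)
    if window is None:
        return None
    start, end = window
    candidate = start + margin
    return candidate if candidate < end else None


def invalid_at(certs, now):
    """Nicknames not valid at `now`, whether expired or not yet valid."""
    return sorted(n for n, (nb, na) in certs.items() if not nb <= now < na)


def report(now_iso, dates=SAMPLE_DATES):
    """Summarise as ISO strings so the result is easy to compare or log."""
    certs = {n: parse_openssl_dates(t) for n, t in dates.items()}
    window = common_validity_window(certs)
    clock = clock_for_renewal(certs)
    return {
        "invalid": invalid_at(certs, datetime.fromisoformat(now_iso)),
        "window": None if window is None else tuple(d.isoformat() for d in window),
        "clock": None if clock is None else clock.isoformat(),
    }


if __name__ == "__main__":
    r = report("2016-04-28T12:00:00")
    print("not valid at the real date:", r["invalid"])
    print("every cert valid between:", r["window"])
    # Before `ipactl start`, e.g.: date -s "2016-04-04 08:12:00"
    # and re-enable NTP as soon as certmonger has renewed everything.
    print("clock value to use:", r["clock"])
```

With the constructed dates, `report("2016-04-01T12:00:00")` lists the CA certificate as not yet valid, which is the reason April 1 was the wrong date to pick and a day after the CA renewal is the right one. Feed it the real `openssl x509 -noout -dates -in <file>` output (or `certutil -L -n <nickname>` dates) for every tracked certificate, and if the window comes back empty there is no clock value that makes everything valid and a renewal by time travel is not possible.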
From bentech4you at gmail.com Fri Apr 29 11:27:18 2016 From: bentech4you at gmail.com (Ben .T.George) Date: Fri, 29 Apr 2016 14:27:18 +0300 Subject: [Freeipa-users] HBAC implementation help In-Reply-To: <20160429075029.GF25181@hendrix> References: <20160429075029.GF25181@hendrix> Message-ID: Hi, Thanks for your reply. Can I do this external group mapping from the web UI? On Fri, Apr 29, 2016 at 10:50 AM, Jakub Hrozek wrote: > On Fri, Apr 29, 2016 at 12:03:42AM +0300, Ben .T.George wrote: > > Hi List, > > > > I have a working setup of IPA with AD integrated and one client joined. > > > > I want to implement HBAC rules against this client. Can anyone please > share > > good articles on implementing HBAC from the web UI? > > I'm not sure about the web UI, but as a general rule you'll want to add > an external group (created with --external) as a member of a POSIX group > and reference the POSIX group in the HBAC rule. The AD members should be > added as members of the external group. > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project >
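The group chain Jakub Hrozek describes (AD group, then an external group created with --external, then a POSIX group, then the HBAC rule) is easiest to see as the CLI commands that build it and as the membership resolution that makes it work. The following is an added example in Python, not FreeIPA code: the first function returns the `ipa` commands an admin would run, and the rest is a small offline evaluator in the spirit of `ipa hbactest`. All names in it (ad.example.com, `AD\linux-admins`, ad_admins_external, ad_admins, client.example.com, jdoe, asmith) are assumed for illustration and the membership state is constructed.

```python
# Added example (not FreeIPA code): the chain AD group -> external group -> POSIX
# group -> HBAC rule, as the `ipa` CLI commands an admin would run, plus a small
# offline evaluator in the spirit of `ipa hbactest`. All names below are assumed.
from collections import deque


def hbac_setup_commands(ad_group, ext_group, posix_group, rule, host, service):
    """The CLI sequence behind the advice in the thread, returned as strings."""
    return [
        f"ipa group-add {ext_group} --external",
        f"ipa group-add-member {ext_group} --external '{ad_group}'",
        f"ipa group-add {posix_group}",
        f"ipa group-add-member {posix_group} --groups {ext_group}",
        f"ipa hbacrule-add {rule}",
        f"ipa hbacrule-add-user {rule} --groups {posix_group}",
        f"ipa hbacrule-add-host {rule} --hosts {host}",
        f"ipa hbacrule-add-service {rule} --hbacsvcs {service}",
        # FreeIPA ships an enabled allow_all rule; while it is on, any rule
        # you add restricts nothing.
        "ipa hbacrule-disable allow_all",
    ]


# Constructed membership state: group -> direct members (users or groups).
# The AD side normally comes from the user's PAC / SSSD lookup.
MEMBERS = {
    "AD\\linux-admins": {"jdoe@ad.example.com"},     # AD group
    "AD\\helpdesk": {"asmith@ad.example.com"},
    "ad_admins_external": {"AD\\linux-admins"},      # IPA --external group
    "ad_admins": {"ad_admins_external"},             # IPA POSIX group
}

RULES = [
    {"name": "allow_ad_admins_ssh", "enabled": True,
     "usercategory": None, "users": set(), "groups": {"ad_admins"},
     "hostcategory": None, "hosts": {"client.example.com"},
     "servicecategory": None, "services": {"sshd"}},
    {"name": "allow_all", "enabled": False,           # disabled by the commands above
     "usercategory": "all", "users": set(), "groups": set(),
     "hostcategory": "all", "hosts": set(),
     "servicecategory": "all", "services": set()},
]


def effective_groups(user, members=MEMBERS):
    """Every group containing the user, directly or through nesting (BFS upward)."""
    parents = {}
    for group, direct in members.items():
        for m in direct:
            parents.setdefault(m, set()).add(group)
    seen, queue = set(), deque([user])
    while queue:
        node = queue.popleft()
        for g in parents.get(node, ()):
            if g not in seen:
                seen.add(g)
                queue.append(g)
    return seen


def rule_matches(rule, user, groups, host, service):
    """A rule matches when its user, host and service parts all match."""
    if not rule["enabled"]:
        return False
    user_ok = (rule["usercategory"] == "all" or user in rule["users"]
               or bool(groups & rule["groups"]))
    host_ok = rule["hostcategory"] == "all" or host in rule["hosts"]
    svc_ok = rule["servicecategory"] == "all" or service in rule["services"]
    return user_ok and host_ok and svc_ok


def hbactest(user, host, service, rules=RULES, members=MEMBERS):
    """Like `ipa hbactest`: access is granted if any enabled rule matches."""
    groups = effective_groups(user, members)
    matched = [r["name"] for r in rules
               if rule_matches(r, user, groups, host, service)]
    return {"access": bool(matched), "matched": matched, "groups": sorted(groups)}


if __name__ == "__main__":
    print("\n".join(hbac_setup_commands("AD\\linux-admins", "ad_admins_external",
                                        "ad_admins", "allow_ad_admins_ssh",
                                        "client.example.com", "sshd")))
    print(hbactest("jdoe@ad.example.com", "client.example.com", "sshd"))
    print(hbactest("asmith@ad.example.com", "client.example.com", "sshd"))
```

The evaluator makes the caveat visible: `jdoe` reaches the rule only because membership is resolved through all three groups, and `asmith`, whose AD group was never mapped into an external group, matches nothing once `allow_all` is disabled. On a real server, `ipa hbactest --user jdoe@ad.example.com --host client.example.com --service sshd` is the check to run after the commands.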
URL: From pvoborni at redhat.com Fri Apr 29 11:29:14 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 29 Apr 2016 13:29:14 +0200 Subject: [Freeipa-users] IPA server having cert issues In-Reply-To: <5723317B.8090900@damascusgrp.com> References: <571F586E.2000302@damascusgrp.com> <571F5B99.4060607@damascusgrp.com> <571F6BF5.9060801@damascusgrp.com> <571F6C80.8000006@damascusgrp.com> <7c9ac60d-f182-cb92-bf53-85359e5c5b81@redhat.com> <571F9092.7060204@damascusgrp.com> <571F9E04.2050400@damascusgrp.com> <571FA944.8040003@redhat.com> <571FAE1C.107@damascusgrp.com> <57208EE1.3000006@damascusgrp.com> <5720D0A8.505@damascusgrp.com> <5720F2AB.3000300@redhat.com> <572103CE.6030404@damascusgrp.com> <5722193A.40101@damascusgrp.com> <2dac740d-a1fe-5579-6841-d410ee0ec5fc@redhat.com> <5722311B.7040806@damascusgrp.com> <11f8848a-a71f-e98a-ac1c-6656f4cd4df1@redhat.com> <57223AC2.4020603@damascusgrp.com> <5723317B.8090900@damascusgrp.com> Message-ID: <054f2a45-6c3f-a88a-29aa-b4cf51bcb25c@redhat.com> On 04/29/2016 12:03 PM, Bret Wortman wrote: > The date change was due (I think) to me changing the date back to 4/1 > yesterday, though I left it there and haven't updated it again until > this morning, when I went back to 4/1 again. > > I put the results of the commands you requested at > https://pastebin.com/s7cHAh6R. Thanks for your help, Petr. I really > appreciate it. 
> > > Bret If I combine this and the previous output, it seems that: - PKI starts normally - ipactl has trouble determining that PKI started and after 5 mins of failed attempts it stops the whole IPA (expected behavior when a service doesn't start) The failed attempt is: """ ipa: DEBUG: Waiting until the CA is running ipa: DEBUG: Starting external process ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://zsipa.private.net:443/ca/admin/ca/getStatus' ipa: DEBUG: Process finished, return code=4 ipa: DEBUG: stdout= ipa: DEBUG: stderr=--2016-04-01 09:39:50-- https://zsipa.private.net/ca/admin/ca/getStatus Resolving zsipa.private.net (zsipa.private.net)... 192.168.208.53 Connecting to zsipa.private.net (zsipa.private.net)|192.168.208.53|:443... connected. Unable to establish SSL connection. ipa: DEBUG: The CA status is: check interrupted due to error: Command ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://zsipa.private.net:443/ca/admin/ca/getStatus'' returned non-zero exit status 4 """ It says "Unable to establish SSL connection"; it would be good to get more details. Also, given that the CA cert was renewed on April 3rd and that all certs expire after that date, we should rather use the date April 4th when moving the date back. So first start IPA again (date April 4th) but force it not to stop services 1. ipactl start --force wait until all is started 2. wget -v -d -S -O - --timeout=30 --no-check-certificate https://zsipa.private.net:443/ca/admin/ca/getStatus optionally (assuming that the CA won't be turned off) 3. getcert list -- Petr Vobornik From cac2s.spam at gmail.com Fri Apr 29 11:31:40 2016 From: cac2s.spam at gmail.com (cac2s) Date: Fri, 29 Apr 2016 14:31:40 +0300 Subject: [Freeipa-users] WinSync: The correct method for unbinding some users from synchronization Message-ID: <5723461C.90404@gmail.com> Hello ALL.
In our organization it became necessary to: - replicate all user accounts from AD to FreeIPA preserving user passwords (the passwords will appear in FreeIPA when changing these in AD using WinSync) - unbind part of the migrated accounts from synchronization - remove the unbound users from the AD (they should remain with a password on the FreeIPA side) - the remaining accounts (on the AD side) should continue to be synchronized/replicated (add/change/delete on the AD side) In some circumstances that do not depend on me, the use of a trust does not suit us... The question is whether the following method to unbind part of the user accounts from the sync is right, by removing: - objectClass: ntUser - ntUniqueId: * - ntUserAcctExpires: * - ntUserCodePage: * - ntUserDeleteAccount: * or perhaps there is a more correct method? Thanks. p.s.: sorry for my English From pvoborni at redhat.com Fri Apr 29 11:34:48 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 29 Apr 2016 13:34:48 +0200 Subject: [Freeipa-users] OTP and time step size In-Reply-To: References: <571E436B.80705@redhat.com> Message-ID: On 04/29/2016 12:37 PM, Prashant Bapat wrote: > Hi Petr, > > Thanks for the response. But my question was more towards the cases where there > is a slight delay between entering the OTP in the web UI and it reaching the IPA > server. This actually can happen with ANY time window. > > There are a couple of scenarios. > > 1. Network delays. > 2. User enters the OTP token and takes a few seconds before pressing submit. > 3. User has to enter the OTP first and then the password. This is the case when > changing the password in IPA at the moment when OTP is on. Actually the password change scenario is: 1. old password + otp 2. old password + otp2 + new password + confirm new password > > Is there a way to make IPA honor either the current token (obviously!) or 1 > elapsed token? Actually it may be done this way, but I'm not sure.
> > This will go a long way in making FreeIPA's OTP implementation much more usable. Either way, as I said in the previous mail, try HOTP tokens. They don't use time windows and therefore the above is not an issue. > > Thanks. > --Prashant > > On 25 April 2016 at 21:48, Petr Vobornik > wrote: > > On 04/22/2016 08:55 AM, Prashant Bapat wrote: > > Hi, > > > > We have been using the OTP feature of FreeIPA extensively for users to log in to > > the web UI. Now we are rolling out an external service using the LDAP > > authentication based on FreeIPA and OTP. > > > > End users typically log in rarely to the web UI. Only to update their SSH keys > > once in 90 days. > > > > However to the new service based on FreeIPA's LDAP they would be logging in > > multiple times daily. > > > > Here is an observation: FreeIPA's OTP mechanism is very stringent in requiring > > the current token to be inside the 30 second window. Because of this there might > > be a sizable percentage of users who will have to retry login. Obviously, this > > is a bad user experience. > > > > As per the RFC-6238 section > 5.2, we > > could allow 1 time step and make the user experience better. > > > > Can this be done by changing a config or does it involve a patch/code-change? > > Any pointers to this appreciated. > > > > Thanks. > > --Prashant > > > > FreeIPA works with both time-based OTP tokens (TOTP) and counter-based > OTP tokens (HOTP). TOTP uses a 30s time interval by default. An administrator > can set a custom clock interval during creation of a token. But > the self-service Web UI doesn't show this option. Users can still use it in > the CLI though. > > An alternative is HOTP, which doesn't use a time interval, and there the UX > issue is not there. It can also be created in user self service.
> --
> Petr Vobornik
>

--
Petr Vobornik

From mbasti at redhat.com Fri Apr 29 11:36:20 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 29 Apr 2016 13:36:20 +0200
Subject: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire
References: <5723436E.8030206@redhat.com>
Message-ID: <57234734.6050601@redhat.com>

Please keep user-list in CC.

You did not send all information I requested.

Please use `rpm -ql ipa-server` to get exact version number

On 29.04.2016 13:32, barrykfl at gmail.com wrote:
>
> Error is from GSS API and I think it relates to a cert issue.
>
> Server1 > server 2 fail
> Server 2 > server1 ok
>
> Freeipa 3.0 both
>
> slapd_ldap_sasl_interactive_bind - Error: could not perform
> interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error)
> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
> Minor code may provide more information (Credentials cache file
> '/tmp/krb5cc_492' not found)) errno 0 (Success)
> [26/Apr/2016:18:40:19 +0800] slapi_ldap_bind - Error: could not
> perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [26/Apr/2016:18:40:19 +0800] NSMMReplicationPlugin -
> agmt="cn=meTocentral02.ABC.com "
> (central02:389): Replication bind with GSSAPI auth failed: LDAP error
> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure. Minor code may provide more information (Credentials
> cache file '/tmp/krb5cc_492' not found))
> [26/Apr/2016:18:40:19 +0800] - slapd started.
> Listening on All
> Interfaces port 389 for LDAP requests
> [26/Apr/2016:18:40:19 +0800] - Listening on
> /var/run/slapd-ABC-COM.socket for LDAPI requests
> [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin -
> agmt="cn=meTocentral02.ABC.com "
> (central02:389): Replication bind with GSSAPI auth resumed
> [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin -
> agmt="cn=meTocentral02.ABC.com "
> (central02:389): Missing data encountered
> [26/Apr/2016:18:40:23 +0800]
>
>
>
> On 29.04.2016 13:02, barrykfl at gmail.com wrote:
>> Hi All:
>>
>> Any method can fall back the default ipa cert if I didn't backup original?
>>
>> Now the slapd and ipa cert storage quite a mess so they can't
>> replicate even disabled nsslapd:security to off
>>
>>
>> thx
>> Barry
>>
>>
> Hello Barry,
>
> Can you provide more info?
>
> What is your IPA version, OS?
> What are the symptoms you are experiencing?
> What do you mean by default ipa cert ?
> Can you provide logs from replicas?
> Can you provide `getcert list` command output?
> Can you provide `ipactl status` from both server?
>
> Replication uses GSSAPI, at least on new IPA versions, I'm not sure if
> certificates are involved in this.
>
> Martin

From mbasti at redhat.com Fri Apr 29 11:46:07 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 29 Apr 2016 13:46:07 +0200
Subject: [Freeipa-users] HBAC implementation help
References: <20160429075029.GF25181@hendrix>
Message-ID: <5723497F.503@redhat.com>

On 29.04.2016 13:27, Ben .T.George wrote:
> HI
>
> Thanks for your reply.
>
> can i do this external group mapping from web UI?
You can create External Group using webUI (user groups/ add group/ choose external radio button)

More doc about HBAC:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/configuring-host-access.html

Martin

>
> On Fri, Apr 29, 2016 at 10:50 AM, Jakub Hrozek wrote:
>
> On Fri, Apr 29, 2016 at 12:03:42AM +0300, Ben .T.George wrote:
> > Hi List,
> >
> > i have a working setup of IPA with AD integrated and one client joined.
> >
> > i want to implement HBAC rules against this client. can anyone please share
> > me good articles of implementing HBAC from web UI.
>
> I'm not sure about the web UI, but as a general rule you'll want to add
> an external group (created with --external) as a member of a POSIX group
> and reference the POSIX group in the HBAC rule. The AD members should be
> added as members of the external group.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
>
>

From rmj at ast.cam.ac.uk Fri Apr 29 12:13:02 2016
From: rmj at ast.cam.ac.uk (Roderick Johnstone)
Date: Fri, 29 Apr 2016 13:13:02 +0100
Subject: [Freeipa-users] freeipa update changed my cipher set
In-Reply-To: <572328F9.8030109@redhat.com>
References: <57224564.9080305@ast.cam.ac.uk> <57232312.30506@redhat.com> <572328F9.8030109@redhat.com>
Message-ID: <57234FCE.7070102@ast.cam.ac.uk>

On 29/04/2016 10:27, Martin Basti wrote:
>
>
> On 29.04.2016 11:02, Martin Basti wrote:
>>
>>
>> On 28.04.2016 19:16, Roderick Johnstone wrote:
>>> Hi
>>>
>>> RHEL7 running ipa-server-4.2.0-15.el7_2.6.1.x86_64
>>>
>>> A couple of months ago I updated
>>> /etc/dirsrv/slapd-XXX.XXX.XXX/dse.ldif to customise the cipher suite
>>> in use by freeipa (see previous thread on this list).
>>>
>>> When the update to ipa-server-4.2.0-15.el7_2.6.1.x86_64 came in on
>>> April 14 it saved my dse.ldif to dse.ldif.ipa.87160d3fec74fa3f and
>>> reverted some, but not all of, my changed settings in dse.ldif.
>>>
>>> I'd like to understand what is expected to happen to this file on a
>>> package upgrade (rpm reports that this file is not owned by any
>>> package so I guess it's manipulated by a scriptlet) since at least one
>>> of my changes was preserved.
>>>
>>> Also, if I need to maintain a customised cipher suite for ipa, am I
>>> required to only do yum updates of the ipa-server package by hand and
>>> manually merge back in my changes, or is there a better way?
>>>
>>> Thanks
>>>
>>> Roderick Johnstone
>>>
>> Hello,
>>
>> probably IPA upgrade did this change
>>
>> if you need custom ciphers to be preserved, you have to put your own
>> upgrade file (number must be higher than 20) to IPA
>> '/usr/share/ipa/updates/'
>>
>> something like:
>>
>> $ cat 99-myciphers.update
>> dn: cn=encryption,cn=config
>> only:nsSSL3Ciphers: default
>> only:allowWeakCipher: off
>>
>> update default value with your own required ciphers
>>
>> Martin
>>
>>
> I forgot to add, you have to run ipa-server-upgrade or ipa-ldap-updater
> /usr/share/ipa/updates/99-myciphers.update to apply changes.
> Martin

Martin

That's the perfect solution, and works well for me. Thank you very much.

I didn't see this info documented in the RHEL7 IdM Guide (apart from a reference to the directory in the list of configuration files in section 28.1) or on the freeipa wiki. Did I miss it somewhere?

Thanks again.
Roderick

From mbasti at redhat.com Fri Apr 29 12:34:13 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 29 Apr 2016 14:34:13 +0200
Subject: [Freeipa-users] freeipa update changed my cipher set
In-Reply-To: <57234FCE.7070102@ast.cam.ac.uk>
References: <57224564.9080305@ast.cam.ac.uk> <57232312.30506@redhat.com> <572328F9.8030109@redhat.com> <57234FCE.7070102@ast.cam.ac.uk>
Message-ID: <572354C5.9000907@redhat.com>

On 29.04.2016 14:13, Roderick Johnstone wrote:
> On 29/04/2016 10:27, Martin Basti wrote:
>>
>>
>> On 29.04.2016 11:02, Martin Basti wrote:
>>>
>>>
>>> On 28.04.2016 19:16, Roderick Johnstone wrote:
>>>> Hi
>>>>
>>>> RHEL7 running ipa-server-4.2.0-15.el7_2.6.1.x86_64
>>>>
>>>> A couple of months ago I updated
>>>> /etc/dirsrv/slapd-XXX.XXX.XXX/dse.ldif to customise the cipher suite
>>>> in use by freeipa (see previous thread on this list).
>>>>
>>>> When the update to ipa-server-4.2.0-15.el7_2.6.1.x86_64 came in on
>>>> April 14 it saved my dse.ldif to dse.ldif.ipa.87160d3fec74fa3f and
>>>> reverted some, but not all of, my changed settings in dse.ldif.
>>>>
>>>> I'd like to understand what is expected to happen to this file on a
>>>> package upgrade (rpm reports that this file is not owned by any
>>>> package so I guess it's manipulated by a scriptlet) since at least one
>>>> of my changes was preserved.
>>>>
>>>> Also, if I need to maintain a customised cipher suite for ipa, am I
>>>> required to only do yum updates of the ipa-server package by hand and
>>>> manually merge back in my changes, or is there a better way?
>>>>
>>>> Thanks
>>>>
>>>> Roderick Johnstone
>>>>
>>> Hello,
>>>
>>> probably IPA upgrade did this change
>>>
>>> if you need custom ciphers to be preserved, you have to put your own
>>> upgrade file (number must be higher than 20) to IPA
>>> '/usr/share/ipa/updates/'
>>>
>>> something like:
>>>
>>> $ cat 99-myciphers.update
>>> dn: cn=encryption,cn=config
>>> only:nsSSL3Ciphers: default
>>> only:allowWeakCipher: off
>>>
>>> update default value with your own required ciphers
>>>
>>> Martin
>>>
>>>
>> I forgot to add, you have to run ipa-server-upgrade or ipa-ldap-updater
>> /usr/share/ipa/updates/99-myciphers.update to apply changes.
>> Martin
>
> Martin
>
> That's the perfect solution, and works well for me. Thank you very much.
>
> I didn't see this info documented in the RHEL7 IdM Guide (apart from a
> reference to the directory in the list of configuration files in
> section 28.1) or on the freeipa wiki. Did I miss it somewhere?
>
> Thanks again.
>
> Roderick

You are welcome, well, I don't think that this is documented in the guide, it is quite hackish.
I created ticket https://fedorahosted.org/freeipa/ticket/5863

Martin

From bret.wortman at damascusgrp.com Fri Apr 29 12:53:24 2016
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Fri, 29 Apr 2016 08:53:24 -0400
Subject: [Freeipa-users] IPA server having cert issues
In-Reply-To: <054f2a45-6c3f-a88a-29aa-b4cf51bcb25c@redhat.com>
Message-ID: <57235944.1080306@damascusgrp.com>

Despite "ipactl status" indicating that all processes were running after step 1, step 2 produces "Unable to establish SSL connection."

Full terminal session is at http://pastebin.com/ZuNBHPy0

On 04/29/2016 07:29 AM, Petr Vobornik wrote:
> On 04/29/2016 12:03 PM, Bret Wortman wrote:
>> The date change was due (I think) to me changing the date back to 4/1
>> yesterday, though I left it there and haven't updated it again until
>> this morning, when I went back to 4/1 again.
>>
>> I put the results of the commands you requested at
>> https://pastebin.com/s7cHAh6R. Thanks for your help, Petr. I really
>> appreciate it.
>>
>>
>> Bret
> If I combine this and the previous output, it seems that:
>
> - PKI starts normally
> - ipactl has troubles with determining that PKI started and after 5mins
> of failed attempts it stops whole IPA (expected behavior when a service
> doesn't start)
>
> The failed attempt is:
> """
> ipa: DEBUG: Waiting until the CA is running
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
> '--no-check-certificate'
> 'https://zsipa.private.net:443/ca/admin/ca/getStatus'
> ipa: DEBUG: Process finished, return code=4
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=--2016-04-01 09:39:50--
> https://zsipa.private.net/ca/admin/ca/getStatus
> Resolving zsipa.private.net (zsipa.private.net)... 192.168.208.53
> Connecting to zsipa.private.net
> (zsipa.private.net)|192.168.208.53|:443... connected.
> Unable to establish SSL connection.
>
> ipa: DEBUG: The CA status is: check interrupted due to error: Command
> ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate'
> 'https://zsipa.private.net:443/ca/admin/ca/getStatus'' returned non-zero
> exit status 4
> """
>
> It says "Unable to establish SSL connection", it would be good to get
> more details.
>
> Also given that the CA cert was renewed on April 3rd and that all certs
> expires after that date, we should rather use date April 4th when moving
> the date back.
>
> So first start IPA again (date April 4th) but force it to not stop services
>
> 1. ipactl start --force
> wait until all is started
> 2. wget -v -d -S -O - --timeout=30 --no-check-certificate
> https://zsipa.private.net:443/ca/admin/ca/getStatus
>
> optionally (assuming that CA won't be turned off)
> 3.
> getcert list
>

From pvoborni at redhat.com Fri Apr 29 12:58:41 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 29 Apr 2016 14:58:41 +0200
Subject: [Freeipa-users] IPA server having cert issues
In-Reply-To: <57235944.1080306@damascusgrp.com>
Message-ID: <02866943-61ed-ac6d-edca-3afddbfada9b@redhat.com>

On 04/29/2016 02:53 PM, Bret Wortman wrote:
> Despite "ipactl status" indicating that all processes were running after
> step 1, step 2 produces "Unable to establish SSL connection."
>
> Full terminal session is at http://pastebin.com/ZuNBHPy0
>
> On 04/29/2016 07:29 AM, Petr Vobornik wrote:
>> On 04/29/2016 12:03 PM, Bret Wortman wrote:
>>> The date change was due (I think) to me changing the date back to 4/1
>>> yesterday, though I left it there and haven't updated it again until
>>> this morning, when I went back to 4/1 again.
>>>
>>> I put the results of the commands you requested at
>>> https://pastebin.com/s7cHAh6R. Thanks for your help, Petr. I really
>>> appreciate it.

I cannot view the pastebin:
"""
This is a private paste. If you created this paste, please login to view it.
""" >>> >>> >>> Bret >> If I combine this and the previous output, it seems that: >> >> - PKI starts normally >> - ipactl has troubles with determining that PKI started and after 5mins >> of failed attempts it stops whole IPA (expected behavior when a service >> doesn't start) >> >> The failed attempt is: >> """ >> ipa: DEBUG: Waiting until the CA is running >> ipa: DEBUG: Starting external process >> ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' >> '--no-check-certificate' >> 'https://zsipa.private.net:443/ca/admin/ca/getStatus' >> ipa: DEBUG: Process finished, return code=4 >> ipa: DEBUG: stdout= >> ipa: DEBUG: stderr=--2016-04-01 09:39:50-- >> https://zsipa.private.net/ca/admin/ca/getStatus >> Resolving zsipa.private.net (zsipa.private.net)... 192.168.208.53 >> Connecting to zsipa.private.net >> (zsipa.private.net)|192.168.208.53|:443... connected. >> Unable to establish SSL connection. >> >> ipa: DEBUG: The CA status is: check interrupted due to error: Command >> ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' >> 'https://zsipa.private.net:443/ca/admin/ca/getStatus'' returned non-zero >> exit status 4 >> """ >> >> It says "Unable to establish SSL connection", it would be good to get >> more details. >> >> Also given that the CA cert was renewed on April 3rd and that all certs >> expires after that date, we should rather use date April 4th when moving >> the date back. >> >> So first start IPA again (date April 4th) but force it to not stop >> services >> >> 1. ipactl start --force >> wait until all is started >> 2. wget -v -d -S -O - --timeout=30 --no-check-certificate >> https://zsipa.private.net:443/ca/admin/ca/getStatus >> >> optionally (assuming that CA won't be turned of) >> 3. getcert list >> > -- Petr Vobornik From jalvarez at cyberfuel.com Fri Apr 29 13:17:27 2016 From: jalvarez at cyberfuel.com (Jose Alvarez R.) 
Date: Fri, 29 Apr 2016 07:17:27 -0600
Subject: [Freeipa-users] HTTP response code is 401, not 200
Message-ID: <04e201d1a219$7a6497f0$6f2dc7d0$@cyberfuel.com>

Hi Users

Can you help me? I have a problem joining a client to my FREEIPA Server. The IPA Server version is 3.0 and the IPA client is 3.0.

When I join my client to the IPA server it shows these errors:

[root at ppa ~]# tail -f /var/log/ipaclient-install.log
2016-04-28T17:26:41Z DEBUG stderr=
2016-04-28T17:26:41Z DEBUG trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
2016-04-28T17:26:41Z DEBUG Existing CA cert and Retrieved CA cert are identical
2016-04-28T17:26:41Z DEBUG args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b dc=cyberfuel,dc=com
2016-04-28T17:26:41Z DEBUG stdout=
2016-04-28T17:26:41Z DEBUG stderr=HTTP response code is 401, not 200
2016-04-28T17:26:41Z ERROR Joining realm failed: HTTP response code is 401, not 200
2016-04-28T17:26:41Z ERROR Installation failed. Rolling back changes.
2016-04-28T17:26:41Z ERROR IPA client is not configured on this system.

My client has PPA (http://www.odin.com/es/products/plesk-automation) installed and the curl version is:

curl-7.31.0-1.el6.x86_64
python-pycurl-7.19.0-8.el6.x86_64
libcurl-7.31.0-1.el6.x86_64
libcurl-7.31.0-1.el6.i686

The curl version on my FREEIPA server is:

python-pycurl-7.19.0-8.el6.x86_64
curl-7.19.7-46.el6.x86_64
libcurl-7.19.7-46.el6.x86_64

Can you help me?

Thanks, Regards

Jose Alvarez R.

From andreas.calminder at nordnet.se Fri Apr 29 13:33:15 2016
From: andreas.calminder at nordnet.se (Andreas Calminder)
Date: Fri, 29 Apr 2016 15:33:15 +0200
Subject: [Freeipa-users] oneWaySync affecting Password sync?
Message-ID: <787fe2a2-1e57-5975-1172-fbd4d5ff83d3@nordnet.se>

Hello,

I'm running ipa 4.2.0-15.el7 with winsync and wondering if setting oneWaySync to fromWindows will affect password synchronization from IPA to AD, i.e. password changes from IPA will not be replicated to Windows?

Best regards,
Andreas

From bentech4you at gmail.com Fri Apr 29 13:41:17 2016
From: bentech4you at gmail.com (Ben .T.George)
Date: Fri, 29 Apr 2016 16:41:17 +0300
Subject: [Freeipa-users] ipa trust-fetch-domains failing.

Hi

while issuing ipa trust-fetch-domains, i am getting below error. i have created new security group in AD and i want to add this to external group.

[root at freeipa ~]# ipa trust-fetch-domains "kwttestdc.com.kw"
ipa: ERROR: error on server 'freeipa.idm.local': Fetching domains from trusted forest failed. See details in the error_log

help me to fix/explain more about this error

Regards

From pvoborni at redhat.com Fri Apr 29 14:08:58 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 29 Apr 2016 16:08:58 +0200
Subject: [Freeipa-users] IPA server having cert issues
In-Reply-To: <57235944.1080306@damascusgrp.com>
Message-ID: <11761686-346d-7565-68d5-a6f8689ff3e4@redhat.com>

On 04/29/2016 02:53 PM, Bret Wortman wrote:
> Despite "ipactl status" indicating that all processes were running after
> step 1, step 2 produces "Unable to establish SSL connection."
>
> Full terminal session is at http://pastebin.com/ZuNBHPy0

Hm, it doesn't help me much.

Does it contact the correct machine? I.e., is IP address OK?

What is the result of:

netstat -ln | grep 443
netstat -ln | grep 8009

Have you modified by any chance: /etc/httpd/conf.d/ipa-pki-proxy.conf

Try to run curl, maybe it will be more verbose, but probably not:

# curl -v https://zsipa.private.net:443/ca/admin/ca/getStatus

Christian (CCd), do you have any ideas?

Could you look into /var/log/httpd/error_log or syslog (would try /var/log/message and journalctl), there might be more information about the:
"""
status: NEED_TO_SUBMIT
ca-error: Internal error
"""
Which may help us with root culprit.

Do web ui or CLI work?

>
> On 04/29/2016 07:29 AM, Petr Vobornik wrote:
>> On 04/29/2016 12:03 PM, Bret Wortman wrote:
>>> The date change was due (I think) to me changing the date back to 4/1
>>> yesterday, though I left it there and haven't updated it again until
>>> this morning, when I went back to 4/1 again.
>>>
>>> I put the results of the commands you requested at
>>> https://pastebin.com/s7cHAh6R. Thanks for your help, Petr. I really
>>> appreciate it.
>>>
>>>
>>> Bret
>> If I combine this and the previous output, it seems that:
>>
>> - PKI starts normally
>> - ipactl has troubles with determining that PKI started and after 5mins
>> of failed attempts it stops whole IPA (expected behavior when a service
>> doesn't start)
>>
>> The failed attempt is:
>> """
>> ipa: DEBUG: Waiting until the CA is running
>> ipa: DEBUG: Starting external process
>> ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
>> '--no-check-certificate'
>> 'https://zsipa.private.net:443/ca/admin/ca/getStatus'
>> ipa: DEBUG: Process finished, return code=4
>> ipa: DEBUG: stdout=
>> ipa: DEBUG: stderr=--2016-04-01 09:39:50--
>> https://zsipa.private.net/ca/admin/ca/getStatus
>> Resolving zsipa.private.net (zsipa.private.net)... 192.168.208.53
>> Connecting to zsipa.private.net
>> (zsipa.private.net)|192.168.208.53|:443... connected.
>> Unable to establish SSL connection.
>>
>> ipa: DEBUG: The CA status is: check interrupted due to error: Command
>> ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate'
>> 'https://zsipa.private.net:443/ca/admin/ca/getStatus'' returned non-zero
>> exit status 4
>> """
>>
>> It says "Unable to establish SSL connection", it would be good to get
>> more details.
>>
>> Also given that the CA cert was renewed on April 3rd and that all certs
>> expires after that date, we should rather use date April 4th when moving
>> the date back.
>>
>> So first start IPA again (date April 4th) but force it to not stop
>> services
>>
>> 1. ipactl start --force
>> wait until all is started
>> 2. wget -v -d -S -O - --timeout=30 --no-check-certificate
>> https://zsipa.private.net:443/ca/admin/ca/getStatus
>>
>> optionally (assuming that CA won't be turned off)
>> 3.
>> getcert list
>>
>

--
Petr Vobornik

From pvoborni at redhat.com Fri Apr 29 14:20:07 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 29 Apr 2016 16:20:07 +0200
Subject: [Freeipa-users] ipa-client password authentication failed
References: <20160422151651.GH620@hendrix> <70BBF132-4288-4550-B875-D774ED73FB20@redhat.com>
Message-ID: <08f1d5b6-a600-7dcb-30cf-e608f25e8d96@redhat.com>

On 04/29/2016 12:44 AM, siology.io wrote:
> On a clean centos 7 VM, after installation of ipa-server browsing to the ipa web
> UI gets me in the httpd error_logs:
>
> [Thu Apr 28 18:41:11.826134 2016] [:error] [pid 10162] [remote 10.0.4.10:244
> ] mod_wsgi (pid=10162): Target WSGI script
> '/usr/share/ipa/wsgi/plugins.py' does not contain WSGI application 'application'.
>
> Is this a known issue ? I didn't get much out of google.
>

I don't see this issue on RHEL 7.2 nor FreeIPA 4.3.x on F23.

Could you paste here content of your /usr/share/ipa/wsgi/plugins.py file?

Does it prevent to load Web UI?
--
Petr Vobornik

From cheimes at redhat.com Fri Apr 29 14:24:29 2016
From: cheimes at redhat.com (Christian Heimes)
Date: Fri, 29 Apr 2016 16:24:29 +0200
Subject: [Freeipa-users] IPA server having cert issues
In-Reply-To: <11761686-346d-7565-68d5-a6f8689ff3e4@redhat.com>
Message-ID: <6c840c2c-1753-0ce7-dcf3-c898dcde4af3@redhat.com>

On 2016-04-29 16:08, Petr Vobornik wrote:
> On 04/29/2016 02:53 PM, Bret Wortman wrote:
>> Despite "ipactl status" indicating that all processes were running after
>> step 1, step 2 produces "Unable to establish SSL connection."
>>
>> Full terminal session is at http://pastebin.com/ZuNBHPy0
>
> Hm, it doesn't help me much.
>
> Does it contact the correct machine? I.e., is IP address OK?
>
> What is the result of:
>
> netstat -ln | grep 443
> netstat -ln | grep 8009
>
> Have you modified by any chance: /etc/httpd/conf.d/ipa-pki-proxy.conf
>
> Try to run curl, maybe it will be more verbose, but probably not:
>
> # curl -v https://zsipa.private.net:443/ca/admin/ca/getStatus
>
> Christian(CCd), do you have any ideas?

Is Apache HTTPD running and listening on 443/TCP?
$ ss -tpln | grep 443

Did you install mod_ssl by any chance? FreeIPA uses mod_nss. mod_ssl can disrupt TLS services.

The openssl client tool shows more debug information than curl:

openssl s_client -connect zsipa.private.net:443 -CAfile /etc/ipa/ca.crt -verify 10

Christian

From bentech4you at gmail.com Fri Apr 29 14:38:30 2016
From: bentech4you at gmail.com (Ben .T.George)
Date: Fri, 29 Apr 2016 17:38:30 +0300
Subject: [Freeipa-users] HBAC with Active directory group is not working

Hi List,

I have working setup of one AD, one IPA server and one client server. by default i can login to client server by using AD username.

i want to apply HBAC rules against this client server. For that i have done below steps.

1. created External group in IPA server
2. created local POSIX group in IPA server
3. Added AD group to external group
4. added POSIX group to external group.

After that have created HBAC rule by adding both local and external IPA groups, added sshd as service and selected service group as sudo.

i have applied this HBAC rule to client server and from web UI and while testing HBAC from web, i am getting access denied.

How can i implement HBAC with Active directory user group.

Regards,
Ben
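The group chain Jakub gives in the earlier HBAC thread (AD group as member of an external group, external group as member of a POSIX group, POSIX group referenced by the HBAC rule), as an added example script that is not part of any mail in this thread. The group, rule, host and user names are constructed placeholders; DRY_RUN=1 only prints the ipa commands, and the script nests the external group under the POSIX group, the direction Jakub's reply gives, rather than the other way round.

```shell
#!/bin/sh
# Added example, not part of the thread: wire an AD group into a FreeIPA
# HBAC rule along the chain Jakub describes:
#   AD group -> external (non-POSIX) group -> POSIX group -> HBAC rule.
# Group, rule, host and user names below are constructed placeholders.
#
# DRY_RUN=1 prints each ipa command instead of executing it, so the
# sequence can be reviewed on a machine without an IPA server.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_ad_hbac AD_GROUP EXT_GROUP POSIX_GROUP RULE HOST
# Needs an admin Kerberos ticket and an existing AD trust when run for real.
setup_ad_hbac() {
    ad_group=$1 ext_group=$2 posix_group=$3 rule=$4 host=$5

    # 1. external group: the only kind of IPA group that can hold AD members
    run ipa group-add "$ext_group" --external --desc="AD members of $ad_group"
    # 2. POSIX group: the one an HBAC rule can reference
    run ipa group-add "$posix_group" --desc="POSIX wrapper for $ext_group"
    # 3. the AD group becomes a member of the external group
    run ipa group-add-member "$ext_group" --external="$ad_group"
    # 4. the external group becomes a member of the POSIX group
    #    (not the other way round)
    run ipa group-add-member "$posix_group" --groups="$ext_group"
    # 5. the rule: sshd on one host, for the POSIX group
    run ipa hbacrule-add "$rule" --desc="ssh access for $ad_group"
    run ipa hbacrule-add-service "$rule" --hbacsvcs=sshd
    run ipa hbacrule-add-user "$rule" --groups="$posix_group"
    run ipa hbacrule-add-host "$rule" --hosts="$host"
    # The default allow_all rule still grants everyone access while it is
    # enabled; disable it only after the new rule is verified:
    #   ipa hbacrule-disable allow_all
}

# check_ad_hbac USER HOST RULE: ask the server to evaluate the rule for one
# user before relying on it (the same check the Web UI's HBAC test runs).
check_ad_hbac() {
    run ipa hbactest --user="$1" --host="$2" --service=sshd --rules="$3"
}

# Review the command sequence without touching a server:
#   DRY_RUN=1 setup_ad_hbac 'AD\Linux Admins' ad_linux_admins_external \
#       ad_linux_admins allow_ssh_linux_admins client1.idm.local
```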
From bret.wortman at damascusgrp.com Fri Apr 29 14:51:13 2016
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Fri, 29 Apr 2016 10:51:13 -0400
Subject: [Freeipa-users] IPA server having cert issues
In-Reply-To: <11761686-346d-7565-68d5-a6f8689ff3e4@redhat.com>
Message-ID: <572374E1.1030902@damascusgrp.com>

It is contacting the correct machine. I tried again by IP with the same results.

/etc/httpd/conf.d/ipa-pki-proxy.conf is dated May 20 2014.

Web UI won't load. CLI won't respond either. Commands just hang.

# netstat -ln | grep 443
tcp6 0 0 :::8443 :::* LISTEN
tcp6 2 0 :::443 :::* LISTEN
# netstat -ln | grep 8009
tcp6 0 0 127.0.0.1:8009 :::* LISTEN
# curl -v https://zsipa.private.net:443/ca/admin/ca/getStatus
* Hostname was NOT found in DNS cache
* Trying 192.168.208.53...
* Connected to zsipa.private.net (192.168.208.53) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
(long hang at this point, so I ^C-ed)

# openssl s_client -connect zsipa.private.net:443 -CAfile /etc/ipa/ca.crt -verify 10
verify depth is 10
CONNECTED(00000003)
(long hang at this point, aborted again)

For the other (longer) logs, see http://pastebin.com/esBBKyGZ

Also, answering Christian's questions:

mod_ssl has not been installed.

# ss -tpln | grep 443
LISTEN 0 100 :::8443 :::* users:(("java",pid=26522,fd=84))
LISTEN 13 128 :::443 :::* users:(("httpd",pid=26323,fd=6))
#

On 04/29/2016 10:08 AM, Petr Vobornik wrote:
> On 04/29/2016 02:53 PM, Bret Wortman wrote:
>> Despite "ipactl status" indicating that all processes were running after
>> step 1, step 2 produces "Unable to establish SSL connection."
>>
>> Full terminal session is at http://pastebin.com/ZuNBHPy0
> Hm, it doesn't help me much.
>
> Does it contact the correct machine? I.e., is IP address OK?
>
> What is the result of:
>
> netstat -ln | grep 443
> netstat -ln | grep 8009
>
> Have you modified by any chance: /etc/httpd/conf.d/ipa-pki-proxy.conf
>
> Try to run curl, maybe it will be more verbose, but probably not:
>
> # curl -v https://zsipa.private.net:443/ca/admin/ca/getStatus
>
> Christian(CCd), do you have any ideas?
>
> Could you look into /var/log/httpd/error_log or syslog(would try
> /var/log/message and journalctl), There might be more information about the:
> """
> status: NEED_TO_SUBMIT
> ca-error: Internal error
> """
> Which may help us with root culprit.
>
> Do web ui or CLI work?
>
>> On 04/29/2016 07:29 AM, Petr Vobornik wrote:
>>> On 04/29/2016 12:03 PM, Bret Wortman wrote:
>>>> The date change was due (I think) to me changing the date back to 4/1
>>>> yesterday, though I left it there and haven't updated it again until
>>>> this morning, when I went back to 4/1 again.
>>>>
>>>> I put the results of the commands you requested at
>>>> https://pastebin.com/s7cHAh6R. Thanks for your help, Petr. I really
>>>> appreciate it.
>>>>
>>>>
>>>> Bret
>>> If I combine this and the previous output, it seems that:
>>>
>>> - PKI starts normally
>>> - ipactl has troubles with determining that PKI started and after 5mins
>>> of failed attempts it stops whole IPA (expected behavior when a service
>>> doesn't start)
>>>
>>> The failed attempt is:
>>> """
>>> ipa: DEBUG: Waiting until the CA is running
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
>>> '--no-check-certificate'
>>> 'https://zsipa.private.net:443/ca/admin/ca/getStatus'
>>> ipa: DEBUG: Process finished, return code=4
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=--2016-04-01 09:39:50--
>>> https://zsipa.private.net/ca/admin/ca/getStatus
>>> Resolving zsipa.private.net (zsipa.private.net)... 192.168.208.53
>>> Connecting to zsipa.private.net
>>> (zsipa.private.net)|192.168.208.53|:443... connected.
>>> Unable to establish SSL connection.
>>>
>>> ipa: DEBUG: The CA status is: check interrupted due to error: Command
>>> ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate'
>>> 'https://zsipa.private.net:443/ca/admin/ca/getStatus'' returned non-zero
>>> exit status 4
>>> """
>>>
>>> It says "Unable to establish SSL connection", it would be good to get
>>> more details.
>>>
>>> Also given that the CA cert was renewed on April 3rd and that all certs
>>> expires after that date, we should rather use date April 4th when moving
>>> the date back.
>>>
>>> So first start IPA again (date April 4th) but force it to not stop
>>> services
>>>
>>> 1. ipactl start --force
>>> wait until all is started
>>> 2. wget -v -d -S -O - --timeout=30 --no-check-certificate
>>> https://zsipa.private.net:443/ca/admin/ca/getStatus
>>>
>>> optionally (assuming that CA won't be turned off)
>>> 3.
>>> getcert list
>>>
>

From jhrozek at redhat.com Fri Apr 29 14:59:32 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 29 Apr 2016 16:59:32 +0200
Subject: [Freeipa-users] HBAC with Active directory group is not working
Message-ID: <20160429145932.GM25181@hendrix>

On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
> Hi List,
>
> I have a working setup of one AD, one IPA server and one client server. By default I can login to the client server by using an AD username.
>
> I want to apply HBAC rules against this client server. For that I have done the below steps.
>
> 1. created External group in IPA server
> 2. created local POSIX group on IPA server
> 3. Added AD group to external group
> 4. added POSIX group to external group.
>
> After that I have created an HBAC rule by adding both local and external IPA groups, added sshd as service and selected service group as sudo.
>
> I have applied this HBAC rule to the client server from the web UI, and while testing HBAC from the web I am getting access denied.

Sorry, not enough info.

One guess would be that you need to add the "sudo-i" service as well.
The other is that the groups might not show up on the client (do they?)
Anyway, it might be a good idea to follow https://fedorahosted.org/sssd/wiki/Troubleshooting

From cheimes at redhat.com Fri Apr 29 15:02:42 2016
From: cheimes at redhat.com (Christian Heimes)
Date: Fri, 29 Apr 2016 17:02:42 +0200
Subject: [Freeipa-users] IPA server having cert issues
In-Reply-To: <572374E1.1030902@damascusgrp.com>
References: <571F586E.2000302@damascusgrp.com> <571F5B99.4060607@damascusgrp.com> <571F6BF5.9060801@damascusgrp.com> <571F6C80.8000006@damascusgrp.com> <7c9ac60d-f182-cb92-bf53-85359e5c5b81@redhat.com> <571F9092.7060204@damascusgrp.com> <571F9E04.2050400@damascusgrp.com> <571FA944.8040003@redhat.com> <571FAE1C.107@damascusgrp.com> <57208EE1.3000006@damascusgrp.com> <5720D0A8.505@damascusgrp.com> <5720F2AB.3000300@redhat.com> <572103CE.6030404@damascusgrp.com> <5722193A.40101@damascusgrp.com> <2dac740d-a1fe-5579-6841-d410ee0ec5fc@redhat.com> <5722311B.7040806@damascusgrp.com> <11f8848a-a71f-e98a-ac1c-6656f4cd4df1@redhat.com> <57223AC2.4020603@damascusgrp.com> <5723317B.8090900@damascusgrp.com> <054f2a45-6c3f-a88a-29aa-b4cf51bcb25c@redhat.com> <57235944.1080306@damascusgrp.com> <11761686-346d-7565-68d5-a6f8689ff3e4@redhat.com> <572374E1.1030902@damascusgrp.com>
Message-ID: <49c392e7-3ed0-c46c-f09e-ec683644f0c1@redhat.com>

On 2016-04-29 16:51, Bret Wortman wrote:
> It is contacting the correct machine. I tried again by IP with the same results.
>
> /etc/httpd/conf.d/ipa-pki-proxy.conf is dated May 20 2014.
>
> Web UI won't load. CLI won't respond either. Commands just hang.
>
> # netstat -ln | grep 443
> tcp6  0  0  :::8443          :::*  LISTEN
> tcp6  2  0  :::443           :::*  LISTEN
> # netstat -ln | grep 8009
> tcp6  0  0  127.0.0.1:8009   :::*  LISTEN
> # curl -v https://zsipa.private.net:443/ca/admin/ca/getStatus
> * Hostname was NOT found in DNS cache
> * Trying 192.168.208.53...
> * Connected to zsipa.private.net (192.168.208.53) port 443 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> * CAfile: /etc/pki/tls/certs/ca-bundle.crt
> CApath: none
> (long hang at this point, so I ^C-ed)
>
> # openssl s_client -connect zsipa.private.net:443 -CAfile /etc/ipa/ca.crt -verify 10
> verify depth is 10
> CONNECTED(00000003)
> (long hang at this point, aborted again)
>
> For the other (longer) logs, see http://pastebin.com/esBBKyGZ
>
> Also, answering Christian's questions:
>
> mod_ssl has not been installed.
>
> # ss -tpln | grep 443
> LISTEN 0   100  :::8443  :::*  users:(("java",pid=26522,fd=84))
> LISTEN 13  128  :::443   :::*  users:(("httpd",pid=26323,fd=6))
> #

The output of ss looks sane. httpd is Apache, Java is Dogtag PKI's Tomcat instance.

The error log of Apache is more troublesome. It looks like your NSSDB is busted:

[Mon Apr 04 14:18:49.330238 2016] [:error] [pid 26327] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Mon Apr 04 14:18:49.330253 2016] [:error] [pid 26327] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Mon Apr 04 14:18:50.318327 2016] [core:notice] [pid 26323] AH00052: child pid 26327 exit signal Segmentation fault (11)

Please run these commands to show us the content of your NSSDB.

# ls -laZ /etc/httpd/
# ls -laZ /etc/httpd/alias
# certutil -L -d /etc/httpd/alias

Christian

From abokovoy at redhat.com Fri Apr 29 15:03:35 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 29 Apr 2016 18:03:35 +0300
Subject: [Freeipa-users] HBAC with Active directory group is not working
Message-ID: <20160429150335.coax4wkggfal5kca@redhat.com>

On Fri, 29 Apr 2016, Ben .T.George wrote:
>Hi List,
>
>I have a working setup of one AD, one IPA server and one client server.
>By default I can login to the client server by using an AD username.
>
>I want to apply HBAC rules against this client server. For that I have done the below steps.
>
>1. created External group in IPA server
>2. created local POSIX group on IPA server
>3. Added AD group to external group
>4. added POSIX group to external group.
You should have added the external group to the POSIX group, not the other way around.

--
/ Alexander Bokovoy

From rcritten at redhat.com Fri Apr 29 15:30:17 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 29 Apr 2016 11:30:17 -0400
Subject: [Freeipa-users] IPA vulnerability management SSL
References: <201604270527.u3R5RvrE005517@d03av01.boulder.ibm.com> <6c44a1aa-b1d5-cd85-fc64-38b38d8a1e4b@redhat.com> <201604272324.u3RNOR6U009479@d01av01.pok.ibm.com> <2c9f4e2c-f86d-75a8-2f9f-c8f57284f7d6@redhat.com> <5721F34C.9010107@redhat.com> <5721F536.1000807@redhat.com> <57225110.1000708@redhat.com>
Message-ID: <57237E09.5090603@redhat.com>

Sean Hogan wrote:
> Hi Noriko,
>
> Thanks for the suggestions,
>
> I had to trim out the GCM ciphers in order to get IPA to start back up or I would get the unknown cipher message

The trick is getting the cipher name right (it doesn't always follow a pattern) and explicitly disabling some ciphers as they are enabled by default.

Try this string:

-rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha

I have an oldish install but I think it will still do what you need:

389-ds-base-1.2.11.15-68.el6_7.x86_64

Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-29 11:24 EDT
Nmap scan report for pacer.example.com (192.168.126.2)
Host is up (0.00053s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

$ sslscan pacer.example.com:636 | grep Accept
Accepted  TLSv1  256 bits  AES256-SHA
Accepted  TLSv1  128 bits  AES128-SHA
Accepted  TLSv1  112 bits  DES-CBC3-SHA
Accepted  TLS11  256 bits  AES256-SHA
Accepted  TLS11  128 bits  AES128-SHA
Accepted  TLS11  112 bits  DES-CBC3-SHA
Accepted  TLS12  256 bits  AES256-SHA256
Accepted  TLS12  256 bits  AES256-SHA
Accepted  TLS12  128 bits  AES128-GCM-SHA256
Accepted  TLS12  128 bits  AES128-SHA256
Accepted  TLS12  128 bits  AES128-SHA
Accepted  TLS12  112 bits  DES-CBC3-SHA

rob

>
> Nmap is still showing the same 13 ciphers as before though, like nothing had changed, and I did ipactl stop, made the modification, ipactl start
>
> Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-28 18:44 EDT
> Nmap scan report for
> Host is up (0.000053s latency).
> PORT    STATE SERVICE
> 636/tcp open  ldapssl
> | ssl-enum-ciphers:
> |   TLSv1.2
> |     Ciphers (13)
> |       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
> |       SSL_RSA_FIPS_WITH_DES_CBC_SHA
> |       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
> |       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
> |       TLS_RSA_WITH_3DES_EDE_CBC_SHA
> |       TLS_RSA_WITH_AES_128_CBC_SHA
> |       TLS_RSA_WITH_AES_128_CBC_SHA256
> |       TLS_RSA_WITH_AES_128_GCM_SHA256
> |       TLS_RSA_WITH_AES_256_CBC_SHA
> |       TLS_RSA_WITH_AES_256_CBC_SHA256
> |       TLS_RSA_WITH_DES_CBC_SHA
> |       TLS_RSA_WITH_RC4_128_MD5
> |       TLS_RSA_WITH_RC4_128_SHA
> |     Compressors (1)
> |_      uncompressed
>
> Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
>
> Current Config:
>
> dse.ldif
> dn: cn=encryption,cn=config
> objectClass: top
> objectClass: nsEncryptionConfig
> cn: encryption
> nsSSLSessionTimeout: 0
> nsSSLClientAuth: allowed
> nsSSL2: off
> nsSSL3: off
> creatorsName: cn=server,cn=plugins,cn=config
> modifiersName: cn=directory manager
> createTimestamp: 20150420131850Z
> modifyTimestamp: 20150420131906Z
> nsSSL3Ciphers: -rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha
> numSubordinates: 1
>
>
> nss.conf
> # SSL 3 ciphers. SSL 2 is disabled by default.
> NSSCipherSuite -rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_rsa_aes_128_gcm_sha,+tls_dhe_rsa_aes_128_gcm_sha,+tls_dhe_dss_aes_128_gcm_sha
>
> NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>
>
> Does nss.conf have anything to do with the dir srv ciphers?
> I know the 389 docs say they are tied together, so the way I have been looking at it is nss.conf lists the allowed ciphers where dse.ldif lists which ones to use for 389 from nss.conf. Is that correct? Is there any other place where ciphers would be ignored?
>
> nss-3.19.1-8.el6_7.x86_64
> sssd-ipa-1.12.4-47.el6_7.4.x86_64
> ipa-client-3.0.0-47.el6_7.1.x86_64
> ipa-server-selinux-3.0.0-47.el6_7.1.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-python-3.0.0-47.el6_7.1.x86_64
> ipa-server-3.0.0-47.el6_7.1.x86_64
> libipa_hbac-python-1.12.4-47.el6_7.4.x86_64
> ipa-admintools-3.0.0-47.el6_7.1.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> 389-ds-base-1.2.11.15-68.el6_7.x86_64
> 389-ds-base-libs-1.2.11.15-68.el6_7.x86_64
>
>
> I need to get rid of any rc4s
>
> Sean Hogan
> Security Engineer
> Watson Security & Risk Assurance
> Watson Cloud Technology and Support
> email: schogan at us.ibm.com | Tel 919 486 1397
>
>
> From: Noriko Hosoi
> To: Ludwig Krispenz, freeipa-users at redhat.com
> Date: 04/28/2016 12:08 PM
> Subject: Re: [Freeipa-users] IPA vulnerability management SSL
> Sent by: freeipa-users-bounces at redhat.com
>
> ------------------------------------------------------------------------
>
> Thank you for including me in the loop, Ludwig.
>
> On 04/28/2016 04:34 AM, Ludwig Krispenz wrote:
>
> If I remember correctly we did the change in default ciphers and the option for handling in 389-ds > 1.3.3, so it would not be in RHEL6, adding Noriko to get confirmation.
>
> Ludwig is right. The way how to set nsSSL3Ciphers has been changed since 1.3.3 which is available on RHEL-7.
>
> This is one of the newly supported values of nsSSL3Ciphers:
>
> Notes: if the value contains +all, then "-" is removed from the list.
> http://www.port389.org/docs/389ds/design/nss-cipher-design.html#available-by-setting-all----nss-3162-1
>
> On the older 389-ds-base including 389-ds-base-1.2.11.X on RHEL-6.X, if "+all" is found in the value, all the available ciphers are enabled.
>
> To work around it, could you try explicitly setting ciphers as follows?
> nsSSL3Ciphers: -rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_rsa_aes_128_gcm_sha,+tls_dhe_rsa_aes_128_gcm_sha,+tls_dhe_dss_aes_128_gcm_sha
>
> Thanks,
> --noriko
>
> On 04/28/2016 04:34 AM, Ludwig Krispenz wrote:
>
> wanted to add Noriko, but hit send too quickly
>
> On 04/28/2016 01:26 PM, Ludwig Krispenz wrote:
>
> On 04/28/2016 12:06 PM, Martin Kosek wrote:
> On 04/28/2016 01:23 AM, Sean Hogan wrote:
> Hi Martin,
>
> No joy on placing - in front of the RC4s
>
> I modified my nss.conf to now read
> # SSL 3 ciphers. SSL 2 is disabled by default.
> NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha
>
> # SSL Protocol:
> # Cryptographic protocols that provide communication security.
> # NSS handles the specified protocols as "ranges", and automatically
> # negotiates the use of the strongest protocol for a connection starting
> # with the maximum specified protocol and downgrading as necessary to the
> # minimum specified protocol that can be used between two processes.
> # Since all protocol ranges are completely inclusive, and no protocol in the
> NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>
> dse.ldif
>
> dn: cn=encryption,cn=config
> objectClass: top
> objectClass: nsEncryptionConfig
> cn: encryption
> nsSSLSessionTimeout: 0
> nsSSLClientAuth: allowed
> nsSSL2: off
> nsSSL3: off
> creatorsName: cn=server,cn=plugins,cn=config
> modifiersName: cn=directory manager
> createTimestamp: 20150420131850Z
> modifyTimestamp: 20150420131906Z
> nsSSL3Ciphers: +all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha
> numSubordinates: 1
>
>
> But I still get this with nmap.. I thought the above would remove -tls_rsa_export1024_with_rc4_56_sha but it is still showing. Is it the fact that I am not offering -tls_rsa_export1024_with_rc4_56_sha? If so.. not really understanding where it is coming from except the +all from DS, but the - should be negating that?
>
> Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 17:37 EDT
> Nmap scan report for
> Host is up (0.000086s latency).
> PORT    STATE SERVICE
> 636/tcp open  ldapssl
> | ssl-enum-ciphers:
> |   TLSv1.2
> |     Ciphers (13)
> |       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
> |       SSL_RSA_FIPS_WITH_DES_CBC_SHA
> |       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
> |       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
> |       TLS_RSA_WITH_3DES_EDE_CBC_SHA
> |       TLS_RSA_WITH_AES_128_CBC_SHA
> |       TLS_RSA_WITH_AES_128_CBC_SHA256
> |       TLS_RSA_WITH_AES_128_GCM_SHA256
> |       TLS_RSA_WITH_AES_256_CBC_SHA
> |       TLS_RSA_WITH_AES_256_CBC_SHA256
> |       TLS_RSA_WITH_DES_CBC_SHA
> |       TLS_RSA_WITH_RC4_128_MD5
> |       TLS_RSA_WITH_RC4_128_SHA
> |     Compressors (1)
> |_      uncompressed
>
> Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
>
>
> It seems no matter what config I put into nss.conf or dse.ldif nothing changes with my nmap results.
> Is there supposed to be a section to add TLS ciphers instead of SSL?
>
> Not sure now, CCing Ludwig who was involved in the original RHEL-6 implementation.
>
> If I remember correctly we did the change in default ciphers and the option for handling in 389-ds > 1.3.3, so it would not be in RHEL6, adding Noriko to get confirmation.
>
> but the below comments about changing ciphers in dse.ldif could help in using the "old" way to set ciphers
>
> Just to be sure, when you are modifying dse.ldif, the procedure should always be the following:
>
> 1) Stop Directory Server service
> 2) Modify dse.ldif
> 3) Start Directory Server service
>
> Otherwise it won't get applied and will get overwritten later.
>
> In any case, the ciphers with RHEL-6 should be secure enough, the ones in FreeIPA 4.3.1 should be even better. This is for example an nmap taken on the FreeIPA Demo instance that runs on FreeIPA 4.3.1:
>
> $ nmap --script ssl-enum-ciphers -p 636 ipa.demo1.freeipa.org
>
> Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-28 12:02 CEST
> Nmap scan report for ipa.demo1.freeipa.org (209.132.178.99)
> Host is up (0.18s latency).
> PORT    STATE SERVICE
> 636/tcp open  ldapssl
> | ssl-enum-ciphers:
> |   TLSv1.2:
> |     ciphers:
> |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
> |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
> |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
> |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
> |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
> |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
> |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
> |     compressors:
> |       NULL
> |     cipher preference: server
> |_  least strength: A
>
> Nmap done: 1 IP address (1 host up) scanned in 21.12 seconds
>
> Martin
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From a.rubets at levi9.com Fri Apr 29 07:54:32 2016
From: a.rubets at levi9.com (Anton Rubets)
Date: Fri, 29 Apr 2016 07:54:32 +0000
Subject: [Freeipa-users] Replication error
References: <1461672172950.27500@levi9.com>
Message-ID: <1461916471786.49814@levi9.com>

Hi

Yep, now the request

error -1 (Can't contact LDAP server) errno 2 (No such file or directory)

is gone. But still I have

attrlist_replace - attr_replace (nsslapd-referral, ldap://ldap2.domain389/o%3Dipaca) failed.

Maybe you can help to find out where I need to go?
dirsrv, ldap, client, sssd etc.

Best Regards
Anton Rubets
________________________________________
From: Petr Vobornik
Sent: Thursday, April 28, 2016 1:49 PM
To: Anton Rubets; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Replication error

On 04/26/2016 02:02 PM, Anton Rubets wrote:
> Hi all
>
> I have issues with replication between two FreeIPA servers
>
> In the master's log
>
> [26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://ldap2.domain:389/o%3Dipaca) failed.
> [26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://ldap2.domain:389/o%3Dipaca) failed.
> [26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://ldap2.domain389/o%3Dipaca) failed.
> [26/Apr/2016:10:39:35 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 2 (No such file or directory)
>
>
> On the replica server
>
>
> [26/Apr/2016:08:38:12 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ldap1.domain:389/o%3Dipaca) failed.
> [26/Apr/2016:08:43:13 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ldap1domain:389/o%3Dipaca) failed.
> [26/Apr/2016:08:43:13 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ldap1.domain:389/o%3Dipaca) failed.
> [26/Apr/2016:08:43:13 +0000] attrlist_replace - attr_replace (nsslapd-referral, ldap://ldap1.domain:389/o%3Dipaca) failed.

This is a symptom of dangling RUVs (replica update vectors) of previously removed replicas. It happens when a replica is removed using:

# ipa-replica-manage del $replica
# ipa-server-install --uninstall (on replica)

without running:

# ipa-csreplica-manage del $replica

first. The resolution is to clear the RUVs manually using the clean ruv DS task because ipa-csreplica-manage doesn't have support for it. FreeIPA 4.4 will receive a new command which will handle both suffixes automatically - #5411.
The instructions can be found on the list:
* https://www.redhat.com/archives/freeipa-users/2015-June/msg00386.html
* https://www.redhat.com/archives/freeipa-users/2015-June/msg00416.html

and

* http://www.port389.org/docs/389ds/FAQ/troubleshoot-cleanallruv.html
* or the general procedure for the future feature: https://fedorahosted.org/freeipa/ticket/5411#comment:7

Important: Be very careful not to remove RUVs of existing replicas.

>
>
> And I can't find the source of this problem. I have checked permissions etc. As I see, the replica is working but this message disturbs my email every few minutes and I wanna somehow fix this. Also I just migrated from 3.0 to 4.2.
> Info:
> Master :
> rpm -qa | grep ipa
> ipa-server-dns-4.2.0-15.0.1.el7.centos.6.x86_64
> ipa-admintools-4.2.0-15.0.1.el7.centos.6.x86_64
> sssd-ipa-1.13.0-40.el7_2.2.x86_64
> ipa-client-4.2.0-15.0.1.el7.centos.6.x86_64
> libipa_hbac-1.13.0-40.el7_2.2.x86_64
> python-libipa_hbac-1.13.0-40.el7_2.2.x86_64
> python-iniparse-0.4-9.el7.noarch
> ipa-python-4.2.0-15.0.1.el7.centos.6.x86_64
> ipa-server-4.2.0-15.0.1.el7.centos.6.x86_64
>
> Replica:
> rpm -qa | grep ipa
> sssd-ipa-1.13.0-40.el7_2.2.x86_64
> ipa-admintools-4.2.0-15.0.1.el7.centos.6.1.x86_64
> libipa_hbac-1.13.0-40.el7_2.2.x86_64
> ipa-client-4.2.0-15.0.1.el7.centos.6.1.x86_64
> ipa-python-4.2.0-15.0.1.el7.centos.6.1.x86_64
> ipa-server-dns-4.2.0-15.0.1.el7.centos.6.1.x86_64
> python-libipa_hbac-1.13.0-40.el7_2.2.x86_64
> python-iniparse-0.4-9.el7.noarch
> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>
>
> Best Regards
> Anton Rubets

--
Petr Vobornik

From russell.goldberg.5 at us.af.mil Fri Apr 29 13:34:52 2016
From: russell.goldberg.5 at us.af.mil (GOLDBERG, RUSSELL J GG-12 USAF ACC 453 EWS/EWP)
Date: Fri, 29 Apr 2016 13:34:52 +0000
Subject: [Freeipa-users] IPA Server Web UI multiple network access
Message-ID: <98898F131055A34DA5C86882EC0195CA74863D28@52VEJX-D06-03B.area52.afnoapps.usaf.mil>

I'm attempting to figure out if it's possible to configure IPA's web UI in such a way that it can be accessed from both a private and a public network infrastructure.

I've installed IPA server (version 3.0.0) on a RHEL 6.7 host (ipa.dev.internal) and configured an IPA domain (dev.internal). Our client machines reside on a separate domain (dev.external) and network, which the IPA server is additionally connected to.

From hosts on the internal network (10.1.0.0/16), I am able to access the IPA web UI without issue, as expected.

From hosts on the external network (192.168.1.0/24), I was initially presented with a blank screen when attempting to access the web UI.

I attempted to disable the httpd rewrite rules located in /etc/httpd/conf.d/ipa-rewrite.conf and restarted the httpd server: this allowed me to see the login page, but immediately presented me with a web app error dialog.

Lastly, I attempted to modify the ipa-rewrite.conf, replacing all instances of the initial FQDN (ipa.dev.internal) with the public FQDN (ipa.dev.external): this allowed me to see the login page and even to successfully submit login credentials. However, upon entering valid login credentials I am immediately redirected back to the login page in an infinite redirect loop.

Are there any glaring oversights I'm making? I imagine that the problem ultimately lies with Kerberos (and possibly my external client's HTTP referrer), but admittedly I lack expertise in that area. Any help in getting this issue solved would be greatly appreciated.
Thanks,
Russell

From bentech4you at gmail.com Fri Apr 29 15:32:28 2016
From: bentech4you at gmail.com (Ben .T.George)
Date: Fri, 29 Apr 2016 18:32:28 +0300
Subject: [Freeipa-users] HBAC with Active directory group is not working
In-Reply-To: <20160429145932.GM25181@hendrix>
References: <20160429145932.GM25181@hendrix>

Hi,

"The other is that the groups might not show up on the client (do they?)"

How can I check that?

Thanks
Ben

On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek wrote:
> On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
> > Hi List,
> >
> > I have a working setup of one AD, one IPA server and one client server. By default I can login to the client server by using an AD username.
> >
> > I want to apply HBAC rules against this client server. For that I have done the below steps.
> >
> > 1. created External group in IPA server
> > 2. created local POSIX group on IPA server
> > 3. Added AD group to external group
> > 4. added POSIX group to external group.
> >
> > After that I have created an HBAC rule by adding both local and external IPA groups, added sshd as service and selected service group as sudo.
> >
> > I have applied this HBAC rule to the client server from the web UI, and while testing HBAC from the web I am getting access denied.
>
> Sorry, not enough info.
>
> One guess would be that you need to add the "sudo-i" service as well.
> The other is that the groups might not show up on the client (do they?)
>
> Anyway, it might be a good idea to follow
> https://fedorahosted.org/sssd/wiki/Troubleshooting
>
From bentech4you at gmail.com Fri Apr 29 15:33:05 2016
From: bentech4you at gmail.com (Ben .T.George)
Date: Fri, 29 Apr 2016 18:33:05 +0300
Subject: [Freeipa-users] HBAC with Active directory group is not working
In-Reply-To: <20160429150335.coax4wkggfal5kca@redhat.com>
References: <20160429150335.coax4wkggfal5kca@redhat.com>

Hi Alex,

Yeah, my mistake.

I was following this:

http://www.freeipa.org/page/Active_Directory_trust_setup#Allow_access_for_users_from_AD_domain_to_protected_resources

On Fri, Apr 29, 2016 at 6:03 PM, Alexander Bokovoy wrote:
> On Fri, 29 Apr 2016, Ben .T.George wrote:
>
>> Hi List,
>>
>> I have a working setup of one AD, one IPA server and one client server. By default I can login to the client server by using an AD username.
>>
>> I want to apply HBAC rules against this client server. For that I have done the below steps.
>>
>> 1. created External group in IPA server
>> 2. created local POSIX group on IPA server
>> 3. Added AD group to external group
>> 4. added POSIX group to external group.
>>
> You should have added the external group to the POSIX group, not the other way around.
>
> --
> / Alexander Bokovoy

From rcritten at redhat.com Fri Apr 29 15:34:22 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 29 Apr 2016 11:34:22 -0400
Subject: [Freeipa-users] HTTP response code is 401, not 200
In-Reply-To: <04e201d1a219$7a6497f0$6f2dc7d0$@cyberfuel.com>
References: <04e201d1a219$7a6497f0$6f2dc7d0$@cyberfuel.com>
Message-ID: <57237EFE.4010705@redhat.com>

Jose Alvarez R. wrote:
> Hi Users
>
> Can you help me?
>
> I have a problem joining a client to my FREEIPA Server.
The version > IPA Server is 3.0 and IP client is 3.0 > > When I join my client to IPA server show these errors: > > [root at ppa ~]# tail ?f /var/log/ipaclient-install.log > > 2016-04-28T17:26:41Z DEBUG stderr= > > 2016-04-28T17:26:41Z DEBUG trying to retrieve CA cert via LDAP from > ldap://freeipa.cyberfuel.com > > 2016-04-28T17:26:41Z DEBUG Existing CA cert and Retrieved CA cert are > identical > > 2016-04-28T17:26:41Z DEBUG args=/usr/sbin/ipa-join -s > freeipa.cyberfuel.com -b dc=cyberfuel,dc=com > > 2016-04-28T17:26:41Z DEBUG stdout= > > 2016-04-28T17:26:41Z DEBUG stderr=HTTP response code is 401, not 200 > > 2016-04-28T17:26:41Z ERROR Joining realm failed: HTTP response code is > 401, not 200 > > 2016-04-28T17:26:41Z ERROR Installation failed. Rolling back changes. > > 2016-04-28T17:26:41Z ERROR IPA client is not configured on this system. I'd look in the 389-ds access and error logs on the IPA server to see if there are any more details. Look for the BIND from the client and see what happens. More context from the log file might be helpful. I believe if you run the client installer with --debug then additional flags are passed to ipa-join to include the XML-RPC conversation and that might be useful too. What account are you using to enroll with, admin? 
rob

From bentech4you at gmail.com Fri Apr 29 15:37:26 2016
From: bentech4you at gmail.com (Ben .T.George)
Date: Fri, 29 Apr 2016 18:37:26 +0300
Subject: [Freeipa-users] HBAC with Active directory group is not working
References: <20160429150335.coax4wkggfal5kca@redhat.com>

Hi

I have created 2 fresh users now and I was running the below,

[root@freeipa log]# ipa hbactest --user "KWTTESTDC\jude" --host `hostname` --service sshd
ipa: ERROR: trusted domain user not found
[root@freeipa log]# ipa hbactest --user "KWTTESTDC\muneer" --host `hostname` --service sshd
ipa: ERROR: trusted domain user not found

but I am able to test with old users,

[root@freeipa log]# ipa hbactest --user "KWTTESTDC\Administrator" --host `hostname` --service sshd
--------------------
Access granted: True
--------------------
  Matched rules: allow_all
  Not matched rules: ad_can_login
  Not matched rules: local_admin_can_login
[root@freeipa log]# ipa hbactest --user "KWTTESTDC\ben" --host `hostname` --service sshd
--------------------
Access granted: True
--------------------
  Matched rules: ad_can_login
  Matched rules: allow_all
  Not matched rules: local_admin_can_login

Is there any sync time for the trust?

When I was trying ipa trust-fetch-domains, I am getting the below

[root@freeipa log]# ipa trust-fetch-domains "kwttestdc.com.kw"
ipa: ERROR: error on server 'freeipa.idm.local': Fetching domains from trusted forest failed. See details in the error_log

Thanks & Regards,
Ben

On Fri, Apr 29, 2016 at 6:33 PM, Ben .T.George wrote:
> Hi Alex,
>
> Yeah, my mistake.
>
> I was following this:
>
> http://www.freeipa.org/page/Active_Directory_trust_setup#Allow_access_for_users_from_AD_domain_to_protected_resources
>
> On Fri, Apr 29, 2016 at 6:03 PM, Alexander Bokovoy wrote:
>
>> On Fri, 29 Apr 2016, Ben .T.George wrote:
>>
>>> Hi List,
>>>
>>> I have a working setup of one AD, one IPA server and one client server.
>>> By default I can login to the client server by using an AD username.
>>>
>>> I want to apply HBAC rules against this client server. For that I have done the below steps.
>>>
>>> 1. created External group in IPA server
>>> 2. created local POSIX group on IPA server
>>> 3. Added AD group to external group
>>> 4. added POSIX group to external group.
>>>
>> You should have added the external group to the POSIX group, not the other way around.
>>
>> --
>> / Alexander Bokovoy
>

From rcritten at redhat.com Fri Apr 29 15:44:55 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 29 Apr 2016 11:44:55 -0400
Subject: [Freeipa-users] oneWaySync affecting Password sync?
In-Reply-To: <787fe2a2-1e57-5975-1172-fbd4d5ff83d3@nordnet.se>
References: <787fe2a2-1e57-5975-1172-fbd4d5ff83d3@nordnet.se>
Message-ID: <57238177.2030102@redhat.com>

Andreas Calminder wrote:
> Hello,
>
> I'm running ipa 4.2.0-15.el7 with winsync and wondering if setting oneWaySync to fromWindows will affect password synchronization from IPA to AD, i.e. password changes from IPA will not be replicated to Windows?
>

Hmm, interesting question, I'm not sure. What is your goal here? Do you want to disallow attribute changes in IPA from being replicated but you DO want passwords, or you don't want anything?

CCing Rich to see what he thinks.
rob From mbasti at redhat.com Fri Apr 29 15:45:01 2016 From: mbasti at redhat.com (Martin Basti) Date: Fri, 29 Apr 2016 17:45:01 +0200 Subject: [Freeipa-users] IPA Server Web UI multiple network access In-Reply-To: <98898F131055A34DA5C86882EC0195CA74863D28@52VEJX-D06-03B.area52.afnoapps.usaf.mil> References: <98898F131055A34DA5C86882EC0195CA74863D28@52VEJX-D06-03B.area52.afnoapps.usaf.mil> Message-ID: <5723817D.4070403@redhat.com> On 29.04.2016 15:34, GOLDBERG, RUSSELL J GG-12 USAF ACC 453 EWS/EWP wrote: > I'm attempting to figure out if it's possible to configure IPA's web UI in such a way that it can be accessed from both a private and a public network infrastructure. > > I've installed IPA server (version 3.0.0) on a RHEL 6.7 host (ipa.dev.internal) and configured an IPA domain (dev.internal). Our client machines reside on a separate domain (dev.external) and network, which the IPA server is additionally connected to. > > >From hosts on the internal network (10.1.0.0/16), I am able to access the IPA web UI without issue, as expected. > > >From hosts on the external network (192.168.1.0/24), I was initially presented with a blank screen when attempting to access the web UI. > > I attempted to disable the httpd rewrite rules located in /etc/httpd/conf.d/ipa-rewrite.conf and restarted the httpd server: this allowed me to see the login page, but immediately presented me with a web app error dialog. > > Lastly, I attempted to modify the ipa-rewrite.conf, replacing all instances of the initial FQDN (ipa.dev.internal) with the public FQDN (ipa.dev.external): this allowed me to see the login page and even to successfully submit login credentials. However, upon entered valid login credentials I am immediately redirected back to the login page in an infinite redirect loop. > > Are there any glaring oversights I'm making? I imagine that the problem ultimately lies with Kerberos (and possibly my external client's HTTP referrer), but admittedly I lack expertise in that area. 
> > Any help in getting this issue solved would be greatly appreciated. > > Thanks, > > Russell > > > I'm not sure if this is possible do safely. Please read following links, it may help, I'm not expert in this area. https://ssimo.org/blog/id_019.html https://www.redhat.com/archives/freeipa-users/2015-May/msg00026.html Martin From rmeggins at redhat.com Fri Apr 29 15:49:55 2016 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 29 Apr 2016 09:49:55 -0600 Subject: [Freeipa-users] oneWaySync affecting Password sync? In-Reply-To: <57238177.2030102@redhat.com> References: <787fe2a2-1e57-5975-1172-fbd4d5ff83d3@nordnet.se> <57238177.2030102@redhat.com> Message-ID: <572382A3.6060809@redhat.com> On 04/29/2016 09:44 AM, Rob Crittenden wrote: > Andreas Calminder wrote: >> Hello, >> >> I'm running ipa 4.2.0-15.el7 with winsync and wondering if setting >> oneWaySync to fromWindows will affect password synchronization from IPA >> to AD, I.E password changes from IPA will not be replicated to Windows? >> > > Hmm, interesting question, I'm not sure. What is your goal here? Do > you want to disallow attribute changes in IPA to be replicated but you > DO want passwords, or you don't want anything? > > ccing Rich to see what he thinks. AFAIK, there is no way to sync only passwords from IPA to AD. So if you set oneWaySync: fromWindows, you will not sync password changes from IPA to AD. > > rob From jhrozek at redhat.com Fri Apr 29 15:56:06 2016 From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 29 Apr 2016 17:56:06 +0200 Subject: [Freeipa-users] HBAC with Active directory group is not working In-Reply-To: References: <20160429145932.GM25181@hendrix> Message-ID: <20160429155606.GN25181@hendrix> On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote: > HI, > > "The other is that the groups might not show up on the client (do they?)" id $user. But I think Alexander noticed the root cause. > > how can i check that. 
> > Thanks > Ben > > On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek wrote: > > > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote: > > > Hi List, > > > > > > I have working setup of one AD, one IPA server and one client server. by > > > default i can login to client server by using AD username. > > > > > > i want to apply HBAC rules against this client server. For that i have > > done > > > below steps. > > > > > > 1. created External group in IPA erver > > > 2. created local POSIX group n IPA server > > > 3. Added AD group to external group > > > 4. added POSIX group to external group. > > > > > > After that have created HBAC rule by adding both local and external IPA > > > groups, added sshd as service and selected service group as sudo. > > > > > > i have applied this HBAC rule to client server and from web UI and while > > > testing HBAC from web, i am getting access denied . > > > > Sorry, not enough info. > > > > One guess would be that you need to add the "sudo-i" service as well. > > The other is that the groups might not show up on the client (do they?) > > > > Anyway, it might be good idea to follow > > https://fedorahosted.org/sssd/wiki/Troubleshooting > > > > -- > > Manage your subscription for the Freeipa-users mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-users > > Go to http://freeipa.org for more info on the project > > From Silvio.Wanka at fiege.com Fri Apr 29 15:46:50 2016 From: Silvio.Wanka at fiege.com (Wanka, Silvio) Date: Fri, 29 Apr 2016 15:46:50 +0000 Subject: [Freeipa-users] DNS reverse Zones on other server Message-ID: <08C1F0DB82CAD14DA46313AE457AFF721B990D41@fieinfmbx2vp.fiege.com> Hi, if I search in the web for this problem I don't find a usable solution, maybe my search pattern is wrong. ;-) I have setup an IPA domain with integrated DNS but because the most systems here are Windows servers and clients the IPA clients must use the same IP ranges.
So the reverse zones are located on AD domain controllers. These reverse zones are of course configured as forward zones on the IPA DNS server. So reverse lookup works properly for all AD computers but I miss a possibility that if we join a computer to IPA which adds a DNS record or manually add a DNS record that the reverse record will be automatically added on AD site as it would be done if the reverse zone would be located on IPA site. Is there the only possibility to manage the reverse record on AD site manually or update/refresh it per regular running script? I have a one-way trust to AD but won't change it to two-way, if necessary and possible I would use a special AD account for that. TIA, Silvio This e-mail contains confidential and/or legally protected information. If you are not the intended recipient or have received this e-mail in error, please notify the sender immediately and destroy this mail. Unauthorised copying and unauthorised forwarding of this mail are not permitted. We work exclusively on the basis of the German Freight Forwarders' Standard Terms and Conditions (ADSp), most recent edition. Under clause 23 ADSp these limit the statutory liability for damage to goods under § 431 HGB, for damage while in the forwarder's custody, to EUR 5.00/kg; for multimodal transport including sea carriage to 2 SDR/kg; and further, per claim or per event, to EUR 1 million or EUR 2 million respectively, or 2 SDR/kg, whichever is higher. It is additionally agreed that (1) clause 27 ADSp does not extend, in the principal's favour, either the liability of the forwarder or the imputation of fault of servants and other third parties beyond statutory provisions such as § 507 HGB, Art. 25 Montreal Convention, Art. 36 CIM, Art. 20, 21 CMNI; (2) the forwarder as carrier by sea is liable only for its own fault in the cases of nautical fault or fire on board listed in § 512 para. 2 no. 1 HGB; and (3) the forwarder as carrier within the meaning of the CMNI is not liable for nautical fault, fire on board or defects of the vessel under the conditions set out in Art. 25 para. 2 CMNI. All our business is transacted exclusively on the basis of the German Freight Forwarders' Standard Terms and Conditions (ADSp), and, to the extent these do not apply to logistics services, in accordance with the General Terms and Conditions for Logistics (Logistik-AGB) most recent edition. Under Clause 23 ADSp, liability for damage/loss to goods according to § 431 HGB (German Commercial Code) is limited - to 5 EUR/kg whilst in the custody of the freight forwarder - to 2 SDR/kg (Special Drawing Rights) for multimodal carriage incl. sea transport - to 1 million EUR or 2 SDR/kg per claim or to 2 million EUR or 2 SDR/kg per event, irrespective of the number of claims per event, in each case whichever is higher. If we are liable according to the provisions of the Montreal Convention, clause 27 ADSp shall not apply. Clause 27 ADSp shall also not be considered as an extension of our liability through imputation of default by agents, representatives, employees, subcontractors or other third parties in the cases of Art. 36 CIM, Art. 21 CMNI or section 660 HGB. Otherwise clause 27 ADSp shall remain unaffected. -------------- next part -------------- An HTML attachment was scrubbed...
URL: From schogan at us.ibm.com Fri Apr 29 15:56:57 2016 From: schogan at us.ibm.com (Sean Hogan) Date: Fri, 29 Apr 2016 08:56:57 -0700 Subject: [Freeipa-users] IPA vulnerability management SSL In-Reply-To: <57237E09.5090603@redhat.com> References: <201604270527.u3R5RvrE005517@d03av01.boulder.ibm.com> <6c44a1aa-b1d5-cd85-fc64-38b38d8a1e4b@redhat.com> <201604272324.u3RNOR6U009479@d01av01.pok.ibm.com> <2c9f4e2c-f86d-75a8-2f9f-c8f57284f7d6@redhat.com> <5721F34C.9010107@redhat.com> <5721F536.1000807@redhat.com> <57225110.1000708@redhat.com> <57237E09.5090603@redhat.com> Message-ID: <201604291557.u3TFvBLq030809@d01av03.pok.ibm.com> Hi Rob, I stopped IPA, modified dse.ldif, restarted with the cipher list and it started without issue however Same 13 ciphers. You know.. thinking about this now.. I going to try something. The box I am testing on it a replica master and not the first replica. I did not think this would make a difference since I removed the replica from the realm before testing but maybe it will not change anything thinking its stuck in the old realm? Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-29 11:51 EDT Nmap scan report for Host is up (0.000082s latency). 
PORT STATE SERVICE 636/tcp open ldapssl | ssl-enum-ciphers: | TLSv1.2 | Ciphers (13) | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA | SSL_RSA_FIPS_WITH_DES_CBC_SHA | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA | TLS_RSA_WITH_3DES_EDE_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA256 | TLS_RSA_WITH_AES_128_GCM_SHA256 | TLS_RSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_AES_256_CBC_SHA256 | TLS_RSA_WITH_DES_CBC_SHA | TLS_RSA_WITH_RC4_128_MD5 | TLS_RSA_WITH_RC4_128_SHA | Compressors (1) dn: cn=encryption,cn=config objectClass: top objectClass: nsEncryptionConfig cn: encryption nsSSLSessionTimeout: 0 nsSSLClientAuth: allowed nsSSL2: off nsSSL3: off creatorsName: cn=server,cn=plugins,cn=config modifiersName: cn=directory manager createTimestamp: 20150420131850Z modifyTimestamp: 20150420131906Z nsSSL3Ciphers: -rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5 ,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_ sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_r c4_56_sha,-tls_rsa_export1024_with_des_cbc_sha numSubordinates: 1 Sean Hogan Security Engineer Watson Security & Risk Assurance Watson Cloud Technology and Support email: schogan at us.ibm.com | Tel 919 486 1397 From: Rob Crittenden To: Sean Hogan/Durham/IBM at IBMUS, Noriko Hosoi Cc: freeipa-users at redhat.com Date: 04/29/2016 08:30 AM Subject: Re: [Freeipa-users] IPA vulnerability management SSL Sean Hogan wrote: > Hi Noriko, > > Thanks for the suggestions, > > I had to trim out the GCM ciphers in order to get IPA to start back up > or I would get the unknown cipher message The trick is getting the cipher name right (it doesn't always follow a pattern) and explicitly disabling some ciphers as they are enabled by default. 
Try this string: -rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha I have an oldish install but I think it will still do what you need: 389-ds-base-1.2.11.15-68.el6_7.x86_64 Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-29 11:24 EDT Nmap scan report for pacer.example.com (192.168.126.2) Host is up (0.00053s latency). PORT STATE SERVICE 636/tcp open ldapssl | ssl-enum-ciphers: | TLSv1.2: | ciphers: | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C | compressors: | NULL | cipher preference: server |_ least strength: C Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds $ sslscan pacer.example.com:636 |grep Accept Accepted TLSv1 256 bits AES256-SHA Accepted TLSv1 128 bits AES128-SHA Accepted TLSv1 112 bits DES-CBC3-SHA Accepted TLS11 256 bits AES256-SHA Accepted TLS11 128 bits AES128-SHA Accepted TLS11 112 bits DES-CBC3-SHA Accepted TLS12 256 bits AES256-SHA256 Accepted TLS12 256 bits AES256-SHA Accepted TLS12 128 bits AES128-GCM-SHA256 Accepted TLS12 128 bits AES128-SHA256 Accepted TLS12 128 bits AES128-SHA Accepted TLS12 112 bits DES-CBC3-SHA rob > > Nmap is still showing the same 13 ciphers as before though like nothing > had changed and I did ipactl stop, made modification, ipactl start > > tarting Nmap 5.51 ( http://nmap.org ) at 2016-04-28 > 18:44 EDT > Nmap scan report for > Host is up (0.000053s latency). 
> PORT STATE SERVICE > 636/tcp open ldapssl > | ssl-enum-ciphers: > | TLSv1.2 > | Ciphers (13) > | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA > | SSL_RSA_FIPS_WITH_DES_CBC_SHA > | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA > | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA > | TLS_RSA_WITH_3DES_EDE_CBC_SHA > | TLS_RSA_WITH_AES_128_CBC_SHA > | TLS_RSA_WITH_AES_128_CBC_SHA256 > | TLS_RSA_WITH_AES_128_GCM_SHA256 > | TLS_RSA_WITH_AES_256_CBC_SHA > | TLS_RSA_WITH_AES_256_CBC_SHA256 > | TLS_RSA_WITH_DES_CBC_SHA > | TLS_RSA_WITH_RC4_128_MD5 > | TLS_RSA_WITH_RC4_128_SHA > | Compressors (1) > |_ uncompressed > > Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds > > Current Config: > > dse.ldif > dn: cn=encryption,cn=config > objectClass: top > objectClass: nsEncryptionConfig > cn: encryption > nsSSLSessionTimeout: 0 > nsSSLClientAuth: allowed > nsSSL2: off > nsSSL3: off > creatorsName: cn=server,cn=plugins,cn=config > modifiersName: cn=directory manager > createTimestamp: 20150420131850Z > modifyTimestamp: 20150420131906Z > nsSSL3Ciphers: > -rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_ > rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,+tls_rsa_aes_128_sha > ,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_ > aes_256_sha,+rsa_aes_256_sha > numSubordinates: 1 > > > nss.conf > # SSL 3 ciphers. SSL 2 is disabled by default. > NSSCipherSuite > -rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_rsa_aes_128_gcm_sha,+tls_dhe_rsa_aes_128_gcm_sha,+tls_dhe_dss_aes_128_gcm_sha > > NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 > > > Does nss.conf have anything to do with the dir srv ciphers? 
I know the > 389 docs says they are tied together so the way I have been looking at > it is nss.conf lists the allowed ciphers where dse.ldif lists which ones > to use for 389 from nss.conf. Is that correct? Is there any other place > where ciphers would be ignored? > > nss-3.19.1-8.el6_7.x86_64 > sssd-ipa-1.12.4-47.el6_7.4.x86_64 > ipa-client-3.0.0-47.el6_7.1.x86_64 > ipa-server-selinux-3.0.0-47.el6_7.1.x86_64 > ipa-pki-common-theme-9.0.3-7.el6.noarch > ipa-python-3.0.0-47.el6_7.1.x86_64 > ipa-server-3.0.0-47.el6_7.1.x86_64 > libipa_hbac-python-1.12.4-47.el6_7.4.x86_64 > ipa-admintools-3.0.0-47.el6_7.1.x86_64 > ipa-pki-ca-theme-9.0.3-7.el6.noarch > 389-ds-base-1.2.11.15-68.el6_7.x86_64 > 389-ds-base-libs-1.2.11.15-68.el6_7.x86_64 > > > I need to get rid of any rc4s > > Sean Hogan > Security Engineer > Watson Security & Risk Assurance > Watson Cloud Technology and Support > email: schogan at us.ibm.com | Tel 919 486 1397 > > From: Noriko Hosoi > To: Ludwig Krispenz , freeipa-users at redhat.com > Date: 04/28/2016 12:08 PM > Subject: Re: [Freeipa-users] IPA vulnerability management SSL > Sent by: freeipa-users-bounces at redhat.com > > ------------------------------------------------------------------------ > > > > Thank you for including me in the loop, Ludwig. > > On 04/28/2016 04:34 AM, Ludwig Krispenz wrote: > > If I remember correctly we did the change in default ciphers and the > option for handling in 389-ds > 1.3.3, so it would not be in RHEL6, > adding Noriko to get confirmation. > > Ludwig is right. The way how to set nsSSL3Ciphers has been changed > since 1.3.3 which is available on RHEL-7.
> > This is one of the newly supported values of nsSSL3Ciphers: > > Notes: if the value contains +all, then '-' is removed > from the list. > http://www.port389.org/docs/389ds/design/nss-cipher-design.html#available-by-setting-all----nss-3162-1 > > On the older 389-ds-base including 389-ds-base-1.2.11.X on RHEL-6.X, if > "+all" is found in the value, all the available ciphers are enabled. > > To work around it, could you try explicitly setting ciphers as follows? > nsSSL3Ciphers: > -rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha, > +tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha, > +tls_rsa_aes_128_gcm_sha,+tls_dhe_rsa_aes_128_gcm_sha,+tls_dhe_dss_aes_128_gcm_sha > > Thanks, > --noriko > > On 04/28/2016 04:34 AM, Ludwig Krispenz wrote: > > wanted to add Noriko, but hit send too quickly > > On 04/28/2016 01:26 PM, Ludwig Krispenz wrote: > > On 04/28/2016 12:06 PM, Martin Kosek wrote: > On 04/28/2016 01:23 AM, Sean Hogan wrote: > Hi Martin, > > No joy on placing - in front of the RC4s > > > I modified my nss.conf to now read > # SSL 3 ciphers. SSL 2 is disabled by > default. > NSSCipherSuite > +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha > > > # SSL Protocol: > # Cryptographic protocols that provide > communication security. > # NSS handles the specified protocols as > "ranges", and automatically > # negotiates the use of the strongest > protocol for a connection starting > # with the maximum specified protocol > and downgrading as necessary to the > # minimum specified protocol that can be > used between two processes.
> # Since all protocol ranges are > completely inclusive, and no protocol in > the > NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 > > dse.ldif > > dn: cn=encryption,cn=config > objectClass: top > objectClass: nsEncryptionConfig > cn: encryption > nsSSLSessionTimeout: 0 > nsSSLClientAuth: allowed > nsSSL2: off > nsSSL3: off > creatorsName: > cn=server,cn=plugins,cn=config > modifiersName: cn=directory manager > createTimestamp: 20150420131850Z > modifyTimestamp: 20150420131906Z > nsSSL3Ciphers: > +all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4 > > _56_sha,-tls_dhe_dss_1024_rc4_sha > numSubordinates: 1 > > > > But I still get this with nmap.. I > thought the above would remove > -tls_rsa_export1024_with_rc4_56_sha but > still showing. Is it the fact that I am not > offering > -tls_rsa_export1024_with_rc4_56_sha? If > so.. not really understanding > where it is coming from cept the +all > from DS but the - should be negating that? > > Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 17:37 EDT > Nmap scan report for > Host is up (0.000086s latency). > PORT STATE SERVICE > 636/tcp open ldapssl > | ssl-enum-ciphers: > | TLSv1.2 > | Ciphers (13) > | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA > | SSL_RSA_FIPS_WITH_DES_CBC_SHA > | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA > | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA > | TLS_RSA_WITH_3DES_EDE_CBC_SHA > | TLS_RSA_WITH_AES_128_CBC_SHA > | TLS_RSA_WITH_AES_128_CBC_SHA256 > | TLS_RSA_WITH_AES_128_GCM_SHA256 > | TLS_RSA_WITH_AES_256_CBC_SHA > | TLS_RSA_WITH_AES_256_CBC_SHA256 > | TLS_RSA_WITH_DES_CBC_SHA > | TLS_RSA_WITH_RC4_128_MD5 > | TLS_RSA_WITH_RC4_128_SHA > | Compressors (1) > |_ uncompressed > > Nmap done: 1 IP address (1 host up) > scanned in 0.32 seconds > > > > It seems no matter what config I put > into nss.conf or dse.ldif nothing changes > with my nmap results.
Is there supposed > to be a section to add TLS ciphers > instead of SSL Not sure now, CCing Ludwig who was involved in > the original RHEL-6 > implementation. If I remember correctly we did the change in default > ciphers and the option for handling in 389-ds > 1.3.3, > so it would not be in RHEL6, adding Noriko to get > confirmation. > > but the below comments about changing ciphers in > dse.ldif could help in using the "old" way to set ciphers > Just to be sure, when you are modifying > dse.ldif, the procedure > should be always following: > > 1) Stop Directory Server service > 2) Modify dse.ldif > 3) Start Directory Server service > > Otherwise it won't get applied and will get > overwritten later. > > In any case, the ciphers with RHEL-6 should be > secure enough, the ones in > FreeIPA 4.3.1 should be even better. This is for > example an nmap taken on > FreeIPA Demo instance that runs on FreeIPA 4.3.1: > > $ nmap --script ssl-enum-ciphers -p 636 > ipa.demo1.freeipa.org > > Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-28 12:02 CEST > Nmap scan report for ipa.demo1.freeipa.org > (209.132.178.99) > Host is up (0.18s latency).
> PORT STATE SERVICE > 636/tcp open ldapssl > | ssl-enum-ciphers: > | TLSv1.2: > | ciphers: > | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 > (secp256r1) - A > | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA > (secp256r1) - A > | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 > (secp256r1) - A > | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA > (secp256r1) - A > | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh > 2048) - A > | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh > 2048) - A > | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh > 2048) - A > | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh > 2048) - A > | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh > 2048) - A > | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa > 2048) - A > | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A > | TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa > 2048) - A > | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A > | TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa > 2048) - A > | compressors: > | NULL > | cipher preference: server > |_ least strength: A > > Nmap done: 1 IP address (1 host up) scanned in > 21.12 seconds > > Martin > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL:
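The thread above boils down to two checks: what the LDAPS listener actually offers (nmap's ssl-enum-ciphers output, in both the 5.x and 7.x layouts quoted) and what the nsSSL3Ciphers value in dse.ldif asks for, including the "+all" form that 389-ds-base 1.2.11 on RHEL 6 handles differently. The script below is an added example, not code from the thread, FreeIPA or 389-ds; it parses both, flags RC4/DES/EXPORT suites, and diffs a before/after scan so a stop/edit/start cycle can be verified rather than assumed. The sample scans and policy string are reconstructed from the outputs quoted in the thread.

```python
"""Check which LDAPS cipher suites a 389-ds instance really offers, by parsing
nmap's ssl-enum-ciphers output, and parse the nsSSL3Ciphers policy it was given.
Added example, not FreeIPA or 389-ds code; samples reconstructed from the thread."""
import re

# Fragments of suite names an auditor wants gone (RC4 is the thread's target;
# single DES, EXPORT, NULL and MD5 suites belong in the same bucket).
WEAK_FRAGMENTS = ("RC4", "EXPORT", "NULL", "MD5", "_DES_")
LEGACY_FRAGMENTS = ("3DES",)  # legacy rather than broken; nmap 7 grades it C
# A suite line in either nmap layout: leading '|', then a TLS_/SSL_ name.
CIPHER_LINE = re.compile(r"^\|\s*((?:TLS|SSL)_[A-Z0-9_]+)")


def parse_nmap_ciphers(scan_output):
    """Suite names from nmap 5.x ('Ciphers (13)') or 7.x ('- A' grade) output."""
    names = []
    for line in scan_output.splitlines():
        m = CIPHER_LINE.match(line.strip())
        if m:
            names.append(m.group(1))
    return names


def classify(names):
    """Bucket suite names into weak, legacy and acceptable."""
    buckets = {"weak": [], "legacy": [], "ok": []}
    for n in names:
        if any(f in n for f in WEAK_FRAGMENTS):
            buckets["weak"].append(n)
        elif any(f in n for f in LEGACY_FRAGMENTS):
            buckets["legacy"].append(n)
        else:
            buckets["ok"].append(n)
    return buckets


def compare_scans(before, after):
    """(removed, added) suites; both empty after stop/edit/start means no effect."""
    b, a = set(parse_nmap_ciphers(before)), set(parse_nmap_ciphers(after))
    return sorted(b - a), sorted(a - b)


def parse_nss_cipher_policy(value):
    """Split an nsSSL3Ciphers / NSSCipherSuite value into enabled and disabled
    names. Whitespace is stripped because dse.ldif and mail quoting fold long
    values. 'uses_all' flags the '+all' form, which on 389-ds-base 1.2.11
    (RHEL 6) enables every cipher and ignores the '-' entries."""
    enabled, disabled = [], []
    for tok in re.sub(r"\s+", "", value).split(","):
        if not tok:
            continue
        if tok[0] == "+":
            enabled.append(tok[1:])
        elif tok[0] == "-":
            disabled.append(tok[1:])
        else:
            raise ValueError("cipher token must start with + or -: %r" % tok)
    return {"enabled": enabled, "disabled": disabled, "uses_all": "all" in enabled}


# Constructed sample: the 13-suite nmap 5.51 report quoted in the thread.
SCAN_BEFORE = """\
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (13)
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|       SSL_RSA_FIPS_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA256
|       TLS_RSA_WITH_AES_128_GCM_SHA256
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|       TLS_RSA_WITH_DES_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|     Compressors (1)
|_      uncompressed
"""
# Constructed sample: Rob's nmap 7.12 report after the explicit cipher list.
SCAN_AFTER = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C
"""
# The '+all' policy from the thread, folded the way dse.ldif shows it.
POLICY_PLUS_ALL = ("+all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4\n"
                   " _56_sha,-tls_dhe_dss_1024_rc4_sha")
```

Run the scan before and after the dse.ldif change and feed both outputs to compare_scans; an empty result is the "nothing changed" case Sean describes.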
From bentech4you at gmail.com Fri Apr 29 15:58:11 2016 From: bentech4you at gmail.com (Ben .T.George) Date: Fri, 29 Apr 2016 18:58:11 +0300 Subject: [Freeipa-users] HBAC with Active directory group is not working In-Reply-To: <20160429155606.GN25181@hendrix> References: <20160429145932.GM25181@hendrix> <20160429155606.GN25181@hendrix> Message-ID: HI while explaining here it went wrong. actually i did is" Added external group to POSIX group" On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek wrote: > On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote: > > HI, > > > > "The other is that the groups might not show up on the client (do they?)" > > id $user. > > But I think Alexander noticed the root cause. > > > > > how can i check that. > > > > Thanks > > Ben > > > > On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek > wrote: > > > > > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote: > > > > Hi List, > > > > > > > > I have working setup of one AD, one IPA server and one client > server. by > > > > default i can login to client server by using AD username. > > > > > > > > i want to apply HBAC rules against this client server. For that i > have > > > done > > > > below steps. > > > > > > > > 1. created External group in IPA erver > > > > 2. created local POSIX group n IPA server > > > > 3. Added AD group to external group > > > > 4. added POSIX group to external group. > > > > > > > > After that have created HBAC rule by adding both local and external > IPA > > > > groups, added sshd as service and selected service group as sudo. > > > > > > > > i have applied this HBAC rule to client server and from web UI and > while > > > > testing HBAC from web, i am getting access denied . > > > > > > Sorry, not enough info. > > > > > > One guess would be that you need to add the "sudo-i" service as well. > > > The other is that the groups might not show up on the client (do they?)
> > > > > > Anyway, it might be good idea to follow > > > https://fedorahosted.org/sssd/wiki/Troubleshooting > > > > > > -- > > > Manage your subscription for the Freeipa-users mailing list: > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > Go to http://freeipa.org for more info on the project > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From Andreas.Calminder at nordnet.se Fri Apr 29 16:00:18 2016 From: Andreas.Calminder at nordnet.se (Andreas Calminder) Date: Fri, 29 Apr 2016 16:00:18 +0000 Subject: [Freeipa-users] oneWaySync affecting Password sync? Message-ID: <7b78960f-56e6-4d37-844c-615b7fea816d@email.android.com> Hello, The goal was that I wanted to just have passwords in sync, leaving attributes and what not to windows but mostly to protect from accidental deletes in IPA being carried out in the active directory. I've removed the onewaysync attribute and worked around it with limiting the permissions for the user handling the replication. Thanks! Andreas On 29 Apr 2016 5:49 p.m., Rich Megginson wrote: > > On 04/29/2016 09:44 AM, Rob Crittenden wrote: > > Andreas Calminder wrote: > >> Hello, > >> > >> I'm running ipa 4.2.0-15.el7 with winsync and wondering if setting > >> oneWaySync to fromWindows will affect password synchronization from IPA > >> to AD, I.E password changes from IPA will not be replicated to Windows? > >> > > > > Hmm, interesting question, I'm not sure. What is your goal here? Do > > you want to disallow attribute changes in IPA to be replicated but you > > DO want passwords, or you don't want anything? > > > > ccing Rich to see what he thinks. > > AFAIK, there is no way to sync only passwords from IPA to AD. So if you > set oneWaySync: fromWindows, you will not sync password changes from IPA > to AD.
> > > > > rob > From bentech4you at gmail.com Fri Apr 29 16:05:55 2016 From: bentech4you at gmail.com (Ben .T.George) Date: Fri, 29 Apr 2016 19:05:55 +0300 Subject: [Freeipa-users] HBAC with Active directory group is not working In-Reply-To: References: <20160429145932.GM25181@hendrix> <20160429155606.GN25181@hendrix> Message-ID: HI actually i have added Domain Admins and the user ben is not part of Domain Admins. But when i login to client machine, i am getting below -sh-4.2$ id uid=1827801104(ben at kwttestdc.com.kw) gid=1827801104(ben at kwttestdc.com.kw) groups=1827801104(ben at kwttestdc.com.kw),1827800513(*domain users at kwttestdc.com.kw *),1827801105(sudo admins at kwttestdc.com.kw) On Fri, Apr 29, 2016 at 6:58 PM, Ben .T.George wrote: > HI > > while explaning here it went wrong. actually i did is" > Added external group to POSIX group" > > On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek wrote: > >> On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote: >> > HI, >> > >> > "The other is that the groups might not show up on the client (do >> they?)" >> >> id $user. >> >> But I think Alexander noticed the root cause. >> >> > >> > how can i check that. >> > >> > Thanks >> > Ben >> > >> > On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek >> wrote: >> > >> > > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote: >> > > > Hi List, >> > > > >> > > > I have working setup of one AD, one IPA server and one client >> server. by >> > > > default i can login to client server by using AD username. >> > > > >> > > > i want to apply HBAC rules against this client server. For that i >> have >> > > done >> > > > below steps. >> > > > >> > > > 1. created External group in IPA erver >> > > > 2. created local POSIX group n IPA server >> > > > 3. Added AD group to external group >> > > > 4. added POSIX group to external group. 
>> > > > >> > > > After that have created HBAC rule by adding both local and >> external IPA >> > > > groups, added sshd as service and selected service group as sudo. >> > > > >> > > > i have applied this HBAC rule to client server and from web UI and >> while >> > > > testing HBAC from web, i am getting access denied . >> > > >> > > Sorry, not enough info. >> > > >> > > One guess would be that you need to add the "sudo-i" service as well. >> > > The other is that the groups might not show up on the client (do >> they?) >> > > >> > > Anyway, it might be good idea to follow >> > > https://fedorahosted.org/sssd/wiki/Troubleshooting >> > > >> > > -- >> > > Manage your subscription for the Freeipa-users mailing list: >> > > https://www.redhat.com/mailman/listinfo/freeipa-users >> > > Go to http://freeipa.org for more info on the project >> > > >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From bentech4you at gmail.com Fri Apr 29 16:12:44 2016 From: bentech4you at gmail.com (Ben .T.George) Date: Fri, 29 Apr 2016 19:12:44 +0300 Subject: [Freeipa-users] HBAC with Active directory group is not working In-Reply-To: References: <20160429145932.GM25181@hendrix> <20160429155606.GN25181@hendrix> Message-ID: HI If i disable allow_all rule, i cannot able to login to client machine. On Fri, Apr 29, 2016 at 7:05 PM, Ben .T.George wrote: > HI > > actually i have added Domain Admins and the user ben is not part of Domain > Admins. But when i login to client machine, i am getting below > > -sh-4.2$ id > uid=1827801104(ben at kwttestdc.com.kw) gid=1827801104(ben at kwttestdc.com.kw) > groups=1827801104(ben at kwttestdc.com.kw),1827800513(*domain > users at kwttestdc.com.kw *),1827801105(sudo > admins at kwttestdc.com.kw) > > > > On Fri, Apr 29, 2016 at 6:58 PM, Ben .T.George > wrote: > >> HI >> >> while explaning here it went wrong. 
actually i did is" >> Added external group to POSIX group" >> >> On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek wrote: >> >>> On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote: >>> > HI, >>> > >>> > "The other is that the groups might not show up on the client (do >>> they?)" >>> >>> id $user. >>> >>> But I think Alexander noticed the root cause. >>> >>> > >>> > how can i check that. >>> > >>> > Thanks >>> > Ben >>> > >>> > On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek >>> wrote: >>> > >>> > > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote: >>> > > > Hi List, >>> > > > >>> > > > I have working setup of one AD, one IPA server and one client >>> server. by >>> > > > default i can login to client server by using AD username. >>> > > > >>> > > > i want to apply HBAC rules against this client server. For that i >>> have >>> > > done >>> > > > below steps. >>> > > > >>> > > > 1. created External group in IPA erver >>> > > > 2. created local POSIX group n IPA server >>> > > > 3. Added AD group to external group >>> > > > 4. added POSIX group to external group. >>> > > > >>> > > > After that have created HBAC rule by adding both local and >>> external IPA >>> > > > groups, added sshd as service and selected service group as sudo. >>> > > > >>> > > > i have applied this HBAC rule to client server and from web UI and >>> while >>> > > > testing HBAC from web, i am getting access denied . >>> > > >>> > > Sorry, not enough info. >>> > > >>> > > One guess would be that you need to add the "sudo-i" service as well. >>> > > The other is that the groups might not show up on the client (do >>> they?) 
>>> > > >>> > > Anyway, it might be good idea to follow >>> > > https://fedorahosted.org/sssd/wiki/Troubleshooting >>> > > >>> > > -- >>> > > Manage your subscription for the Freeipa-users mailing list: >>> > > https://www.redhat.com/mailman/listinfo/freeipa-users >>> > > Go to http://freeipa.org for more info on the project >>> > > >>> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From bret.wortman at damascusgrp.com Fri Apr 29 16:17:11 2016 From: bret.wortman at damascusgrp.com (Bret Wortman) Date: Fri, 29 Apr 2016 12:17:11 -0400 Subject: [Freeipa-users] IPA server having cert issues In-Reply-To: <49c392e7-3ed0-c46c-f09e-ec683644f0c1@redhat.com> References: <571F586E.2000302@damascusgrp.com> <571F6BF5.9060801@damascusgrp.com> <571F6C80.8000006@damascusgrp.com> <7c9ac60d-f182-cb92-bf53-85359e5c5b81@redhat.com> <571F9092.7060204@damascusgrp.com> <571F9E04.2050400@damascusgrp.com> <571FA944.8040003@redhat.com> <571FAE1C.107@damascusgrp.com> <57208EE1.3000006@damascusgrp.com> <5720D0A8.505@damascusgrp.com> <5720F2AB.3000300@redhat.com> <572103CE.6030404@damascusgrp.com> <5722193A.40101@damascusgrp.com> <2dac740d-a1fe-5579-6841-d410ee0ec5fc@redhat.com> <5722311B.7040806@damascusgrp.com> <11f8848a-a71f-e98a-ac1c-6656f4cd4df1@redhat.com> <57223AC2.4020603@damascusgrp.com> <5723317B.8090900@damascusgrp.com> <054f2a45-6c3f-a88a-29aa-b4cf51bcb25c@redhat.com> <57235944.1080306@damascusgrp.com> <11761686-346d-7565-68d5-a6f8689ff3e4@redhat.com> <572374E1.1030902@damascusgrp.com> <49c392e7-3ed0-c46c-f09e-ec683644f0c1@redhat.com> Message-ID: <57238907.2000101@damascusgrp.com> I'll put the results inline here, since they're short. [root at zsipa log]# ls -laZ /etc/httpd/ drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 . drwxr-xr-x. root root system_u:object_r:etc_t:s0 .. drwxr-xr-x. root root system_u:object_r:cert_t:s0 alias drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf drwxr-xr-x. 
root root system_u:object_r:httpd_config_t:s0 conf.d drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.modules.d lrwxrwxrwx root root ? logs -> ../../var/log/httpd lrwxrwxrwx root root ? modules -> ../../usr/lib64/httpd/modules lrwxrwxrwx root root ? run -> /run/httpd [root at zsipa log]# ls -laZ /etc/httpd/alias drwxr-xr-x. root root system_u:object_r:cert_t:s0 . drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 .. -r--r--r-- root root ? cacert.asc -r--r--r-- root root ? cacert.asc.orig -rw-r----- root root ? cert8.db -rw-rw---- root apache ? cert8.db.20160426 -rw-rw---- root apache ? cert8.db.orig -rw-------. root root system_u:object_r:cert_t:s0 install.log -rw-r----- root root ? key3.db -rw-rw---- root apache ? key3.db.20160426 -rw-rw---- root apache ? key3.db.orig lrwxrwxrwx root root ? libnssckbi.so -> ../../..//usr/lib64/libnssckbi.so -rw-rw---- root apache ? pwdfile.txt -rw-rw---- root apache ? pwdfile.txt.orig -rw-rw---- root apache ? secmod.db -rw-rw---- root apache ? secmod.db.orig [root at zsipa log]# certutil -L -d /etc/httpd/alias Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Signing-Cert u,u,u Server-Cert u,u,u ipaCert u,u,u PRIVATE.NET IPA CA CT,C,C PRIVATE.NET IPA CA CT,C,C [root at zsipa log]# On 04/29/2016 11:02 AM, Christian Heimes wrote: > On 2016-04-29 16:51, Bret Wortman wrote: >> It is contacting the correct machine. I tried again by IP with the same >> results. >> >> /etc/httpd/conf.d/ipa-pki-proxy.conf is dated May 20 2014. >> >> Web UI won't load. CLI won't respond either. Commands just hang. >> >> # netstat -ln | grep 443 >> tcp6 0 0 :::8443 >> :::* LISTEN >> tcp6 2 0 :::443 >> :::* LISTEN >> # netstat -ln | grep 8009 >> tcp6 0 0 127.0.0.1:8009 >> :::* LISTEN >> # curl -v https://zsipa.private.net:443/ca/admin/ca/getStatus >> * Hostname was NOT found in DNS cache >> * Trying 192.168.208.53... 
>> * Connected to zsipa.private.net (192.168.208.53) port 443 (#0)
>> * Initializing NSS with certpath: sql:/etc/pki/nssdb
>> * CAfile: /etc/pki/tls/certs/ca-bundle.crt
>> CApath: none
>> (long hang at this point, so I ^C-ed)
>>
>> # openssl s_client -connect zsipa.private.net:443 -CAfile /etc/ipa/ca.crt -verify 10
>> verify depth is 10
>> CONNECTED(00000003)
>> (long hang at this point, aborted again)
>>
>> For the other (longer) logs, see http://pastebin.com/esBBKyGZ
>>
>> Also, answering Christian's questions:
>>
>> mod_ssl has not been installed.
>>
>> # ss -tpln | grep 443
>> LISTEN 0 100 :::8443 :::* users:(("java",pid=26522,fd=84))
>> LISTEN 13 128 :::443 :::* users:(("httpd",pid=26323,fd=6))
>> #
> The output of ss looks sane. httpd is Apache, Java is Dogtag PKI's Tomcat instance.
>
> The error log of Apache is more troublesome. It looks like your NSSDB is busted:
>
> [Mon Apr 04 14:18:49.330238 2016] [:error] [pid 26327] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
> [Mon Apr 04 14:18:49.330253 2016] [:error] [pid 26327] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
> [Mon Apr 04 14:18:50.318327 2016] [core:notice] [pid 26323] AH00052: child pid 26327 exit signal Segmentation fault (11)
>
> Please run these commands to show us the content of your NSSDB.
>
> # ls -laZ /etc/httpd/
> # ls -laZ /etc/httpd/alias
> # certutil -L -d /etc/httpd/alias
>
> Christian
>
-------------- next part --------------
An HTML attachment was scrubbed...
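The /etc/httpd/alias listing Bret posted (ls -laZ, above) can be checked mechanically rather than by eye. The following Python is an added example, not FreeIPA or httpd code: it parses ls -laZ lines, lists the regular files that carry no SELinux label at all (shown as ?), and compares each live file's mode, owner and group with its .orig sibling. That the .orig copies record the state the NSS database files were installed in is an assumption; the listing embedded in the block is a constructed subset of the one in the thread.

```python
"""Check an `ls -laZ` listing of an NSS database directory for files that
carry no SELinux label and for files whose mode/owner/group no longer match
their .orig backup copy.  Added example; not FreeIPA or httpd code."""
import re
from dataclasses import dataclass

# One line of `ls -laZ` on RHEL/CentOS 7:
#   <mode>[.] <owner> <group> <selinux-context or ?> <name> [-> <target>]
LS_LINE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\.?\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<ctx>\S+)\s+(?P<name>\S+)(?:\s+->\s+\S+)?$"
)


@dataclass
class Entry:
    mode: str
    owner: str
    group: str
    ctx: str
    name: str

    @property
    def is_regular_file(self) -> bool:
        return self.mode[0] == "-"


def parse_listing(text: str) -> dict:
    """Map file name -> Entry; raises on a line that is not ls -laZ output."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LS_LINE.match(line)
        if m is None:
            raise ValueError("unrecognised ls -laZ line: %r" % line)
        e = Entry(m["mode"], m["owner"], m["group"], m["ctx"], m["name"])
        entries[e.name] = e
    return entries


def unlabeled(entries: dict) -> list:
    """Regular files with no SELinux context ('?'); restorecon would relabel these."""
    return sorted(n for n, e in entries.items() if e.is_regular_file and e.ctx == "?")


def backup_mismatches(entries: dict, suffix: str = ".orig") -> dict:
    """For each regular file with a <name><suffix> backup, list the fields
    (mode, owner, group) on which the live file differs from the backup."""
    out = {}
    for name, e in entries.items():
        if not e.is_regular_file or name.endswith(suffix):
            continue
        ref = entries.get(name + suffix)
        if ref is None:
            continue
        diffs = [f for f in ("mode", "owner", "group") if getattr(e, f) != getattr(ref, f)]
        if diffs:
            out[name] = diffs
    return out


# Constructed subset of the /etc/httpd/alias listing from the thread.
SAMPLE_LISTING = """
drwxr-xr-x. root root system_u:object_r:cert_t:s0 .
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 ..
-r--r--r-- root root ? cacert.asc
-r--r--r-- root root ? cacert.asc.orig
-rw-r----- root root ? cert8.db
-rw-rw---- root apache ? cert8.db.orig
-rw-------. root root system_u:object_r:cert_t:s0 install.log
-rw-r----- root root ? key3.db
-rw-rw---- root apache ? key3.db.orig
lrwxrwxrwx root root ? libnssckbi.so -> ../../..//usr/lib64/libnssckbi.so
-rw-rw---- root apache ? pwdfile.txt
-rw-rw---- root apache ? pwdfile.txt.orig
-rw-rw---- root apache ? secmod.db
-rw-rw---- root apache ? secmod.db.orig
"""

if __name__ == "__main__":
    listing = parse_listing(SAMPLE_LISTING)
    print("no SELinux label:", ", ".join(unlabeled(listing)))
    for name, fields in sorted(backup_mismatches(listing).items()):
        print("%s differs from %s.orig in: %s" % (name, name, ", ".join(fields)))
```

On the listing in the thread this reports cert8.db and key3.db as differing from their .orig copies in mode and group (root:root 0640 now, root:apache 0660 before). A 0640 file owned root:root is unreadable to the apache user regardless of SELinux state, so the comparison is worth running before or alongside restorecon, and the audit log check Christian suggests only covers the labelling half.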
URL: From cheimes at redhat.com Fri Apr 29 16:25:44 2016 From: cheimes at redhat.com (Christian Heimes) Date: Fri, 29 Apr 2016 18:25:44 +0200 Subject: [Freeipa-users] IPA server having cert issues In-Reply-To: <57238907.2000101@damascusgrp.com> References: <571F586E.2000302@damascusgrp.com> <571F6C80.8000006@damascusgrp.com> <7c9ac60d-f182-cb92-bf53-85359e5c5b81@redhat.com> <571F9092.7060204@damascusgrp.com> <571F9E04.2050400@damascusgrp.com> <571FA944.8040003@redhat.com> <571FAE1C.107@damascusgrp.com> <57208EE1.3000006@damascusgrp.com> <5720D0A8.505@damascusgrp.com> <5720F2AB.3000300@redhat.com> <572103CE.6030404@damascusgrp.com> <5722193A.40101@damascusgrp.com> <2dac740d-a1fe-5579-6841-d410ee0ec5fc@redhat.com> <5722311B.7040806@damascusgrp.com> <11f8848a-a71f-e98a-ac1c-6656f4cd4df1@redhat.com> <57223AC2.4020603@damascusgrp.com> <5723317B.8090900@damascusgrp.com> <054f2a45-6c3f-a88a-29aa-b4cf51bcb25c@redhat.com> <57235944.1080306@damascusgrp.com> <11761686-346d-7565-68d5-a6f8689ff3e4@redhat.com> <572374E1.1030902@damascusgrp.com> <49c392e7-3ed0-c46c-f09e-ec683644f0c1@redhat.com> <57238907.2000101@damascusgrp.com> Message-ID: On 2016-04-29 18:17, Bret Wortman wrote: > I'll put the results inline here, since they're short. > > [root at zsipa log]# ls -laZ /etc/httpd/ > drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 . > drwxr-xr-x. root root system_u:object_r:etc_t:s0 .. > drwxr-xr-x. root root system_u:object_r:cert_t:s0 alias > drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf > drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.d > drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.modules.d > lrwxrwxrwx root root ? logs -> > ../../var/log/httpd > lrwxrwxrwx root root ? modules -> > ../../usr/lib64/httpd/modules > lrwxrwxrwx root root ? run -> /run/httpd > [root at zsipa log]# ls -laZ /etc/httpd/alias > drwxr-xr-x. root root system_u:object_r:cert_t:s0 . > drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 .. 
> -r--r--r-- root root ? cacert.asc
> -r--r--r-- root root ? cacert.asc.orig
> -rw-r----- root root ? cert8.db
> -rw-rw---- root apache ? cert8.db.20160426
> -rw-rw---- root apache ? cert8.db.orig
> -rw-------. root root system_u:object_r:cert_t:s0 install.log
> -rw-r----- root root ? key3.db
> -rw-rw---- root apache ? key3.db.20160426
> -rw-rw---- root apache ? key3.db.orig
> lrwxrwxrwx root root ? libnssckbi.so -> ../../..//usr/lib64/libnssckbi.so
> -rw-rw---- root apache ? pwdfile.txt
> -rw-rw---- root apache ? pwdfile.txt.orig
> -rw-rw---- root apache ? secmod.db
> -rw-rw---- root apache ? secmod.db.orig

Some files don't have the correct SELinux context or are completely missing a context. SELinux prevents Apache from accessing these files. Did you replace some files or restore some from a backup? You should see a bunch of SELinux violations in your audit log.

In order to restore the correct context, please run restorecon:

# restorecon -R -v /etc/httpd/alias

This should set correct contexts and allow you to start Apache HTTPD again.

Christian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: 

From bentech4you at gmail.com Fri Apr 29 16:27:49 2016
From: bentech4you at gmail.com (Ben .T.George)
Date: Fri, 29 Apr 2016 19:27:49 +0300
Subject: [Freeipa-users] HBAC with Active directory group is not working
In-Reply-To: 
References: <20160429145932.GM25181@hendrix> <20160429155606.GN25181@hendrix>
Message-ID: 

Surprisingly, I created some local IPA users, added them to the same HBAC rule, removed the AD group, and applied this rule to the client, and that worked. How can I make this AD group work with HBAC?

Regards,
Ben

On Fri, Apr 29, 2016 at 7:12 PM, Ben .T.George wrote:
> HI
>
> If I disable the allow_all rule, I cannot log in to the client machine.
> > On Fri, Apr 29, 2016 at 7:05 PM, Ben .T.George > wrote: > >> HI >> >> actually i have added Domain Admins and the user ben is not part of >> Domain Admins. But when i login to client machine, i am getting below >> >> -sh-4.2$ id >> uid=1827801104(ben at kwttestdc.com.kw) gid=1827801104(ben at kwttestdc.com.kw) >> groups=1827801104(ben at kwttestdc.com.kw),1827800513(*domain >> users at kwttestdc.com.kw *),1827801105(sudo >> admins at kwttestdc.com.kw) >> >> >> >> On Fri, Apr 29, 2016 at 6:58 PM, Ben .T.George >> wrote: >> >>> HI >>> >>> while explaning here it went wrong. actually i did is" >>> Added external group to POSIX group" >>> >>> On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek >>> wrote: >>> >>>> On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote: >>>> > HI, >>>> > >>>> > "The other is that the groups might not show up on the client (do >>>> they?)" >>>> >>>> id $user. >>>> >>>> But I think Alexander noticed the root cause. >>>> >>>> > >>>> > how can i check that. >>>> > >>>> > Thanks >>>> > Ben >>>> > >>>> > On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek >>>> wrote: >>>> > >>>> > > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote: >>>> > > > Hi List, >>>> > > > >>>> > > > I have working setup of one AD, one IPA server and one client >>>> server. by >>>> > > > default i can login to client server by using AD username. >>>> > > > >>>> > > > i want to apply HBAC rules against this client server. For that i >>>> have >>>> > > done >>>> > > > below steps. >>>> > > > >>>> > > > 1. created External group in IPA erver >>>> > > > 2. created local POSIX group n IPA server >>>> > > > 3. Added AD group to external group >>>> > > > 4. added POSIX group to external group. >>>> > > > >>>> > > > After that have created HBAC rule by adding both local and >>>> external IPA >>>> > > > groups, added sshd as service and selected service group as sudo. 
>>>> > > >
>>>> > > > i have applied this HBAC rule to client server and from web UI and while
>>>> > > > testing HBAC from web, i am getting access denied .
>>>> > >
>>>> > > Sorry, not enough info.
>>>> > >
>>>> > > One guess would be that you need to add the "sudo-i" service as well.
>>>> > > The other is that the groups might not show up on the client (do they?)
>>>> > >
>>>> > > Anyway, it might be good idea to follow
>>>> > > https://fedorahosted.org/sssd/wiki/Troubleshooting
>>>> > >
>>>> > > --
>>>> > > Manage your subscription for the Freeipa-users mailing list:
>>>> > > https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> > > Go to http://freeipa.org for more info on the project
>>>> > >
>>>>
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From listeranon at gmail.com Fri Apr 29 16:30:52 2016
From: listeranon at gmail.com (Anon Lister)
Date: Fri, 29 Apr 2016 12:30:52 -0400
Subject: [Freeipa-users] Account/password expirations
In-Reply-To: 
References: <20160419155704.GC14903@hendrix> <20160421193726.GB4262@hendrix> <20160429073230.GC25181@hendrix>
Message-ID: 

Yep, sorry I missed that. You need to put your public keys in IPA.

On Apr 29, 2016 3:32 AM, "Jakub Hrozek" wrote:
On Thu, Apr 28, 2016 at 09:14:48PM -0400, Prasun Gera wrote:
> > You can still authenticate with SSH keys, but to access any NFS 4 shares
> > they will need a Kerberos ticket, which can be obtained via a 'kinit' after
> > logging in.
> >
>
> Then how does the key authentication work if the .ssh directory on nfs4 is
> not accessible ? Doesn't the key authentication process rely on
> .ssh/authorized keys being readable by the authentication module ?

SSSD can fetch the authorized keys from IPA, see man sss_ssh_authorizedkeys(1)
-------------- next part --------------
An HTML attachment was scrubbed...
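The HBAC thread above (Ben .T.George with Jakub Hrozek) turns on two questions: does the AD group actually reach the rule through the external group and the POSIX group, and is the still-enabled allow_all rule masking whatever the new rule does. The following Python is an added example, not FreeIPA or SSSD code; it models HBAC evaluation the way `ipa hbactest` reports it, with group nesting resolved transitively, and parses the `id` output posted in the thread to see which of the user's groups can reach the rule. The group graph, the host name client.example.test and the user alice (placed in Domain Admins) are constructed for illustration.

```python
"""Model of FreeIPA HBAC evaluation with an AD group nested through an
external group into a POSIX group.  Added example; not FreeIPA/SSSD code.
Group graph, host name and the user 'alice' are constructed for illustration."""
import re

# name -> members; a member that is itself a key is a nested group, anything
# else is a user.  AD identities carry the @domain suffix, as `id` shows them.
GROUPS = {
    "domain admins@kwttestdc.com.kw": {"alice@kwttestdc.com.kw"},  # assumed membership
    "domain users@kwttestdc.com.kw": {"alice@kwttestdc.com.kw",
                                      "ben@kwttestdc.com.kw"},
    "sudo admins@kwttestdc.com.kw": {"ben@kwttestdc.com.kw"},
    "ad_admins_external": {"domain admins@kwttestdc.com.kw"},  # IPA external group
    "ad_admins": {"ad_admins_external"},                        # IPA POSIX group
}

HOST = "client.example.test"  # assumed client host name


def nested_groups(group, groups=GROUPS):
    """All groups reachable from `group` through nesting (not including itself)."""
    out, stack = set(), [group]
    while stack:
        for m in groups.get(stack.pop(), ()):
            if m in groups and m not in out:
                out.add(m)
                stack.append(m)
    return out


def rule(name, enabled=True, users=(), groups=(), hosts=(), services=(),
         usercat=None, hostcat=None, servicecat=None):
    """An HBAC rule in the shape ipa hbacrule-show reports it."""
    return {"name": name, "enabled": enabled, "users": set(users),
            "groups": set(groups), "hosts": set(hosts), "services": set(services),
            "usercat": usercat, "hostcat": hostcat, "servicecat": servicecat}


RULES = [
    rule("allow_all", usercat="all", hostcat="all", servicecat="all"),
    rule("ad_admins_ssh", groups=["ad_admins"], hosts=[HOST], services=["sshd", "sudo"]),
]


def rule_matches(r, user, host, service, groups=GROUPS):
    """True when the rule is enabled and its user, host and service parts all match."""
    if not r["enabled"]:
        return False
    user_ok = (r["usercat"] == "all" or user in r["users"]
               or any(user in groups.get(g, ())
                      for rg in r["groups"] for g in {rg} | nested_groups(rg, groups)))
    host_ok = r["hostcat"] == "all" or host in r["hosts"]
    svc_ok = r["servicecat"] == "all" or service in r["services"]
    return user_ok and host_ok and svc_ok


def hbac_test(user, host, service, rules=RULES, groups=GROUPS):
    """(access granted?, names of matching rules), like `ipa hbactest`."""
    matched = [r["name"] for r in rules if rule_matches(r, user, host, service, groups)]
    return bool(matched), matched


def without(rules, name):
    """Copy of `rules` with the named rule disabled (ipa hbacrule-disable)."""
    return [dict(r, enabled=r["enabled"] and r["name"] != name) for r in rules]


def groups_from_id(id_output):
    """Group names from `id` output; AD group names may contain spaces."""
    tail = re.search(r"groups=(.*)$", id_output).group(1)
    return [name for _, name in re.findall(r"(\d+)\(([^)]+)\)", tail)]


def reaching_groups(id_output, rule_groups, groups=GROUPS):
    """Groups from `id` that are a rule group or nested inside one."""
    wanted = set(rule_groups)
    for rg in rule_groups:
        wanted |= nested_groups(rg, groups)
    return [g for g in groups_from_id(id_output) if g in wanted]


# `id` output as posted in the thread (spacing reconstructed).
ID_OUTPUT = ("uid=1827801104(ben@kwttestdc.com.kw) gid=1827801104(ben@kwttestdc.com.kw) "
             "groups=1827801104(ben@kwttestdc.com.kw),1827800513(domain users@kwttestdc.com.kw),"
             "1827801105(sudo admins@kwttestdc.com.kw)")

if __name__ == "__main__":
    ben = "ben@kwttestdc.com.kw"
    print("allow_all enabled :", hbac_test(ben, HOST, "sshd"))
    print("allow_all disabled:", hbac_test(ben, HOST, "sshd", without(RULES, "allow_all")))
    print("ben's groups reaching ad_admins:", reaching_groups(ID_OUTPUT, ["ad_admins"]))
```

In this model ben is granted access while allow_all is enabled and denied the moment it is disabled, because none of the groups `id` reports for him is nested inside ad_admins; a user who really is in Domain Admins passes the sshd rule and still fails for sudo-i, the service Jakub suggested adding. On a real deployment the server-side equivalent is `ipa hbactest --user <user> --host <host> --service sshd`, while SSSD on the client evaluates the same rules against the groups it has resolved for the user, which is why the `id` check matters.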
URL: 

From bret.wortman at damascusgrp.com Fri Apr 29 16:41:48 2016
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Fri, 29 Apr 2016 12:41:48 -0400
Subject: [Freeipa-users] IPA server having cert issues
In-Reply-To: 
References: <571F586E.2000302@damascusgrp.com> <571F9092.7060204@damascusgrp.com> <571F9E04.2050400@damascusgrp.com> <571FA944.8040003@redhat.com> <571FAE1C.107@damascusgrp.com> <57208EE1.3000006@damascusgrp.com> <5720D0A8.505@damascusgrp.com> <5720F2AB.3000300@redhat.com> <572103CE.6030404@damascusgrp.com> <5722193A.40101@damascusgrp.com> <2dac740d-a1fe-5579-6841-d410ee0ec5fc@redhat.com> <5722311B.7040806@damascusgrp.com> <11f8848a-a71f-e98a-ac1c-6656f4cd4df1@redhat.com> <57223AC2.4020603@damascusgrp.com> <5723317B.8090900@damascusgrp.com> <054f2a45-6c3f-a88a-29aa-b4cf51bcb25c@redhat.com> <57235944.1080306@damascusgrp.com> <11761686-346d-7565-68d5-a6f8689ff3e4@redhat.com> <572374E1.1030902@damascusgrp.com> <49c392e7-3ed0-c46c-f09e-ec683644f0c1@redhat.com> <57238907.2000101@damascusgrp.com>
Message-ID: <57238ECC.7010907@damascusgrp.com>

We run with selinux disabled.

# getenforce
Disabled
# restorecon -R -v /etc/httpd/alias
# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting pki-tomcatd Service
Failed to start pki-tomcatd Service
Shutting down
Aborting ipactl
# ipactl status
Directory Service: STOPPED
Directory Service must be running in order to obtain status of other services
ipa: INFO: The ipactl command was successful
#

On 04/29/2016 12:25 PM, Christian Heimes wrote:
> On 2016-04-29 18:17, Bret Wortman wrote:
>> I'll put the results inline here, since they're short.
>>
>> [root at zsipa log]# ls -laZ /etc/httpd/
>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 .
>> drwxr-xr-x. root root system_u:object_r:etc_t:s0 ..
>> drwxr-xr-x. root root system_u:object_r:cert_t:s0 alias
>> drwxr-xr-x.
root root system_u:object_r:httpd_config_t:s0 conf >> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.d >> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.modules.d >> lrwxrwxrwx root root ? logs -> >> ../../var/log/httpd >> lrwxrwxrwx root root ? modules -> >> ../../usr/lib64/httpd/modules >> lrwxrwxrwx root root ? run -> /run/httpd >> [root at zsipa log]# ls -laZ /etc/httpd/alias >> drwxr-xr-x. root root system_u:object_r:cert_t:s0 . >> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 .. >> -r--r--r-- root root ? cacert.asc >> -r--r--r-- root root ? cacert.asc.orig >> -rw-r----- root root ? cert8.db >> -rw-rw---- root apache ? cert8.db.20160426 >> -rw-rw---- root apache ? cert8.db.orig >> -rw-------. root root system_u:object_r:cert_t:s0 install.log >> -rw-r----- root root ? key3.db >> -rw-rw---- root apache ? key3.db.20160426 >> -rw-rw---- root apache ? key3.db.orig >> lrwxrwxrwx root root ? libnssckbi.so >> -> ../../..//usr/lib64/libnssckbi.so >> -rw-rw---- root apache ? pwdfile.txt >> -rw-rw---- root apache ? pwdfile.txt.orig >> -rw-rw---- root apache ? secmod.db >> -rw-rw---- root apache ? secmod.db.orig > Some files don't have the correct SELinux context or are completely > missing a context. SELinux prevents Apache from accessing this files. > Did you replace some files or restore some from a backup? You should see > a bunch of SELinux violations in your audit log. > > In order to restore the correct context, please run restorecon: > > # restorecon -R -v /etc/httpd/alias > > This should set correct contexts and allow you to start Apache HTTPD again. > > Christian > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jalvarez at cyberfuel.com Fri Apr 29 17:00:27 2016 From: jalvarez at cyberfuel.com (Jose Alvarez R.) 
Date: Fri, 29 Apr 2016 11:00:27 -0600 Subject: [Freeipa-users] HTTP response code is 401, not 200 In-Reply-To: <57237EFE.4010705@redhat.com> References: <04e201d1a219$7a6497f0$6f2dc7d0$@cyberfuel.com> <57237EFE.4010705@redhat.com> Message-ID: <06b701d1a238$a151b590$e3f520b0$@cyberfuel.com> Hi Rob, Thanks for your response Yes, It's with admin. I execute the command "ipa-client-install --debug" ------------------------------------------------------------------------- [root at ppa named]# ipa-client-install --debug /usr/sbin/ipa-client-install was invoked with options: {'domain': None, 'force': False, 'realm_name': None, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir ': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain': False, 'principal': None , 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': Tr ue, 'force_join': False, 'ca_cert_file': None, 'server': None, 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': False, 'uninstall': False} missing options might be asked for interactively later Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' [IPA Discovery] Starting IPA discovery with domain=None, servers=None, hostname=ppa.cyberfuel.com Start searching for LDAP SRV record in "cyberfuel.com" (domain of the hostname) and its sub-domains Search DNS for SRV record of _ldap._tcp.cyberfuel.com. DNS record found: DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0, port:389,weight:50,server:freeipa.cyberfuel.com.} [Kerberos realm search] Search DNS for TXT record of _kerberos.cyberfuel.com. 
DNS record found: DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFU EL.COM} Search DNS for SRV record of _kerberos._udp.cyberfuel.com. DNS record found: DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priorit y:0,port:88,weight:50,server:freeipa.cyberfuel.com.} [LDAP server check] Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server Init LDAP connection with: ldap://freeipa.cyberfuel.com:389 Search LDAP server for IPA base DN Check if naming context 'dc=cyberfuel,dc=com' is for IPA Naming context 'dc=cyberfuel,dc=com' is a valid IPA context Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub) Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com Discovery result: Success; server=freeipa.cyberfuel.com, domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com Validated servers: freeipa.cyberfuel.com will use discovered domain: cyberfuel.com Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS Discovery) and its sub-domains Search DNS for SRV record of _ldap._tcp.cyberfuel.com. DNS record found: DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0, port:389,weight:50,server:freeipa.cyberfuel.com.} DNS validated, enabling discovery will use discovered server: freeipa.cyberfuel.com Discovery was successful! will use discovered realm: CYBERFUEL.COM will use discovered basedn: dc=cyberfuel,dc=com Hostname: ppa.cyberfuel.com Hostname source: Machine's FQDN Realm: CYBERFUEL.COM Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com DNS Domain: cyberfuel.com DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of the hostname) IPA Server: freeipa.cyberfuel.com IPA Server source: Discovered from LDAP DNS records in freeipa.cyberfuel.com BaseDN: dc=cyberfuel,dc=com BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389 Continue to configure the system with these values? 
[no]: no Installation failed. Rolling back changes. IPA client is not configured on this system. [root at ppa named]# [root at ppa named]# ipa-client-install --debug /usr/sbin/ipa-client-install was invoked with options: {'domain': None, 'force': False, 'realm_name': None, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain': False, 'principal': None, 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join': False, 'ca_cert_file': None, 'server': None, 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': False, 'uninstall': False} missing options might be asked for interactively later Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' [IPA Discovery] Starting IPA discovery with domain=None, servers=None, hostname=ppa.cyberfuel.com Start searching for LDAP SRV record in "cyberfuel.com" (domain of the hostname) and its sub-domains Search DNS for SRV record of _ldap._tcp.cyberfuel.com. DNS record found: DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0, port:389,weight:50,server:freeipa.cyberfuel.com.} [Kerberos realm search] Search DNS for TXT record of _kerberos.cyberfuel.com. DNS record found: DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFU EL.COM} Search DNS for SRV record of _kerberos._udp.cyberfuel.com. 
DNS record found: DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priorit y:0,port:88,weight:50,server:freeipa.cyberfuel.com.} [LDAP server check] Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server Init LDAP connection with: ldap://freeipa.cyberfuel.com:389 Search LDAP server for IPA base DN Check if naming context 'dc=cyberfuel,dc=com' is for IPA Naming context 'dc=cyberfuel,dc=com' is a valid IPA context Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub) Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com Discovery result: Success; server=freeipa.cyberfuel.com, domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com Validated servers: freeipa.cyberfuel.com will use discovered domain: cyberfuel.com Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS Discovery) and its sub-domains Search DNS for SRV record of _ldap._tcp.cyberfuel.com. DNS record found: DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0, port:389,weight:50,server:freeipa.cyberfuel.com.} DNS validated, enabling discovery will use discovered server: freeipa.cyberfuel.com Discovery was successful! will use discovered realm: CYBERFUEL.COM will use discovered basedn: dc=cyberfuel,dc=com Hostname: ppa.cyberfuel.com Hostname source: Machine's FQDN Realm: CYBERFUEL.COM Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com DNS Domain: cyberfuel.com DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of the hostname) IPA Server: freeipa.cyberfuel.com IPA Server source: Discovered from LDAP DNS records in freeipa.cyberfuel.com BaseDN: dc=cyberfuel,dc=com BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389 Continue to configure the system with these values? 
[no]: yes args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r CYBERFUEL.COM stdout= stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory User authorized to enroll computers: admin will use principal provided as option: admin Synchronizing time with KDC... Search DNS for SRV record of _ntp._udp.cyberfuel.com. No DNS record found args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com stdout= stderr= Writing Kerberos configuration to /tmp/tmpqWSatK: #File modified by ipa-client-install includedir /var/lib/sss/pubconf/krb5.include.d/ [libdefaults] default_realm = CYBERFUEL.COM dns_lookup_realm = false dns_lookup_kdc = false rdns = false ticket_lifetime = 24h forwardable = yes udp_preference_limit = 0 [realms] CYBERFUEL.COM = { kdc = freeipa.cyberfuel.com:88 master_kdc = freeipa.cyberfuel.com:88 admin_server = freeipa.cyberfuel.com:749 default_domain = cyberfuel.com pkinit_anchors = FILE:/etc/ipa/ca.crt } [domain_realm] .cyberfuel.com = CYBERFUEL.COM cyberfuel.com = CYBERFUEL.COM Password for admin at CYBERFUEL.COM: args=kinit admin at CYBERFUEL.COM stdout=Password for admin at CYBERFUEL.COM: stderr= trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com Existing CA cert and Retrieved CA cert are identical args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b dc=cyberfuel,dc=com -d stdout= stderr=XML-RPC CALL: \r\n \r\n join\r\n \r\n \r\n ppa.cyberfuel.com\r\n \r\n \r\n nsosversion\r\n 2.6.32-573.8.1.el6.x86_64\r\n nshardwareplatform\r\n x86_64\r\n \r\n \r\n \r\n * About to connect() to freeipa.cyberfuel.com port 443 (#0) * Trying 192.168.20.90... 
* Adding handle: conn: 0x10bb2f0 * Adding handle: send: 0 * Adding handle: recv: 0 * Curl_addHandleToPipeline: length: 1 * - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0 * Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0) * successfully set certificate verify locations: * CAfile: /etc/ipa/ca.crt CApath: none * SSL connection using AES256-SHA * Server certificate: * subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com * start date: 2015-09-30 17:52:11 GMT * expire date: 2017-09-30 17:52:11 GMT * common name: freeipa.cyberfuel.com (matched) * issuer: O=CYBERFUEL.COM; CN=Certificate Authority * SSL certificate verify ok. > POST /ipa/xml HTTP/1.1 Host: freeipa.cyberfuel.com Accept: */* Content-Type: text/xml User-Agent: ipa-join/3.0.0 Referer: https://freeipa.cyberfuel.com/ipa/xml X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1 Content-Length: 477 * upload completely sent off: 477 out of 477 bytes < HTTP/1.1 401 Authorization Required < Date: Fri, 29 Apr 2016 16:16:32 GMT * Server Apache/2.2.15 (CentOS) is not blacklisted < Server: Apache/2.2.15 (CentOS) < WWW-Authenticate: Negotiate < Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT < ETag: "a0528-55a-53051ba8f7000" < Accept-Ranges: bytes < Content-Length: 1370 < Connection: close < Content-Type: text/html; charset=UTF-8 < * Closing connection 0 HTTP response code is 401, not 200 Joining realm failed: XML-RPC CALL: \r\n \r\n join\r\n \r\n \r\n ppa.cyberfuel.com\r\n \r\n \r\n nsosversion\r\n 2.6.32-573.8.1.el6.x86_64\r\n nshardwareplatform\r\n x86_64\r\n \r\n \r\n \r\n * About to connect() to freeipa.cyberfuel.com port 443 (#0) * Trying 192.168.20.90... 
* Adding handle: conn: 0x10bb2f0 * Adding handle: send: 0 * Adding handle: recv: 0 * Curl_addHandleToPipeline: length: 1 * - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0 * Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0) * successfully set certificate verify locations: * CAfile: /etc/ipa/ca.crt CApath: none * SSL connection using AES256-SHA * Server certificate: * subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com * start date: 2015-09-30 17:52:11 GMT * expire date: 2017-09-30 17:52:11 GMT * common name: freeipa.cyberfuel.com (matched) * issuer: O=CYBERFUEL.COM; CN=Certificate Authority * SSL certificate verify ok. > POST /ipa/xml HTTP/1.1 Host: freeipa.cyberfuel.com Accept: */* Content-Type: text/xml User-Agent: ipa-join/3.0.0 Referer: https://freeipa.cyberfuel.com/ipa/xml X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1 Content-Length: 477 * upload completely sent off: 477 out of 477 bytes < HTTP/1.1 401 Authorization Required < Date: Fri, 29 Apr 2016 16:16:32 GMT * Server Apache/2.2.15 (CentOS) is not blacklisted < Server: Apache/2.2.15 (CentOS) < WWW-Authenticate: Negotiate < Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT < ETag: "a0528-55a-53051ba8f7000" < Accept-Ranges: bytes < Content-Length: 1370 < Connection: close < Content-Type: text/html; charset=UTF-8 < * Closing connection 0 HTTP response code is 401, not 200 Installation failed. Rolling back changes. IPA client is not configured on this system. ------------------------------------------------- It's the version curl IPA server [root at freeipa log]# rpm -qa | grep curl python-pycurl-7.19.0-8.el6.x86_64 curl-7.19.7-46.el6.x86_64 libcurl-7.19.7-46.el6.x86_64 [root at freeipa log]# It's the version curl PPA server(IPA Client) [root at ppa named]# rpm -qa | grep curl curl-7.31.0-1.el6.x86_64 python-pycurl-7.19.0-8.el6.x86_64 libcurl-7.31.0-1.el6.x86_64 libcurl-7.31.0-1.el6.i686 The version curl is different, but the version curl PPA is the repository Odin Plesk. 
-----------------------------------------------------
[root@ppa tmp]# cat kerberos_trace.log
[12118] 1461855578.809966: ccselect module realm chose cache FILE:/tmp/tmptSoqDX with client principal admin@CYBERFUEL.COM for server principal ldap/freeipa.cyberfuel.com@CYBERFUEL.COM
[12118] 1461855578.810171: Retrieving admin@CYBERFUEL.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not found
[12118] 1461855578.810252: Getting credentials admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM using ccache FILE:/tmp/tmptSoqDX
[12118] 1461855578.810369: Retrieving admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM from FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not found
[12118] 1461855578.810451: Retrieving admin@CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM@CYBERFUEL.COM from FILE:/tmp/tmptSoqDX with result: 0/Success
[12118] 1461855578.810476: Found cached TGT for service realm: admin@CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM@CYBERFUEL.COM
[12118] 1461855578.810509: Requesting tickets for ldap/freeipa.cyberfuel.com@CYBERFUEL.COM, referrals on
[12118] 1461855578.810612: Generated subkey for TGS request: aes256-cts/7377
[12118] 1461855578.810679: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
[12118] 1461855578.810913: Sending request (704 bytes) to CYBERFUEL.COM
[12118] 1461855578.811239: Resolving hostname freeipa.cyberfuel.com
[12118] 1461855578.811466: Initiating TCP connection to stream 192.168.0.90:88
[12118] 1461855578.811935: Sending TCP request to stream 192.168.0.90:88
[12118] 1461855578.816404: Received answer from stream 192.168.0.90:88
[12118] 1461855578.816714: Response was from master KDC
[12118] 1461855578.816906: TGS reply is for admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM with session key aes256-cts/BEB2
[12118] 1461855578.816977: TGS request result: 0/Success
[12118] 1461855578.817018: Received creds for desired service ldap/freeipa.cyberfuel.com@CYBERFUEL.COM
[12118] 1461855578.817066: Removing admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM from FILE:/tmp/tmptSoqDX
[12118] 1461855578.817107: Storing admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM in FILE:/tmp/tmptSoqDX
[12118] 1461855578.817413: Creating authenticator for admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM, seqnum 299651167, subkey aes256-cts/98D3, session key aes256-cts/BEB2
[12118] 1461855578.874786: ccselect module realm chose cache FILE:/tmp/tmptSoqDX with client principal admin@CYBERFUEL.COM for server principal ldap/freeipa.cyberfuel.com@CYBERFUEL.COM
[12118] 1461855578.874938: Retrieving admin@CYBERFUEL.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not found
[12118] 1461855578.875079: Read AP-REP, time 1461855578.817442, subkey aes256-cts/4B32, seqnum 706045221
[17304] 1461858424.873888: ccselect module realm chose cache FILE:/tmp/tmpH0QF6P with client principal admin@CYBERFUEL.COM for server principal ldap/freeipa.cyberfuel.com@CYBERFUEL.COM
[17304] 1461858424.874126: Retrieving admin@CYBERFUEL.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not found
[17304] 1461858424.874220: Getting credentials admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM using ccache FILE:/tmp/tmpH0QF6P
[17304] 1461858424.874413: Retrieving admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM from FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not found
[17304] 1461858424.874531: Retrieving admin@CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM@CYBERFUEL.COM from FILE:/tmp/tmpH0QF6P with result: 0/Success
[17304] 1461858424.874603: Found cached TGT for service realm: admin@CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM@CYBERFUEL.COM
[17304] 1461858424.874631: Requesting tickets for ldap/freeipa.cyberfuel.com@CYBERFUEL.COM, referrals on
[17304] 1461858424.874747: Generated subkey for TGS request: aes256-cts/8C33
[17304] 1461858424.874788: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
[17304] 1461858424.875121: Sending request (704 bytes) to CYBERFUEL.COM
[17304] 1461858424.875525: Resolving hostname freeipa.cyberfuel.com
[17304] 1461858424.875805: Initiating TCP connection to stream 192.168.20.90:88
[17304] 1461858424.877976: Sending TCP request to stream 192.168.20.90:88
[17304] 1461858424.882385: Received answer from stream 192.168.20.90:88
[17304] 1461858424.882531: Response was from master KDC
[17304] 1461858424.882775: TGS reply is for admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM with session key aes256-cts/20DA
[17304] 1461858424.882850: TGS request result: 0/Success
[17304] 1461858424.882883: Received creds for desired service ldap/freeipa.cyberfuel.com@CYBERFUEL.COM
[17304] 1461858424.882918: Removing admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM from FILE:/tmp/tmpH0QF6P
[17304] 1461858424.882951: Storing admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM in FILE:/tmp/tmpH0QF6P
[17304] 1461858424.883271: Creating authenticator for admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM, seqnum 443746416, subkey aes256-cts/13DE, session key aes256-cts/20DA
[17304] 1461858424.898190: ccselect module realm chose cache FILE:/tmp/tmpH0QF6P with client principal admin@CYBERFUEL.COM for server principal ldap/freeipa.cyberfuel.com@CYBERFUEL.COM
[17304] 1461858424.898401: Retrieving admin@CYBERFUEL.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not found
[17304] 1461858424.898615: Read AP-REP, time 1461858424.883334, subkey aes256-cts/A0F5, seqnum 906104721
[23457] 1461863053.621386: ccselect module realm chose cache FILE:/tmp/tmp576FE3 with client principal admin@CYBERFUEL.COM for server principal ldap/freeipa.cyberfuel.com@CYBERFUEL.COM
[23457] 1461863053.621602: Retrieving admin@CYBERFUEL.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not found
[23457] 1461863053.621719: Getting credentials admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM using ccache FILE:/tmp/tmp576FE3
[23457] 1461863053.621918: Retrieving admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM from FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not found
[23457] 1461863053.622097: Retrieving admin@CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM@CYBERFUEL.COM from FILE:/tmp/tmp576FE3 with result: 0/Success
[23457] 1461863053.622144: Found cached TGT for service realm: admin@CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM@CYBERFUEL.COM
[23457] 1461863053.622176: Requesting tickets for ldap/freeipa.cyberfuel.com@CYBERFUEL.COM, referrals on
[23457] 1461863053.622288: Generated subkey for TGS request: aes256-cts/897C
[23457] 1461863053.622331: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
[23457] 1461863053.622662: Sending request (704 bytes) to CYBERFUEL.COM
[23457] 1461863053.623133: Resolving hostname freeipa.cyberfuel.com
[23457] 1461863053.623367: Initiating TCP connection to stream 192.168.20.90:88
[23457] 1461863053.623866: Sending TCP request to stream 192.168.20.90:88
[23457] 1461863053.627939: Received answer from stream 192.168.20.90:88
[23457] 1461863053.628229: Response was from master KDC
[23457] 1461863053.628485: TGS reply is for admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM with session key aes256-cts/9E88
[23457] 1461863053.628560: TGS request result: 0/Success
[23457] 1461863053.628610: Received creds for desired service ldap/freeipa.cyberfuel.com@CYBERFUEL.COM
[23457] 1461863053.628655: Removing admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM from FILE:/tmp/tmp576FE3
[23457] 1461863053.628689: Storing admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM in FILE:/tmp/tmp576FE3
[23457] 1461863053.629119: Creating authenticator for admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM, seqnum 13046067, subkey aes256-cts/BAC3, session key aes256-cts/9E88
[23457] 1461863053.640471: ccselect module realm chose cache FILE:/tmp/tmp576FE3 with client principal admin@CYBERFUEL.COM for server principal ldap/freeipa.cyberfuel.com@CYBERFUEL.COM
[23457] 1461863053.640721: Retrieving admin@CYBERFUEL.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not found
[23457] 1461863053.640909: Read AP-REP, time 1461863053.629208, subkey aes256-cts/8866, seqnum 421358565
[23749] 1461863277.525338: ccselect module realm chose cache FILE:/tmp/tmprfuOsj with client principal admin@CYBERFUEL.COM for server principal ldap/freeipa.cyberfuel.com@CYBERFUEL.COM
[23749] 1461863277.525435: Retrieving admin@CYBERFUEL.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not found
[23749] 1461863277.525469: Getting credentials admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM using ccache FILE:/tmp/tmprfuOsj
[23749] 1461863277.525529: Retrieving admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM from FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not found
[23749] 1461863277.525572: Retrieving admin@CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM@CYBERFUEL.COM from FILE:/tmp/tmprfuOsj with result: 0/Success
[23749] 1461863277.525584: Found cached TGT for service realm: admin@CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM@CYBERFUEL.COM
[23749] 1461863277.525593: Requesting tickets for ldap/freeipa.cyberfuel.com@CYBERFUEL.COM, referrals on
[23749] 1461863277.525645: Generated subkey for TGS request: aes256-cts/C22D
[23749] 1461863277.525662: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
[23749] 1461863277.525806: Sending request (704 bytes) to CYBERFUEL.COM
[23749] 1461863277.526052: Resolving hostname freeipa.cyberfuel.com
[23749] 1461863277.526161: Initiating TCP connection to stream 192.168.20.90:88
[23749] 1461863277.526440: Sending TCP request to stream 192.168.20.90:88
[23749] 1461863277.530652: Received answer from stream 192.168.20.90:88
[23749] 1461863277.530737: Response was from master KDC
[23749] 1461863277.530881: TGS reply is for admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM with session key aes256-cts/79C3
[23749] 1461863277.530931: TGS request result: 0/Success
[23749] 1461863277.530948: Received creds for desired service ldap/freeipa.cyberfuel.com@CYBERFUEL.COM
[23749] 1461863277.530962: Removing admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM from FILE:/tmp/tmprfuOsj
[23749] 1461863277.530971: Storing admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM in FILE:/tmp/tmprfuOsj
[23749] 1461863277.531133: Creating authenticator for admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM, seqnum 1019693263, subkey aes256-cts/B3E0, session key aes256-cts/79C3
[23749] 1461863277.542808: ccselect module realm chose cache FILE:/tmp/tmprfuOsj with client principal admin@CYBERFUEL.COM for server principal ldap/freeipa.cyberfuel.com@CYBERFUEL.COM
[23749] 1461863277.542889: Retrieving admin@CYBERFUEL.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not found
[23749] 1461863277.542988: Read AP-REP, time 1461863277.531150, subkey aes256-cts/5194, seqnum 376027188
[25544] 1461864401.258277: ccselect module realm chose cache FILE:/tmp/tmpbzX7EN with client principal admin@CYBERFUEL.COM for server principal ldap/freeipa.cyberfuel.com@CYBERFUEL.COM
[25544] 1461864401.258584: Retrieving admin@CYBERFUEL.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not found
[25544] 1461864401.258678: Getting credentials admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM using ccache FILE:/tmp/tmpbzX7EN
[25544] 1461864401.258873: Retrieving admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM from FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not found
[25544] 1461864401.259040: Retrieving admin@CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM@CYBERFUEL.COM from FILE:/tmp/tmpbzX7EN with result: 0/Success
[25544] 1461864401.259076: Found cached TGT for service realm: admin@CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM@CYBERFUEL.COM
[25544] 1461864401.259102: Requesting tickets for ldap/freeipa.cyberfuel.com@CYBERFUEL.COM, referrals on
[25544] 1461864401.259244: Generated subkey for TGS request: aes256-cts/277A
[25544] 1461864401.259291: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
[25544] 1461864401.259676: Sending request (704 bytes) to CYBERFUEL.COM
[25544] 1461864401.260108: Resolving hostname freeipa.cyberfuel.com
[25544] 1461864401.260361: Initiating TCP connection to stream 192.168.20.90:88
[25544] 1461864401.260980: Sending TCP request to stream 192.168.20.90:88
[25544] 1461864401.264399: Received answer from stream 192.168.20.90:88
[25544] 1461864401.264593: Response was from master KDC
[25544] 1461864401.264893: TGS reply is for admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM with session key aes256-cts/9106
[25544] 1461864401.264966: TGS request result: 0/Success
[25544] 1461864401.264996: Received creds for desired service ldap/freeipa.cyberfuel.com@CYBERFUEL.COM
[25544] 1461864401.265029: Removing admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM from FILE:/tmp/tmpbzX7EN
[25544] 1461864401.265058: Storing admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM in FILE:/tmp/tmpbzX7EN
[25544] 1461864401.265581: Creating authenticator for admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM, seqnum 921501424, subkey aes256-cts/99EA, session key aes256-cts/9106
[25544] 1461864401.275884: ccselect module realm chose cache FILE:/tmp/tmpbzX7EN with client principal admin@CYBERFUEL.COM for server principal ldap/freeipa.cyberfuel.com@CYBERFUEL.COM
[25544] 1461864401.276059: Retrieving admin@CYBERFUEL.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not found
[25544] 1461864401.276196: Read AP-REP, time 1461864401.265627, subkey aes256-cts/0E9F, seqnum 871496824
[18097] 1461937028.664354: ccselect module realm chose cache FILE:/tmp/tmpF9x_o8 with client principal admin@CYBERFUEL.COM for server principal ldap/freeipa.cyberfuel.com@CYBERFUEL.COM
[18097] 1461937028.664456: Retrieving admin@CYBERFUEL.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not found
[18097] 1461937028.664490: Getting credentials admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM using ccache FILE:/tmp/tmpF9x_o8
[18097] 1461937028.664549: Retrieving admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM from FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not found
[18097] 1461937028.664590: Retrieving admin@CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM@CYBERFUEL.COM from FILE:/tmp/tmpF9x_o8 with result: 0/Success
[18097] 1461937028.664601: Found cached TGT for service realm: admin@CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM@CYBERFUEL.COM
[18097] 1461937028.664611: Requesting tickets for ldap/freeipa.cyberfuel.com@CYBERFUEL.COM, referrals on
[18097] 1461937028.664700: Generated subkey for TGS request: aes256-cts/6372
[18097] 1461937028.664727: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
[18097] 1461937028.664865: Sending request (704 bytes) to CYBERFUEL.COM
[18097] 1461937028.665035: Resolving hostname freeipa.cyberfuel.com
[18097] 1461937028.665136: Initiating TCP connection to stream 192.168.20.90:88
[18097] 1461937028.665510: Sending TCP request to stream 192.168.20.90:88
[18097] 1461937028.668919: Received answer from stream 192.168.20.90:88
[18097] 1461937028.668984: Response was from master KDC
[18097] 1461937028.669109: TGS reply is for admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM with session key aes256-cts/9592
[18097] 1461937028.669136: TGS request result: 0/Success
[18097] 1461937028.669156: Received creds for desired service ldap/freeipa.cyberfuel.com@CYBERFUEL.COM
[18097] 1461937028.669167: Removing admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM from FILE:/tmp/tmpF9x_o8
[18097] 1461937028.669176: Storing admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM in FILE:/tmp/tmpF9x_o8
[18097] 1461937028.669304: Creating authenticator for admin@CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com@CYBERFUEL.COM, seqnum 940175329, subkey aes256-cts/53B9, session key aes256-cts/9592
[18097] 1461937028.676414: ccselect module realm chose cache FILE:/tmp/tmpF9x_o8 with client principal admin@CYBERFUEL.COM for server principal ldap/freeipa.cyberfuel.com@CYBERFUEL.COM
[18097] 1461937028.676470: Retrieving admin@CYBERFUEL.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not found
[18097] 1461937028.676534: Read AP-REP, time 1461937028.669328, subkey aes256-cts/26C4, seqnum 864174069
-----------------------------------

Regards

Jose Alvarez

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Friday, 29 April 2016 09:34 a.m.
To: Jose Alvarez R. ; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200

Jose Alvarez R. wrote:
> Hi Users
>
> Can you help me?
>
> I have a problem joining a client to my FreeIPA server. The IPA server
> version is 3.0 and the IPA client is 3.0
>
> When I join my client to the IPA server it shows these errors:
>
> [root@ppa ~]# tail -f /var/log/ipaclient-install.log
> 2016-04-28T17:26:41Z DEBUG stderr=
> 2016-04-28T17:26:41Z DEBUG trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
> 2016-04-28T17:26:41Z DEBUG Existing CA cert and Retrieved CA cert are identical
> 2016-04-28T17:26:41Z DEBUG args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b dc=cyberfuel,dc=com
> 2016-04-28T17:26:41Z DEBUG stdout=
> 2016-04-28T17:26:41Z DEBUG stderr=HTTP response code is 401, not 200
> 2016-04-28T17:26:41Z ERROR Joining realm failed: HTTP response code is 401, not 200
> 2016-04-28T17:26:41Z ERROR Installation failed. Rolling back changes.
> 2016-04-28T17:26:41Z ERROR IPA client is not configured on this system.

I'd look in the 389-ds access and error logs on the IPA server to see if there are any more details. Look for the BIND from the client and see what happens.

More context from the log file might be helpful.

I believe if you run the client installer with --debug then additional flags are passed to ipa-join to include the XML-RPC conversation, and that might be useful too.

What account are you using to enroll with, admin?
rob

From rcritten at redhat.com Fri Apr 29 17:04:50 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 29 Apr 2016 13:04:50 -0400
Subject: [Freeipa-users] IPA server having cert issues
In-Reply-To: <57238ECC.7010907@damascusgrp.com>
References: <571F586E.2000302@damascusgrp.com> <571F9092.7060204@damascusgrp.com> <571F9E04.2050400@damascusgrp.com> <571FA944.8040003@redhat.com> <571FAE1C.107@damascusgrp.com> <57208EE1.3000006@damascusgrp.com> <5720D0A8.505@damascusgrp.com> <5720F2AB.3000300@redhat.com> <572103CE.6030404@damascusgrp.com> <5722193A.40101@damascusgrp.com> <2dac740d-a1fe-5579-6841-d410ee0ec5fc@redhat.com> <5722311B.7040806@damascusgrp.com> <11f8848a-a71f-e98a-ac1c-6656f4cd4df1@redhat.com> <57223AC2.4020603@damascusgrp.com> <5723317B.8090900@damascusgrp.com> <054f2a45-6c3f-a88a-29aa-b4cf51bcb25c@redhat.com> <57235944.1080306@damascusgrp.com> <11761686-346d-7565-68d5-a6f8689ff3e4@redhat.com> <572374E1.1030902@damascusgrp.com> <49c392e7-3ed0-c46c-f09e-ec683644f0c1@redhat.com> <57238907.2000101@damascusgrp.com> <57238ECC.7010907@damascusgrp.com>
Message-ID: <57239432.7000708@redhat.com>

Bret Wortman wrote:
> We run with selinux disabled.
>
> # getenforce
> Disabled
> # restorecon -R -v /etc/httpd/alias
> # ipactl start
> Starting Directory Service
> Starting krb5kdc Service
> Starting kadmin Service
> Starting named Service
> Starting ipa_memcached Service
> Starting httpd Service
> Starting pki-tomcatd Service
> Failed to start pki-tomcatd Service
> Shutting down
> Aborting ipactl
> # ipactl status
> Directory Service: STOPPED
> Directory Service must be running in order to obtain status of other services
> ipa: INFO: The ipactl command was successful
> #

The problem is permissions. Try:

# chgrp apache /etc/httpd/alias/*.db

The mode is ok, Apache only needs read access.

The segfault is fixed upstream and actual usable error messages are reported. The init system doesn't see it as a failure because this happens after Apache forks its children.

I'd also consider re-enabling SELinux eventually.

rob

>
>
>
> On 04/29/2016 12:25 PM, Christian Heimes wrote:
>> On 2016-04-29 18:17, Bret Wortman wrote:
>>> I'll put the results inline here, since they're short.
>>>
>>> [root@zsipa log]# ls -laZ /etc/httpd/
>>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 .
>>> drwxr-xr-x. root root system_u:object_r:etc_t:s0 ..
>>> drwxr-xr-x. root root system_u:object_r:cert_t:s0 alias
>>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf
>>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.d
>>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.modules.d
>>> lrwxrwxrwx root root ? logs -> ../../var/log/httpd
>>> lrwxrwxrwx root root ? modules -> ../../usr/lib64/httpd/modules
>>> lrwxrwxrwx root root ? run -> /run/httpd
>>> [root@zsipa log]# ls -laZ /etc/httpd/alias
>>> drwxr-xr-x. root root system_u:object_r:cert_t:s0 .
>>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 ..
>>> -r--r--r-- root root ? cacert.asc
>>> -r--r--r-- root root ? cacert.asc.orig
>>> -rw-r----- root root ? cert8.db
>>> -rw-rw---- root apache ? cert8.db.20160426
>>> -rw-rw---- root apache ? cert8.db.orig
>>> -rw-------. root root system_u:object_r:cert_t:s0 install.log
>>> -rw-r----- root root ? key3.db
>>> -rw-rw---- root apache ? key3.db.20160426
>>> -rw-rw---- root apache ? key3.db.orig
>>> lrwxrwxrwx root root ? libnssckbi.so -> ../../..//usr/lib64/libnssckbi.so
>>> -rw-rw---- root apache ? pwdfile.txt
>>> -rw-rw---- root apache ? pwdfile.txt.orig
>>> -rw-rw---- root apache ? secmod.db
>>> -rw-rw---- root apache ? secmod.db.orig
>> Some files don't have the correct SELinux context or are completely
>> missing a context. SELinux prevents Apache from accessing these files.
>> Did you replace some files or restore some from a backup? You should see
>> a bunch of SELinux violations in your audit log.
>>
>> In order to restore the correct context, please run restorecon:
>>
>> # restorecon -R -v /etc/httpd/alias
>>
>> This should set correct contexts and allow you to start Apache HTTPD again.
>>
>> Christian
>>
>
>
>

From bret.wortman at damascusgrp.com Fri Apr 29 17:07:53 2016
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Fri, 29 Apr 2016 13:07:53 -0400
Subject: [Freeipa-users] IPA server having cert issues
In-Reply-To: <57239432.7000708@redhat.com>
References: <571F586E.2000302@damascusgrp.com> <571F9E04.2050400@damascusgrp.com> <571FA944.8040003@redhat.com> <571FAE1C.107@damascusgrp.com> <57208EE1.3000006@damascusgrp.com> <5720D0A8.505@damascusgrp.com> <5720F2AB.3000300@redhat.com> <572103CE.6030404@damascusgrp.com> <5722193A.40101@damascusgrp.com> <2dac740d-a1fe-5579-6841-d410ee0ec5fc@redhat.com> <5722311B.7040806@damascusgrp.com> <11f8848a-a71f-e98a-ac1c-6656f4cd4df1@redhat.com> <57223AC2.4020603@damascusgrp.com> <5723317B.8090900@damascusgrp.com> <054f2a45-6c3f-a88a-29aa-b4cf51bcb25c@redhat.com> <57235944.1080306@damascusgrp.com> <11761686-346d-7565-68d5-a6f8689ff3e4@redhat.com> <572374E1.1030902@damascusgrp.com> <49c392e7-3ed0-c46c-f09e-ec683644f0c1@redhat.com> <57238907.2000101@damascusgrp.com> <57238ECC.7010907@damascusgrp.com> <57239432.7000708@redhat.com>
Message-ID: <572394E9.2030208@damascusgrp.com>

Hot damn! It's up and running. Web UI works. CLI works. The chgrp did the trick.

Thank you Rob, Petr and Christian!

Bret

On 04/29/2016 01:04 PM, Rob Crittenden wrote:
> Bret Wortman wrote:
>> We run with selinux disabled.
>>
>> # getenforce
>> Disabled
>> # restorecon -R -v /etc/httpd/alias
>> # ipactl start
>> Starting Directory Service
>> Starting krb5kdc Service
>> Starting kadmin Service
>> Starting named Service
>> Starting ipa_memcached Service
>> Starting httpd Service
>> Starting pki-tomcatd Service
>> Failed to start pki-tomcatd Service
>> Shutting down
>> Aborting ipactl
>> # ipactl status
>> Directory Service: STOPPED
>> Directory Service must be running in order to obtain status of other services
>> ipa: INFO: The ipactl command was successful
>> #
>
> The problem is permissions. Try:
>
> # chgrp apache /etc/httpd/alias/*.db
>
> The mode is ok, Apache only needs read access.
>
> The segfault is fixed upstream and actual usable error messages are
> reported. The init system doesn't see it as a failure because this
> happens after Apache forks its children.
>
> I'd also consider re-enabling SELinux eventually.
>
> rob
>
>>
>>
>>
>> On 04/29/2016 12:25 PM, Christian Heimes wrote:
>>> On 2016-04-29 18:17, Bret Wortman wrote:
>>>> I'll put the results inline here, since they're short.
>>>>
>>>> [root@zsipa log]# ls -laZ /etc/httpd/
>>>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 .
>>>> drwxr-xr-x. root root system_u:object_r:etc_t:s0 ..
>>>> drwxr-xr-x. root root system_u:object_r:cert_t:s0 alias
>>>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf
>>>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.d
>>>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.modules.d
>>>> lrwxrwxrwx root root ? logs -> ../../var/log/httpd
>>>> lrwxrwxrwx root root ? modules -> ../../usr/lib64/httpd/modules
>>>> lrwxrwxrwx root root ? run -> /run/httpd
>>>> [root@zsipa log]# ls -laZ /etc/httpd/alias
>>>> drwxr-xr-x. root root system_u:object_r:cert_t:s0 .
>>>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 ..
>>>> -r--r--r-- root root ? cacert.asc
>>>> -r--r--r-- root root ? cacert.asc.orig
>>>> -rw-r----- root root ? cert8.db
>>>> -rw-rw---- root apache ? cert8.db.20160426
>>>> -rw-rw---- root apache ? cert8.db.orig
>>>> -rw-------. root root system_u:object_r:cert_t:s0 install.log
>>>> -rw-r----- root root ? key3.db
>>>> -rw-rw---- root apache ? key3.db.20160426
>>>> -rw-rw---- root apache ? key3.db.orig
>>>> lrwxrwxrwx root root ? libnssckbi.so -> ../../..//usr/lib64/libnssckbi.so
>>>> -rw-rw---- root apache ? pwdfile.txt
>>>> -rw-rw---- root apache ? pwdfile.txt.orig
>>>> -rw-rw---- root apache ? secmod.db
>>>> -rw-rw---- root apache ? secmod.db.orig
>>> Some files don't have the correct SELinux context or are completely
>>> missing a context. SELinux prevents Apache from accessing these files.
>>> Did you replace some files or restore some from a backup? You should see
>>> a bunch of SELinux violations in your audit log.
>>>
>>> In order to restore the correct context, please run restorecon:
>>>
>>> # restorecon -R -v /etc/httpd/alias
>>>
>>> This should set correct contexts and allow you to start Apache HTTPD again.
>>>
>>> Christian
>>>
>>
>>
>>
>

From barrykfl at gmail.com Fri Apr 29 17:10:52 2016
From: barrykfl at gmail.com (barrykfl at gmail.com)
Date: Sat, 30 Apr 2016 01:10:52 +0800
Subject: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire
In-Reply-To: <57234734.6050601@redhat.com>
References: <5723436E.8030206@redhat.com> <57234734.6050601@redhat.com>
Message-ID:

ipa-server-3.0.0-37.el6.x86_64 << here

2016-04-29 19:36 GMT+08:00 Martin Basti:

> Please keep the user list in CC
>
> You did not send all the information I requested.
>
> Please use `rpm -ql ipa-server` to get the exact version number
>
>
> On 29.04.2016 13:32, barrykfl at gmail.com wrote:
>
> The error is from GSSAPI and I'm wondering if it is related to a cert issue.
>
> Server1 > server 2 fail
> Server 2 > server1 ok
>
> FreeIPA 3.0 both
>
> slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found)) errno 0 (Success)
> [26/Apr/2016:18:40:19 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [26/Apr/2016:18:40:19 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found))
> [26/Apr/2016:18:40:19 +0800] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [26/Apr/2016:18:40:19 +0800] - Listening on /var/run/slapd-ABC-COM.socket for LDAPI requests
> [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389): Replication bind with GSSAPI auth resumed
> [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389): Missing data encountered
> [26/Apr/2016:18:40:23 +0800]
>
>
> On 29.04.2016 13:02, barrykfl at gmail.com wrote:
>
> Hi All:
>
> Is there any method to fall back to the default IPA cert if I didn't back up the original?
>
> Now the slapd and IPA cert storage are quite a mess, so they can't replicate
> even with nsslapd-security disabled (set to off)
>
>
> thx
> Barry
>
>
> Hello Barry,
>
> Can you provide more info?
>
> What is your IPA version, OS?
> What are the symptoms you are experiencing?
> What do you mean by default IPA cert?
> Can you provide logs from replicas?
> Can you provide `getcert list` command output?
> Can you provide `ipactl status` from both servers?
>
> Replication uses GSSAPI, at least on new IPA versions, I'm not sure if
> certificates are involved in this.
>
> Martin
>
>

From barrykfl at gmail.com Fri Apr 29 17:13:02 2016
From: barrykfl at gmail.com (barrykfl at gmail.com)
Date: Sat, 30 Apr 2016 01:13:02 +0800
Subject: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire
In-Reply-To:
References: <5723436E.8030206@redhat.com> <57234734.6050601@redhat.com>
Message-ID:

server 1: ipa-server-3.0.0-26.el6_4.4.x86_64

server 2: ipa-server-3.0.0-37.el6.x86_64

2016-04-30 1:10 GMT+08:00 :

>
> ipa-server-3.0.0-37.el6.x86_64 << here
>
> 2016-04-29 19:36 GMT+08:00 Martin Basti:
>
>> Please keep the user list in CC
>>
>> You did not send all the information I requested.
>>
>> Please use `rpm -ql ipa-server` to get the exact version number
>>
>>
>> On 29.04.2016 13:32, barrykfl at gmail.com wrote:
>>
>> The error is from GSSAPI and I'm wondering if it is related to a cert issue.
>>
>> Server1 > server 2 fail
>> Server 2 > server1 ok
>>
>> FreeIPA 3.0 both
>>
>> slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found)) errno 0 (Success)
>> [26/Apr/2016:18:40:19 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [26/Apr/2016:18:40:19 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found))
>> [26/Apr/2016:18:40:19 +0800] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>> [26/Apr/2016:18:40:19 +0800] - Listening on /var/run/slapd-ABC-COM.socket for LDAPI requests
>> [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389): Replication bind with GSSAPI auth resumed
>> [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389): Missing data encountered
>> [26/Apr/2016:18:40:23 +0800]
>>
>>
>> On 29.04.2016 13:02, barrykfl at gmail.com wrote:
>>
>> Hi All:
>>
>> Is there any method to fall back to the default IPA cert if I didn't back up the original?
>>
>> Now the slapd and IPA cert storage are quite a mess, so they can't replicate
>> even with nsslapd-security disabled (set to off)
>>
>>
>> thx
>> Barry
>>
>>
>> Hello Barry,
>>
>> Can you provide more info?
>>
>> What is your IPA version, OS?
>> What are the symptoms you are experiencing?
>> What do you mean by default IPA cert?
>> Can you provide logs from replicas?
>> Can you provide `getcert list` command output?
>> Can you provide `ipactl status` from both servers?
>>
>> Replication uses GSSAPI, at least on new IPA versions, I'm not sure if
>> certificates are involved in this.
>>
>> Martin
>>
>>
>

From rcritten at redhat.com Fri Apr 29 17:14:07 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 29 Apr 2016 13:14:07 -0400
Subject: [Freeipa-users] HTTP response code is 401, not 200
In-Reply-To: <06b701d1a238$a151b590$e3f520b0$@cyberfuel.com>
References: <04e201d1a219$7a6497f0$6f2dc7d0$@cyberfuel.com> <57237EFE.4010705@redhat.com> <06b701d1a238$a151b590$e3f520b0$@cyberfuel.com>
Message-ID: <5723965F.20102@redhat.com>

Jose Alvarez R. wrote:
> Hi Rob, thanks for your response
>
> Yes, it's with admin.

I assume this is a problem with your version of xmlrpc-c.
We use standard xmlrpc-c calls to set up authentication and IIRC that links against libcurl, which provides the Kerberos/GSSAPI support.

On EL6 you need xmlrpc-c >= 1.16.24-1200.1840.2

I'm confused about the versions. You mention PPA but include what look like RPM versions that seem to point to RHEL 6.

rob

>
> I executed the command "ipa-client-install --debug"
> -------------------------------------------------------------------------
>
>
> [root@ppa named]# ipa-client-install --debug
> /usr/sbin/ipa-client-install was invoked with options: {'domain': None, 'force': False, 'realm_name': None, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain': False, 'principal': None, 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join': False, 'ca_cert_file': None, 'server': None, 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': False, 'uninstall': False}
> missing options might be asked for interactively later
> Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
> Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
> [IPA Discovery]
> Starting IPA discovery with domain=None, servers=None, hostname=ppa.cyberfuel.com
> Start searching for LDAP SRV record in "cyberfuel.com" (domain of the hostname) and its sub-domains
> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
> DNS record found: DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
> [Kerberos realm search]
> Search DNS for TXT record of _kerberos.cyberfuel.com.
> DNS record found: DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFUEL.COM}
> Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
> DNS record found: DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
> [LDAP server check]
> Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server
> Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
> Search LDAP server for IPA base DN
> Check if naming context 'dc=cyberfuel,dc=com' is for IPA
> Naming context 'dc=cyberfuel,dc=com' is a valid IPA context
> Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)
> Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
> Discovery result: Success; server=freeipa.cyberfuel.com, domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com
> Validated servers: freeipa.cyberfuel.com
> will use discovered domain: cyberfuel.com
> Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS Discovery) and its sub-domains
> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
> DNS record found: DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
> DNS validated, enabling discovery
> will use discovered server: freeipa.cyberfuel.com
> Discovery was successful!
> will use discovered realm: CYBERFUEL.COM
> will use discovered basedn: dc=cyberfuel,dc=com
> Hostname: ppa.cyberfuel.com
> Hostname source: Machine's FQDN
> Realm: CYBERFUEL.COM
> Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
> DNS Domain: cyberfuel.com
> DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of the hostname)
> IPA Server: freeipa.cyberfuel.com
> IPA Server source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
> BaseDN: dc=cyberfuel,dc=com
> BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
>
> Continue to configure the system with these values? [no]: no
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
> [root@ppa named]#
> [root@ppa named]# ipa-client-install --debug
> /usr/sbin/ipa-client-install was invoked with options: {'domain': None, 'force': False, 'realm_name': None, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain': False, 'principal': None, 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join': False, 'ca_cert_file': None, 'server': None, 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': False, 'uninstall': False}
> missing options might be asked for interactively later
> Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
> Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
> [IPA Discovery]
> Starting IPA discovery with domain=None, servers=None, hostname=ppa.cyberfuel.com
> Start searching for LDAP SRV record in "cyberfuel.com" (domain of the hostname) and its sub-domains
> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
> DNS record found: > DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0, > port:389,weight:50,server:freeipa.cyberfuel.com.} > [Kerberos realm search] > Search DNS for TXT record of _kerberos.cyberfuel.com. > DNS record found: > DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFU > EL.COM} > Search DNS for SRV record of _kerberos._udp.cyberfuel.com. > DNS record found: > DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priorit > y:0,port:88,weight:50,server:freeipa.cyberfuel.com.} > [LDAP server check] > Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server > Init LDAP connection with: ldap://freeipa.cyberfuel.com:389 > Search LDAP server for IPA base DN > Check if naming context 'dc=cyberfuel,dc=com' is for IPA > Naming context 'dc=cyberfuel,dc=com' is a valid IPA context > Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub) > Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com > Discovery result: Success; server=freeipa.cyberfuel.com, > domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com > Validated servers: freeipa.cyberfuel.com > will use discovered domain: cyberfuel.com > Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS > Discovery) and its sub-domains > Search DNS for SRV record of _ldap._tcp.cyberfuel.com. > DNS record found: > DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0, > port:389,weight:50,server:freeipa.cyberfuel.com.} > DNS validated, enabling discovery > will use discovered server: freeipa.cyberfuel.com > Discovery was successful! 
> will use discovered realm: CYBERFUEL.COM > will use discovered basedn: dc=cyberfuel,dc=com > Hostname: ppa.cyberfuel.com > Hostname source: Machine's FQDN > Realm: CYBERFUEL.COM > Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com > DNS Domain: cyberfuel.com > DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of > the hostname) > IPA Server: freeipa.cyberfuel.com > IPA Server source: Discovered from LDAP DNS records in freeipa.cyberfuel.com > BaseDN: dc=cyberfuel,dc=com > BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389 > > Continue to configure the system with these values? [no]: yes > args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r CYBERFUEL.COM > stdout= > stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory > > User authorized to enroll computers: admin > will use principal provided as option: admin > Synchronizing time with KDC... > Search DNS for SRV record of _ntp._udp.cyberfuel.com. > No DNS record found > args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com > stdout= > stderr= > Writing Kerberos configuration to /tmp/tmpqWSatK: > #File modified by ipa-client-install > > includedir /var/lib/sss/pubconf/krb5.include.d/ > > [libdefaults] > default_realm = CYBERFUEL.COM > dns_lookup_realm = false > dns_lookup_kdc = false > rdns = false > ticket_lifetime = 24h > forwardable = yes > udp_preference_limit = 0 > > > [realms] > CYBERFUEL.COM = { > kdc = freeipa.cyberfuel.com:88 > master_kdc = freeipa.cyberfuel.com:88 > admin_server = freeipa.cyberfuel.com:749 > default_domain = cyberfuel.com > pkinit_anchors = FILE:/etc/ipa/ca.crt > > } > > > [domain_realm] > .cyberfuel.com = CYBERFUEL.COM > cyberfuel.com = CYBERFUEL.COM > > > > Password for admin at CYBERFUEL.COM: > args=kinit admin at CYBERFUEL.COM > stdout=Password for admin at CYBERFUEL.COM: > > stderr= > trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com > Existing CA cert and Retrieved CA cert are 
identical > args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b dc=cyberfuel,dc=com -d > stdout= > stderr=XML-RPC CALL: > > \r\n > \r\n > join\r\n > \r\n > \r\n > ppa.cyberfuel.com\r\n > \r\n > \r\n > nsosversion\r\n > 2.6.32-573.8.1.el6.x86_64\r\n > nshardwareplatform\r\n > x86_64\r\n > \r\n > \r\n > \r\n > > * About to connect() to freeipa.cyberfuel.com port 443 (#0) > * Trying 192.168.20.90... > * Adding handle: conn: 0x10bb2f0 > * Adding handle: send: 0 > * Adding handle: recv: 0 > * Curl_addHandleToPipeline: length: 1 > * - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0 > * Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0) > * successfully set certificate verify locations: > * CAfile: /etc/ipa/ca.crt > CApath: none > * SSL connection using AES256-SHA > * Server certificate: > * subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com > * start date: 2015-09-30 17:52:11 GMT > * expire date: 2017-09-30 17:52:11 GMT > * common name: freeipa.cyberfuel.com (matched) > * issuer: O=CYBERFUEL.COM; CN=Certificate Authority > * SSL certificate verify ok. 
>> POST /ipa/xml HTTP/1.1 > Host: freeipa.cyberfuel.com > Accept: */* > Content-Type: text/xml > User-Agent: ipa-join/3.0.0 > Referer: https://freeipa.cyberfuel.com/ipa/xml > X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1 > Content-Length: 477 > > * upload completely sent off: 477 out of 477 bytes > < HTTP/1.1 401 Authorization Required > < Date: Fri, 29 Apr 2016 16:16:32 GMT > * Server Apache/2.2.15 (CentOS) is not blacklisted > < Server: Apache/2.2.15 (CentOS) > < WWW-Authenticate: Negotiate > < Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT > < ETag: "a0528-55a-53051ba8f7000" > < Accept-Ranges: bytes > < Content-Length: 1370 > < Connection: close > < Content-Type: text/html; charset=UTF-8 > < > * Closing connection 0 > HTTP response code is 401, not 200 > > Joining realm failed: XML-RPC CALL: > > \r\n > \r\n > join\r\n > \r\n > \r\n > ppa.cyberfuel.com\r\n > \r\n > \r\n > nsosversion\r\n > 2.6.32-573.8.1.el6.x86_64\r\n > nshardwareplatform\r\n > x86_64\r\n > \r\n > \r\n > \r\n > > * About to connect() to freeipa.cyberfuel.com port 443 (#0) > * Trying 192.168.20.90... > * Adding handle: conn: 0x10bb2f0 > * Adding handle: send: 0 > * Adding handle: recv: 0 > * Curl_addHandleToPipeline: length: 1 > * - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0 > * Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0) > * successfully set certificate verify locations: > * CAfile: /etc/ipa/ca.crt > CApath: none > * SSL connection using AES256-SHA > * Server certificate: > * subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com > * start date: 2015-09-30 17:52:11 GMT > * expire date: 2017-09-30 17:52:11 GMT > * common name: freeipa.cyberfuel.com (matched) > * issuer: O=CYBERFUEL.COM; CN=Certificate Authority > * SSL certificate verify ok. 
> > POST /ipa/xml HTTP/1.1
> Host: freeipa.cyberfuel.com
> Accept: */*
> Content-Type: text/xml
> User-Agent: ipa-join/3.0.0
> Referer: https://freeipa.cyberfuel.com/ipa/xml
> X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
> Content-Length: 477
>
> * upload completely sent off: 477 out of 477 bytes
> < HTTP/1.1 401 Authorization Required
> < Date: Fri, 29 Apr 2016 16:16:32 GMT
> * Server Apache/2.2.15 (CentOS) is not blacklisted
> < Server: Apache/2.2.15 (CentOS)
> < WWW-Authenticate: Negotiate
> < Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT
> < ETag: "a0528-55a-53051ba8f7000"
> < Accept-Ranges: bytes
> < Content-Length: 1370
> < Connection: close
> < Content-Type: text/html; charset=UTF-8
> <
> * Closing connection 0
> HTTP response code is 401, not 200
>
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
> -------------------------------------------------
>
> This is the curl version on the IPA server:
>
> [root@freeipa log]# rpm -qa | grep curl
> python-pycurl-7.19.0-8.el6.x86_64
> curl-7.19.7-46.el6.x86_64
> libcurl-7.19.7-46.el6.x86_64
> [root@freeipa log]#
>
> This is the curl version on the PPA server (IPA client):
>
> [root@ppa named]# rpm -qa | grep curl
> curl-7.31.0-1.el6.x86_64
> python-pycurl-7.19.0-8.el6.x86_64
> libcurl-7.31.0-1.el6.x86_64
> libcurl-7.31.0-1.el6.i686
>
> The curl version is different, but the curl version on PPA comes from the
> Odin Plesk repository.
> > ----------------------------------------------------- > > > [root at ppa tmp]# cat kerberos_trace.log > > [12118] 1461855578.809966: ccselect module realm chose cache > FILE:/tmp/tmptSoqDX with client principal admin at CYBERFUEL.COM for server > principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM > [12118] 1461855578.810171: Retrieving admin at CYBERFUEL.COM -> > krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from > FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not found > [12118] 1461855578.810252: Getting credentials admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using ccache FILE:/tmp/tmptSoqDX > [12118] 1461855578.810369: Retrieving admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmptSoqDX with > result: -1765328243/Matching credential not found > [12118] 1461855578.810451: Retrieving admin at CYBERFUEL.COM -> > krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmptSoqDX with result: > 0/Success > [12118] 1461855578.810476: Found cached TGT for service realm: > admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM > [12118] 1461855578.810509: Requesting tickets for > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on > [12118] 1461855578.810612: Generated subkey for TGS request: aes256-cts/7377 > [12118] 1461855578.810679: etypes requested in TGS request: aes256-cts, > aes128-cts, des3-cbc-sha1, rc4-hmac > [12118] 1461855578.810913: Sending request (704 bytes) to CYBERFUEL.COM > [12118] 1461855578.811239: Resolving hostname freeipa.cyberfuel.com > [12118] 1461855578.811466: Initiating TCP connection to stream > 192.168.0.90:88 > [12118] 1461855578.811935: Sending TCP request to stream 192.168.0.90:88 > [12118] 1461855578.816404: Received answer from stream 192.168.0.90:88 > [12118] 1461855578.816714: Response was from master KDC > [12118] 1461855578.816906: TGS reply is for admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at 
CYBERFUEL.COM with session key aes256-cts/BEB2 > [12118] 1461855578.816977: TGS request result: 0/Success > [12118] 1461855578.817018: Received creds for desired service > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM > [12118] 1461855578.817066: Removing admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmptSoqDX > [12118] 1461855578.817107: Storing admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmptSoqDX > [12118] 1461855578.817413: Creating authenticator for admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, seqnum 299651167, subkey > aes256-cts/98D3, session key aes256-cts/BEB2 > [12118] 1461855578.874786: ccselect module realm chose cache > FILE:/tmp/tmptSoqDX with client principal admin at CYBERFUEL.COM for server > principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM > [12118] 1461855578.874938: Retrieving admin at CYBERFUEL.COM -> > krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from > FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not found > [12118] 1461855578.875079: Read AP-REP, time 1461855578.817442, subkey > aes256-cts/4B32, seqnum 706045221 > [17304] 1461858424.873888: ccselect module realm chose cache > FILE:/tmp/tmpH0QF6P with client principal admin at CYBERFUEL.COM for server > principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM > [17304] 1461858424.874126: Retrieving admin at CYBERFUEL.COM -> > krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from > FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not found > [17304] 1461858424.874220: Getting credentials admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using ccache FILE:/tmp/tmpH0QF6P > [17304] 1461858424.874413: Retrieving admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpH0QF6P with > result: -1765328243/Matching credential not found > [17304] 1461858424.874531: Retrieving admin at 
CYBERFUEL.COM -> > krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmpH0QF6P with result: > 0/Success > [17304] 1461858424.874603: Found cached TGT for service realm: > admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM > [17304] 1461858424.874631: Requesting tickets for > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on > [17304] 1461858424.874747: Generated subkey for TGS request: aes256-cts/8C33 > [17304] 1461858424.874788: etypes requested in TGS request: aes256-cts, > aes128-cts, des3-cbc-sha1, rc4-hmac > [17304] 1461858424.875121: Sending request (704 bytes) to CYBERFUEL.COM > [17304] 1461858424.875525: Resolving hostname freeipa.cyberfuel.com > [17304] 1461858424.875805: Initiating TCP connection to stream > 192.168.20.90:88 > [17304] 1461858424.877976: Sending TCP request to stream 192.168.20.90:88 > [17304] 1461858424.882385: Received answer from stream 192.168.20.90:88 > [17304] 1461858424.882531: Response was from master KDC > [17304] 1461858424.882775: TGS reply is for admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with session key aes256-cts/20DA > [17304] 1461858424.882850: TGS request result: 0/Success > [17304] 1461858424.882883: Received creds for desired service > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM > [17304] 1461858424.882918: Removing admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpH0QF6P > [17304] 1461858424.882951: Storing admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmpH0QF6P > [17304] 1461858424.883271: Creating authenticator for admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, seqnum 443746416, subkey > aes256-cts/13DE, session key aes256-cts/20DA > [17304] 1461858424.898190: ccselect module realm chose cache > FILE:/tmp/tmpH0QF6P with client principal admin at CYBERFUEL.COM for server > principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM > [17304] 1461858424.898401: 
Retrieving admin at CYBERFUEL.COM -> > krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from > FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not found > [17304] 1461858424.898615: Read AP-REP, time 1461858424.883334, subkey > aes256-cts/A0F5, seqnum 906104721 > [23457] 1461863053.621386: ccselect module realm chose cache > FILE:/tmp/tmp576FE3 with client principal admin at CYBERFUEL.COM for server > principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM > [23457] 1461863053.621602: Retrieving admin at CYBERFUEL.COM -> > krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from > FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not found > [23457] 1461863053.621719: Getting credentials admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using ccache FILE:/tmp/tmp576FE3 > [23457] 1461863053.621918: Retrieving admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmp576FE3 with > result: -1765328243/Matching credential not found > [23457] 1461863053.622097: Retrieving admin at CYBERFUEL.COM -> > krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmp576FE3 with result: > 0/Success > [23457] 1461863053.622144: Found cached TGT for service realm: > admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM > [23457] 1461863053.622176: Requesting tickets for > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on > [23457] 1461863053.622288: Generated subkey for TGS request: aes256-cts/897C > [23457] 1461863053.622331: etypes requested in TGS request: aes256-cts, > aes128-cts, des3-cbc-sha1, rc4-hmac > [23457] 1461863053.622662: Sending request (704 bytes) to CYBERFUEL.COM > [23457] 1461863053.623133: Resolving hostname freeipa.cyberfuel.com > [23457] 1461863053.623367: Initiating TCP connection to stream > 192.168.20.90:88 > [23457] 1461863053.623866: Sending TCP request to stream 192.168.20.90:88 > [23457] 1461863053.627939: Received answer from stream 
192.168.20.90:88 > [23457] 1461863053.628229: Response was from master KDC > [23457] 1461863053.628485: TGS reply is for admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with session key aes256-cts/9E88 > [23457] 1461863053.628560: TGS request result: 0/Success > [23457] 1461863053.628610: Received creds for desired service > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM > [23457] 1461863053.628655: Removing admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmp576FE3 > [23457] 1461863053.628689: Storing admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmp576FE3 > [23457] 1461863053.629119: Creating authenticator for admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, seqnum 13046067, subkey > aes256-cts/BAC3, session key aes256-cts/9E88 > [23457] 1461863053.640471: ccselect module realm chose cache > FILE:/tmp/tmp576FE3 with client principal admin at CYBERFUEL.COM for server > principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM > [23457] 1461863053.640721: Retrieving admin at CYBERFUEL.COM -> > krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from > FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not found > [23457] 1461863053.640909: Read AP-REP, time 1461863053.629208, subkey > aes256-cts/8866, seqnum 421358565 > [23749] 1461863277.525338: ccselect module realm chose cache > FILE:/tmp/tmprfuOsj with client principal admin at CYBERFUEL.COM for server > principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM > [23749] 1461863277.525435: Retrieving admin at CYBERFUEL.COM -> > krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from > FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not found > [23749] 1461863277.525469: Getting credentials admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using ccache FILE:/tmp/tmprfuOsj > [23749] 1461863277.525529: Retrieving admin at CYBERFUEL.COM -> 
> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmprfuOsj with > result: -1765328243/Matching credential not found > [23749] 1461863277.525572: Retrieving admin at CYBERFUEL.COM -> > krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmprfuOsj with result: > 0/Success > [23749] 1461863277.525584: Found cached TGT for service realm: > admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM > [23749] 1461863277.525593: Requesting tickets for > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on > [23749] 1461863277.525645: Generated subkey for TGS request: aes256-cts/C22D > [23749] 1461863277.525662: etypes requested in TGS request: aes256-cts, > aes128-cts, des3-cbc-sha1, rc4-hmac > [23749] 1461863277.525806: Sending request (704 bytes) to CYBERFUEL.COM > [23749] 1461863277.526052: Resolving hostname freeipa.cyberfuel.com > [23749] 1461863277.526161: Initiating TCP connection to stream > 192.168.20.90:88 > [23749] 1461863277.526440: Sending TCP request to stream 192.168.20.90:88 > [23749] 1461863277.530652: Received answer from stream 192.168.20.90:88 > [23749] 1461863277.530737: Response was from master KDC > [23749] 1461863277.530881: TGS reply is for admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with session key aes256-cts/79C3 > [23749] 1461863277.530931: TGS request result: 0/Success > [23749] 1461863277.530948: Received creds for desired service > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM > [23749] 1461863277.530962: Removing admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmprfuOsj > [23749] 1461863277.530971: Storing admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmprfuOsj > [23749] 1461863277.531133: Creating authenticator for admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, seqnum 1019693263, subkey > aes256-cts/B3E0, session key aes256-cts/79C3 > [23749] 1461863277.542808: ccselect module realm chose 
cache > FILE:/tmp/tmprfuOsj with client principal admin at CYBERFUEL.COM for server > principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM > [23749] 1461863277.542889: Retrieving admin at CYBERFUEL.COM -> > krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from > FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not found > [23749] 1461863277.542988: Read AP-REP, time 1461863277.531150, subkey > aes256-cts/5194, seqnum 376027188 > [25544] 1461864401.258277: ccselect module realm chose cache > FILE:/tmp/tmpbzX7EN with client principal admin at CYBERFUEL.COM for server > principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM > [25544] 1461864401.258584: Retrieving admin at CYBERFUEL.COM -> > krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from > FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not found > [25544] 1461864401.258678: Getting credentials admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using ccache FILE:/tmp/tmpbzX7EN > [25544] 1461864401.258873: Retrieving admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpbzX7EN with > result: -1765328243/Matching credential not found > [25544] 1461864401.259040: Retrieving admin at CYBERFUEL.COM -> > krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmpbzX7EN with result: > 0/Success > [25544] 1461864401.259076: Found cached TGT for service realm: > admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM > [25544] 1461864401.259102: Requesting tickets for > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on > [25544] 1461864401.259244: Generated subkey for TGS request: aes256-cts/277A > [25544] 1461864401.259291: etypes requested in TGS request: aes256-cts, > aes128-cts, des3-cbc-sha1, rc4-hmac > [25544] 1461864401.259676: Sending request (704 bytes) to CYBERFUEL.COM > [25544] 1461864401.260108: Resolving hostname freeipa.cyberfuel.com > [25544] 1461864401.260361: Initiating TCP connection to 
stream > 192.168.20.90:88 > [25544] 1461864401.260980: Sending TCP request to stream 192.168.20.90:88 > [25544] 1461864401.264399: Received answer from stream 192.168.20.90:88 > [25544] 1461864401.264593: Response was from master KDC > [25544] 1461864401.264893: TGS reply is for admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with session key aes256-cts/9106 > [25544] 1461864401.264966: TGS request result: 0/Success > [25544] 1461864401.264996: Received creds for desired service > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM > [25544] 1461864401.265029: Removing admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpbzX7EN > [25544] 1461864401.265058: Storing admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmpbzX7EN > [25544] 1461864401.265581: Creating authenticator for admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, seqnum 921501424, subkey > aes256-cts/99EA, session key aes256-cts/9106 > [25544] 1461864401.275884: ccselect module realm chose cache > FILE:/tmp/tmpbzX7EN with client principal admin at CYBERFUEL.COM for server > principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM > [25544] 1461864401.276059: Retrieving admin at CYBERFUEL.COM -> > krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from > FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not found > [25544] 1461864401.276196: Read AP-REP, time 1461864401.265627, subkey > aes256-cts/0E9F, seqnum 871496824 > [18097] 1461937028.664354: ccselect module realm chose cache > FILE:/tmp/tmpF9x_o8 with client principal admin at CYBERFUEL.COM for server > principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM > [18097] 1461937028.664456: Retrieving admin at CYBERFUEL.COM -> > krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from > FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not found > [18097] 1461937028.664490: Getting credentials admin at 
CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using ccache FILE:/tmp/tmpF9x_o8 > [18097] 1461937028.664549: Retrieving admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpF9x_o8 with > result: -1765328243/Matching credential not found > [18097] 1461937028.664590: Retrieving admin at CYBERFUEL.COM -> > krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmpF9x_o8 with result: > 0/Success > [18097] 1461937028.664601: Found cached TGT for service realm: > admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM > [18097] 1461937028.664611: Requesting tickets for > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on > [18097] 1461937028.664700: Generated subkey for TGS request: aes256-cts/6372 > [18097] 1461937028.664727: etypes requested in TGS request: aes256-cts, > aes128-cts, des3-cbc-sha1, rc4-hmac > [18097] 1461937028.664865: Sending request (704 bytes) to CYBERFUEL.COM > [18097] 1461937028.665035: Resolving hostname freeipa.cyberfuel.com > [18097] 1461937028.665136: Initiating TCP connection to stream > 192.168.20.90:88 > [18097] 1461937028.665510: Sending TCP request to stream 192.168.20.90:88 > [18097] 1461937028.668919: Received answer from stream 192.168.20.90:88 > [18097] 1461937028.668984: Response was from master KDC > [18097] 1461937028.669109: TGS reply is for admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with session key aes256-cts/9592 > [18097] 1461937028.669136: TGS request result: 0/Success > [18097] 1461937028.669156: Received creds for desired service > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM > [18097] 1461937028.669167: Removing admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpF9x_o8 > [18097] 1461937028.669176: Storing admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmpF9x_o8 > [18097] 1461937028.669304: Creating authenticator for admin at CYBERFUEL.COM -> > 
ldap/freeipa.cyberfuel.com@CYBERFUEL.COM, seqnum 940175329, subkey aes256-cts/53B9, session key aes256-cts/9592
> [18097] 1461937028.676414: ccselect module realm chose cache FILE:/tmp/tmpF9x_o8 with client principal admin@CYBERFUEL.COM for server principal ldap/freeipa.cyberfuel.com@CYBERFUEL.COM
> [18097] 1461937028.676470: Retrieving admin@CYBERFUEL.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not found
> [18097] 1461937028.676534: Read AP-REP, time 1461937028.669328, subkey aes256-cts/26C4, seqnum 864174069
>
> -----------------------------------
>
> Regards
>
> Jose Alvarez
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten@redhat.com]
> Sent: Friday, 29 April 2016 09:34 a.m.
> To: Jose Alvarez R.; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
>
> Jose Alvarez R. wrote:
>> Hi Users
>>
>> Can you help me?
>>
>> I have a problem joining a client to my FreeIPA server. The IPA server
>> version is 3.0 and the IPA client is 3.0.
>>
>> When I join my client to the IPA server it shows these errors:
>>
>> [root@ppa ~]# tail -f /var/log/ipaclient-install.log
>>
>> 2016-04-28T17:26:41Z DEBUG stderr=
>>
>> 2016-04-28T17:26:41Z DEBUG trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
>>
>> 2016-04-28T17:26:41Z DEBUG Existing CA cert and Retrieved CA cert are identical
>>
>> 2016-04-28T17:26:41Z DEBUG args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b dc=cyberfuel,dc=com
>>
>> 2016-04-28T17:26:41Z DEBUG stdout=
>>
>> 2016-04-28T17:26:41Z DEBUG stderr=HTTP response code is 401, not 200
>>
>> 2016-04-28T17:26:41Z ERROR Joining realm failed: HTTP response code is 401, not 200
>>
>> 2016-04-28T17:26:41Z ERROR Installation failed. Rolling back changes.
>>
>> 2016-04-28T17:26:41Z ERROR IPA client is not configured on this system.
>
> I'd look in the 389-ds access and error logs on the IPA server to see if
> there are any more details. Look for the BIND from the client and see what
> happens.
>
> More context from the log file might be helpful. I believe if you run the
> client installer with --debug then additional flags are passed to ipa-join
> to include the XML-RPC conversation and that might be useful too.
>
> What account are you using to enroll with, admin?
>
> rob
>

From bret.wortman@damascusgrp.com Fri Apr 29 17:22:16 2016
From: bret.wortman@damascusgrp.com (Bret Wortman)
Date: Fri, 29 Apr 2016 13:22:16 -0400
Subject: [Freeipa-users] IPA server having cert issues
In-Reply-To: <572394E9.2030208@damascusgrp.com>
References: <571F586E.2000302@damascusgrp.com> <571F9E04.2050400@damascusgrp.com> <571FA944.8040003@redhat.com> <571FAE1C.107@damascusgrp.com> <57208EE1.3000006@damascusgrp.com> <5720D0A8.505@damascusgrp.com> <5720F2AB.3000300@redhat.com> <572103CE.6030404@damascusgrp.com> <5722193A.40101@damascusgrp.com> <2dac740d-a1fe-5579-6841-d410ee0ec5fc@redhat.com> <5722311B.7040806@damascusgrp.com> <11f8848a-a71f-e98a-ac1c-6656f4cd4df1@redhat.com> <57223AC2.4020603@damascusgrp.com> <5723317B.8090900@damascusgrp.com> <054f2a45-6c3f-a88a-29aa-b4cf51bcb25c@redhat.com> <57235944.1080306@damascusgrp.com> <11761686-346d-7565-68d5-a6f8689ff3e4@redhat.com> <572374E1.1030902@damascusgrp.com> <49c392e7-3ed0-c46c-f09e-ec683644f0c1@redhat.com> <57238907.2000101@damascusgrp.com> <57238ECC.7010907@damascusgrp.com> <57239432.7000708@redhat.com> <572394E9.2030208@damascusgrp.com>
Message-ID: <57239848.6060207@damascusgrp.com>

Of course, I just remembered that the server still thinks it's April 4, and I still have some certs that are expiring as of 4-17-16. Before I screw anything else up, what's the RIGHT way to renew those certs and move the server back to real time?

On 04/29/2016 01:07 PM, Bret Wortman wrote:
> Hot damn! It's up and running. Web UI works. CLI works.
>
> The chgrp did the trick.
>
> Thank you Rob, Petr and Christian!
>
>
> Bret
>
> On 04/29/2016 01:04 PM, Rob Crittenden wrote:
>> Bret Wortman wrote:
>>> We run with selinux disabled.
>>>
>>> # getenforce
>>> Disabled
>>> # restorecon -R -v /etc/httpd/alias
>>> # ipactl start
>>> Starting Directory Service
>>> Starting krb5kdc Service
>>> Starting kadmin Service
>>> Starting named Service
>>> Starting ipa_memcached Service
>>> Starting httpd Service
>>> Starting pki-tomcatd Service
>>> Failed to start pki-tomcatd Service
>>> Shutting down
>>> Aborting ipactl
>>> # ipactl status
>>> Directory Service: STOPPED
>>> Directory Service must be running in order to obtain status of other services
>>> ipa: INFO: The ipactl command was successful
>>> #
>>
>> The problem is permissions. Try:
>>
>> # chgrp apache /etc/httpd/alias/*.db
>>
>> The mode is ok, Apache only needs read access.
>>
>> The segfault is fixed upstream and actual usable error messages
>> reported. The init system doesn't see it as a failure because this
>> happens after Apache forks its children.
>>
>> I'd also consider re-enabling SELinux eventually.
>>
>> rob
>>
>>>
>>> On 04/29/2016 12:25 PM, Christian Heimes wrote:
>>>> On 2016-04-29 18:17, Bret Wortman wrote:
>>>>> I'll put the results inline here, since they're short.
>>>>>
>>>>> [root at zsipa log]# ls -laZ /etc/httpd/
>>>>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 .
>>>>> drwxr-xr-x. root root system_u:object_r:etc_t:s0 ..
>>>>> drwxr-xr-x. root root system_u:object_r:cert_t:s0 alias
>>>>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf
>>>>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.d
>>>>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 conf.modules.d
>>>>> lrwxrwxrwx root root ? logs -> ../../var/log/httpd
>>>>> lrwxrwxrwx root root ? modules -> ../../usr/lib64/httpd/modules
>>>>> lrwxrwxrwx root root ? run -> /run/httpd
>>>>> [root at zsipa log]# ls -laZ /etc/httpd/alias
>>>>> drwxr-xr-x. root root system_u:object_r:cert_t:s0 .
>>>>> drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 ..
>>>>> -r--r--r-- root root ? cacert.asc
>>>>> -r--r--r-- root root ? cacert.asc.orig
>>>>> -rw-r----- root root ? cert8.db
>>>>> -rw-rw---- root apache ? cert8.db.20160426
>>>>> -rw-rw---- root apache ? cert8.db.orig
>>>>> -rw-------. root root system_u:object_r:cert_t:s0 install.log
>>>>> -rw-r----- root root ? key3.db
>>>>> -rw-rw---- root apache ? key3.db.20160426
>>>>> -rw-rw---- root apache ? key3.db.orig
>>>>> lrwxrwxrwx root root ? libnssckbi.so -> ../../..//usr/lib64/libnssckbi.so
>>>>> -rw-rw---- root apache ? pwdfile.txt
>>>>> -rw-rw---- root apache ? pwdfile.txt.orig
>>>>> -rw-rw---- root apache ? secmod.db
>>>>> -rw-rw---- root apache ? secmod.db.orig
>>>> Some files don't have the correct SELinux context or are completely
>>>> missing a context. SELinux prevents Apache from accessing these files.
>>>> Did you replace some files or restore some from a backup? You should see
>>>> a bunch of SELinux violations in your audit log.
>>>>
>>>> In order to restore the correct context, please run restorecon:
>>>>
>>>> # restorecon -R -v /etc/httpd/alias
>>>>
>>>> This should set correct contexts and allow you to start Apache HTTPD again.
>>>>
>>>> Christian
>>>>
>>>
>>
>

From bret.wortman at damascusgrp.com Fri Apr 29 17:29:07 2016
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Fri, 29 Apr 2016 13:29:07 -0400
Subject: [Freeipa-users] IPA server having cert issues
In-Reply-To: <57239848.6060207@damascusgrp.com>
References: <571F586E.2000302@damascusgrp.com> <571FA944.8040003@redhat.com> <571FAE1C.107@damascusgrp.com> <57208EE1.3000006@damascusgrp.com> <5720D0A8.505@damascusgrp.com> <5720F2AB.3000300@redhat.com> <572103CE.6030404@damascusgrp.com> <5722193A.40101@damascusgrp.com> <2dac740d-a1fe-5579-6841-d410ee0ec5fc@redhat.com> <5722311B.7040806@damascusgrp.com> <11f8848a-a71f-e98a-ac1c-6656f4cd4df1@redhat.com> <57223AC2.4020603@damascusgrp.com> <5723317B.8090900@damascusgrp.com> <054f2a45-6c3f-a88a-29aa-b4cf51bcb25c@redhat.com> <57235944.1080306@damascusgrp.com> <11761686-346d-7565-68d5-a6f8689ff3e4@redhat.com> <572374E1.1030902@damascusgrp.com> <49c392e7-3ed0-c46c-f09e-ec683644f0c1@redhat.com> <57238907.2000101@damascusgrp.com> <57238ECC.7010907@damascusgrp.com> <57239432.7000708@redhat.com> <572394E9.2030208@damascusgrp.com> <57239848.6060207@damascusgrp.com>
Message-ID: <572399E3.9080808@damascusgrp.com>

Scratch that. Decided to be daring and run "getcert resubmit -i" for
each cert (after verifying the first one worked), then shut ipa down,
advanced the date, re-enabled ntpd and started it back up. Looks clean.

On 04/29/2016 01:22 PM, Bret Wortman wrote:
> Of course, I just remembered that the server still thinks it's April
> 4, and I still have some certs that are expiring as of 4-17-16. Before
> I screw anything else up, what's the RIGHT way to renew those certs
> and move the server back to real time?
>
> On 04/29/2016 01:07 PM, Bret Wortman wrote:
>> Hot damn! It's up and running. Web UI works. CLI works.
>>
>> The chgrp did the trick.
>>
>> Thank you Rob, Petr and Christian!
>>
>> Bret

From gnotrica at candeal.com Fri Apr 29 17:37:29 2016
From: gnotrica at candeal.com (Gady Notrica)
Date: Fri, 29 Apr 2016 17:37:29 +0000
Subject: [Freeipa-users] Ldap error in ModifyPassword - 50: Insufficient access
Message-ID: <0984AB34E553F54B8705D776686863E70AC0AE7F@cd-exchange01.CD-PRD.candeal.ca>

Hey guys,

After my previous issue, my passwords do not sync anymore with IPA. No
password changed for the sync user. Any ideas?
Thank you,

04/29/16 13:32:56: Ldap error in ModifyPassword 50: Insufficient access
04/29/16 13:32:56: Modify password failed for remote entry: uid=jlaporte,cn=users,cn=accounts,dc=ipa,dc=domain,dc=local
04/29/16 13:32:56: Deferring password change for jlaporte
04/29/16 13:32:58: Ldap error in ModifyPassword 50: Insufficient access
04/29/16 13:32:58: Modify password failed for remote entry: uid=jlaporte,cn=users,cn=accounts,dc=ipa,dc=domain,dc=local
04/29/16 13:32:58: Deferring password change for jlaporte
04/29/16 13:33:02: Ldap error in ModifyPassword 50: Insufficient access
04/29/16 13:33:02: Modify password failed for remote entry: uid=jlaporte,cn=users,cn=accounts,dc=ipa,dc=domain,dc=local
04/29/16 13:33:02: Deferring password change for jlaporte
04/29/16 13:33:10: Ldap error in ModifyPassword 50: Insufficient access
04/29/16 13:33:10: Modify password failed for remote entry: uid=jlaporte,cn=users,cn=accounts,dc=ipa,dc=domain,dc=local
04/29/16 13:33:10: Deferring password change for jlaporte

Gady

From jalvarez at cyberfuel.com Fri Apr 29 18:05:48 2016
From: jalvarez at cyberfuel.com (Jose Alvarez R.)
Date: Fri, 29 Apr 2016 12:05:48 -0600
Subject: [Freeipa-users] HTTP response code is 401, not 200
In-Reply-To: <5723965F.20102@redhat.com>
References: <04e201d1a219$7a6497f0$6f2dc7d0$@cyberfuel.com> <57237EFE.4010705@redhat.com> <06b701d1a238$a151b590$e3f520b0$@cyberfuel.com> <5723965F.20102@redhat.com>
Message-ID: <06f901d1a241$c2770910$47651b30$@cyberfuel.com>

Hi, Rob

Thanks!!
The xmlrpc-c version on my IPA server:

xmlrpc-c-1.16.24-1210.1840.el6.x86_64
xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64

The xmlrpc-c version on my IPA client:

xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64
xmlrpc-c-1.16.24-1210.1840.el6.x86_64
libiqxmlrpc-0.12.4-0.parallels.i686
xmlrpc-c-c++-1.16.24-1210.1840.el6.x86_64

The versions are the same, but the libcurl is different.

This is the curl version on the IPA server:

[root at freeipa log]# rpm -qa | grep curl
python-pycurl-7.19.0-8.el6.x86_64
curl-7.19.7-46.el6.x86_64
libcurl-7.19.7-46.el6.x86_64
[root at freeipa log]#

This is the curl version on the PPA server (IPA client):

[root at ppa named]# rpm -qa | grep curl
curl-7.31.0-1.el6.x86_64
python-pycurl-7.19.0-8.el6.x86_64
libcurl-7.31.0-1.el6.x86_64
libcurl-7.31.0-1.el6.i686

Sorry, my English is not very good.

Regards.

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Friday, 29 April 2016 11:14 a.m.
To: Jose Alvarez R. ; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200

Jose Alvarez R. wrote:
> Hi Rob, Thanks for your response
>
> Yes, It's with admin.

I assume this is a problem with your version of xmlrpc-c. We use standard
xmlrpc-c calls to set up authentication and IIRC that links against libcurl,
which provides the Kerberos/GSSAPI support.

On EL6 you need xmlrpc-c >= 1.16.24-1200.1840.2

I'm confused about the versions. You mention PPA but include what look like
RPM versions that seem to point to RHEL 6.
rob

>
> I execute the command "ipa-client-install --debug"
> -------------------------------------------------------------------------
>
> [root at ppa named]# ipa-client-install --debug
> User authorized to enroll computers: admin
> will use principal provided as option: admin
> Password for admin at CYBERFUEL.COM:
> args=kinit admin at CYBERFUEL.COM
> stdout=Password for admin at CYBERFUEL.COM:
>
> stderr=
> trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
> Existing CA cert and Retrieved CA cert are identical
> args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b dc=cyberfuel,dc=com -d
> stdout=
> stderr=XML-RPC CALL:
> \r\n \r\n
> join\r\n \r\n
> \r\n
> ppa.cyberfuel.com\r\n
> \r\n
> \r\n
> nsosversion\r\n
> 2.6.32-573.8.1.el6.x86_64\r\n
> nshardwareplatform\r\n
> x86_64\r\n
> \r\n
> \r\n
> \r\n
>
> * About to connect() to freeipa.cyberfuel.com port 443 (#0)
> * Trying 192.168.20.90...
> * Adding handle: conn: 0x10bb2f0
> * Adding handle: send: 0
> * Adding handle: recv: 0
> * Curl_addHandleToPipeline: length: 1
> * - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
> * Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
> * successfully set certificate verify locations:
> * CAfile: /etc/ipa/ca.crt
> CApath: none
> * SSL connection using AES256-SHA
> * Server certificate:
> * subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
> * start date: 2015-09-30 17:52:11 GMT
> * expire date: 2017-09-30 17:52:11 GMT
> * common name: freeipa.cyberfuel.com (matched)
> * issuer: O=CYBERFUEL.COM; CN=Certificate Authority
> * SSL certificate verify ok.
>> POST /ipa/xml HTTP/1.1
> Host: freeipa.cyberfuel.com
> Accept: */*
> Content-Type: text/xml
> User-Agent: ipa-join/3.0.0
> Referer: https://freeipa.cyberfuel.com/ipa/xml
> X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
> Content-Length: 477
>
> * upload completely sent off: 477 out of 477 bytes
> < HTTP/1.1 401 Authorization Required
> < Date: Fri, 29 Apr 2016 16:16:32 GMT
> * Server Apache/2.2.15 (CentOS) is not blacklisted
> < Server: Apache/2.2.15 (CentOS)
> < WWW-Authenticate: Negotiate
> < Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT
> < ETag: "a0528-55a-53051ba8f7000"
> < Accept-Ranges: bytes
> < Content-Length: 1370
> < Connection: close
> < Content-Type: text/html; charset=UTF-8
> <
> * Closing connection 0
> HTTP response code is 401, not 200
>
> Joining realm failed: XML-RPC CALL:
>
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
> -------------------------------------------------
>
> The version curl is different, but the version curl PPA is the
> repository Odin Plesk.
>
> -----------------------------------------------------
>
> [root at ppa tmp]# cat kerberos_trace.log
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM > [23749] 1461863277.530962: Removing admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmprfuOsj > [23749] 1461863277.530971: Storing admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmprfuOsj > [23749] 1461863277.531133: Creating authenticator for > admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, > seqnum 1019693263, subkey aes256-cts/B3E0, session key aes256-cts/79C3 > [23749] 1461863277.542808: ccselect module realm chose cache > FILE:/tmp/tmprfuOsj with client principal admin at CYBERFUEL.COM for > server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM > [23749] 1461863277.542889: Retrieving admin at CYBERFUEL.COM -> > krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from > FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not > found [23749] 1461863277.542988: Read AP-REP, time 1461863277.531150, > subkey aes256-cts/5194, seqnum 376027188 [25544] 1461864401.258277: > ccselect module realm chose cache FILE:/tmp/tmpbzX7EN with client > principal admin at CYBERFUEL.COM for server principal > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM > [25544] 1461864401.258584: Retrieving admin at CYBERFUEL.COM -> > krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from > FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not > found [25544] 1461864401.258678: Getting credentials > admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using > ccache FILE:/tmp/tmpbzX7EN [25544] 1461864401.258873: Retrieving > admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from > FILE:/tmp/tmpbzX7EN with > result: -1765328243/Matching credential not found [25544] > 1461864401.259040: Retrieving admin at CYBERFUEL.COM -> > krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmpbzX7EN with result: > 0/Success > [25544] 1461864401.259076: Found cached TGT for service 
realm: > admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM > [25544] 1461864401.259102: Requesting tickets for > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on [25544] > 1461864401.259244: Generated subkey for TGS request: aes256-cts/277A > [25544] 1461864401.259291: etypes requested in TGS request: > aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [25544] > 1461864401.259676: Sending request (704 bytes) to CYBERFUEL.COM > [25544] 1461864401.260108: Resolving hostname freeipa.cyberfuel.com > [25544] 1461864401.260361: Initiating TCP connection to stream > 192.168.20.90:88 > [25544] 1461864401.260980: Sending TCP request to stream > 192.168.20.90:88 [25544] 1461864401.264399: Received answer from > stream 192.168.20.90:88 [25544] 1461864401.264593: Response was from > master KDC [25544] 1461864401.264893: TGS reply is for > admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with > session key aes256-cts/9106 [25544] 1461864401.264966: TGS request > result: 0/Success [25544] 1461864401.264996: Received creds for > desired service ldap/freeipa.cyberfuel.com at CYBERFUEL.COM > [25544] 1461864401.265029: Removing admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpbzX7EN > [25544] 1461864401.265058: Storing admin at CYBERFUEL.COM -> > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmpbzX7EN > [25544] 1461864401.265581: Creating authenticator for > admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, > seqnum 921501424, subkey aes256-cts/99EA, session key aes256-cts/9106 > [25544] 1461864401.275884: ccselect module realm chose cache > FILE:/tmp/tmpbzX7EN with client principal admin at CYBERFUEL.COM for > server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM > [25544] 1461864401.276059: Retrieving admin at CYBERFUEL.COM -> > krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from > FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not > 
found [25544] 1461864401.276196: Read AP-REP, time 1461864401.265627, > subkey aes256-cts/0E9F, seqnum 871496824 [18097] 1461937028.664354: > ccselect module realm chose cache > FILE:/tmp/tmpF9x_o8 with client principal admin at CYBERFUEL.COM for > server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM > [18097] 1461937028.664456: Retrieving admin at CYBERFUEL.COM -> > krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from > FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not > found [18097] 1461937028.664490: Getting credentials > admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using > ccache FILE:/tmp/tmpF9x_o8 [18097] 1461937028.664549: Retrieving > admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from > FILE:/tmp/tmpF9x_o8 with > result: -1765328243/Matching credential not found [18097] > 1461937028.664590: Retrieving admin at CYBERFUEL.COM -> > krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmpF9x_o8 with result: > 0/Success > [18097] 1461937028.664601: Found cached TGT for service realm: > admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM > [18097] 1461937028.664611: Requesting tickets for > ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on [18097] > 1461937028.664700: Generated subkey for TGS request: aes256-cts/6372 > [18097] 1461937028.664727: etypes requested in TGS request: > aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [18097] > 1461937028.664865: Sending request (704 bytes) to CYBERFUEL.COM > [18097] 1461937028.665035: Resolving hostname freeipa.cyberfuel.com > [18097] 1461937028.665136: Initiating TCP connection to stream > 192.168.20.90:88 > [18097] 1461937028.665510: Sending TCP request to stream > 192.168.20.90:88 [18097] 1461937028.668919: Received answer from > stream 192.168.20.90:88 [18097] 1461937028.668984: Response was from > master KDC [18097] 1461937028.669109: TGS reply is for > admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at 
>
> -----------------------------------
>
>
> Regards
>
> Jose Alvarez
>
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Friday, April 29, 2016 09:34 AM
> To: Jose Alvarez R. ; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
>
> Jose Alvarez R. wrote:
>> Hi Users
>>
>> Can you help me?
>>
>> I have a problem joining a client to my FreeIPA server.
>> The IPA server version is 3.0 and the IPA client is 3.0.
>>
>> When I join my client to the IPA server, it shows these errors:
>>
>> [root at ppa ~]# tail -f /var/log/ipaclient-install.log
>>
>> 2016-04-28T17:26:41Z DEBUG stderr=
>> 2016-04-28T17:26:41Z DEBUG trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
>> 2016-04-28T17:26:41Z DEBUG Existing CA cert and Retrieved CA cert are identical
>> 2016-04-28T17:26:41Z DEBUG args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b dc=cyberfuel,dc=com
>> 2016-04-28T17:26:41Z DEBUG stdout=
>> 2016-04-28T17:26:41Z DEBUG stderr=HTTP response code is 401, not 200
>> 2016-04-28T17:26:41Z ERROR Joining realm failed: HTTP response code is 401, not 200
>> 2016-04-28T17:26:41Z ERROR Installation failed. Rolling back changes.
>> 2016-04-28T17:26:41Z ERROR IPA client is not configured on this system.
>
> I'd look in the 389-ds access and error logs on the IPA server to see
> if there are any more details. Look for the BIND from the client and
> see what happens.
>
> More context from the log file might be helpful. I believe if you run
> the client installer with --debug then additional flags are passed to
> ipa-join to include the XML-RPC conversation and that might be useful too.
>
> What account are you using to enroll with, admin?
>
> rob
>

From rcritten at redhat.com  Fri Apr 29 18:19:29 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 29 Apr 2016 14:19:29 -0400
Subject: [Freeipa-users] HTTP response code is 401, not 200
In-Reply-To: <06f901d1a241$c2770910$47651b30$@cyberfuel.com>
References: <04e201d1a219$7a6497f0$6f2dc7d0$@cyberfuel.com> <57237EFE.4010705@redhat.com> <06b701d1a238$a151b590$e3f520b0$@cyberfuel.com> <5723965F.20102@redhat.com> <06f901d1a241$c2770910$47651b30$@cyberfuel.com>
Message-ID: <5723A5B1.8080109@redhat.com>

Jose Alvarez R. wrote:
> Hi, Rob
>
> Thanks!!
>
>
> The xmlrpc-c version on my IPA server:
> xmlrpc-c-1.16.24-1210.1840.el6.x86_64
> xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64
>
>
> The xmlrpc-c version on my IPA client:
> xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64
> xmlrpc-c-1.16.24-1210.1840.el6.x86_64
> libiqxmlrpc-0.12.4-0.parallels.i686
> xmlrpc-c-c++-1.16.24-1210.1840.el6.x86_64

You need xmlrpc-c-1.16.24-1200.1840.2.el6 on the client which fixed
https://bugzilla.redhat.com/show_bug.cgi?id=719945

The libcurl version on the client looks ok.

This is only a client-side issue so no changes on the servers should be
necessary IIRC.

This appears to be EL 6.1 which at this point is quite old.

rob

>
> The versions are the same, but the libcurl is different.
>
> This is the curl version on the IPA server:
> [root at freeipa log]# rpm -qa | grep curl
> python-pycurl-7.19.0-8.el6.x86_64
> curl-7.19.7-46.el6.x86_64
> libcurl-7.19.7-46.el6.x86_64
> [root at freeipa log]#
>
>
> This is the curl version on the PPA server (IPA client):
> [root at ppa named]# rpm -qa | grep curl
> curl-7.31.0-1.el6.x86_64
> python-pycurl-7.19.0-8.el6.x86_64
> libcurl-7.31.0-1.el6.x86_64
> libcurl-7.31.0-1.el6.i686
>
> Sorry, my English is not very good.
>
>
> Regards.
>
>
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Friday, April 29, 2016 11:14 AM
> To: Jose Alvarez R. ; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
>
> Jose Alvarez R. wrote:
>> Hi Rob, thanks for your response.
>>
>> Yes, it's with admin.
>
> I assume this is a problem with your version of xmlrpc-c. We use standard
> xmlrpc-c calls to set up authentication and IIRC that links against
> libcurl which provides the Kerberos/GSSAPI support. On EL6 you need
> xmlrpc-c >= 1.16.24-1200.1840.2
>
> I'm confused about the versions. You mention PPA but include what look like
> RPM versions that seem to point to RHEL 6.
>
> rob
>
>>
>> I execute the command "ipa-client-install --debug"
>> -------------------------------------------------------------------------
>>
>>
>> [root at ppa named]# ipa-client-install --debug
>> /usr/sbin/ipa-client-install was invoked with options: {'domain': None,
>> 'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
>> 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True,
>> 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'nisdomain': None,
>> 'no_nisdomain': False, 'principal': None, 'hostname': None, 'no_ac': False,
>> 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'kinit_attempts': 5,
>> 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join': False,
>> 'ca_cert_file': None, 'server': None, 'prompt_password': False, 'permit': False,
>> 'debug': True, 'preserve_sssd': False, 'uninstall': False}
>> missing options might be asked for interactively later
>> Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
>> Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
>> [IPA Discovery]
>> Starting IPA discovery with domain=None, servers=None, hostname=ppa.cyberfuel.com
>> Start searching for LDAP SRV record in "cyberfuel.com" (domain of the hostname) and its sub-domains
>> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
>> DNS record found: DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
>> [Kerberos realm search]
>> Search DNS for TXT record of _kerberos.cyberfuel.com.
>> DNS record found: DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFUEL.COM}
>> Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
>> DNS record found: DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
>> [LDAP server check]
>> Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server
>> Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
>> Search LDAP server for IPA base DN
>> Check if naming context 'dc=cyberfuel,dc=com' is for IPA
>> Naming context 'dc=cyberfuel,dc=com' is a valid IPA context
>> Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)
>> Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
>> Discovery result: Success; server=freeipa.cyberfuel.com, domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com
>> Validated servers: freeipa.cyberfuel.com
>> will use discovered domain: cyberfuel.com
>> Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS Discovery) and its sub-domains
>> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
>> DNS record found: DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
>> DNS validated, enabling discovery
>> will use discovered server: freeipa.cyberfuel.com
>> Discovery was successful!
>> will use discovered realm: CYBERFUEL.COM
>> will use discovered basedn: dc=cyberfuel,dc=com
>> Hostname: ppa.cyberfuel.com
>> Hostname source: Machine's FQDN
>> Realm: CYBERFUEL.COM
>> Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
>> DNS Domain: cyberfuel.com
>> DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of the hostname)
>> IPA Server: freeipa.cyberfuel.com
>> IPA Server source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
>> BaseDN: dc=cyberfuel,dc=com
>> BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
>>
>> Continue to configure the system with these values? [no]: no
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>> [root at ppa named]#
>> [root at ppa named]# ipa-client-install --debug
>> /usr/sbin/ipa-client-install was invoked with options: {'domain': None,
>> 'force': False, 'realm_name': None, 'krb5_offline_passwords': True,
>> 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True,
>> 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'nisdomain': None,
>> 'no_nisdomain': False, 'principal': None, 'hostname': None, 'no_ac': False,
>> 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'kinit_attempts': 5,
>> 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join': False,
>> 'ca_cert_file': None, 'server': None, 'prompt_password': False, 'permit': False,
>> 'debug': True, 'preserve_sssd': False, 'uninstall': False}
>> missing options might be asked for interactively later
>> Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
>> Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
>> [IPA Discovery]
>> Starting IPA discovery with domain=None, servers=None, hostname=ppa.cyberfuel.com
>> Start searching for LDAP SRV record in "cyberfuel.com" (domain of the hostname) and its sub-domains
>> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
>> DNS record found: DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
>> [Kerberos realm search]
>> Search DNS for TXT record of _kerberos.cyberfuel.com.
>> DNS record found: DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFUEL.COM}
>> Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
>> DNS record found: DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
>> [LDAP server check]
>> Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server
>> Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
>> Search LDAP server for IPA base DN
>> Check if naming context 'dc=cyberfuel,dc=com' is for IPA
>> Naming context 'dc=cyberfuel,dc=com' is a valid IPA context
>> Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)
>> Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
>> Discovery result: Success; server=freeipa.cyberfuel.com, domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com
>> Validated servers: freeipa.cyberfuel.com
>> will use discovered domain: cyberfuel.com
>> Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS Discovery) and its sub-domains
>> Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
>> DNS record found: DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
>> DNS validated, enabling discovery
>> will use discovered server: freeipa.cyberfuel.com
>> Discovery was successful!
>> will use discovered realm: CYBERFUEL.COM
>> will use discovered basedn: dc=cyberfuel,dc=com
>> Hostname: ppa.cyberfuel.com
>> Hostname source: Machine's FQDN
>> Realm: CYBERFUEL.COM
>> Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
>> DNS Domain: cyberfuel.com
>> DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of the hostname)
>> IPA Server: freeipa.cyberfuel.com
>> IPA Server source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
>> BaseDN: dc=cyberfuel,dc=com
>> BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389
>>
>> Continue to configure the system with these values? [no]: yes
>> args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r CYBERFUEL.COM
>> stdout=
>> stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory
>>
>> User authorized to enroll computers: admin
>> will use principal provided as option: admin
>> Synchronizing time with KDC...
>> Search DNS for SRV record of _ntp._udp.cyberfuel.com.
>> No DNS record found
>> args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com
>> stdout=
>> stderr=
>> Writing Kerberos configuration to /tmp/tmpqWSatK:
>> #File modified by ipa-client-install
>>
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>
>> [libdefaults]
>>   default_realm = CYBERFUEL.COM
>>   dns_lookup_realm = false
>>   dns_lookup_kdc = false
>>   rdns = false
>>   ticket_lifetime = 24h
>>   forwardable = yes
>>   udp_preference_limit = 0
>>
>>
>> [realms]
>>   CYBERFUEL.COM = {
>>     kdc = freeipa.cyberfuel.com:88
>>     master_kdc = freeipa.cyberfuel.com:88
>>     admin_server = freeipa.cyberfuel.com:749
>>     default_domain = cyberfuel.com
>>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>>
>>   }
>>
>>
>> [domain_realm]
>>   .cyberfuel.com = CYBERFUEL.COM
>>   cyberfuel.com = CYBERFUEL.COM
>>
>>
>>
>> Password for admin at CYBERFUEL.COM:
>> args=kinit admin at CYBERFUEL.COM
>> stdout=Password for admin at CYBERFUEL.COM:
>>
>> stderr=
>> trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
>> Existing CA cert and Retrieved CA cert are identical
>> args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b dc=cyberfuel,dc=com -d
>> stdout=
>> stderr=XML-RPC CALL:
>>
>> \r\n \r\n
>> join\r\n \r\n
>> \r\n
>> ppa.cyberfuel.com\r\n
>> \r\n
>> \r\n
>> nsosversion\r\n
>> 2.6.32-573.8.1.el6.x86_64\r\n
>> nshardwareplatform\r\n
>> x86_64\r\n
>> \r\n
>> \r\n
>> \r\n
>>
>> * About to connect() to freeipa.cyberfuel.com port 443 (#0)
>> * Trying 192.168.20.90...
>> * Adding handle: conn: 0x10bb2f0
>> * Adding handle: send: 0
>> * Adding handle: recv: 0
>> * Curl_addHandleToPipeline: length: 1
>> * - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
>> * Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
>> * successfully set certificate verify locations:
>> * CAfile: /etc/ipa/ca.crt
>> CApath: none
>> * SSL connection using AES256-SHA
>> * Server certificate:
>> * subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
>> * start date: 2015-09-30 17:52:11 GMT
>> * expire date: 2017-09-30 17:52:11 GMT
>> * common name: freeipa.cyberfuel.com (matched)
>> * issuer: O=CYBERFUEL.COM; CN=Certificate Authority
>> * SSL certificate verify ok.
>> > POST /ipa/xml HTTP/1.1
>> Host: freeipa.cyberfuel.com
>> Accept: */*
>> Content-Type: text/xml
>> User-Agent: ipa-join/3.0.0
>> Referer: https://freeipa.cyberfuel.com/ipa/xml
>> X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
>> Content-Length: 477
>>
>> * upload completely sent off: 477 out of 477 bytes
>> < HTTP/1.1 401 Authorization Required
>> < Date: Fri, 29 Apr 2016 16:16:32 GMT
>> * Server Apache/2.2.15 (CentOS) is not blacklisted
>> < Server: Apache/2.2.15 (CentOS)
>> < WWW-Authenticate: Negotiate
>> < Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT
>> < ETag: "a0528-55a-53051ba8f7000"
>> < Accept-Ranges: bytes
>> < Content-Length: 1370
>> < Connection: close
>> < Content-Type: text/html; charset=UTF-8
>> <
>> * Closing connection 0
>> HTTP response code is 401, not 200
>>
>> Joining realm failed: XML-RPC CALL:
>>
>> \r\n \r\n
>> join\r\n \r\n
>> \r\n
>> ppa.cyberfuel.com\r\n
>> \r\n
>> \r\n
>> nsosversion\r\n
>> 2.6.32-573.8.1.el6.x86_64\r\n
>> nshardwareplatform\r\n
>> x86_64\r\n
>> \r\n
>> \r\n
>> \r\n
>>
>> * About to connect() to freeipa.cyberfuel.com port 443 (#0)
>> * Trying 192.168.20.90...
>> * Adding handle: conn: 0x10bb2f0
>> * Adding handle: send: 0
>> * Adding handle: recv: 0
>> * Curl_addHandleToPipeline: length: 1
>> * - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0
>> * Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
>> * successfully set certificate verify locations:
>> * CAfile: /etc/ipa/ca.crt
>> CApath: none
>> * SSL connection using AES256-SHA
>> * Server certificate:
>> * subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com
>> * start date: 2015-09-30 17:52:11 GMT
>> * expire date: 2017-09-30 17:52:11 GMT
>> * common name: freeipa.cyberfuel.com (matched)
>> * issuer: O=CYBERFUEL.COM; CN=Certificate Authority
>> * SSL certificate verify ok.
>> > POST /ipa/xml HTTP/1.1
>> Host: freeipa.cyberfuel.com
>> Accept: */*
>> Content-Type: text/xml
>> User-Agent: ipa-join/3.0.0
>> Referer: https://freeipa.cyberfuel.com/ipa/xml
>> X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
>> Content-Length: 477
>>
>> * upload completely sent off: 477 out of 477 bytes
>> < HTTP/1.1 401 Authorization Required
>> < Date: Fri, 29 Apr 2016 16:16:32 GMT
>> * Server Apache/2.2.15 (CentOS) is not blacklisted
>> < Server: Apache/2.2.15 (CentOS)
>> < WWW-Authenticate: Negotiate
>> < Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT
>> < ETag: "a0528-55a-53051ba8f7000"
>> < Accept-Ranges: bytes
>> < Content-Length: 1370
>> < Connection: close
>> < Content-Type: text/html; charset=UTF-8
>> <
>> * Closing connection 0
>> HTTP response code is 401, not 200
>>
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>>
>> -------------------------------------------------
>>
>> This is the curl version on the IPA server:
>>
>> [root at freeipa log]# rpm -qa | grep curl
>> python-pycurl-7.19.0-8.el6.x86_64
>> curl-7.19.7-46.el6.x86_64
>> libcurl-7.19.7-46.el6.x86_64
>> [root at freeipa log]#
>>
>>
>> This is the curl version on the PPA server (IPA client):
>>
>> [root at ppa named]# rpm -qa | grep curl
>> curl-7.31.0-1.el6.x86_64
>> python-pycurl-7.19.0-8.el6.x86_64
>> libcurl-7.31.0-1.el6.x86_64
>> libcurl-7.31.0-1.el6.i686
>>
>>
>> The curl version is different, but the curl on PPA comes from the
>> Odin Plesk repository.
>>
>> -----------------------------------------------------
>>
>>
>> [root at ppa tmp]# cat kerberos_trace.log
>>
CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM >> [23457] 1461863053.622176: Requesting tickets for >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on [23457] >> 1461863053.622288: Generated subkey for TGS request: aes256-cts/897C >> [23457] 1461863053.622331: etypes requested in TGS request: >> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [23457] >> 1461863053.622662: Sending request (704 bytes) to CYBERFUEL.COM >> [23457] 1461863053.623133: Resolving hostname freeipa.cyberfuel.com >> [23457] 1461863053.623367: Initiating TCP connection to stream >> 192.168.20.90:88 >> [23457] 1461863053.623866: Sending TCP request to stream >> 192.168.20.90:88 [23457] 1461863053.627939: Received answer from >> stream 192.168.20.90:88 [23457] 1461863053.628229: Response was from >> master KDC [23457] 1461863053.628485: TGS reply is for >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with >> session key aes256-cts/9E88 [23457] 1461863053.628560: TGS request >> result: 0/Success [23457] 1461863053.628610: Received creds for >> desired service ldap/freeipa.cyberfuel.com at CYBERFUEL.COM >> [23457] 1461863053.628655: Removing admin at CYBERFUEL.COM -> >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmp576FE3 >> [23457] 1461863053.628689: Storing admin at CYBERFUEL.COM -> >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmp576FE3 >> [23457] 1461863053.629119: Creating authenticator for >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, >> seqnum 13046067, subkey aes256-cts/BAC3, session key aes256-cts/9E88 >> [23457] 1461863053.640471: ccselect module realm chose cache >> FILE:/tmp/tmp576FE3 with client principal admin at CYBERFUEL.COM for >> server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM >> [23457] 1461863053.640721: Retrieving admin at CYBERFUEL.COM -> >> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from >> FILE:/tmp/tmp576FE3 with result: -1765328243/Matching 
credential not >> found [23457] 1461863053.640909: Read AP-REP, time 1461863053.629208, >> subkey aes256-cts/8866, seqnum 421358565 [23749] 1461863277.525338: >> ccselect module realm chose cache FILE:/tmp/tmprfuOsj with client >> principal admin at CYBERFUEL.COM for server principal >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM >> [23749] 1461863277.525435: Retrieving admin at CYBERFUEL.COM -> >> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from >> FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not >> found [23749] 1461863277.525469: Getting credentials >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using >> ccache FILE:/tmp/tmprfuOsj [23749] 1461863277.525529: Retrieving >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from >> FILE:/tmp/tmprfuOsj with >> result: -1765328243/Matching credential not found [23749] >> 1461863277.525572: Retrieving admin at CYBERFUEL.COM -> >> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmprfuOsj with result: >> 0/Success >> [23749] 1461863277.525584: Found cached TGT for service realm: >> admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM >> [23749] 1461863277.525593: Requesting tickets for >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on [23749] >> 1461863277.525645: Generated subkey for TGS request: aes256-cts/C22D >> [23749] 1461863277.525662: etypes requested in TGS request: >> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [23749] >> 1461863277.525806: Sending request (704 bytes) to CYBERFUEL.COM >> [23749] 1461863277.526052: Resolving hostname freeipa.cyberfuel.com >> [23749] 1461863277.526161: Initiating TCP connection to stream >> 192.168.20.90:88 >> [23749] 1461863277.526440: Sending TCP request to stream >> 192.168.20.90:88 [23749] 1461863277.530652: Received answer from >> stream 192.168.20.90:88 [23749] 1461863277.530737: Response was from >> master KDC [23749] 1461863277.530881: TGS reply is for >> admin at 
CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with >> session key aes256-cts/79C3 [23749] 1461863277.530931: TGS request >> result: 0/Success [23749] 1461863277.530948: Received creds for >> desired service ldap/freeipa.cyberfuel.com at CYBERFUEL.COM >> [23749] 1461863277.530962: Removing admin at CYBERFUEL.COM -> >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmprfuOsj >> [23749] 1461863277.530971: Storing admin at CYBERFUEL.COM -> >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmprfuOsj >> [23749] 1461863277.531133: Creating authenticator for >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, >> seqnum 1019693263, subkey aes256-cts/B3E0, session key aes256-cts/79C3 >> [23749] 1461863277.542808: ccselect module realm chose cache >> FILE:/tmp/tmprfuOsj with client principal admin at CYBERFUEL.COM for >> server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM >> [23749] 1461863277.542889: Retrieving admin at CYBERFUEL.COM -> >> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from >> FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not >> found [23749] 1461863277.542988: Read AP-REP, time 1461863277.531150, >> subkey aes256-cts/5194, seqnum 376027188 [25544] 1461864401.258277: >> ccselect module realm chose cache FILE:/tmp/tmpbzX7EN with client >> principal admin at CYBERFUEL.COM for server principal >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM >> [25544] 1461864401.258584: Retrieving admin at CYBERFUEL.COM -> >> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from >> FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not >> found [25544] 1461864401.258678: Getting credentials >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using >> ccache FILE:/tmp/tmpbzX7EN [25544] 1461864401.258873: Retrieving >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from >> FILE:/tmp/tmpbzX7EN with >> result: 
-1765328243/Matching credential not found [25544] >> 1461864401.259040: Retrieving admin at CYBERFUEL.COM -> >> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmpbzX7EN with result: >> 0/Success >> [25544] 1461864401.259076: Found cached TGT for service realm: >> admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM >> [25544] 1461864401.259102: Requesting tickets for >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on [25544] >> 1461864401.259244: Generated subkey for TGS request: aes256-cts/277A >> [25544] 1461864401.259291: etypes requested in TGS request: >> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [25544] >> 1461864401.259676: Sending request (704 bytes) to CYBERFUEL.COM >> [25544] 1461864401.260108: Resolving hostname freeipa.cyberfuel.com >> [25544] 1461864401.260361: Initiating TCP connection to stream >> 192.168.20.90:88 >> [25544] 1461864401.260980: Sending TCP request to stream >> 192.168.20.90:88 [25544] 1461864401.264399: Received answer from >> stream 192.168.20.90:88 [25544] 1461864401.264593: Response was from >> master KDC [25544] 1461864401.264893: TGS reply is for >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with >> session key aes256-cts/9106 [25544] 1461864401.264966: TGS request >> result: 0/Success [25544] 1461864401.264996: Received creds for >> desired service ldap/freeipa.cyberfuel.com at CYBERFUEL.COM >> [25544] 1461864401.265029: Removing admin at CYBERFUEL.COM -> >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpbzX7EN >> [25544] 1461864401.265058: Storing admin at CYBERFUEL.COM -> >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmpbzX7EN >> [25544] 1461864401.265581: Creating authenticator for >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, >> seqnum 921501424, subkey aes256-cts/99EA, session key aes256-cts/9106 >> [25544] 1461864401.275884: ccselect module realm chose cache >> FILE:/tmp/tmpbzX7EN with client principal admin 
at CYBERFUEL.COM for >> server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM >> [25544] 1461864401.276059: Retrieving admin at CYBERFUEL.COM -> >> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from >> FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not >> found [25544] 1461864401.276196: Read AP-REP, time 1461864401.265627, >> subkey aes256-cts/0E9F, seqnum 871496824 [18097] 1461937028.664354: >> ccselect module realm chose cache >> FILE:/tmp/tmpF9x_o8 with client principal admin at CYBERFUEL.COM for >> server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM >> [18097] 1461937028.664456: Retrieving admin at CYBERFUEL.COM -> >> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from >> FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not >> found [18097] 1461937028.664490: Getting credentials >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using >> ccache FILE:/tmp/tmpF9x_o8 [18097] 1461937028.664549: Retrieving >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from >> FILE:/tmp/tmpF9x_o8 with >> result: -1765328243/Matching credential not found [18097] >> 1461937028.664590: Retrieving admin at CYBERFUEL.COM -> >> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmpF9x_o8 with result: >> 0/Success >> [18097] 1461937028.664601: Found cached TGT for service realm: >> admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM >> [18097] 1461937028.664611: Requesting tickets for >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on [18097] >> 1461937028.664700: Generated subkey for TGS request: aes256-cts/6372 >> [18097] 1461937028.664727: etypes requested in TGS request: >> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [18097] >> 1461937028.664865: Sending request (704 bytes) to CYBERFUEL.COM >> [18097] 1461937028.665035: Resolving hostname freeipa.cyberfuel.com >> [18097] 1461937028.665136: Initiating TCP connection to stream >> 
>> 192.168.20.90:88
>> [18097] 1461937028.665510: Sending TCP request to stream 192.168.20.90:88
>> [18097] 1461937028.668919: Received answer from stream 192.168.20.90:88
>> [18097] 1461937028.668984: Response was from master KDC
>> [18097] 1461937028.669109: TGS reply is for admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with session key aes256-cts/9592
>> [18097] 1461937028.669136: TGS request result: 0/Success
>> [18097] 1461937028.669156: Received creds for desired service ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
>> [18097] 1461937028.669167: Removing admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpF9x_o8
>> [18097] 1461937028.669176: Storing admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmpF9x_o8
>> [18097] 1461937028.669304: Creating authenticator for admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, seqnum 940175329, subkey aes256-cts/53B9, session key aes256-cts/9592
>> [18097] 1461937028.676414: ccselect module realm chose cache FILE:/tmp/tmpF9x_o8 with client principal admin at CYBERFUEL.COM for server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM
>> [18097] 1461937028.676470: Retrieving admin at CYBERFUEL.COM -> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not found
>> [18097] 1461937028.676534: Read AP-REP, time 1461937028.669328, subkey aes256-cts/26C4, seqnum 864174069
>>
>> -----------------------------------
>>
>>
>> Regards
>>
>> Jose Alvarez
>>
>>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcritten at redhat.com]
>> Sent: Friday, 29 April 2016 09:34 a.m.
>> To: Jose Alvarez R. ; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
>>
>> Jose Alvarez R. wrote:
>>> Hi Users
>>>
>>> Can you help me?
>>>
>>> I have a problem joining a client to my FreeIPA server. The IPA server
>>> version is 3.0 and the IPA client is 3.0.
>>>
>>> When I join my client to the IPA server it shows these errors:
>>>
>>> [root at ppa ~]# tail -f /var/log/ipaclient-install.log
>>>
>>> 2016-04-28T17:26:41Z DEBUG stderr=
>>> 2016-04-28T17:26:41Z DEBUG trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
>>> 2016-04-28T17:26:41Z DEBUG Existing CA cert and Retrieved CA cert are identical
>>> 2016-04-28T17:26:41Z DEBUG args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b dc=cyberfuel,dc=com
>>> 2016-04-28T17:26:41Z DEBUG stdout=
>>> 2016-04-28T17:26:41Z DEBUG stderr=HTTP response code is 401, not 200
>>> 2016-04-28T17:26:41Z ERROR Joining realm failed: HTTP response code is 401, not 200
>>> 2016-04-28T17:26:41Z ERROR Installation failed. Rolling back changes.
>>> 2016-04-28T17:26:41Z ERROR IPA client is not configured on this system.
>>
>> I'd look in the 389-ds access and error logs on the IPA server to see
>> if there are any more details. Look for the BIND from the client and
>> see what happens.
>>
>> More context from the log file might be helpful. I believe if you run
>> the client installer with --debug then additional flags are passed to
>> ipa-join to include the XML-RPC conversation and that might be useful too.
>>
>> What account are you using to enroll with, admin?
>>
>> rob
>
>

From schogan at us.ibm.com Fri Apr 29 20:32:14 2016
From: schogan at us.ibm.com (Sean Hogan)
Date: Fri, 29 Apr 2016 13:32:14 -0700
Subject: [Freeipa-users] IPA vulnerability management SSL
In-Reply-To:
References: <201604270527.u3R5RvrE005517@d03av01.boulder.ibm.com> <6c44a1aa-b1d5-cd85-fc64-38b38d8a1e4b@redhat.com> <201604272324.u3RNOR6U009479@d01av01.pok.ibm.com> <2c9f4e2c-f86d-75a8-2f9f-c8f57284f7d6@redhat.com> <5721F34C.9010107@redhat.com> <5721F536.1000807@redhat.com> <57225110.1000708@redhat.com> <57237E09.5090603@redhat.com>
Message-ID: <201604292032.u3TKWLwg004213@d03av04.boulder.ibm.com>

Apparently making it the master CA will not work at this point since the
replica is removed. So still stuck with non-changing ciphers.

Sean Hogan

From: Sean Hogan/Durham/IBM
To: Rob Crittenden
Cc: freeipa-users at redhat.com, Noriko Hosoi
Date: 04/29/2016 08:56 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL

Hi Rob,

I stopped IPA, modified dse.ldif, restarted with the cipher list and it
started without issue; however, same 13 ciphers. You know.. thinking about
this now.. I am going to try something. The box I am testing on is a
replica master and not the first replica. I did not think this would make
a difference since I removed the replica from the realm before testing,
but maybe it will not change anything, thinking it's stuck in the old realm?

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-29 11:51 EDT
Nmap scan report for
Host is up (0.000082s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (13)
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|       SSL_RSA_FIPS_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA256
|       TLS_RSA_WITH_AES_128_GCM_SHA256
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|       TLS_RSA_WITH_DES_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|     Compressors (1)

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20150420131850Z
modifyTimestamp: 20150420131906Z
nsSSL3Ciphers: -rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5
 ,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_
 sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_r
 c4_56_sha,-tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1

Sean Hogan
Security Engineer
Watson Security & Risk Assurance
Watson Cloud Technology and Support
email: schogan at us.ibm.com | Tel 919 486 1397

From: Rob Crittenden
To: Sean Hogan/Durham/IBM at IBMUS, Noriko Hosoi
Cc: freeipa-users at redhat.com
Date: 04/29/2016 08:30 AM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL

Sean Hogan wrote:
> Hi Noriko,
>
> Thanks for the suggestions,
>
> I had to trim out the GCM ciphers in order to get IPA to start back up
> or I would get the unknown cipher message

The trick is getting the cipher name right (it doesn't always follow a
pattern) and explicitly disabling some ciphers as they are enabled by
default.
Try this string:

-rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha

I have an oldish install but I think it will still do what you need:
389-ds-base-1.2.11.15-68.el6_7.x86_64

Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-29 11:24 EDT
Nmap scan report for pacer.example.com (192.168.126.2)
Host is up (0.00053s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

$ sslscan pacer.example.com:636 |grep Accept
Accepted  TLSv1  256 bits  AES256-SHA
Accepted  TLSv1  128 bits  AES128-SHA
Accepted  TLSv1  112 bits  DES-CBC3-SHA
Accepted  TLS11  256 bits  AES256-SHA
Accepted  TLS11  128 bits  AES128-SHA
Accepted  TLS11  112 bits  DES-CBC3-SHA
Accepted  TLS12  256 bits  AES256-SHA256
Accepted  TLS12  256 bits  AES256-SHA
Accepted  TLS12  128 bits  AES128-GCM-SHA256
Accepted  TLS12  128 bits  AES128-SHA256
Accepted  TLS12  128 bits  AES128-SHA
Accepted  TLS12  112 bits  DES-CBC3-SHA

rob

>
> Nmap is still showing the same 13 ciphers as before though like nothing
> had changed and I did ipactl stop, made modification, ipactl start
>
> Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-28 18:44 EDT
> Nmap scan report for
> Host is up (0.000053s latency).
> PORT    STATE SERVICE
> 636/tcp open  ldapssl
> | ssl-enum-ciphers:
> |   TLSv1.2
> |     Ciphers (13)
> |       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
> |       SSL_RSA_FIPS_WITH_DES_CBC_SHA
> |       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
> |       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
> |       TLS_RSA_WITH_3DES_EDE_CBC_SHA
> |       TLS_RSA_WITH_AES_128_CBC_SHA
> |       TLS_RSA_WITH_AES_128_CBC_SHA256
> |       TLS_RSA_WITH_AES_128_GCM_SHA256
> |       TLS_RSA_WITH_AES_256_CBC_SHA
> |       TLS_RSA_WITH_AES_256_CBC_SHA256
> |       TLS_RSA_WITH_DES_CBC_SHA
> |       TLS_RSA_WITH_RC4_128_MD5
> |       TLS_RSA_WITH_RC4_128_SHA
> |     Compressors (1)
> |_      uncompressed
>
> Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
>
> Current Config:
>
> dse.ldif
> dn: cn=encryption,cn=config
> objectClass: top
> objectClass: nsEncryptionConfig
> cn: encryption
> nsSSLSessionTimeout: 0
> nsSSLClientAuth: allowed
> nsSSL2: off
> nsSSL3: off
> creatorsName: cn=server,cn=plugins,cn=config
> modifiersName: cn=directory manager
> createTimestamp: 20150420131850Z
> modifyTimestamp: 20150420131906Z
> nsSSL3Ciphers: -rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_
>  rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,+tls_rsa_aes_128_sha
>  ,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_
>  aes_256_sha,+rsa_aes_256_sha
> numSubordinates: 1
>
>
> nss.conf
> # SSL 3 ciphers. SSL 2 is disabled by default.
> NSSCipherSuite -rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_rsa_aes_128_gcm_sha,+tls_dhe_rsa_aes_128_gcm_sha,+tls_dhe_dss_aes_128_gcm_sha
>
> NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>
>
> Does nss.conf have anything to do with the dir srv ciphers?
> I know the 389 docs say they are tied together, so the way I have been
> looking at it is nss.conf lists the allowed ciphers where dse.ldif lists
> which ones to use for 389 from nss.conf. Is that correct? Is there any
> other place where ciphers would be ignored?
>
> nss-3.19.1-8.el6_7.x86_64
> sssd-ipa-1.12.4-47.el6_7.4.x86_64
> ipa-client-3.0.0-47.el6_7.1.x86_64
> ipa-server-selinux-3.0.0-47.el6_7.1.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-python-3.0.0-47.el6_7.1.x86_64
> ipa-server-3.0.0-47.el6_7.1.x86_64
> libipa_hbac-python-1.12.4-47.el6_7.4.x86_64
> ipa-admintools-3.0.0-47.el6_7.1.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> 389-ds-base-1.2.11.15-68.el6_7.x86_64
> 389-ds-base-libs-1.2.11.15-68.el6_7.x86_64
>
>
> I need to get rid of any rc4s
>
> Sean Hogan
> Security Engineer
> Watson Security & Risk Assurance
> Watson Cloud Technology and Support
> email: schogan at us.ibm.com | Tel 919 486 1397
>
>
> From: Noriko Hosoi
> To: Ludwig Krispenz , freeipa-users at redhat.com
> Date: 04/28/2016 12:08 PM
> Subject: Re: [Freeipa-users] IPA vulnerability management SSL
> Sent by: freeipa-users-bounces at redhat.com
>
> ------------------------------------------------------------------------
>
>
> Thank you for including me in the loop, Ludwig.
>
> On 04/28/2016 04:34 AM, Ludwig Krispenz wrote:
>
> If I remember correctly we did the change in default ciphers and the
> option for handling in 389-ds > 1.3.3, so it would not be in RHEL6,
> adding Noriko to get confirmation.
>
> Ludwig is right. The way to set nsSSL3Ciphers has changed since 1.3.3,
> which is available on RHEL-7.
>
> This is one of the newly supported values of nsSSL3Ciphers:
>
> Notes: if the value contains +all, then -* is removed from the list.
> http://www.port389.org/docs/389ds/design/nss-cipher-design.html#available-by-setting-all----nss-3162-1
>
> On the older 389-ds-base including 389-ds-base-1.2.11.X on RHEL-6.X, if
> "+all" is found in the value, all the available ciphers are enabled.
>
> To work around it, could you try explicitly setting ciphers as follows?
> nsSSL3Ciphers:
> -rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,
> +tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,
> +tls_rsa_aes_128_gcm_sha,+tls_dhe_rsa_aes_128_gcm_sha,+tls_dhe_dss_aes_128_gcm_sha
>
> Thanks,
> --noriko
>
> On 04/28/2016 04:34 AM, Ludwig Krispenz wrote:
>
> wanted to add Noriko, but hit send too quickly
>
> On 04/28/2016 01:26 PM, Ludwig Krispenz wrote:
>
> On 04/28/2016 12:06 PM, Martin Kosek wrote:
> On 04/28/2016 01:23 AM, Sean Hogan wrote:
> Hi Martin,
>
> No joy on placing - in front of the RC4s
>
>
> I modified my nss.conf to now read
> # SSL 3 ciphers. SSL 2 is disabled by default.
> NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha
>
>
> # SSL Protocol:
> # Cryptographic protocols that provide communication security.
> # NSS handles the specified protocols as "ranges", and automatically
> # negotiates the use of the strongest protocol for a connection starting
> # with the maximum specified protocol and downgrading as necessary to the
> # minimum specified protocol that can be used between two processes.
> # Since all protocol ranges are completely inclusive, and no protocol in the
> NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>
> dse.ldif
>
> dn: cn=encryption,cn=config
> objectClass: top
> objectClass: nsEncryptionConfig
> cn: encryption
> nsSSLSessionTimeout: 0
> nsSSLClientAuth: allowed
> nsSSL2: off
> nsSSL3: off
> creatorsName: cn=server,cn=plugins,cn=config
> modifiersName: cn=directory manager
> createTimestamp: 20150420131850Z
> modifyTimestamp: 20150420131906Z
> nsSSL3Ciphers: +all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4
>  _56_sha,-tls_dhe_dss_1024_rc4_sha
> numSubordinates: 1
>
>
> But I still get this with nmap.. I thought the above would remove
> -tls_rsa_export1024_with_rc4_56_sha but still showing. Is it the fact
> that I am not offering -tls_rsa_export1024_with_rc4_56_sha? If so.. not
> really understanding where it is coming from except the +all from DS,
> but the - should be negating that?
>
> Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 17:37 EDT
> Nmap scan report for
> Host is up (0.000086s latency).
> PORT    STATE SERVICE
> 636/tcp open  ldapssl
> | ssl-enum-ciphers:
> |   TLSv1.2
> |     Ciphers (13)
> |       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
> |       SSL_RSA_FIPS_WITH_DES_CBC_SHA
> |       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
> |       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
> |       TLS_RSA_WITH_3DES_EDE_CBC_SHA
> |       TLS_RSA_WITH_AES_128_CBC_SHA
> |       TLS_RSA_WITH_AES_128_CBC_SHA256
> |       TLS_RSA_WITH_AES_128_GCM_SHA256
> |       TLS_RSA_WITH_AES_256_CBC_SHA
> |       TLS_RSA_WITH_AES_256_CBC_SHA256
> |       TLS_RSA_WITH_DES_CBC_SHA
> |       TLS_RSA_WITH_RC4_128_MD5
> |       TLS_RSA_WITH_RC4_128_SHA
> |     Compressors (1)
> |_      uncompressed
>
> Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
>
>
> It seems no matter what config I put into nss.conf or dse.ldif nothing
> changes with my nmap results.
> Is there supposed to be a section to add TLS ciphers instead of SSL?
>
> Not sure now, CCing Ludwig who was involved in the original RHEL-6
> implementation.
>
> If I remember correctly we did the change in default ciphers and the
> option for handling in 389-ds > 1.3.3, so it would not be in RHEL6,
> adding Noriko to get confirmation.
>
> but the below comments about changing ciphers in dse.ldif could help in
> using the "old" way to set ciphers
>
> Just to be sure, when you are modifying dse.ldif, the procedure should
> always be the following:
>
> 1) Stop Directory Server service
> 2) Modify dse.ldif
> 3) Start Directory Server service
>
> Otherwise it won't get applied and will get overwritten later.
>
> In any case, the ciphers with RHEL-6 should be secure enough, the ones in
> FreeIPA 4.3.1 should be even better. This is for example an nmap taken on
> the FreeIPA Demo instance that runs on FreeIPA 4.3.1:
>
> $ nmap --script ssl-enum-ciphers -p 636 ipa.demo1.freeipa.org
>
> Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-28 12:02 CEST
> Nmap scan report for ipa.demo1.freeipa.org (209.132.178.99)
> Host is up (0.18s latency).
> PORT    STATE SERVICE
> 636/tcp open  ldapssl
> | ssl-enum-ciphers:
> |   TLSv1.2:
> |     ciphers:
> |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
> |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
> |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
> |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
> |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
> |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
> |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
> |     compressors:
> |       NULL
> |     cipher preference: server
> |_  least strength: A
>
> Nmap done: 1 IP address (1 host up) scanned in 21.12 seconds
>
> Martin
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
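The check the thread is doing by hand, as an added example that is not part of the thread and not FreeIPA's or 389-ds's own code: it parses an nsSSL3Ciphers value the way the thread describes it (on 389-ds-base 1.2.11 a "+all" entry enables every cipher and the "-" entries are not honoured; newer 389-ds still honours them), flags any RC4/RC2/DES/export/MD5/NULL suite that a string explicitly enables, and then classifies the suites an nmap ssl-enum-ciphers scan reports so the result of a dse.ldif change can be verified. The sample cipher strings and scan listings are copied from the messages above; which suites count as weak is this example's own assumption, and the two 3DES suites are reported separately because Rob's scan grades them C rather than rejecting them.

```python
"""Check a 389-ds cipher setting and verify it against an nmap scan.

Added example, not code from the thread, FreeIPA or 389-ds. It models the
behaviour the thread describes: on 389-ds-base 1.2.11 (RHEL 6) a "+all" in
nsSSL3Ciphers enables every cipher regardless of the "-" entries. Scan
samples are copied from the thread; the weak-suite list is this example's.
"""
import re

# RC4, RC2, single DES, export grades, MD5 MACs and NULL ciphers.
# "(?<!3)des" matches DES but leaves 3DES to the legacy bucket below.
WEAK_RE = re.compile(r"rc4|rc2|export|md5|null|(?<!3)des")
NMAP_SUITE_RE = re.compile(r"\b((?:TLS|SSL)_[A-Z0-9_]+)")
ALL_FINDING = ('"+all" present: this 389-ds version enables every cipher '
               'and ignores the "-" entries; list the ciphers explicitly')


def parse_cipher_string(value):
    """Split an nsSSL3Ciphers/NSSCipherSuite value into (enabled, disabled, has_all)."""
    enabled, disabled, has_all = [], [], False
    # LDIF wraps long values onto continuation lines: drop all whitespace first.
    for tok in re.sub(r"\s+", "", value).split(","):
        if not tok:
            continue
        sign, name = tok[0], tok[1:].lower()
        if sign not in "+-" or not name:
            raise ValueError("cipher token without +/- prefix: %r" % tok)
        if name == "all":
            has_all = True
        elif sign == "+":
            enabled.append(name)
        else:
            disabled.append(name)
    return enabled, disabled, has_all


def audit_cipher_string(value, legacy_389ds):
    """Return findings for a cipher string; legacy_389ds models the 1.2.11 "+all" rule."""
    enabled, _disabled, has_all = parse_cipher_string(value)
    findings = []
    if has_all and legacy_389ds:
        findings.append(ALL_FINDING)
    findings.extend("weak cipher explicitly enabled: +" + n
                    for n in enabled if WEAK_RE.search(n))
    return findings


def parse_nmap_ciphers(report):
    """Extract suite names from 'nmap --script ssl-enum-ciphers' output."""
    return NMAP_SUITE_RE.findall(report)


def classify_suites(names):
    """Bucket suite names into weak / legacy_3des / ok."""
    buckets = {"weak": [], "legacy_3des": [], "ok": []}
    for name in names:
        lname = name.lower()
        if WEAK_RE.search(lname):
            buckets["weak"].append(name)
        elif "3des" in lname:
            buckets["legacy_3des"].append(name)
        else:
            buckets["ok"].append(name)
    return buckets


# Sample inputs copied from the thread: Sean's "+all" setting, Rob's explicit
# setting (LDIF-wrapped as 389-ds writes it), and the before/after scans.
SEAN_PLUS_ALL = ("+all,-rsa_null_sha,-rsa_rc4_56_sha,"
                 "-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha")
ROB_EXPLICIT = """-rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5
 ,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_
 sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_r
 c4_56_sha,-tls_rsa_export1024_with_des_cbc_sha"""
SCAN_BEFORE = """\
|     Ciphers (13)
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|       SSL_RSA_FIPS_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA256
|       TLS_RSA_WITH_AES_128_GCM_SHA256
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|       TLS_RSA_WITH_DES_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
"""
SCAN_AFTER = """\
|     ciphers:
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
"""

if __name__ == "__main__":
    for label, value in (("+all", SEAN_PLUS_ALL), ("explicit", ROB_EXPLICIT)):
        print(label, "on 1.2.11:", audit_cipher_string(value, True) or "ok")
    for label, scan in (("before", SCAN_BEFORE), ("after", SCAN_AFTER)):
        print(label, classify_suites(parse_nmap_ciphers(scan)))
```

Run as-is it reports Sean's "+all" string as unsafe on 1.2.11 and Rob's explicit string as clean, and reduces the 13-suite scan to five AES suites plus two 3DES suites with nothing in the weak bucket. To repeat the check after editing dse.ldif, feed the new nsSSL3Ciphers value to audit_cipher_string and the fresh nmap output to parse_nmap_ciphers.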
From rcritten at redhat.com Fri Apr 29 20:35:53 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 29 Apr 2016 16:35:53 -0400
Subject: [Freeipa-users] IPA vulnerability management SSL
In-Reply-To: <201604292025.u3TKPbqC002081@d01av05.pok.ibm.com>
References: <201604270527.u3R5RvrE005517@d03av01.boulder.ibm.com>
 <6c44a1aa-b1d5-cd85-fc64-38b38d8a1e4b@redhat.com>
 <201604272324.u3RNOR6U009479@d01av01.pok.ibm.com>
 <2c9f4e2c-f86d-75a8-2f9f-c8f57284f7d6@redhat.com>
 <5721F34C.9010107@redhat.com> <5721F536.1000807@redhat.com>
 <57225110.1000708@redhat.com> <57237E09.5090603@redhat.com>
 <201604292025.u3TKPbqC002081@d01av05.pok.ibm.com>
Message-ID: <5723C5A9.6080607@redhat.com>

Sean Hogan wrote:
> Apparently making it the master ca will not work at this point since the
> replica is removed. So still stuck with non-changing ciphers.

Other services running on the box have zero impact on the ciphers available.

I'm not sure what is wrong because it took me just a minute to stop dirsrv,
modify dse.ldif with the list I provided, restart it and confirm that the
cipher list was better.

Entries in cn=config are not replicated.

rob

>
> Sean Hogan
>
> From: Sean Hogan/Durham/IBM
> To: Rob Crittenden
> Cc: freeipa-users at redhat.com, Noriko Hosoi
> Date: 04/29/2016 08:56 AM
> Subject: Re: [Freeipa-users] IPA vulnerability management SSL
>
> Hi Rob,
>
> I stopped IPA, modified dse.ldif, restarted with the cipher list and it
> started without issue however same 13 ciphers. You know.. thinking about
> this now.. I'm going to try something.
> The box I am testing on is a replica master and not the first replica. I
> did not think this would make a difference since I removed the replica
> from the realm before testing but maybe it will not change anything
> thinking it's stuck in the old realm?
>
> Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-29 11:51 EDT
> Nmap scan report for
> Host is up (0.000082s latency).
> PORT    STATE SERVICE
> 636/tcp open  ldapssl
> | ssl-enum-ciphers:
> |   TLSv1.2
> |     Ciphers (13)
> |       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
> |       SSL_RSA_FIPS_WITH_DES_CBC_SHA
> |       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
> |       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
> |       TLS_RSA_WITH_3DES_EDE_CBC_SHA
> |       TLS_RSA_WITH_AES_128_CBC_SHA
> |       TLS_RSA_WITH_AES_128_CBC_SHA256
> |       TLS_RSA_WITH_AES_128_GCM_SHA256
> |       TLS_RSA_WITH_AES_256_CBC_SHA
> |       TLS_RSA_WITH_AES_256_CBC_SHA256
> |       TLS_RSA_WITH_DES_CBC_SHA
> |       TLS_RSA_WITH_RC4_128_MD5
> |       TLS_RSA_WITH_RC4_128_SHA
> |     Compressors (1)
>
> dn: cn=encryption,cn=config
> objectClass: top
> objectClass: nsEncryptionConfig
> cn: encryption
> nsSSLSessionTimeout: 0
> nsSSLClientAuth: allowed
> nsSSL2: off
> nsSSL3: off
> creatorsName: cn=server,cn=plugins,cn=config
> modifiersName: cn=directory manager
> createTimestamp: 20150420131850Z
> modifyTimestamp: 20150420131906Z
> nsSSL3Ciphers: -rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha
> numSubordinates: 1
>
> Sean Hogan
> Security Engineer
> Watson Security & Risk Assurance
> Watson Cloud Technology and Support
> email: schogan at us.ibm.com | Tel 919 486 1397
>
> From: Rob Crittenden
> To: Sean Hogan/Durham/IBM at IBMUS, Noriko Hosoi
> Cc: freeipa-users at redhat.com
> Date: 04/29/2016 08:30 AM
> Subject: Re: [Freeipa-users] IPA vulnerability management SSL
>
> Sean Hogan wrote:
> > Hi Noriko,
> >
> > Thanks for the suggestions,
> >
> > I had to trim out the GCM ciphers in order to get IPA to start back up
> > or I would get the unknown cipher message
>
> The trick is getting the cipher name right (it doesn't always follow a
> pattern) and explicitly disabling some ciphers as they are enabled by
> default.
>
> Try this string:
>
> -rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha
>
> I have an oldish install but I think it will still do what you need:
> 389-ds-base-1.2.11.15-68.el6_7.x86_64
>
> Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-29 11:24 EDT
> Nmap scan report for pacer.example.com (192.168.126.2)
> Host is up (0.00053s latency).
> PORT    STATE SERVICE
> 636/tcp open  ldapssl
> | ssl-enum-ciphers:
> |   TLSv1.2:
> |     ciphers:
> |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
> |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
> |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
> |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
> |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
> |       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
> |       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
> |     compressors:
> |       NULL
> |     cipher preference: server
> |_  least strength: C
>
> Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
>
> $ sslscan pacer.example.com:636 |grep Accept
>     Accepted  TLSv1  256 bits  AES256-SHA
>     Accepted  TLSv1  128 bits  AES128-SHA
>     Accepted  TLSv1  112 bits  DES-CBC3-SHA
>     Accepted  TLS11  256 bits  AES256-SHA
>     Accepted  TLS11  128 bits  AES128-SHA
>     Accepted  TLS11  112 bits  DES-CBC3-SHA
>     Accepted  TLS12  256 bits  AES256-SHA256
>     Accepted  TLS12  256 bits  AES256-SHA
>     Accepted  TLS12  128 bits  AES128-GCM-SHA256
>     Accepted  TLS12  128 bits  AES128-SHA256
>     Accepted  TLS12  128 bits  AES128-SHA
>     Accepted  TLS12  112 bits  DES-CBC3-SHA
>
> rob
>
> > Nmap is still showing the same 13 ciphers as before though like nothing
> > had changed and I did ipactl stop, made modification, ipactl start
> >
> > Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-28 18:44 EDT
> > Nmap scan report for
> > Host is up (0.000053s latency).
> > PORT    STATE SERVICE
> > 636/tcp open  ldapssl
> > | ssl-enum-ciphers:
> > |   TLSv1.2
> > |     Ciphers (13)
> > |       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
> > |       SSL_RSA_FIPS_WITH_DES_CBC_SHA
> > |       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
> > |       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
> > |       TLS_RSA_WITH_3DES_EDE_CBC_SHA
> > |       TLS_RSA_WITH_AES_128_CBC_SHA
> > |       TLS_RSA_WITH_AES_128_CBC_SHA256
> > |       TLS_RSA_WITH_AES_128_GCM_SHA256
> > |       TLS_RSA_WITH_AES_256_CBC_SHA
> > |       TLS_RSA_WITH_AES_256_CBC_SHA256
> > |       TLS_RSA_WITH_DES_CBC_SHA
> > |       TLS_RSA_WITH_RC4_128_MD5
> > |       TLS_RSA_WITH_RC4_128_SHA
> > |     Compressors (1)
> > |_      uncompressed
> >
> > Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
> >
> > Current Config:
> >
> > dse.ldif
> > dn: cn=encryption,cn=config
> > objectClass: top
> > objectClass: nsEncryptionConfig
> > cn: encryption
> > nsSSLSessionTimeout: 0
> > nsSSLClientAuth: allowed
> > nsSSL2: off
> > nsSSL3: off
> > creatorsName: cn=server,cn=plugins,cn=config
> > modifiersName: cn=directory manager
> > createTimestamp: 20150420131850Z
> > modifyTimestamp: 20150420131906Z
> > nsSSL3Ciphers: -rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha
> > numSubordinates: 1
> >
> > nss.conf
> > # SSL 3 ciphers. SSL 2 is disabled by default.
> > NSSCipherSuite -rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_rsa_aes_128_gcm_sha,+tls_dhe_rsa_aes_128_gcm_sha,+tls_dhe_dss_aes_128_gcm_sha
> >
> > NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
> >
> > Does nss.conf have anything to do with the dir srv ciphers?
> > I know the 389 docs say they are tied together so the way I have been
> > looking at it is nss.conf lists the allowed ciphers where dse.ldif lists
> > which ones to use for 389 from nss.conf. Is that correct? Is there any
> > other place where ciphers would be ignored?
> >
> > nss-3.19.1-8.el6_7.x86_64
> > sssd-ipa-1.12.4-47.el6_7.4.x86_64
> > ipa-client-3.0.0-47.el6_7.1.x86_64
> > ipa-server-selinux-3.0.0-47.el6_7.1.x86_64
> > ipa-pki-common-theme-9.0.3-7.el6.noarch
> > ipa-python-3.0.0-47.el6_7.1.x86_64
> > ipa-server-3.0.0-47.el6_7.1.x86_64
> > libipa_hbac-python-1.12.4-47.el6_7.4.x86_64
> > ipa-admintools-3.0.0-47.el6_7.1.x86_64
> > ipa-pki-ca-theme-9.0.3-7.el6.noarch
> > 389-ds-base-1.2.11.15-68.el6_7.x86_64
> > 389-ds-base-libs-1.2.11.15-68.el6_7.x86_64
> >
> > I need to get rid of any rc4s
> >
> > Sean Hogan
> > Security Engineer
> > Watson Security & Risk Assurance
> > Watson Cloud Technology and Support
> > email: schogan at us.ibm.com | Tel 919 486 1397
> >
> > From: Noriko Hosoi
> > To: Ludwig Krispenz, freeipa-users at redhat.com
> > Date: 04/28/2016 12:08 PM
> > Subject: Re: [Freeipa-users] IPA vulnerability management SSL
> > Sent by: freeipa-users-bounces at redhat.com
> >
> > Thank you for including me in the loop, Ludwig.
> >
> > On 04/28/2016 04:34 AM, Ludwig Krispenz wrote:
> > > If I remember correctly we did the change in default ciphers and the
> > > option for handling in 389-ds > 1.3.3, so it would not be in RHEL6,
> > > adding Noriko to get confirmation.
> >
> > Ludwig is right.
> > The way how to set nsSSL3Ciphers has been changed since 1.3.3 which is
> > available on RHEL-7.
> >
> > This is one of the newly supported values of nsSSL3Ciphers:
> >
> >   Notes: if the value contains +all, then "-" is removed from the list.
> >   http://www.port389.org/docs/389ds/design/nss-cipher-design.html#available-by-setting-all----nss-3162-1
> >
> > On the older 389-ds-base including 389-ds-base-1.2.11.X on RHEL-6.X, if
> > "+all" is found in the value, all the available ciphers are enabled.
> >
> > To work around it, could you try explicitly setting ciphers as follows?
> > nsSSL3Ciphers: -rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,
> > +tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,
> > +tls_rsa_aes_128_gcm_sha,+tls_dhe_rsa_aes_128_gcm_sha,+tls_dhe_dss_aes_128_gcm_sha
> >
> > Thanks,
> > --noriko
> >
> > On 04/28/2016 04:34 AM, Ludwig Krispenz wrote:
> >
> > wanted to add Noriko, but hit send too quickly
> >
> > On 04/28/2016 01:26 PM, Ludwig Krispenz wrote:
> >
> > On 04/28/2016 12:06 PM, Martin Kosek wrote:
> > On 04/28/2016 01:23 AM, Sean Hogan wrote:
> > Hi Martin,
> >
> > No joy on placing - in front of the RC4s
> >
> > I modified my nss.conf to now read
> > # SSL 3 ciphers. SSL 2 is disabled by default.
> > NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha
> >
> > # SSL Protocol:
> > # Cryptographic protocols that provide communication security.
> > # NSS handles the specified protocols as "ranges", and automatically
> > # negotiates the use of the strongest protocol for a connection starting
> > # with the maximum specified protocol and downgrading as necessary to the
> > # minimum specified protocol that can be used between two processes.
> > # Since all protocol ranges are completely inclusive, and no protocol in the
> > NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
> >
> > dse.ldif
> >
> > dn: cn=encryption,cn=config
> > objectClass: top
> > objectClass: nsEncryptionConfig
> > cn: encryption
> > nsSSLSessionTimeout: 0
> > nsSSLClientAuth: allowed
> > nsSSL2: off
> > nsSSL3: off
> > creatorsName: cn=server,cn=plugins,cn=config
> > modifiersName: cn=directory manager
> > createTimestamp: 20150420131850Z
> > modifyTimestamp: 20150420131906Z
> > nsSSL3Ciphers: +all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha
> > numSubordinates: 1
> >
> > But I still get this with nmap.. I thought the above would remove
> > -tls_rsa_export1024_with_rc4_56_sha but still showing. Is it the fact
> > that I am not offering -tls_rsa_export1024_with_rc4_56_sha? If so.. not
> > really understanding where it is coming from cept the +all from DS but
> > the - should be negating that?
> >
> > Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 17:37 EDT
> > Nmap scan report for
> > Host is up (0.000086s latency).
> > PORT    STATE SERVICE
> > 636/tcp open  ldapssl
> > | ssl-enum-ciphers:
> > |   TLSv1.2
> > |     Ciphers (13)
> > |       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
> > |       SSL_RSA_FIPS_WITH_DES_CBC_SHA
> > |       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
> > |       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
> > |       TLS_RSA_WITH_3DES_EDE_CBC_SHA
> > |       TLS_RSA_WITH_AES_128_CBC_SHA
> > |       TLS_RSA_WITH_AES_128_CBC_SHA256
> > |       TLS_RSA_WITH_AES_128_GCM_SHA256
> > |       TLS_RSA_WITH_AES_256_CBC_SHA
> > |       TLS_RSA_WITH_AES_256_CBC_SHA256
> > |       TLS_RSA_WITH_DES_CBC_SHA
> > |       TLS_RSA_WITH_RC4_128_MD5
> > |       TLS_RSA_WITH_RC4_128_SHA
> > |     Compressors (1)
> > |_      uncompressed
> >
> > Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
> >
> > It seems no matter what config I put into nss.conf or dse.ldif nothing
> > changes with my nmap results. Is there supposed to be a section to add
> > TLS ciphers instead of SSL
> >
> > Not sure now, CCing Ludwig who was involved in the original RHEL-6
> > implementation. If I remember correctly we did the change in default
> > ciphers and the option for handling in 389-ds > 1.3.3, so it would not
> > be in RHEL6, adding Noriko to get confirmation.
> >
> > but the below comments about changing ciphers in dse.ldif could help in
> > using the "old" way to set ciphers
> >
> > Just to be sure, when you are modifying dse.ldif, the procedure should
> > always be the following:
> >
> > 1) Stop Directory Server service
> > 2) Modify dse.ldif
> > 3) Start Directory Server service
> >
> > Otherwise it won't get applied and will get overwritten later.
> >
> > In any case, the ciphers with RHEL-6 should be secure enough, the ones
> > in FreeIPA 4.3.1 should be even better.
> > This is for example an nmap taken on FreeIPA Demo instance that runs on
> > FreeIPA 4.3.1:
> >
> > $ nmap --script ssl-enum-ciphers -p 636 ipa.demo1.freeipa.org
> >
> > Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-28 12:02 CEST
> > Nmap scan report for ipa.demo1.freeipa.org (209.132.178.99)
> > Host is up (0.18s latency).
> > PORT    STATE SERVICE
> > 636/tcp open  ldapssl
> > | ssl-enum-ciphers:
> > |   TLSv1.2:
> > |     ciphers:
> > |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> > |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
> > |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
> > |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
> > |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
> > |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> > |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
> > |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
> > |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
> > |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
> > |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
> > |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
> > |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
> > |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
> > |     compressors:
> > |       NULL
> > |     cipher preference: server
> > |_  least strength: A
> >
> > Nmap done: 1 IP address (1 host up) scanned in 21.12 seconds
> >
> > Martin
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project

From schogan at us.ibm.com Fri Apr 29 20:49:12 2016
From: schogan at us.ibm.com (Sean Hogan)
Date: Fri, 29 Apr 2016 13:49:12 -0700
Subject: [Freeipa-users] IPA vulnerability management SSL
In-Reply-To: <5723C5A9.6080607@redhat.com>
References: <201604270527.u3R5RvrE005517@d03av01.boulder.ibm.com>
 <6c44a1aa-b1d5-cd85-fc64-38b38d8a1e4b@redhat.com>
 <201604272324.u3RNOR6U009479@d01av01.pok.ibm.com>
 <2c9f4e2c-f86d-75a8-2f9f-c8f57284f7d6@redhat.com>
 <5721F34C.9010107@redhat.com> <5721F536.1000807@redhat.com>
 <57225110.1000708@redhat.com> <57237E09.5090603@redhat.com>
 <201604292025.u3TKPbqC002081@d01av05.pok.ibm.com>
 <5723C5A9.6080607@redhat.com>
Message-ID: <201604292042.u3TKganA017528@d01av05.pok.ibm.com>

Thanks Rob... appreciate the help.. can you send me what you have in
nss.conf, server.xml as well? If I start off playing with something you
see working without issue then maybe I can come up with something or am I
wrong thinking those might affect anything? IE.. can you send me the
entire cn=encryption,cn=config section like this

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
createTimestamp: 20150420131850Z
modifyTimestamp: 20150420131906Z
nsSSL3Ciphers: -rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1

Sean Hogan

From: Rob Crittenden
To: Sean Hogan/Durham/IBM at IBMUS
Cc: freeipa-users at redhat.com, Noriko Hosoi
Date: 04/29/2016 01:36 PM
Subject: Re: [Freeipa-users] IPA vulnerability management SSL

Sean Hogan wrote:
> Apparently making it the master ca will not work at this point since the
> replica is removed. So still stuck with non-changing ciphers.

Other services running on the box have zero impact on the ciphers available.

I'm not sure what is wrong because it took me just a minute to stop dirsrv,
modify dse.ldif with the list I provided, restart it and confirm that the
cipher list was better.

Entries in cn=config are not replicated.

rob

From anthony.wan.cheng at gmail.com Fri Apr 29 20:51:00 2016
From: anthony.wan.cheng at gmail.com (Anthony Cheng)
Date: Fri, 29 Apr 2016 20:51:00 +0000
Subject: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
In-Reply-To:
References: <1e4b516f-1532-0f55-034d-98f21833d53a@redhat.com>
Message-ID:

OK so I made progress on my cert renew issue; I was able to get kinit working so I can follow the rest of the steps here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)

However, after using ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password and restarting apache (/sbin/service httpd restart), resubmitting 3 certs (ipa-getcert resubmit -i ) and restarting IPA (/sbin/service ipa restart), I still see:

[root at test ~]# ipa-getcert list | more
Number of certificates and requests being tracked: 8.
Request ID '20111214223243':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=sample.NET
        subject: CN=test.sample.net,O=sample.NET
        expires: 2016-01-29 14:09:46 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20111214223300':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=sample.NET
        subject: CN=test.sample.net,O=sample.NET
        expires: 2016-01-29 14:09:45 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20111214223316':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=sample.NET
        subject: CN=test.sample.net,O=sample.NET
        expires: 2016-01-29 14:09:45 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

Here is other relevant output:

[root at test ~]# /sbin/service ipa restart
Restarting Directory Service
Shutting down dirsrv:
    PKI-IPA...                                  [  OK  ]
    sample-NET...                               [  OK  ]
Starting dirsrv:
    PKI-IPA...                                  [  OK  ]
    sample-NET...                               [  OK  ]
Restarting KDC Service
Stopping Kerberos 5 KDC:                        [  OK  ]
Starting Kerberos 5 KDC:                        [  OK  ]
Restarting KPASSWD Service
Stopping Kerberos 5 Admin Server:               [  OK  ]
Starting Kerberos 5 Admin Server:               [  OK  ]
Restarting DNS Service
Stopping named: .                               [  OK  ]
Starting named:                                 [  OK  ]
Restarting MEMCACHE Service
Stopping ipa_memcached:                         [  OK  ]
Starting ipa_memcached:                         [  OK  ]
Restarting HTTP Service
Stopping httpd:                                 [  OK  ]
Starting httpd:                                 [  OK  ]
Restarting CA Service
Stopping pki-ca:                                [  OK  ]
Starting pki-ca:                                [  OK  ]

[root at test ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: test at sample.NET

Valid starting     Expires            Service principal
01/28/16 14:05:01  01/29/16 14:05:01  krbtgt/sample.NET at sample.NET
01/28/16 14:08:48  01/29/16 14:05:01  HTTP/test.sample.net at sample.NET

[root at test ~]# ipa cert-show 1
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

[root at caer ~]# /sbin/service httpd restart
Stopping httpd:                                 [  OK  ]
Starting httpd:                                 [  OK  ]

Would really greatly appreciate any help on this.

Also I noticed that after I do ldapmodify of usercertificate binary data with

add: usercertificate;binary
usercertificate;binary: !@#$@!#$#@$

and then re-run ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca

I see 2 entries for usercertificate;binary (before the modify there was only 1) but they are duplicates and NOT from the data that I added. That seems incorrect to me.

On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng wrote:

> klist is actually empty; kinit admin fails. Sounds like then getcert resubmit has a dependency on kerberos. I can get a backup image that has a valid ticket but it is only good for 1 day (and dated past the cert expiry).
>
> Also I had asked awhile back about whether there is a dependency on DIRSRV to renew the cert; didn't get any response but I suspect there is a dependency.
>
> Regarding the clock skew, I found out from /var/log/messages that shows me this so it may be from named:
>
> Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew too great)
> Jan 28 14:10:42 test named[2911]: loading configuration: failure
> Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
> Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)
>
> I don't have a krb5cc_496 file (since klist is empty), so it sounds to me like I need to get a kerberos ticket before going any further. Also is the file /etc/krb5.keytab access/modification time important? I had changed the time back to before the cert expiration date, rebooted and tried to renew, but the error message about clock skew is still there. That seems strange.
>
> Lastly, as an absolute last resort, can I regenerate a new cert myself?
> https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html
>
> [root at test /]# klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> [root at test /]# service ipa start
> Starting Directory Service
> Starting dirsrv:
>     PKI-IPA...                                  [  OK  ]
>     sample-NET...                               [  OK  ]
> Starting KDC Service
> Starting Kerberos 5 KDC:                        [  OK  ]
> Starting KPASSWD Service
> Starting Kerberos 5 Admin Server:               [  OK  ]
> Starting DNS Service
> Starting named:                                 [FAILED]
> Failed to start DNS Service
> Shutting down
> Stopping Kerberos 5 KDC:                        [  OK  ]
> Stopping Kerberos 5 Admin Server:               [  OK  ]
> Stopping named:                                 [  OK  ]
> Stopping httpd:                                 [  OK  ]
> Stopping pki-ca:                                [  OK  ]
> Shutting down dirsrv:
>     PKI-IPA...                                  [  OK  ]
>     sample-NET...
>                                                 [  OK  ]
> Aborting ipactl
> [root at test /]# klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> [root at test /]# service ipa status
> Directory Service: STOPPED
> Failed to get list of services to probe status:
> Directory Server is stopped
>
> On Thu, Apr 28, 2016 at 3:21 AM David Kupka wrote:
>
>> On 27/04/16 21:54, Anthony Cheng wrote:
>> > Hi list,
>> >
>> > I am trying to renew expired certificates following the manual renewal procedure here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but even with resetting the system/hardware clock to a time before they expire, I am getting the error "ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great."
>> >
>> > With NTP disabled and the clock reset, why would it complain about clock skew, and how does it even know about the current time?
>> >
>> > [root at test certs]# getcert list
>> > Number of certificates and requests being tracked: 8.
>> > Request ID '20111214223243':
>> >         status: MONITORING
>> >         ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
>> >         stuck: no
>> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
>> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB'
>> >         CA: IPA
>> >         issuer: CN=Certificate Authority,O=sample.NET
>> >         subject: CN=test.sample.net,O=sample.NET
>> >         expires: 2016-01-29 14:09:46 UTC
>> >         eku: id-kp-serverAuth
>> >         pre-save command:
>> >         post-save command:
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20111214223300':
>> >         status: MONITORING
>> >         ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
>> >         stuck: no
>> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>> >         CA: IPA
>> >         issuer: CN=Certificate Authority,O=sample.NET
>> >         subject: CN=test.sample.net,O=sample.NET
>> >         expires: 2016-01-29 14:09:45 UTC
>> >         eku: id-kp-serverAuth
>> >         pre-save command:
>> >         post-save command:
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20111214223316':
>> >         status: MONITORING
>> >         ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
>> >         stuck: no
>> >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>> >         CA: IPA
>> >         issuer: CN=Certificate Authority,O=sample.NET
>> >         subject: CN=test.sample.net,O=sample.NET
>> >         expires: 2016-01-29 14:09:45 UTC
>> >         eku: id-kp-serverAuth
>> >         pre-save command:
>> >         post-save command:
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20130519130741':
>> >         status: NEED_CSR_GEN_PIN
>> >         ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
>> >         stuck: yes
>> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664
>> > '
>> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>> >         CA: dogtag-ipa-renew-agent
>> >         issuer: CN=Certificate Authority,O=sample.NET
>> >         subject: CN=CA Audit,O=sample.NET
>> >         expires: 2017-10-13 14:10:49 UTC
>> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20130519130742':
>> >         status: NEED_CSR_GEN_PIN
>> >         ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>> >         stuck: yes
>> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664
>> > '
>> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>> >         CA: dogtag-ipa-renew-agent
>> >         issuer: CN=Certificate Authority,O=sample.NET
>> >         subject: CN=OCSP Subsystem,O=sample.NET
>> >         expires: 2017-10-13 14:09:49 UTC
>> >         eku: id-kp-OCSPSigning
>> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20130519130743':
>> >         status: NEED_CSR_GEN_PIN
>> >         ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>> >         stuck: yes
>> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664
>> > '
>> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>> >         CA: dogtag-ipa-renew-agent
>> >         issuer: CN=Certificate Authority,O=sample.NET
>> >         subject: CN=CA Subsystem,O=sample.NET
>> >         expires: 2017-10-13 14:09:49 UTC
>> >         eku: id-kp-serverAuth,id-kp-clientAuth
>> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20130519130744':
>> >         status: MONITORING
>> >         ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
>> >         stuck: no
>> >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>> >         CA: dogtag-ipa-renew-agent
>> >         issuer: CN=Certificate Authority,O=sample.NET
>> >         subject: CN=RA Subsystem,O=sample.NET
>> >         expires: 2017-10-13 14:09:49 UTC
>> >         eku: id-kp-serverAuth,id-kp-clientAuth
>> >         pre-save command:
>> >         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20130519130745':
>> >         status: NEED_CSR_GEN_PIN
>> >         ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
>> >         stuck: yes
>> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664
>> > '
>> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>> >         CA: dogtag-ipa-renew-agent
>> >         issuer: CN=Certificate Authority,O=sample.NET
>> >         subject: CN=test.sample.net,O=sample.NET
>> >         expires: 2017-10-13 14:09:49 UTC
>> >         eku: id-kp-serverAuth,id-kp-clientAuth
>> >         pre-save command:
>> >         post-save command:
>> >         track: yes
>> >         auto-renew: yes
>> > --
>> >
>> > Thanks, Anthony
>> >
>>
>> Hello Anthony!
>>
>> After stopping NTP (or another time synchronizing service) and setting the time manually, the server really doesn't have a way to determine that its time differs from the real one.
>>
>> I think this might be an issue with the Kerberos ticket. You can show the content of root's ticket cache using klist. If there is anything, clean it with kdestroy and try to resubmit the request again.
>>
>> --
>> David Kupka
>>
> --
>
> Thanks, Anthony
>
--

Thanks, Anthony

From jalvarez at cyberfuel.com Fri Apr 29 20:53:16 2016
From: jalvarez at cyberfuel.com (Jose Alvarez R.)
Date: Fri, 29 Apr 2016 14:53:16 -0600
Subject: [Freeipa-users] HTTP response code is 401, not 200
In-Reply-To: <5723A5B1.8080109@redhat.com>
References: <04e201d1a219$7a6497f0$6f2dc7d0$@cyberfuel.com> <57237EFE.4010705@redhat.com> <06b701d1a238$a151b590$e3f520b0$@cyberfuel.com> <5723965F.20102@redhat.com> <06f901d1a241$c2770910$47651b30$@cyberfuel.com> <5723A5B1.8080109@redhat.com>
Message-ID: <076e01d1a259$276aba30$76402e90$@cyberfuel.com>

Hi, Rob

Thanks for your response. The link https://bugzilla.redhat.com/show_bug.cgi?id=719945 I do not have access to.
I tried to install xmlrpc-c-1.16.24-1210.1840.el6.src.rpm on the server PPA (Client IPA), but it still shows the same error. A moment ago I added another client server with the same xmlrpc version and it installed correctly.

Thanks

Regards.

[root at bk1 ~]# ipa-client-install --debug
/usr/sbin/ipa-client-install was invoked with options: {'domain': None, 'force': False, 'realm_name': None, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain': False, 'principal': None, 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True,nf_sudo': True, 'conf_ssh': True, 'force_join': False, 'ca_cert_file': None, 'server': None, 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd':
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=None, servers=None, hostname=bk1.cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (domain of the hostname) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNS record found: DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.cyberfuel.com.
DNS record found: DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data:CYBERFUEL.COM}
Search DNS for SRV record of _kerberos._udp.cyberfuel.com.
DNS record found: DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:88,weight:50,server:freeipa.cyberfuel.com.}
[LDAP server check]
Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA server
Init LDAP connection with: ldap://freeipa.cyberfuel.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=cyberfuel,dc=com' is for IPA
Naming context 'dc=cyberfuel,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=cyberfuel,dc=com (sub)
Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com
Discovery result: Success; server=freeipa.cyberfuel.com, domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, basedn=dc=cyberfuel,dc=com
Validated servers: freeipa.cyberfuel.com
will use discovered domain: cyberfuel.com
Start searching for LDAP SRV record in "cyberfuel.com" (Validating DNS Discovery) and its sub-domains
Search DNS for SRV record of _ldap._tcp.cyberfuel.com.
DNS record found: DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={priority:0,port:389,weight:50,server:freeipa.cyberfuel.com.}
DNS validated, enabling discovery
will use discovered server: freeipa.cyberfuel.com
Discovery was successful!
will use discovered realm: CYBERFUEL.COM
will use discovered basedn: dc=cyberfuel,dc=com
Hostname: bk1.cyberfuel.com
Hostname source: Machine's FQDN
Realm: CYBERFUEL.COM
Realm source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
DNS Domain: cyberfuel.com
DNS Domain source: Discovered LDAP SRV records from cyberfuel.com (domain of the hostname)
IPA Server: freeipa.cyberfuel.com
IPA Server source: Discovered from LDAP DNS records in freeipa.cyberfuel.com
BaseDN: dc=cyberfuel,dc=com
BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389

Continue to configure the system with these values? [no]: yes
args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r CYBERFUEL.COM
stdout=
stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory
User authorized to enroll computers: admin
will use principal provided as option: admin
Synchronizing time with KDC...
Search DNS for SRV record of _ntp._udp.cyberfuel.com.
No DNS record found
args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com
stdout=
stderr=
args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com
stdout=
stderr=
args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com
stdout=
stderr=
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Writing Kerberos configuration to /tmp/tmp5msIum:
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = CYBERFUEL.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0

[realms]
  CYBERFUEL.COM = {
    kdc = freeipa.cyberfuel.com:88
    master_kdc = freeipa.cyberfuel.com:88
    admin_server = freeipa.cyberfuel.com:749
    default_domain = cyberfuel.com
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .cyberfuel.com = CYBERFUEL.COM
  cyberfuel.com = CYBERFUEL.COM

Password for admin at CYBERFUEL.COM:
args=kinit admin at CYBERFUEL.COM
stdout=Password for admin at CYBERFUEL.COM:
stderr=
trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=CYBERFUEL.COM
    Issuer:      CN=Certificate Authority,O=CYBERFUEL.COM
    Valid From:  Wed Sep 30 17:46:50 2015 UTC
    Valid Until: Sun Sep 30 17:46:50 2035 UTC

args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b dc=cyberfuel,dc=com -d
stdout=
stderr=XML-RPC CALL:
    join
    bk1.cyberfuel.com
    nsosversion
    2.6.32-573.12.1.el6.x86_64
    nshardwareplatform
    x86_64
* About to connect() to freeipa.cyberfuel.com port 443 (#0)
*   Trying 192.168.20.90...
* Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/ipa/ca.crt
  CApath: none
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
*       subject: CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM
*       start date: Sep 30 17:52:11 2015 GMT
*       expire date: Sep 30 17:52:11 2017 GMT
*       common name: freeipa.cyberfuel.com
*       issuer: CN=Certificate Authority,O=CYBERFUEL.COM
> POST /ipa/xml HTTP/1.1
Host: freeipa.cyberfuel.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://freeipa.cyberfuel.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 478

< HTTP/1.1 401 Authorization Required
< Date: Fri, 29 Apr 2016 20:42:25 GMT
< Server: Apache/2.2.15 (CentOS)
< WWW-Authenticate: Negotiate
< Last-Modified: Tue, 12 Apr 2016 23:07:44 GMT
< ETag: "a0528-55a-53051ba8f7000"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
* Closing connection #0
* Issue another request to this URL: 'https://freeipa.cyberfuel.com:443/ipa/xml'
* About to connect() to freeipa.cyberfuel.com port 443 (#0)
*   Trying 192.168.20.90...
* Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0)
*   CAfile: /etc/ipa/ca.crt
  CApath: none
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
*       subject: CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM
*       start date: Sep 30 17:52:11 2015 GMT
*       expire date: Sep 30 17:52:11 2017 GMT
*       common name: freeipa.cyberfuel.com
*       issuer: CN=Certificate Authority,O=CYBERFUEL.COM
* Server auth using GSS-Negotiate with user ''
> POST /ipa/xml HTTP/1.1
Authorization: Negotiate [base64 SPNEGO token elided]
Host: freeipa.cyberfuel.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://freeipa.cyberfuel.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 478

< HTTP/1.1 200 Success
< Date: Fri, 29 Apr 2016 20:42:25 GMT
< Server: Apache/2.2.15 (CentOS)
* Added cookie ipa_session="4aeb2b4e2cfacb0691a94b71e2d0a0c9" for domain freeipa.cyberfuel.com, path /ipa, expire 1461963745
< Set-Cookie: ipa_session=4aeb2b4e2cfacb0691a94b71e2d0a0c9; Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:25 GMT; Secure; HttpOnly
< Connection: close
< Transfer-Encoding: chunked
< Content-Type: text/xml; charset=utf-8
<
* Expire cleared
* Closing connection #0
XML-RPC RESPONSE:
    fqdn=bk1.cyberfuel.com,cn=computers,cn=accounts,dc=cyberfuel,dc=com
    dn
    fqdn=bk1.cyberfuel.com,cn=computers,cn=accounts,dc=cyberfuel,dc=com
    ipacertificatesubjectbase
    O=CYBERFUEL.COM
    has_keytab
    0
    objectclass
    ipaobject
    nshost
    ipahost
    pkiuser
    ipaservice
    krbprincipalaux
    krbprincipal
    ieee802device
    ipasshhost
    top
    ipaSshGroupOfPubKeys
    fqdn
    bk1.cyberfuel.com
    has_password
    0
    ipauniqueid
    e1a08eb8-0e4a-11e6-8c5b-005056b027f1
    krbprincipalname
    host/bk1.cyberfuel.com at CYBERFUEL.COM
    managedby_host
    bk1.cyberfuel.com
Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=CYBERFUEL.COM
Enrolled in IPA realm CYBERFUEL.COM
args=kdestroy
stdout=
stderr=
Attempting to get host TGT...
args=/usr/bin/kinit -k -t /etc/krb5.keytab host/bk1.cyberfuel.com at CYBERFUEL.COM
stdout=
stderr=
Attempt 1/5 succeeded.
Backing up system configuration file '/etc/ipa/default.conf'
  -> Not backing up - '/etc/ipa/default.conf' doesn't exist
Created /etc/ipa/default.conf
importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py' importing plugin module 
'/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py' args=klist -V stdout=Kerberos 5 version 1.10.3 stderr= importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py' importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py' Backing up system configuration file '/etc/sssd/sssd.conf' -> Not backing up - '/etc/sssd/sssd.conf' doesn't exist New SSSD config will be created Backing up system configuration file '/etc/nsswitch.conf' Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' Configured sudoers in /etc/nsswitch.conf Configured /etc/sssd/sssd.conf args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt stdout= stderr= Backing up system configuration file '/etc/krb5.conf' Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' Writing Kerberos 
configuration to /etc/krb5.conf: #File modified by ipa-client-install includedir /var/lib/sss/pubconf/krb5.include.d/ [libdefaults] default_realm = CYBERFUEL.COM dns_lookup_realm = true dns_lookup_kdc = true rdns = false ticket_lifetime = 24h forwardable = yes udp_preference_limit = 0 [realms] CYBERFUEL.COM = { pkinit_anchors = FILE:/etc/ipa/ca.crt } [domain_realm] .cyberfuel.com = CYBERFUEL.COM cyberfuel.com = CYBERFUEL.COM Configured /etc/krb5.conf for IPA realm CYBERFUEL.COM args=keyctl search @s user ipa_session_cookie:host/bk1.cyberfuel.com at CYBERFUEL.COM stdout= stderr=keyctl_search: Required key not available args=keyctl search @s user ipa_session_cookie:host/bk1.cyberfuel.com at CYBERFUEL.COM stdout= stderr=keyctl_search: Required key not available failed to find session_cookie in persistent storage for principal 'host/bk1.cyberfuel.com at CYBERFUEL.COM' trying https://freeipa.cyberfuel.com/ipa/xml Created connection context.xmlclient raw: env(None, server=True) env(None, server=True, all=True) Forwarding 'env' to server u'https://freeipa.cyberfuel.com/ipa/xml' NSSConnection init freeipa.cyberfuel.com Connecting: 192.168.20.90:0 auth_certificate_callback: check_sig=True is_server=False Data: Version: 3 (0x2) Serial Number: 10 (0xa) Signature Algorithm: Algorithm: PKCS #1 SHA-256 With RSA Encryption Issuer: CN=Certificate Authority,O=CYBERFUEL.COM Validity: Not Before: Wed Sep 30 17:52:11 2015 UTC Not After: Sat Sep 30 17:52:11 2017 UTC Subject: CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM Subject Public Key Info: Public Key Algorithm: Algorithm: PKCS #1 RSA Encryption RSA Public Key: Modulus: ad:e7:d2:7f:c3:e1:91:0a:03:6d:5c:ba:54:14:3e:00: 0e:f9:e7:61:85:3c:4f:1b:8f:a8:fb:e4:b4:92:a3:7c: 7d:bb:06:b4:b8:43:8a:20:86:17:71:a2:a3:6a:a1:51: e5:89:44:0f:a1:43:67:3b:46:76:b0:81:9e:10:43:56: 86:9f:27:46:e1:5e:b3:d6:8c:17:73:e3:17:7d:e7:eb: a4:78:9c:7a:e8:6f:00:f8:36:d9:71:88:e1:90:bf:98: fa:40:0f:88:f4:2e:d8:a2:b3:a5:0c:5a:81:8b:2e:cf: 
22:f9:cb:6d:bf:85:7c:c9:7f:17:de:5d:d4:1a:2b:09: 5b:1b:99:11:22:3f:1e:49:5f:26:1a:25:2f:a4:50:2a: 8b:f2:3c:12:db:45:3f:f4:06:64:a2:30:5f:f4:a1:c9: 2c:8c:60:b5:c6:aa:25:2e:1e:31:c2:ad:2c:63:b0:a4: bb:2c:fc:f8:b6:f9:13:eb:09:bc:b0:c1:4c:06:06:09: 2f:f9:08:ba:7d:a4:0a:57:d1:8e:86:87:cb:f9:3a:58: 60:f9:34:e1:5b:34:d1:2f:8e:54:87:2a:74:9c:e2:d6: 83:4f:78:6b:59:1e:95:ec:67:6e:86:25:ad:f0:d3:6c: 96:9c:db:c3:e5:3f:e5:bc:f4:ff:55:55:18:a8:3e:5d Exponent: 65537 (0x10001) Signed Extensions: (5 total) Name: Certificate Authority Key Identifier Critical: False Key ID: 31:4f:83:e1:70:d7:ea:96:e5:1b:b1:c2:2c:d8:8a:a8: d1:87:fa:ff Serial Number: None General Names: [0 total] Name: Authority Information Access Critical: False Authority Information Access: [1 total] Info [1]: Method: PKIX Online Certificate Status Protocol Location: URI: http://freeipa.cyberfuel.com:80/ca/ocsp Name: Certificate Key Usage Critical: True Usages: Digital Signature Non-Repudiation Key Encipherment Data Encipherment Name: Extended Key Usage Critical: False Usages: TLS Web Server Authentication Certificate TLS Web Client Authentication Certificate Name: Certificate Subject Key ID Critical: False Data: 73:ed:ac:87:d3:0e:04:84:66:5c:1a:e1:10:8d:f8:e1: 89:b9:1e:70 Signature: Signature Algorithm: Algorithm: PKCS #1 SHA-256 With RSA Encryption Signature: 40:da:c2:6b:20:08:7c:4a:05:1a:e2:cc:49:7f:25:6c: 48:3a:73:3c:b6:ab:35:6c:1a:d9:78:15:60:48:0b:0e: c1:3c:bf:76:90:35:bf:67:b5:9d:88:1c:98:ce:3b:8a: f6:86:c7:f9:1e:7b:3c:cd:98:00:99:23:a4:06:4f:ed: 0f:ee:44:65:9d:db:b6:9d:cc:cf:cb:83:f8:7c:23:93: 2a:0b:40:bb:5b:31:c5:9e:ed:74:eb:c0:c9:cc:30:1e: 78:19:69:64:60:24:58:f5:a7:6f:3b:bb:f6:7c:72:5c: 1c:50:33:0f:df:49:b7:0a:cb:ac:3f:7b:4f:e7:42:e9: 3b:19:e0:15:a3:fe:e3:43:aa:23:69:d0:28:7a:64:b7: 19:e3:8a:a9:bc:48:3a:de:f7:c0:67:8b:02:e9:af:74: 49:33:5e:2f:21:0b:4c:f3:3d:63:ea:1e:2e:4d:e9:ed: af:ef:61:35:ad:86:2b:93:ab:b6:7d:45:ed:b1:9b:12: 57:fc:55:ef:42:46:01:63:b1:b9:84:e9:f4:46:fb:39: 
fa:1e:55:2e:20:32:c1:45:ad:ac:54:c9:e6:4e:ca:f1: fb:da:9a:b5:bc:8b:6c:43:86:4e:df:06:97:46:3e:9b: a2:a1:ff:41:6e:80:df:a7:bd:5d:96:2c:ba:e0:d2:56 Fingerprint (MD5): 09:ad:08:87:8b:64:04:0f:d2:6c:25:ac:b1:1e:e1:48 Fingerprint (SHA1): c9:a0:1f:6d:8e:f6:d9:9b:53:6e:6b:92:ea:7c:ae:79: ca:4d:09:98 approved_usage = SSL Server intended_usage = SSL Server cert valid True for "CN=freeipa.cyberfuel.com,O=CYBERFUEL.COM" handshake complete, peer = 192.168.20.90:443 Protocol: TLS1.2 Cipher: TLS_RSA_WITH_AES_256_CBC_SHA received Set-Cookie 'ipa_session=356b209ee6e852ebb3124bbc6ca112cd; Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:30 GMT; Secure; HttpOnly' storing cookie 'ipa_session=356b209ee6e852ebb3124bbc6ca112cd; Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:30 GMT; Secure; HttpOnly' for prin args=keyctl search @s user ipa_session_cookie:host/bk1.cyberfuel.com at CYBERFUEL.COM stdout= stderr=keyctl_search: Required key not available args=keyctl search @s user ipa_session_cookie:host/bk1.cyberfuel.com at CYBERFUEL.COM stdout= stderr=keyctl_search: Required key not available args=keyctl padd user ipa_session_cookie:host/bk1.cyberfuel.com at CYBERFUEL.COM @s stdout=640092261 stderr= Hostname (bk1.cyberfuel.com) not found in DNS Writing nsupdate commands to /etc/ipa/.dns_update.txt: zone cyberfuel.com. update delete bk1.cyberfuel.com. IN A send update add bk1.cyberfuel.com. 1200 IN A 192.168.20.13 send args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt stdout= stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server DNS/ns1.cyberfuel.com at CYBERFUEL.COM no nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1 Failed to update DNS records. args=/sbin/service messagebus start stdout=Starting system message bus: [ OK ] stderr= args=/sbin/service messagebus status stdout=messagebus (pid 41820) is running... 
stderr= args=/sbin/service certmonger restart stdout=Stopping certmonger: [FAILED] Starting certmonger: [ OK ] stderr= args=/sbin/service certmonger status stdout=certmonger (pid 41859) is running... stderr= args=/sbin/service certmonger restart stdout=Stopping certmonger: [ OK ] Starting certmonger: [ OK ] stderr= args=/sbin/service certmonger status stdout=certmonger (pid 41927) is running... stderr= args=/sbin/chkconfig certmonger on stdout= stderr= args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate - bk1.cyberfuel.com -N CN=bk1.cyberfuel.com,O=CYBERFUEL.COM -K host/bk1.cyberfuel.com at CYBERFUEL.CO stdout=New signing request "20160429204235" added. stderr= Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub raw: host_mod(u'bk1.cyberfuel.com', ipasshpubkey=[u'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA071MP58tqZXKpba7ndVtIqtgZmGNxm/PJz/eqf7w9SNewATA xmV14vUYyyohaIWBBi87sXwqcNsWBUWAcg2ezfKfKYqc3YPqaNq2poRL3+vhpNnHDBdfh2NzqdId slZEMt2H+v/0g3G52ycOoRCfhwbGasV+ZCxLGyCPnYTAb7gvpms+/JNf1FWjQpTHt+dZ8CtCcfvL ctY5pjdxT4kQTtK8kyyGwlXH/Oh4qisMsS57/1a1HEED7xczbIHF/YHF7u08WBbFe0Y40QA5gfa7 /hhu+JoblQBH55iKzR8l8RfZXt1Vcam2pr2nj/w0oYxyB+JkO0CuR/mWu93aLRkxFxtwEoUUiWMm M3mXs1gsTFKClFnTbOzwg8QyFlCj+An4GrzrsbAA/rfLvb+VmwOS/BccDZfAAAAFShUVZUinN/bv 4/xv1ejRLk62VxtHxw1z+w/JLc0WbTtIj4cB4nE03et3id5ZT6yDz5XKduyhAeCYPGXepmWXqSxb 2N/Ia5OZbEfwNcEivzWdeRzxnk+W8OErBuOkRcCYmT1aIFGmIAAACANrKXEgH6qjJZdpFM3CFIBt mZY3RF1adYeI7i8daJxkwxPv55idHkphc4aDX4lUPzvcw+r5jtE+rm4huv03qlTKy+/0HlTyIRJv wfpc='], updatedns=False) host_mod(u'bk1.cyberfuel.com', random=False, ipasshpubkey=(u'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA071MP58tqZXKpba7ndVtIqtgZmGNxm/PJz/eqf7w9SNewATA xmV14vUYyyohaIWBBi87sXwlVqxX+L95cg2ezfKfKYqc3YPqaNq2poRL3+vhpNnHDBdfh2NzqdId slZEMt2H+v/0g3G52ycOoRCfhwbGasV+ZCxLGyCPnYTAb7gvpms+/JNf1FWjQpTHt+dZ8CtCcfvL ctY5pjdxT4kQTtK8kyyGwlXH/Oh4qisMsS57/1aAN359BmDxbIHF/YHF7u08WBbFe0Y40QA5gfa7 
/hhu+JoblQBH55iKzR8l8RfZXt1Vcam2pr2nj/w0oYxyB+JkO0CuR/mWu93aLRkxFxtwEoUUiWMm M3mXs1gsTFKClFnTbOzwg8QyFlCj+An4GrzrsbAA/rfLvb+VmwOS/BcXJiFI6Ub3ShUVZUinN/bv 4/xv1ejRLk62VxtHxw1z+w/JLc0WbTtIj4cB4nE03et3id5ZT6yDz5XKduyhAeCYPGXepmWXqSxb 2N/Ia5OZbEfwNcEivzWdeRzxnk+W8OErBuOkRcCYmT1aIFGmIAAACANrKXEgH6qjJZdpFM3mdAXb 7imVRF1adYeI7i8daJxkwxPv55idHkphc4aDX4lUPzvcw+r5jtE+rm4huv03qlTKy+/0HlTyIRJv wfpc='), rights=False, updatedns=False, all=False, raw=False, no_members=False) Forwarding 'host_mod' to server u'https://freeipa.cyberfuel.com/ipa/xml' NSSConnection init freeipa.cyberfuel.com Connecting: 192.168.20.90:0 handshake complete, peer = 192.168.20.90:443 Protocol: TLS1.2 Cipher: TLS_RSA_WITH_AES_256_CBC_SHA received Set-Cookie 'ipa_session=efae42241c1d4ecc0c222d477f64e3a0; Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:35 GMT; Secure; HttpOnly' storing cookie 'ipa_session=efae42241c1d4ecc0c222d477f64e3a0; Domain=freeipa.cyberfuel.com; Path=/ipa; Expires=Fri, 29 Apr 2016 21:02:35 GMT; Secure; HttpOnly' for prin args=keyctl search @s user ipa_session_cookie:host/bk1.cyberfuel.com at CYBERFUEL.COM stdout=640092261 stderr= args=keyctl search @s user ipa_session_cookie:host/bk1.cyberfuel.com at CYBERFUEL.COM stdout=640092261 stderr= args=keyctl pupdate 640092261 stdout= stderr= Writing nsupdate commands to /etc/ipa/.dns_update.txt: zone cyberfuel.com. update delete bk1.cyberfuel.com. IN SSHFP send update add bk1.cyberfuel.com. 1200 IN SSHFP 1 1 B40F0F3FF14223B021F206C3E3276AC48F6EEAF0 update add bk1.cyberfuel.com. 1200 IN SSHFP 2 1 30D2331BC69452EFE65445B5C990773EA41A2FE8 send args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt stdout= stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server DNS/ns1.cyberfuel.com at CYBERFUEL.COM no nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1 Could not update DNS SSHFP records. 
args=/sbin/service nscd status stdout= stderr=nscd: unrecognized service Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state' Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state' args=/usr/sbin/authconfig --enablesssdauth --update --enablesssd stdout= stderr= SSSD enabled Configuring cyberfuel.com as NIS domain args=/bin/nisdomainname stdout=(none) stderr= Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state' args=/usr/sbin/authconfig --update --nisdomain cyberfuel.com stdout= stderr= args=/bin/nisdomainname cyberfuel.com stdout= stderr= args=/sbin/service sssd restart stdout=Stopping sssd: [FAILED] Starting sssd: [ OK ] stderr=cat: /var/run/sssd.pid: No such file or directory args=/sbin/service sssd status stdout=sssd (pid 42071) is running... stderr= args=/sbin/chkconfig sssd on stdout= stderr= Backing up system configuration file '/etc/openldap/ldap.conf' Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' Configured /etc/openldap/ldap.conf args=getent passwd admin stdout=admin:*:1045400000:1045400000:Administrator:/home/admin:/bin/bash stderr= Backing up system configuration file '/etc/ntp/step-tickers' Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' args=/usr/sbin/selinuxenabled stdout= stderr= args=/sbin/chkconfig ntpd stdout= stderr= Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state' Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state' Backing up system configuration file '/etc/ntp.conf' Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' args=/usr/sbin/selinuxenabled stdout= stderr= Backing up system configuration file '/etc/sysconfig/ntpd' Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' args=/usr/sbin/selinuxenabled stdout= stderr= args=/sbin/chkconfig ntpd on stdout= stderr= args=/sbin/service ntpd restart stdout=Shutting down ntpd: [ OK ] Starting ntpd: [ OK ] stderr= args=/sbin/service 
ntpd status stdout=ntpd (pid 42133) is running... stderr= NTP enabled Backing up system configuration file '/etc/ssh/ssh_config' Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' Configured /etc/ssh/ssh_config Backing up system configuration file '/etc/ssh/sshd_config' Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' args=sshd -t -f /dev/null -o AuthorizedKeysCommand= stdout= stderr= Configured /etc/ssh/sshd_config args=/sbin/service sshd status stdout=openssh-daemon (pid 46497) is running... stderr= args=/sbin/service sshd restart stdout=Stopping sshd: [ OK ] Starting sshd: [ OK ] stderr= args=/sbin/service sshd status stdout=openssh-daemon (pid 42190) is running... stderr= Client configuration complete.

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Friday, 29 April 2016 12:19 p.m.
To: Jose Alvarez R. ; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] HTTP response code is 401, not 200

Jose Alvarez R. wrote:
> Hi, Rob
>
> Thanks!!
>
> The version of xmlrpc-c on my IPA server:
> xmlrpc-c-1.16.24-1210.1840.el6.x86_64
> xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64
>
> The version of xmlrpc-c on my IPA client:
> xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64
> xmlrpc-c-1.16.24-1210.1840.el6.x86_64
> libiqxmlrpc-0.12.4-0.parallels.i686
> xmlrpc-c-c++-1.16.24-1210.1840.el6.x86_64

You need xmlrpc-c-1.16.24-1200.1840.2.el6 on the client, which fixed https://bugzilla.redhat.com/show_bug.cgi?id=719945

The libcurl version on the client looks ok. This is only a client-side issue so no changes on the servers should be necessary IIRC.

This appears to be EL 6.1 which at this point is quite old.

rob

> The versions are the same, but the libcurl is different.
>
> This is the curl version on the IPA server:
> [root at freeipa log]# rpm -qa | grep curl
> python-pycurl-7.19.0-8.el6.x86_64
> curl-7.19.7-46.el6.x86_64
> libcurl-7.19.7-46.el6.x86_64
> [root at freeipa log]#
>
> This is the curl version on the PPA server (IPA client):
> [root at ppa named]# rpm -qa | grep curl
> curl-7.31.0-1.el6.x86_64
> python-pycurl-7.19.0-8.el6.x86_64
> libcurl-7.31.0-1.el6.x86_64
> libcurl-7.31.0-1.el6.i686
>
> Sorry, my English is not very good.
>
> Regards.
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Friday, 29 April 2016 11:14 a.m.
> To: Jose Alvarez R. ; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] HTTP response code is 401, not 200
>
> Jose Alvarez R. wrote:
>> Hi Rob, Thanks for your response
>>
>> Yes, it's with admin.
>
> I assume this is a problem with your version of xmlrpc-c. We use standard xmlrpc-c calls to set up authentication and IIRC that links against libcurl which provides the Kerberos/GSSAPI support. On EL6 you need xmlrpc-c >= 1.16.24-1200.1840.2
>
> I'm confused about the versions. You mention PPA but include what look like RPM versions that seem to point to RHEL 6.
> > rob > >> >> I execute the command "ipa-client-install --debug" >> --------------------------------------------------------------------- >> - >> --- >> >> >> [root at ppa named]# ipa-client-install --debug >> /usr/sbin/ipa-client-install was invoked with options: {'domain': >> None, >> 'force': False, 'realm_name': None, 'krb5_offline_passwords': True, >> 'primary': False, 'mkhomedir >> ': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, >> 'on_master': False, 'ntp_server': None, 'nisdomain': None, 'no_nisdomain': >> False, 'principal': None >> , 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True, >> 'trust_sshfp': False, 'kinit_attempts': 5, 'dns_updates': False, >> 'conf_sudo': True, 'conf_ssh': Tr >> ue, 'force_join': False, 'ca_cert_file': None, 'server': None, >> 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': >> False, 'uninstall': False} >> missing options might be asked for interactively later Loading Index >> file from '/var/lib/ipa-client/sysrestore/sysrestore.index' >> Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' >> [IPA Discovery] >> Starting IPA discovery with domain=None, servers=None, >> hostname=ppa.cyberfuel.com Start searching for LDAP SRV record in >> "cyberfuel.com" (domain of the >> hostname) and its sub-domains >> Search DNS for SRV record of _ldap._tcp.cyberfuel.com. >> DNS record found: >> DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prio >> r ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.} >> [Kerberos realm search] >> Search DNS for TXT record of _kerberos.cyberfuel.com. >> DNS record found: >> DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data: >> C >> YBERFU >> EL.COM} >> Search DNS for SRV record of _kerberos._udp.cyberfuel.com. 
>> DNS record found: >> DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={ >> p riorit y:0,port:88,weight:50,server:freeipa.cyberfuel.com.} >> [LDAP server check] >> Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA >> server Init LDAP connection with: ldap://freeipa.cyberfuel.com:389 >> Search LDAP server for IPA base DN Check if naming context >> 'dc=cyberfuel,dc=com' is for IPA Naming context 'dc=cyberfuel,dc=com' >> is a valid IPA context Search for (objectClass=krbRealmContainer) in >> dc=cyberfuel,dc=com (sub) >> Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com >> Discovery result: Success; server=freeipa.cyberfuel.com, >> domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, >> basedn=dc=cyberfuel,dc=com Validated servers: freeipa.cyberfuel.com >> will use discovered domain: cyberfuel.com Start searching for LDAP >> SRV record in "cyberfuel.com" (Validating DNS >> Discovery) and its sub-domains >> Search DNS for SRV record of _ldap._tcp.cyberfuel.com. >> DNS record found: >> DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prio >> r ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.} >> DNS validated, enabling discovery >> will use discovered server: freeipa.cyberfuel.com Discovery was >> successful! >> will use discovered realm: CYBERFUEL.COM will use discovered basedn: >> dc=cyberfuel,dc=com >> Hostname: ppa.cyberfuel.com >> Hostname source: Machine's FQDN >> Realm: CYBERFUEL.COM >> Realm source: Discovered from LDAP DNS records in >> freeipa.cyberfuel.com DNS Domain: cyberfuel.com DNS Domain source: >> Discovered LDAP SRV records from cyberfuel.com (domain of the >> hostname) IPA Server: freeipa.cyberfuel.com IPA Server source: >> Discovered from LDAP DNS records in freeipa.cyberfuel.com >> BaseDN: dc=cyberfuel,dc=com >> BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389 >> >> Continue to configure the system with these values? [no]: no >> Installation failed. Rolling back changes. 
>> IPA client is not configured on this system. >> [root at ppa named]# >> [root at ppa named]# ipa-client-install --debug >> /usr/sbin/ipa-client-install was invoked with options: {'domain': >> None, >> 'force': False, 'realm_name': None, 'krb5_offline_passwords': True, >> 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': >> True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, > 'nisdomain': >> None, 'no_nisdomain': False, 'principal': None, 'hostname': None, 'no_ac': >> False, 'unattended': None, 'sssd': True, 'trust_sshfp': False, >> 'kinit_attempts': 5, 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': >> True, 'force_join': False, 'ca_cert_file': None, 'server': None, >> 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': >> False, 'uninstall': False} >> missing options might be asked for interactively later Loading Index >> file from '/var/lib/ipa-client/sysrestore/sysrestore.index' >> Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' >> [IPA Discovery] >> Starting IPA discovery with domain=None, servers=None, >> hostname=ppa.cyberfuel.com Start searching for LDAP SRV record in >> "cyberfuel.com" (domain of the >> hostname) and its sub-domains >> Search DNS for SRV record of _ldap._tcp.cyberfuel.com. >> DNS record found: >> DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prio >> r ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.} >> [Kerberos realm search] >> Search DNS for TXT record of _kerberos.cyberfuel.com. >> DNS record found: >> DNSResult::name:_kerberos.cyberfuel.com.,type:16,class:1,rdata={data: >> C >> YBERFU >> EL.COM} >> Search DNS for SRV record of _kerberos._udp.cyberfuel.com. 
>> DNS record found: >> DNSResult::name:_kerberos._udp.cyberfuel.com.,type:33,class:1,rdata={ >> p riorit y:0,port:88,weight:50,server:freeipa.cyberfuel.com.} >> [LDAP server check] >> Verifying that freeipa.cyberfuel.com (realm CYBERFUEL.COM) is an IPA >> server Init LDAP connection with: ldap://freeipa.cyberfuel.com:389 >> Search LDAP server for IPA base DN Check if naming context >> 'dc=cyberfuel,dc=com' is for IPA Naming context 'dc=cyberfuel,dc=com' >> is a valid IPA context Search for (objectClass=krbRealmContainer) in >> dc=cyberfuel,dc=com (sub) >> Found: cn=CYBERFUEL.COM,cn=kerberos,dc=cyberfuel,dc=com >> Discovery result: Success; server=freeipa.cyberfuel.com, >> domain=cyberfuel.com, kdc=freeipa.cyberfuel.com, >> basedn=dc=cyberfuel,dc=com Validated servers: freeipa.cyberfuel.com >> will use discovered domain: cyberfuel.com Start searching for LDAP >> SRV record in "cyberfuel.com" (Validating DNS >> Discovery) and its sub-domains >> Search DNS for SRV record of _ldap._tcp.cyberfuel.com. >> DNS record found: >> DNSResult::name:_ldap._tcp.cyberfuel.com.,type:33,class:1,rdata={prio >> r ity:0, port:389,weight:50,server:freeipa.cyberfuel.com.} >> DNS validated, enabling discovery >> will use discovered server: freeipa.cyberfuel.com Discovery was >> successful! >> will use discovered realm: CYBERFUEL.COM will use discovered basedn: >> dc=cyberfuel,dc=com >> Hostname: ppa.cyberfuel.com >> Hostname source: Machine's FQDN >> Realm: CYBERFUEL.COM >> Realm source: Discovered from LDAP DNS records in >> freeipa.cyberfuel.com DNS Domain: cyberfuel.com DNS Domain source: >> Discovered LDAP SRV records from cyberfuel.com (domain of the >> hostname) IPA Server: freeipa.cyberfuel.com IPA Server source: >> Discovered from LDAP DNS records in freeipa.cyberfuel.com >> BaseDN: dc=cyberfuel,dc=com >> BaseDN source: From IPA server ldap://freeipa.cyberfuel.com:389 >> >> Continue to configure the system with these values? 
[no]: yes >> args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r CYBERFUEL.COM >> stdout= stderr=Failed to open keytab '/etc/krb5.keytab': No such file >> or directory >> >> User authorized to enroll computers: admin will use principal >> provided as option: admin Synchronizing time with KDC... >> Search DNS for SRV record of _ntp._udp.cyberfuel.com. >> No DNS record found >> args=/usr/sbin/ntpdate -U ntp -s -b -v freeipa.cyberfuel.com stdout= >> stderr= Writing Kerberos configuration to /tmp/tmpqWSatK: >> #File modified by ipa-client-install >> >> includedir /var/lib/sss/pubconf/krb5.include.d/ >> >> [libdefaults] >> default_realm = CYBERFUEL.COM >> dns_lookup_realm = false >> dns_lookup_kdc = false >> rdns = false >> ticket_lifetime = 24h >> forwardable = yes >> udp_preference_limit = 0 >> >> >> [realms] >> CYBERFUEL.COM = { >> kdc = freeipa.cyberfuel.com:88 >> master_kdc = freeipa.cyberfuel.com:88 >> admin_server = freeipa.cyberfuel.com:749 >> default_domain = cyberfuel.com >> pkinit_anchors = FILE:/etc/ipa/ca.crt >> >> } >> >> >> [domain_realm] >> .cyberfuel.com = CYBERFUEL.COM >> cyberfuel.com = CYBERFUEL.COM >> >> >> >> Password for admin at CYBERFUEL.COM: >> args=kinit admin at CYBERFUEL.COM >> stdout=Password for admin at CYBERFUEL.COM: >> >> stderr= >> trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com >> Existing CA cert and Retrieved CA cert are identical >> args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b >> dc=cyberfuel,dc=com -d stdout= stderr=XML-RPC CALL: >> >> \r\n \r\n >> join\r\n \r\n >> \r\n >> ppa.cyberfuel.com\r\n >> \r\n >> \r\n >> nsosversion\r\n >> 2.6.32-573.8.1.el6.x86_64\r\ >> n nshardwareplatform\r\n >> x86_64\r\n >> \r\n >> \r\n >> \r\n >> >> * About to connect() to freeipa.cyberfuel.com port 443 (#0) >> * Trying 192.168.20.90... 
>> * Adding handle: conn: 0x10bb2f0 >> * Adding handle: send: 0 >> * Adding handle: recv: 0 >> * Curl_addHandleToPipeline: length: 1 >> * - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0 >> * Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0) >> * successfully set certificate verify locations: >> * CAfile: /etc/ipa/ca.crt >> CApath: none >> * SSL connection using AES256-SHA >> * Server certificate: >> * subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com >> * start date: 2015-09-30 17:52:11 GMT >> * expire date: 2017-09-30 17:52:11 GMT >> * common name: freeipa.cyberfuel.com (matched) >> * issuer: O=CYBERFUEL.COM; CN=Certificate Authority >> * SSL certificate verify ok. >>> POST /ipa/xml HTTP/1.1 >> Host: freeipa.cyberfuel.com >> Accept: */* >> Content-Type: text/xml >> User-Agent: ipa-join/3.0.0 >> Referer: https://freeipa.cyberfuel.com/ipa/xml >> X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1 >> Content-Length: 477 >> >> * upload completely sent off: 477 out of 477 bytes < HTTP/1.1 401 >> Authorization Required < Date: Fri, 29 Apr 2016 16:16:32 GMT >> * Server Apache/2.2.15 (CentOS) is not blacklisted < Server: >> Apache/2.2.15 (CentOS) < WWW-Authenticate: Negotiate < Last-Modified: >> Tue, 12 Apr 2016 23:07:44 GMT < ETag: "a0528-55a-53051ba8f7000" >> < Accept-Ranges: bytes >> < Content-Length: 1370 >> < Connection: close >> < Content-Type: text/html; charset=UTF-8 < >> * Closing connection 0 >> HTTP response code is 401, not 200 >> >> Joining realm failed: XML-RPC CALL: >> >> \r\n \r\n >> join\r\n \r\n >> \r\n >> ppa.cyberfuel.com\r\n >> \r\n >> \r\n >> nsosversion\r\n >> 2.6.32-573.8.1.el6.x86_64\r\ >> n nshardwareplatform\r\n >> x86_64\r\n >> \r\n >> \r\n >> \r\n >> >> * About to connect() to freeipa.cyberfuel.com port 443 (#0) >> * Trying 192.168.20.90... 
>> * Adding handle: conn: 0x10bb2f0 >> * Adding handle: send: 0 >> * Adding handle: recv: 0 >> * Curl_addHandleToPipeline: length: 1 >> * - Conn 0 (0x10bb2f0) send_pipe: 1, recv_pipe: 0 >> * Connected to freeipa.cyberfuel.com (192.168.20.90) port 443 (#0) >> * successfully set certificate verify locations: >> * CAfile: /etc/ipa/ca.crt >> CApath: none >> * SSL connection using AES256-SHA >> * Server certificate: >> * subject: O=CYBERFUEL.COM; CN=freeipa.cyberfuel.com >> * start date: 2015-09-30 17:52:11 GMT >> * expire date: 2017-09-30 17:52:11 GMT >> * common name: freeipa.cyberfuel.com (matched) >> * issuer: O=CYBERFUEL.COM; CN=Certificate Authority >> * SSL certificate verify ok. >>> POST /ipa/xml HTTP/1.1 >> Host: freeipa.cyberfuel.com >> Accept: */* >> Content-Type: text/xml >> User-Agent: ipa-join/3.0.0 >> Referer: https://freeipa.cyberfuel.com/ipa/xml >> X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1 >> Content-Length: 477 >> >> * upload completely sent off: 477 out of 477 bytes < HTTP/1.1 401 >> Authorization Required < Date: Fri, 29 Apr 2016 16:16:32 GMT >> * Server Apache/2.2.15 (CentOS) is not blacklisted < Server: >> Apache/2.2.15 (CentOS) < WWW-Authenticate: Negotiate < Last-Modified: >> Tue, 12 Apr 2016 23:07:44 GMT < ETag: "a0528-55a-53051ba8f7000" >> < Accept-Ranges: bytes >> < Content-Length: 1370 >> < Connection: close >> < Content-Type: text/html; charset=UTF-8 < >> * Closing connection 0 >> HTTP response code is 401, not 200 >> >> Installation failed. Rolling back changes. >> IPA client is not configured on this system. 
>> >> ------------------------------------------------- >> >> It's the version curl IPA server >> >> [root at freeipa log]# rpm -qa | grep curl >> python-pycurl-7.19.0-8.el6.x86_64 >> curl-7.19.7-46.el6.x86_64 >> libcurl-7.19.7-46.el6.x86_64 >> [root at freeipa log]# >> >> >> It's the version curl PPA server(IPA Client) >> >> [root at ppa named]# rpm -qa | grep curl >> curl-7.31.0-1.el6.x86_64 >> python-pycurl-7.19.0-8.el6.x86_64 >> libcurl-7.31.0-1.el6.x86_64 >> libcurl-7.31.0-1.el6.i686 >> >> >> The version curl is different, but the version curl PPA is the >> repository Odin Plesk. >> >> ----------------------------------------------------- >> >> >> [root at ppa tmp]# cat kerberos_trace.log >> >> [12118] 1461855578.809966: ccselect module realm chose cache >> FILE:/tmp/tmptSoqDX with client principal admin at CYBERFUEL.COM for >> server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM >> [12118] 1461855578.810171: Retrieving admin at CYBERFUEL.COM -> >> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from >> FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not >> found [12118] 1461855578.810252: Getting credentials >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using >> ccache FILE:/tmp/tmptSoqDX [12118] 1461855578.810369: Retrieving >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from >> FILE:/tmp/tmptSoqDX with >> result: -1765328243/Matching credential not found [12118] >> 1461855578.810451: Retrieving admin at CYBERFUEL.COM -> >> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmptSoqDX with result: >> 0/Success >> [12118] 1461855578.810476: Found cached TGT for service realm: >> admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM >> [12118] 1461855578.810509: Requesting tickets for >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on [12118] >> 1461855578.810612: Generated subkey for TGS request: aes256-cts/7377 >> [12118] 1461855578.810679: etypes 
requested in TGS request: >> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [12118] >> 1461855578.810913: Sending request (704 bytes) to CYBERFUEL.COM >> [12118] 1461855578.811239: Resolving hostname freeipa.cyberfuel.com >> [12118] 1461855578.811466: Initiating TCP connection to stream >> 192.168.0.90:88 >> [12118] 1461855578.811935: Sending TCP request to stream >> 192.168.0.90:88 [12118] 1461855578.816404: Received answer from >> stream >> 192.168.0.90:88 [12118] 1461855578.816714: Response was from master >> KDC [12118] 1461855578.816906: TGS reply is for admin at CYBERFUEL.COM >> -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with session key >> aes256-cts/BEB2 [12118] 1461855578.816977: TGS request result: >> 0/Success [12118] 1461855578.817018: Received creds for desired >> service ldap/freeipa.cyberfuel.com at CYBERFUEL.COM >> [12118] 1461855578.817066: Removing admin at CYBERFUEL.COM -> >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmptSoqDX >> [12118] 1461855578.817107: Storing admin at CYBERFUEL.COM -> >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmptSoqDX >> [12118] 1461855578.817413: Creating authenticator for >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, >> seqnum 299651167, subkey aes256-cts/98D3, session key aes256-cts/BEB2 >> [12118] 1461855578.874786: ccselect module realm chose cache >> FILE:/tmp/tmptSoqDX with client principal admin at CYBERFUEL.COM for >> server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM >> [12118] 1461855578.874938: Retrieving admin at CYBERFUEL.COM -> >> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from >> FILE:/tmp/tmptSoqDX with result: -1765328243/Matching credential not >> found [12118] 1461855578.875079: Read AP-REP, time 1461855578.817442, >> subkey aes256-cts/4B32, seqnum 706045221 [17304] 1461858424.873888: >> ccselect module realm chose cache FILE:/tmp/tmpH0QF6P with client >> principal admin at CYBERFUEL.COM for server principal >> 
ldap/freeipa.cyberfuel.com at CYBERFUEL.COM >> [17304] 1461858424.874126: Retrieving admin at CYBERFUEL.COM -> >> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from >> FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not >> found [17304] 1461858424.874220: Getting credentials >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using >> ccache FILE:/tmp/tmpH0QF6P [17304] 1461858424.874413: Retrieving >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from >> FILE:/tmp/tmpH0QF6P with >> result: -1765328243/Matching credential not found [17304] >> 1461858424.874531: Retrieving admin at CYBERFUEL.COM -> >> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmpH0QF6P with result: >> 0/Success >> [17304] 1461858424.874603: Found cached TGT for service realm: >> admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM >> [17304] 1461858424.874631: Requesting tickets for >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on [17304] >> 1461858424.874747: Generated subkey for TGS request: aes256-cts/8C33 >> [17304] 1461858424.874788: etypes requested in TGS request: >> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [17304] >> 1461858424.875121: Sending request (704 bytes) to CYBERFUEL.COM >> [17304] 1461858424.875525: Resolving hostname freeipa.cyberfuel.com >> [17304] 1461858424.875805: Initiating TCP connection to stream >> 192.168.20.90:88 >> [17304] 1461858424.877976: Sending TCP request to stream >> 192.168.20.90:88 [17304] 1461858424.882385: Received answer from >> stream 192.168.20.90:88 [17304] 1461858424.882531: Response was from >> master KDC [17304] 1461858424.882775: TGS reply is for >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with >> session key aes256-cts/20DA [17304] 1461858424.882850: TGS request >> result: 0/Success [17304] 1461858424.882883: Received creds for >> desired service ldap/freeipa.cyberfuel.com at CYBERFUEL.COM >> [17304] 
1461858424.882918: Removing admin at CYBERFUEL.COM -> >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpH0QF6P >> [17304] 1461858424.882951: Storing admin at CYBERFUEL.COM -> >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmpH0QF6P >> [17304] 1461858424.883271: Creating authenticator for >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, >> seqnum 443746416, subkey aes256-cts/13DE, session key aes256-cts/20DA >> [17304] 1461858424.898190: ccselect module realm chose cache >> FILE:/tmp/tmpH0QF6P with client principal admin at CYBERFUEL.COM for >> server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM >> [17304] 1461858424.898401: Retrieving admin at CYBERFUEL.COM -> >> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from >> FILE:/tmp/tmpH0QF6P with result: -1765328243/Matching credential not >> found [17304] 1461858424.898615: Read AP-REP, time 1461858424.883334, >> subkey aes256-cts/A0F5, seqnum 906104721 [23457] 1461863053.621386: >> ccselect module realm chose cache >> FILE:/tmp/tmp576FE3 with client principal admin at CYBERFUEL.COM for >> server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM >> [23457] 1461863053.621602: Retrieving admin at CYBERFUEL.COM -> >> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from >> FILE:/tmp/tmp576FE3 with result: -1765328243/Matching credential not >> found [23457] 1461863053.621719: Getting credentials >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using >> ccache FILE:/tmp/tmp576FE3 [23457] 1461863053.621918: Retrieving >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from >> FILE:/tmp/tmp576FE3 with >> result: -1765328243/Matching credential not found [23457] >> 1461863053.622097: Retrieving admin at CYBERFUEL.COM -> >> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmp576FE3 with result: >> 0/Success >> [23457] 1461863053.622144: Found cached TGT for service realm: >> admin at 
CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM >> [23457] 1461863053.622176: Requesting tickets for >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on [23457] >> 1461863053.622288: Generated subkey for TGS request: aes256-cts/897C >> [23457] 1461863053.622331: etypes requested in TGS request: >> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [23457] >> 1461863053.622662: Sending request (704 bytes) to CYBERFUEL.COM >> [23457] 1461863053.623133: Resolving hostname freeipa.cyberfuel.com >> [23457] 1461863053.623367: Initiating TCP connection to stream >> 192.168.20.90:88 >> [23457] 1461863053.623866: Sending TCP request to stream >> 192.168.20.90:88 [23457] 1461863053.627939: Received answer from >> stream 192.168.20.90:88 [23457] 1461863053.628229: Response was from >> master KDC [23457] 1461863053.628485: TGS reply is for >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with >> session key aes256-cts/9E88 [23457] 1461863053.628560: TGS request >> result: 0/Success [23457] 1461863053.628610: Received creds for >> desired service ldap/freeipa.cyberfuel.com at CYBERFUEL.COM >> [23457] 1461863053.628655: Removing admin at CYBERFUEL.COM -> >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmp576FE3 >> [23457] 1461863053.628689: Storing admin at CYBERFUEL.COM -> >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmp576FE3 >> [23457] 1461863053.629119: Creating authenticator for >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, >> seqnum 13046067, subkey aes256-cts/BAC3, session key aes256-cts/9E88 >> [23457] 1461863053.640471: ccselect module realm chose cache >> FILE:/tmp/tmp576FE3 with client principal admin at CYBERFUEL.COM for >> server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM >> [23457] 1461863053.640721: Retrieving admin at CYBERFUEL.COM -> >> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from >> FILE:/tmp/tmp576FE3 with result: -1765328243/Matching 
credential not >> found [23457] 1461863053.640909: Read AP-REP, time 1461863053.629208, >> subkey aes256-cts/8866, seqnum 421358565 [23749] 1461863277.525338: >> ccselect module realm chose cache FILE:/tmp/tmprfuOsj with client >> principal admin at CYBERFUEL.COM for server principal >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM >> [23749] 1461863277.525435: Retrieving admin at CYBERFUEL.COM -> >> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from >> FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not >> found [23749] 1461863277.525469: Getting credentials >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using >> ccache FILE:/tmp/tmprfuOsj [23749] 1461863277.525529: Retrieving >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from >> FILE:/tmp/tmprfuOsj with >> result: -1765328243/Matching credential not found [23749] >> 1461863277.525572: Retrieving admin at CYBERFUEL.COM -> >> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmprfuOsj with result: >> 0/Success >> [23749] 1461863277.525584: Found cached TGT for service realm: >> admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM >> [23749] 1461863277.525593: Requesting tickets for >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on [23749] >> 1461863277.525645: Generated subkey for TGS request: aes256-cts/C22D >> [23749] 1461863277.525662: etypes requested in TGS request: >> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [23749] >> 1461863277.525806: Sending request (704 bytes) to CYBERFUEL.COM >> [23749] 1461863277.526052: Resolving hostname freeipa.cyberfuel.com >> [23749] 1461863277.526161: Initiating TCP connection to stream >> 192.168.20.90:88 >> [23749] 1461863277.526440: Sending TCP request to stream >> 192.168.20.90:88 [23749] 1461863277.530652: Received answer from >> stream 192.168.20.90:88 [23749] 1461863277.530737: Response was from >> master KDC [23749] 1461863277.530881: TGS reply is for >> admin at 
CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with >> session key aes256-cts/79C3 [23749] 1461863277.530931: TGS request >> result: 0/Success [23749] 1461863277.530948: Received creds for >> desired service ldap/freeipa.cyberfuel.com at CYBERFUEL.COM >> [23749] 1461863277.530962: Removing admin at CYBERFUEL.COM -> >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmprfuOsj >> [23749] 1461863277.530971: Storing admin at CYBERFUEL.COM -> >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmprfuOsj >> [23749] 1461863277.531133: Creating authenticator for >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, >> seqnum 1019693263, subkey aes256-cts/B3E0, session key >> aes256-cts/79C3 [23749] 1461863277.542808: ccselect module realm >> chose cache FILE:/tmp/tmprfuOsj with client principal >> admin at CYBERFUEL.COM for server principal >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM >> [23749] 1461863277.542889: Retrieving admin at CYBERFUEL.COM -> >> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from >> FILE:/tmp/tmprfuOsj with result: -1765328243/Matching credential not >> found [23749] 1461863277.542988: Read AP-REP, time 1461863277.531150, >> subkey aes256-cts/5194, seqnum 376027188 [25544] 1461864401.258277: >> ccselect module realm chose cache FILE:/tmp/tmpbzX7EN with client >> principal admin at CYBERFUEL.COM for server principal >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM >> [25544] 1461864401.258584: Retrieving admin at CYBERFUEL.COM -> >> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from >> FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not >> found [25544] 1461864401.258678: Getting credentials >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using >> ccache FILE:/tmp/tmpbzX7EN [25544] 1461864401.258873: Retrieving >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from >> FILE:/tmp/tmpbzX7EN with >> result: 
-1765328243/Matching credential not found [25544] >> 1461864401.259040: Retrieving admin at CYBERFUEL.COM -> >> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmpbzX7EN with result: >> 0/Success >> [25544] 1461864401.259076: Found cached TGT for service realm: >> admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM >> [25544] 1461864401.259102: Requesting tickets for >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on [25544] >> 1461864401.259244: Generated subkey for TGS request: aes256-cts/277A >> [25544] 1461864401.259291: etypes requested in TGS request: >> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [25544] >> 1461864401.259676: Sending request (704 bytes) to CYBERFUEL.COM >> [25544] 1461864401.260108: Resolving hostname freeipa.cyberfuel.com >> [25544] 1461864401.260361: Initiating TCP connection to stream >> 192.168.20.90:88 >> [25544] 1461864401.260980: Sending TCP request to stream >> 192.168.20.90:88 [25544] 1461864401.264399: Received answer from >> stream 192.168.20.90:88 [25544] 1461864401.264593: Response was from >> master KDC [25544] 1461864401.264893: TGS reply is for >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with >> session key aes256-cts/9106 [25544] 1461864401.264966: TGS request >> result: 0/Success [25544] 1461864401.264996: Received creds for >> desired service ldap/freeipa.cyberfuel.com at CYBERFUEL.COM >> [25544] 1461864401.265029: Removing admin at CYBERFUEL.COM -> >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpbzX7EN >> [25544] 1461864401.265058: Storing admin at CYBERFUEL.COM -> >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmpbzX7EN >> [25544] 1461864401.265581: Creating authenticator for >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, >> seqnum 921501424, subkey aes256-cts/99EA, session key aes256-cts/9106 >> [25544] 1461864401.275884: ccselect module realm chose cache >> FILE:/tmp/tmpbzX7EN with client principal admin 
at CYBERFUEL.COM for >> server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM >> [25544] 1461864401.276059: Retrieving admin at CYBERFUEL.COM -> >> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from >> FILE:/tmp/tmpbzX7EN with result: -1765328243/Matching credential not >> found [25544] 1461864401.276196: Read AP-REP, time 1461864401.265627, >> subkey aes256-cts/0E9F, seqnum 871496824 [18097] 1461937028.664354: >> ccselect module realm chose cache >> FILE:/tmp/tmpF9x_o8 with client principal admin at CYBERFUEL.COM for >> server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM >> [18097] 1461937028.664456: Retrieving admin at CYBERFUEL.COM -> >> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from >> FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not >> found [18097] 1461937028.664490: Getting credentials >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM using >> ccache FILE:/tmp/tmpF9x_o8 [18097] 1461937028.664549: Retrieving >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from >> FILE:/tmp/tmpF9x_o8 with >> result: -1765328243/Matching credential not found [18097] >> 1461937028.664590: Retrieving admin at CYBERFUEL.COM -> >> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM from FILE:/tmp/tmpF9x_o8 with result: >> 0/Success >> [18097] 1461937028.664601: Found cached TGT for service realm: >> admin at CYBERFUEL.COM -> krbtgt/CYBERFUEL.COM at CYBERFUEL.COM >> [18097] 1461937028.664611: Requesting tickets for >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, referrals on [18097] >> 1461937028.664700: Generated subkey for TGS request: aes256-cts/6372 >> [18097] 1461937028.664727: etypes requested in TGS request: >> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [18097] >> 1461937028.664865: Sending request (704 bytes) to CYBERFUEL.COM >> [18097] 1461937028.665035: Resolving hostname freeipa.cyberfuel.com >> [18097] 1461937028.665136: Initiating TCP connection to stream >> 
192.168.20.90:88 >> [18097] 1461937028.665510: Sending TCP request to stream >> 192.168.20.90:88 [18097] 1461937028.668919: Received answer from >> stream 192.168.20.90:88 [18097] 1461937028.668984: Response was from >> master KDC [18097] 1461937028.669109: TGS reply is for >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM with >> session key aes256-cts/9592 [18097] 1461937028.669136: TGS request >> result: 0/Success [18097] 1461937028.669156: Received creds for >> desired service ldap/freeipa.cyberfuel.com at CYBERFUEL.COM >> [18097] 1461937028.669167: Removing admin at CYBERFUEL.COM -> >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM from FILE:/tmp/tmpF9x_o8 >> [18097] 1461937028.669176: Storing admin at CYBERFUEL.COM -> >> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM in FILE:/tmp/tmpF9x_o8 >> [18097] 1461937028.669304: Creating authenticator for >> admin at CYBERFUEL.COM -> ldap/freeipa.cyberfuel.com at CYBERFUEL.COM, >> seqnum 940175329, subkey aes256-cts/53B9, session key aes256-cts/9592 >> [18097] 1461937028.676414: ccselect module realm chose cache >> FILE:/tmp/tmpF9x_o8 with client principal admin at CYBERFUEL.COM for >> server principal ldap/freeipa.cyberfuel.com at CYBERFUEL.COM >> [18097] 1461937028.676470: Retrieving admin at CYBERFUEL.COM -> >> krb5_ccache_conf_data/proxy_impersonator at X-CACHECONF: from >> FILE:/tmp/tmpF9x_o8 with result: -1765328243/Matching credential not >> found [18097] 1461937028.676534: Read AP-REP, time 1461937028.669328, >> subkey aes256-cts/26C4, seqnum 864174069 >> >> ----------------------------------- >> >> >> Regards >> >> Jose Alvarez >> >> >> -----Original Message----- >> From: Rob Crittenden [mailto:rcritten at redhat.com] >> Sent: viernes 29 de abril de 2016 09:34 a.m. >> To: Jose Alvarez R. ; >> freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] HTTP response code is 401, not 200 >> >> Jose Alvarez R. wrote: >>> Hi Users >>> >>> You can help me? 
>>>
>>> I have a problem joining a client to my FREEIPA server. The
>>> IPA server version is 3.0 and the IPA client is 3.0.
>>>
>>> When I join my client to the IPA server it shows these errors:
>>>
>>> [root at ppa ~]# tail -f /var/log/ipaclient-install.log
>>>
>>> 2016-04-28T17:26:41Z DEBUG stderr=
>>> 2016-04-28T17:26:41Z DEBUG trying to retrieve CA cert via LDAP from ldap://freeipa.cyberfuel.com
>>> 2016-04-28T17:26:41Z DEBUG Existing CA cert and Retrieved CA cert are identical
>>> 2016-04-28T17:26:41Z DEBUG args=/usr/sbin/ipa-join -s freeipa.cyberfuel.com -b dc=cyberfuel,dc=com
>>> 2016-04-28T17:26:41Z DEBUG stdout=
>>> 2016-04-28T17:26:41Z DEBUG stderr=HTTP response code is 401, not 200
>>> 2016-04-28T17:26:41Z ERROR Joining realm failed: HTTP response code is 401, not 200
>>> 2016-04-28T17:26:41Z ERROR Installation failed. Rolling back changes.
>>> 2016-04-28T17:26:41Z ERROR IPA client is not configured on this system.
>>
>> I'd look in the 389-ds access and error logs on the IPA server to see
>> if there are any more details. Look for the BIND from the client and
>> see what happens.
>>
>> More context from the log file might be helpful. I believe if you run
>> the client installer with --debug then additional flags are passed to
>> ipa-join to include the XML-RPC conversation and that might be useful too.
>>
>> What account are you using to enroll with, admin?
>> >> rob >> > > From rcritten at redhat.com Fri Apr 29 20:54:05 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 29 Apr 2016 16:54:05 -0400 Subject: [Freeipa-users] IPA vulnerability management SSL In-Reply-To: <201604292042.u3TKgZwn017518@d01av05.pok.ibm.com> References: <201604270527.u3R5RvrE005517@d03av01.boulder.ibm.com> <6c44a1aa-b1d5-cd85-fc64-38b38d8a1e4b@redhat.com> <201604272324.u3RNOR6U009479@d01av01.pok.ibm.com> <2c9f4e2c-f86d-75a8-2f9f-c8f57284f7d6@redhat.com> <5721F34C.9010107@redhat.com> <5721F536.1000807@redhat.com> <57225110.1000708@redhat.com> <57237E09.5090603@redhat.com> <201604292025.u3TKPbqC002081@d01av05.pok.ibm.com> <5723C5A9.6080607@redhat.com> <201604292042.u3TKgZwn017518@d01av05.pok.ibm.com> Message-ID: <5723C9ED.7050000@redhat.com> Sean Hogan wrote: > Thanks Rob... appreciate the help.. can you send me what you have in > nss.conf, server.xml as well? If I start off playing with something you > see working without issue then maybe I can come up with something or am > I wrong thinking those might affect anything? The only config that matters in this case is in dse.ldif because you are only testing port 636 and this is what drives it. My config is: dn: cn=encryption,cn=config objectClass: top objectClass: nsEncryptionConfig cn: encryption nsSSLSessionTimeout: 0 nsSSLClientAuth: allowed nsSSL2: off nsSSL3: off creatorsName: cn=server,cn=plugins,cn=config modifiersName: cn=directory manager createTimestamp: 20150102143402Z modifyTimestamp: 20150102143427Z nsSSL3Ciphers: -rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5 ,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_ sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_r c4_56_sha,-tls_rsa_export1024_with_des_cbc_sha numSubordinates: 1 What did was: # service dirsrv stop EXAMPLE-COM # vi /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif # service dirsrv start EXAMPLE-COM # nmap ... 
rob

>
> From: Rob Crittenden
> To: Sean Hogan/Durham/IBM at IBMUS
> Cc: freeipa-users at redhat.com, Noriko Hosoi
> Date: 04/29/2016 01:36 PM
> Subject: Re: [Freeipa-users] IPA vulnerability management SSL
>
> ------------------------------------------------------------------------
>
> Sean Hogan wrote:
> > Apparently making it the master ca will not work at this point since the
> > replica is removed. So still stuck with non-changing ciphers.
>
> Other services running on the box have zero impact on the ciphers available.
>
> I'm not sure what is wrong because it took me just a minute to stop
> dirsrv, modify dse.ldif with the list I provided, restart it and confirm
> that the cipher list was better.
>
> Entries in cn=config are not replicated.
>
> rob
>
> > Sean Hogan
> >
> > From: Sean Hogan/Durham/IBM
> > To: Rob Crittenden
> > Cc: freeipa-users at redhat.com, Noriko Hosoi
> > Date: 04/29/2016 08:56 AM
> > Subject: Re: [Freeipa-users] IPA vulnerability management SSL
> >
> > ------------------------------------------------------------------------
> >
> > Hi Rob,
> >
> > I stopped IPA, modified dse.ldif, restarted with the cipher list and it
> > started without issue; however, same 13 ciphers. You know... thinking about
> > this now... I'm going to try something. The box I am testing on is a
> > replica master and not the first replica.
> > I did not think this would
> > make a difference since I removed the replica from the realm before
> > testing, but maybe it will not change anything, thinking it's stuck in the
> > old realm?
> >
> > Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-29 11:51 EDT
> > Nmap scan report for
> > Host is up (0.000082s latency).
> > PORT    STATE SERVICE
> > 636/tcp open  ldapssl
> > | ssl-enum-ciphers:
> > |   TLSv1.2
> > |     Ciphers (13)
> > |       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
> > |       SSL_RSA_FIPS_WITH_DES_CBC_SHA
> > |       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
> > |       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
> > |       TLS_RSA_WITH_3DES_EDE_CBC_SHA
> > |       TLS_RSA_WITH_AES_128_CBC_SHA
> > |       TLS_RSA_WITH_AES_128_CBC_SHA256
> > |       TLS_RSA_WITH_AES_128_GCM_SHA256
> > |       TLS_RSA_WITH_AES_256_CBC_SHA
> > |       TLS_RSA_WITH_AES_256_CBC_SHA256
> > |       TLS_RSA_WITH_DES_CBC_SHA
> > |       TLS_RSA_WITH_RC4_128_MD5
> > |       TLS_RSA_WITH_RC4_128_SHA
> > |     Compressors (1)
> >
> > dn: cn=encryption,cn=config
> > objectClass: top
> > objectClass: nsEncryptionConfig
> > cn: encryption
> > nsSSLSessionTimeout: 0
> > nsSSLClientAuth: allowed
> > nsSSL2: off
> > nsSSL3: off
> > creatorsName: cn=server,cn=plugins,cn=config
> > modifiersName: cn=directory manager
> > createTimestamp: 20150420131850Z
> > modifyTimestamp: 20150420131906Z
> > nsSSL3Ciphers: -rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5
> >  ,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_
> >  sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_r
> >  c4_56_sha,-tls_rsa_export1024_with_des_cbc_sha
> > numSubordinates: 1
> >
> > Sean Hogan
> > Security Engineer
> > Watson Security & Risk Assurance
> > Watson Cloud Technology and Support
> > email: schogan at us.ibm.com | Tel 919 486 1397
> >
> > From: Rob Crittenden
> > To: Sean Hogan/Durham/IBM at IBMUS, Noriko Hosoi
> > Cc: freeipa-users at redhat.com
> > Date: 04/29/2016 08:30 AM
> > Subject: Re: [Freeipa-users] IPA vulnerability management SSL
> > ------------------------------------------------------------------------
> >
> > Sean Hogan wrote:
> > > Hi Noriko,
> > >
> > > Thanks for the suggestions,
> > >
> > > I had to trim out the GCM ciphers in order to get IPA to start back up
> > > or I would get the unknown cipher message
> >
> > The trick is getting the cipher name right (it doesn't always follow a
> > pattern) and explicitly disabling some ciphers as they are enabled by
> > default.
> >
> > Try this string:
> >
> > -rsa_null_md5,-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_des_sha,-rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-tls_rsa_export1024_with_rc4_56_sha,-tls_rsa_export1024_with_des_cbc_sha
> >
> > I have an oldish install but I think it will still do what you need:
> > 389-ds-base-1.2.11.15-68.el6_7.x86_64
> >
> > Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-29 11:24 EDT
> > Nmap scan report for pacer.example.com (192.168.126.2)
> > Host is up (0.00053s latency).
> > PORT    STATE SERVICE
> > 636/tcp open  ldapssl
> > | ssl-enum-ciphers:
> > |   TLSv1.2:
> > |     ciphers:
> > |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
> > |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
> > |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
> > |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
> > |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
> > |       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
> > |       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
> > |     compressors:
> > |       NULL
> > |     cipher preference: server
> > |_  least strength: C
> >
> > Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
> >
> > $ sslscan pacer.example.com:636 |grep Accept
> > Accepted  TLSv1  256 bits  AES256-SHA
> > Accepted  TLSv1  128 bits  AES128-SHA
> > Accepted  TLSv1  112 bits  DES-CBC3-SHA
> > Accepted  TLS11  256 bits  AES256-SHA
> > Accepted  TLS11  128 bits  AES128-SHA
> > Accepted  TLS11  112 bits  DES-CBC3-SHA
> > Accepted  TLS12  256 bits  AES256-SHA256
> > Accepted  TLS12  256 bits  AES256-SHA
> > Accepted  TLS12  128 bits  AES128-GCM-SHA256
> > Accepted  TLS12  128 bits  AES128-SHA256
> > Accepted  TLS12  128 bits  AES128-SHA
> > Accepted  TLS12  112 bits  DES-CBC3-SHA
> >
> > rob
> >
> > > Nmap is still showing the same 13 ciphers as before though, like nothing
> > > had changed, and I did ipactl stop, made the modification, ipactl start.
> > >
> > > Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-28 18:44 EDT
> > > Nmap scan report for
> > > Host is up (0.000053s latency).
> > > PORT    STATE SERVICE
> > > 636/tcp open  ldapssl
> > > | ssl-enum-ciphers:
> > > |   TLSv1.2
> > > |     Ciphers (13)
> > > |       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
> > > |       SSL_RSA_FIPS_WITH_DES_CBC_SHA
> > > |       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
> > > |       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
> > > |       TLS_RSA_WITH_3DES_EDE_CBC_SHA
> > > |       TLS_RSA_WITH_AES_128_CBC_SHA
> > > |       TLS_RSA_WITH_AES_128_CBC_SHA256
> > > |       TLS_RSA_WITH_AES_128_GCM_SHA256
> > > |       TLS_RSA_WITH_AES_256_CBC_SHA
> > > |       TLS_RSA_WITH_AES_256_CBC_SHA256
> > > |       TLS_RSA_WITH_DES_CBC_SHA
> > > |       TLS_RSA_WITH_RC4_128_MD5
> > > |       TLS_RSA_WITH_RC4_128_SHA
> > > |     Compressors (1)
> > > |_      uncompressed
> > >
> > > Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
> > >
> > > Current Config:
> > >
> > > dse.ldif
> > > dn: cn=encryption,cn=config
> > > objectClass: top
> > > objectClass: nsEncryptionConfig
> > > cn: encryption
> > > nsSSLSessionTimeout: 0
> > > nsSSLClientAuth: allowed
> > > nsSSL2: off
> > > nsSSL3: off
> > > creatorsName: cn=server,cn=plugins,cn=config
> > > modifiersName: cn=directory manager
> > > createTimestamp: 20150420131850Z
> > > modifyTimestamp: 20150420131906Z
> > > nsSSL3Ciphers: -rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_
> > >  rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,+tls_rsa_aes_128_sha
> > >  ,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_
> > >  aes_256_sha,+rsa_aes_256_sha
> > > numSubordinates: 1
> > >
> > > nss.conf
> > > # SSL 3 ciphers. SSL 2 is disabled by default.
> > > NSSCipherSuite -rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,+tls_rsa_aes_128_gcm_sha,+tls_dhe_rsa_aes_128_gcm_sha,+tls_dhe_dss_aes_128_gcm_sha
> > >
> > > NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
> > >
> > > Does nss.conf have anything to do with the dir srv ciphers? I know the
> > > 389 docs say they are tied together, so the way I have been looking at
> > > it is: nss.conf lists the allowed ciphers, where dse.ldif lists which ones
> > > to use for 389 from nss.conf. Is that correct? Is there any other place
> > > where ciphers would be ignored?
> > >
> > > nss-3.19.1-8.el6_7.x86_64
> > > sssd-ipa-1.12.4-47.el6_7.4.x86_64
> > > ipa-client-3.0.0-47.el6_7.1.x86_64
> > > ipa-server-selinux-3.0.0-47.el6_7.1.x86_64
> > > ipa-pki-common-theme-9.0.3-7.el6.noarch
> > > ipa-python-3.0.0-47.el6_7.1.x86_64
> > > ipa-server-3.0.0-47.el6_7.1.x86_64
> > > libipa_hbac-python-1.12.4-47.el6_7.4.x86_64
> > > ipa-admintools-3.0.0-47.el6_7.1.x86_64
> > > ipa-pki-ca-theme-9.0.3-7.el6.noarch
> > > 389-ds-base-1.2.11.15-68.el6_7.x86_64
> > > 389-ds-base-libs-1.2.11.15-68.el6_7.x86_64
> > >
> > > I need to get rid of any rc4s
> > >
> > > Sean Hogan
> > > Security Engineer
> > > Watson Security & Risk Assurance
> > > Watson Cloud Technology and Support
> > > email: schogan at us.ibm.com | Tel 919 486 1397
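Sean's question above is which of the two settings actually drives what port 636 offers, and why RC4 keeps showing up in the scan. The following Python script is an added example for this thread and is not code from FreeIPA, from 389-ds or from any of the posters. It parses the output of nmap --script ssl-enum-ciphers quoted above (both the 5.51 layout and the 7.x layout Martin posts further down) and flags the RC4, DES, 3DES, export and NULL suites a vulnerability scanner will object to; it then evaluates an nsSSL3Ciphers value under the two readings of "+all" that Noriko describes in her reply (389-ds-base 1.2.11 on RHEL 6 enables every cipher whenever "+all" is present, 1.3.3 and later subtract the "-" entries). The alias table ALIASES_389 is a constructed subset for the demonstration: the aes, null, rc4_56 and export names are the ones quoted in the thread, while rsa_rc4_128_md5, rsa_rc4_128_sha, rsa_des_sha and rsa_3des_sha are assumed names, so check the table shipped with your ns-slapd before relying on the result.

```python
"""Audit the LDAPS cipher exposure discussed in this thread (added example).

parse_nmap_ciphers()/weak_ciphers() read `nmap --script ssl-enum-ciphers`
output (5.51 and 7.x layouts) and flag suites a scanner rejects;
effective_ciphers() evaluates an nsSSL3Ciphers value under the two 389-ds
treatments of "+all" described by Noriko.
"""
import re

CIPHER_RE = re.compile(r"\b(?:TLS|SSL)_[A-Z0-9_]+")

# (substring of the IANA suite name, reason), checked in this order
WEAK_MARKERS = (
    ("_NULL_", "no encryption"),
    ("EXPORT", "export-grade key"),
    ("RC4", "RC4 stream cipher"),
    ("_DES_", "single DES"),
    ("3DES", "3DES (64-bit block)"),
    ("MD5", "MD5 MAC"),
)


def parse_nmap_ciphers(output):
    """Cipher names in the order nmap printed them; key-size and grade
    annotations such as "(rsa 2048) - A" are ignored, so both layouts parse."""
    return [m.group(0) for m in CIPHER_RE.finditer(output)]


def weak_ciphers(names):
    """Map each flagged suite to the list of reasons it was flagged."""
    report = {}
    for name in names:
        reasons = [why for marker, why in WEAK_MARKERS if marker in name]
        if reasons:
            report[name] = reasons
    return report


def parse_cipher_spec(spec):
    """'+a,-b,+all' -> [('+','a'), ('-','b'), ('+','all')]; whitespace from
    LDIF continuation lines is tolerated."""
    pairs = []
    for token in spec.split(","):
        token = token.strip().lower()
        if token:
            pairs.append((token[0], token[1:]))
    return pairs


def effective_ciphers(spec, available, legacy_plus_all):
    """Aliases out of `available` that `spec` leaves enabled.

    legacy_plus_all=True  models 389-ds-base 1.2.11 (RHEL 6): "+all" enables
    every available cipher and the "-" entries are not honoured.
    legacy_plus_all=False models 1.3.3+: "+all" enables everything, then each
    "-alias" is removed.  Without "+all" entries apply in order either way.
    """
    available = set(available)
    pairs = parse_cipher_spec(spec)
    if ("+", "all") in pairs:
        enabled = set(available)
        if not legacy_plus_all:
            enabled -= {alias for sign, alias in pairs if sign == "-"}
        return enabled
    enabled = set()
    for sign, alias in pairs:
        if alias in available:
            (enabled.add if sign == "+" else enabled.discard)(alias)
    return enabled


def rc4_still_enabled(spec, legacy_plus_all):
    """Sorted RC4 aliases still enabled, i.e. what the scanner will report."""
    return sorted(a for a in effective_ciphers(spec, ALIASES_389, legacy_plus_all)
                  if "rc4" in a)


# Constructed subset of the 389-ds alias table (see lead-in): the rsa_rc4_128_*,
# rsa_des_sha and rsa_3des_sha names are assumed for the demonstration.
ALIASES_389 = [
    "rsa_null_md5", "rsa_null_sha",
    "rsa_rc4_128_md5", "rsa_rc4_128_sha", "rsa_rc4_56_sha",
    "tls_rsa_export1024_with_rc4_56_sha", "tls_dhe_dss_1024_rc4_sha",
    "rsa_des_sha", "rsa_3des_sha",
    "tls_rsa_aes_128_sha", "rsa_aes_128_sha", "tls_rsa_aes_256_sha",
    "rsa_aes_256_sha", "tls_dhe_dss_aes_128_sha", "tls_dhe_rsa_aes_128_sha",
    "tls_rsa_aes_128_gcm_sha", "tls_dhe_rsa_aes_128_gcm_sha",
    "tls_dhe_dss_aes_128_gcm_sha",
]

# Sean's "+all" dse.ldif value and Noriko's explicit replacement, as posted
PLUS_ALL_SPEC = ("+all,-rsa_null_sha,-rsa_rc4_56_sha,"
                 "-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha")
EXPLICIT_SPEC = (
    "-rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,"
    "-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,"
    "+tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,"
    "+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,"
    "+tls_rsa_aes_128_gcm_sha,+tls_dhe_rsa_aes_128_gcm_sha,"
    "+tls_dhe_dss_aes_128_gcm_sha")

# The 13-suite nmap 5.51 result from the thread, re-typed here as sample input
NMAP_551 = """\
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (13)
|       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|       SSL_RSA_FIPS_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
|       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA256
|       TLS_RSA_WITH_AES_128_GCM_SHA256
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|       TLS_RSA_WITH_DES_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|     Compressors (1)
|_      uncompressed
"""
```

Run against Sean's "+all" value, the script reports that on 1.2.11 every alias in the table stays enabled, and that even under the 1.3.3 reading his "-" list only strips the 56-bit and export RC4 suites, leaving rsa_rc4_128_md5 and rsa_rc4_128_sha in place, which matches the two RC4_128 suites in his nmap output. Noriko's explicit list enables only the nine AES suites under either reading, which is why it is the right shape for RHEL 6 regardless of how "+all" is handled.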
> > > From: Noriko Hosoi
> > > To: Ludwig Krispenz, freeipa-users at redhat.com
> > > Date: 04/28/2016 12:08 PM
> > > Subject: Re: [Freeipa-users] IPA vulnerability management SSL
> > > Sent by: freeipa-users-bounces at redhat.com
> > >
> > > ------------------------------------------------------------------------
> > >
> > > Thank you for including me in the loop, Ludwig.
> > >
> > > On 04/28/2016 04:34 AM, Ludwig Krispenz wrote:
> > > > If I remember correctly we did the change in default ciphers and the
> > > > option for handling in 389-ds > 1.3.3, so it would not be in RHEL6,
> > > > adding Noriko to get confirmation.
> > >
> > > Ludwig is right. The way to set nsSSL3Ciphers has been changed
> > > since 1.3.3, which is available on RHEL-7.
> > >
> > > This is one of the newly supported values of nsSSL3Ciphers:
> > >
> > >   Notes: if the value contains +all, then "-" is removed from the list.
> > >
> > >   http://www.port389.org/docs/389ds/design/nss-cipher-design.html#available-by-setting-all----nss-3162-1
> > >
> > > On the older 389-ds-base, including 389-ds-base-1.2.11.X on RHEL-6.X, if
> > > "+all" is found in the value, all the available ciphers are enabled.
> > >
> > > To work around it, could you try explicitly setting ciphers as follows?
> > > nsSSL3Ciphers:
> > >  -rsa_null_md5,-rsa_null_sha,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha,
> > >  +tls_rsa_aes_128_sha,+rsa_aes_128_sha,+tls_dhe_dss_aes_128_sha,+tls_dhe_rsa_aes_128_sha,+tls_rsa_aes_256_sha,+rsa_aes_256_sha,
> > >  +tls_rsa_aes_128_gcm_sha,+tls_dhe_rsa_aes_128_gcm_sha,+tls_dhe_dss_aes_128_gcm_sha
> > >
> > > Thanks,
> > > --noriko
> > >
> > > On 04/28/2016 04:34 AM, Ludwig Krispenz wrote:
> > >
> > > wanted to add Noriko, but hit send too quickly
> > >
> > > On 04/28/2016 01:26 PM, Ludwig Krispenz wrote:
> > >
> > > On 04/28/2016 12:06 PM, Martin Kosek wrote:
> > > On 04/28/2016 01:23 AM, Sean Hogan wrote:
> > > Hi Martin,
> > >
> > > No joy on placing - in front of the RC4s
> > >
> > > I modified my nss.conf to now read
> > > # SSL 3 ciphers. SSL 2 is disabled by default.
> > > NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha
> > >
> > > # SSL Protocol:
> > > # Cryptographic protocols that provide communication security.
> > > # NSS handles the specified protocols as "ranges", and automatically
> > > # negotiates the use of the strongest protocol for a connection starting
> > > # with the maximum specified protocol and downgrading as necessary to the
> > > # minimum specified protocol that can be used between two processes.
> > > # Since all protocol ranges are completely inclusive, and no protocol in the
> > > NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
> > >
> > > dse.ldif
> > >
> > > dn: cn=encryption,cn=config
> > > objectClass: top
> > > objectClass: nsEncryptionConfig
> > > cn: encryption
> > > nsSSLSessionTimeout: 0
> > > nsSSLClientAuth: allowed
> > > nsSSL2: off
> > > nsSSL3: off
> > > creatorsName: cn=server,cn=plugins,cn=config
> > > modifiersName: cn=directory manager
> > > createTimestamp: 20150420131850Z
> > > modifyTimestamp: 20150420131906Z
> > > nsSSL3Ciphers: +all,-rsa_null_sha,-rsa_rc4_56_sha,-tls_rsa_export1024_with_rc4_56_sha,-tls_dhe_dss_1024_rc4_sha
> > > numSubordinates: 1
> > >
> > > But I still get this with nmap.. I thought the above would remove
> > > -tls_rsa_export1024_with_rc4_56_sha but it is still showing. Is it the fact
> > > that I am not offering -tls_rsa_export1024_with_rc4_56_sha? If so.. I'm not
> > > really understanding where it is coming from, except the +all from DS, but
> > > the - should be negating that?
> > >
> > > Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-27 17:37 EDT
> > > Nmap scan report for
> > > Host is up (0.000086s latency).
> > > PORT    STATE SERVICE
> > > 636/tcp open  ldapssl
> > > | ssl-enum-ciphers:
> > > |   TLSv1.2
> > > |     Ciphers (13)
> > > |       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
> > > |       SSL_RSA_FIPS_WITH_DES_CBC_SHA
> > > |       TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
> > > |       TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
> > > |       TLS_RSA_WITH_3DES_EDE_CBC_SHA
> > > |       TLS_RSA_WITH_AES_128_CBC_SHA
> > > |       TLS_RSA_WITH_AES_128_CBC_SHA256
> > > |       TLS_RSA_WITH_AES_128_GCM_SHA256
> > > |       TLS_RSA_WITH_AES_256_CBC_SHA
> > > |       TLS_RSA_WITH_AES_256_CBC_SHA256
> > > |       TLS_RSA_WITH_DES_CBC_SHA
> > > |       TLS_RSA_WITH_RC4_128_MD5
> > > |       TLS_RSA_WITH_RC4_128_SHA
> > > |     Compressors (1)
> > > |_      uncompressed
> > >
> > > Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
> > >
> > > It seems no matter what config I put into nss.conf or dse.ldif nothing
> > > changes with my nmap results. Is there supposed to be a section to add TLS
> > > ciphers instead of SSL?
> > >
> > > Not sure now, CCing Ludwig who was involved in the original RHEL-6
> > > implementation.
> > >
> > > If I remember correctly we did the change in default ciphers and the option
> > > for handling in 389-ds > 1.3.3, so it would not be in RHEL6, adding Noriko
> > > to get confirmation.
> > >
> > > but the below comments about changing ciphers in dse.ldif could help in
> > > using the "old" way to set ciphers
> > >
> > > Just to be sure, when you are modifying dse.ldif, the procedure should
> > > always be the following:
> > >
> > > 1) Stop Directory Server service
> > > 2) Modify dse.ldif
> > > 3) Start Directory Server service
> > >
> > > Otherwise it won't get applied and will get overwritten later.
> > >
> > > In any case, the ciphers with RHEL-6 should be secure enough, the ones in
> > > FreeIPA 4.3.1 should be even better.
> > > This is for example an nmap taken on the FreeIPA Demo instance that runs on
> > > FreeIPA 4.3.1:
> > >
> > > $ nmap --script ssl-enum-ciphers -p 636 ipa.demo1.freeipa.org
> > >
> > > Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-28 12:02 CEST
> > > Nmap scan report for ipa.demo1.freeipa.org (209.132.178.99)
> > > Host is up (0.18s latency).
> > > PORT    STATE SERVICE
> > > 636/tcp open  ldapssl
> > > | ssl-enum-ciphers:
> > > |   TLSv1.2:
> > > |     ciphers:
> > > |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> > > |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
> > > |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
> > > |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
> > > |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
> > > |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
> > > |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
> > > |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
> > > |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
> > > |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
> > > |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
> > > |     compressors:
> > > |       NULL
> > > |     cipher preference: server
> > > |_  least strength: A
> > >
> > > Nmap done: 1 IP address (1 host up) scanned in 21.12 seconds
> > >
> > > Martin
> > >
> > > --
> > > Manage your subscription for the Freeipa-users mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > Go to http://freeipa.org for more info on the project

From bentech4you at gmail.com Fri Apr 29 21:00:14 2016
From: bentech4you at gmail.com (Ben .T.George)
Date: Sat, 30 Apr 2016 00:00:14 +0300
Subject: [Freeipa-users] ipa
trust-fetch-domains failing.
In-Reply-To: References: Message-ID:

Hi

Anyone please help me to fix this issue. I have created a new group in AD (4 hours back) and while I was mapping this group as --external, I am getting the below error.

[root at freeipa sysctl.d]# ipa group-add --external ad_admins_external --desc "KWTTESTDC.com.KW AD Administrators-External"
----------------------------------
Added group "ad_admins_external"
----------------------------------
  Group name: ad_admins_external
  Description: KWTTESTDC.com.KW AD Administrators-External
[root at freeipa sysctl.d]# ipa group-add-member ad_admins_external --external "KWTTESTDC\test admins"
[member user]:
[member group]:
  Group name: ad_admins_external
  Description: KWTTESTDC.com.KW AD Administrators-External
  Failed members:
    member user:
    member group: KWTTESTDC\test admins: Cannot find specified domain or server name
-------------------------
Number of members added 0
-------------------------

On Fri, Apr 29, 2016 at 4:41 PM, Ben .T.George wrote:
> Hi
>
> while issuing ipa trust-fetch-domains, I am getting the below error.
>
> I have created a new security group in AD and I want to add this to an external
> group.
>
> [root at freeipa ~]# ipa trust-fetch-domains "kwttestdc.com.kw"
> ipa: ERROR: error on server 'freeipa.idm.local': Fetching domains from
> trusted forest failed. See details in the error_log
>
> help me to fix/explain more about this error
>
> Regards
>

From zwolfinger at myemma.com Fri Apr 29 21:16:09 2016
From: zwolfinger at myemma.com (Zak Wolfinger)
Date: Fri, 29 Apr 2016 16:16:09 -0500
Subject: [Freeipa-users] Password Encryption Method
Message-ID: <88C04EE0-A5BD-4322-8E95-9E196D48D919@myemma.com>

Did the password encryption method change between V3.0 and newer versions? Where can I find out what method is being used? I'm running into hash issues when using GADS to sync to Google.
Cheers,
Zak Wolfinger
Infrastructure Engineer | Emma
zak.wolfinger at myemma.com
800.595.4401 or 615.292.5888 x197
615.292.0777 (fax)

Emma helps organizations everywhere communicate & market in style.
Visit us online at www.myemma.com

From anthony.wan.cheng at gmail.com Fri Apr 29 22:34:37 2016
From: anthony.wan.cheng at gmail.com (Anthony Cheng)
Date: Fri, 29 Apr 2016 22:34:37 +0000
Subject: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
In-Reply-To:
References: <1e4b516f-1532-0f55-034d-98f21833d53a@redhat.com>
Message-ID:

I made further progress: I managed to get it to be in NEED_TO_SUBMIT state again after a reboot, and this time klist and the clock look good. However, I'm getting this error while restarting IPA:

Starting dirsrv: PKI-IPA...[29/Apr/2016:21:41:48 +0000] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)

The error time is different from the time I changed to; after searching all files on the computer, I found some files that have that time:

/var/log/dirsrv/slapd-SAMPLE-NET/access.rotationinfo
/var/tmp/DNS_25

I changed the access time on them, restarted, and got the correct time in the error log:

Starting dirsrv: PKI-IPA...[28/Sep/2014:14:58:15 +0000] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
[ OK ] sample-NET...[28/Sep/2014:14:58:16 +0000] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)

Looking at the server cert, there are actually 2, and one is expired no matter what time I set it to, due to the time lapse between them; this seems to indicate that I need to remove one of them:

[root at test ~]# certutil -L -d /etc/httpd/alias -n Server-Cert | grep 'Issuer\|Not\|Subject\|Name'
        Issuer: "CN=Certificate Authority,O=sample.NET"
            Not Before: Sun Aug 02 14:09:45 2015
            Not After : Fri Jan 29 14:09:45 2016
        Subject: "CN=test.sample.net,O=sample.NET"
        Subject Public Key Info:
            Name: Certificate Authority Key Identifier
            Name: Authority Information Access
            Name: Certificate Key Usage
            Name: Extended Key Usage
            Name: Certificate Subject Key ID
        Issuer: "CN=Certificate Authority,O=sample.NET"
            Not Before: Sat May 03 00:20:37 2014
            Not After : Thu Oct 30 00:20:37 2014
        Subject: "CN=test.sample.net,O=sample.NET"
        Subject Public Key Info:
            Name: Certificate Authority Key Identifier
            Name: Authority Information Access
            Name: Certificate Key Usage
            Name: Extended Key Usage
            Name: Certificate Subject Key ID

On Fri, Apr 29, 2016 at 4:50 PM Anthony Cheng wrote:
> OK so I made progress on my cert renew issue; I was able to get kinit
> working so I can follow the rest of the steps here
> (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
>
> However, after using
>
> ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
>
> and restarting apache (/sbin/service httpd restart), resubmitting 3 certs
> (ipa-getcert resubmit -i ) and restarting IPA (resubmit -i )
> (/sbin/service ipa restart), I still see:
>
> [root at test ~]# ipa-getcert list | more
>
> Number of certificates and requests being tracked: 8.
> Request ID '20111214223243': > status: CA_UNREACHABLE > ca-error: Server failed request, will retry: 4301 (RPC failed at > server. Certificate operation cannot be compl > eted: Unable to communicate with CMS (Not Found)). > stuck: yes > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS > Certific > > ate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt' > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS > Certificate D > B' > CA: IPA > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=test.sample.net,O=sample.NET > > expires: 2016-01-29 14:09:46 UTC > eku: id-kp-serverAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20111214223300': > status: CA_UNREACHABLE > ca-error: Server failed request, will retry: 4301 (RPC failed at > server. Certificate operation cannot be compl > eted: Unable to communicate with CMS (Not Found)). > stuck: yes > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > Certificate > > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=test.sample.net,O=sample.NET > > expires: 2016-01-29 14:09:45 UTC > eku: id-kp-serverAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20111214223316': > status: CA_UNREACHABLE > ca-error: Server failed request, will retry: 4301 (RPC failed at > server. Certificate operation cannot be compl > eted: Unable to communicate with CMS (Not Found)). 
> stuck: yes > key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB',pinf > > ile='/etc/httpd/alias/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=sample.NET > subject: CN=test.sample.net,O=sample.NET > > expires: 2016-01-29 14:09:45 UTC > eku: id-kp-serverAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > > > Here are other relevant output: > > root at test ~]# /sbin/service ipa restart > Restarting Directory Service > > Shutting down dirsrv: > PKI-IPA... [ OK ] > sample-NET... [ OK ] > Starting dirsrv: > PKI-IPA... [ OK ] > sample-NET... [ OK ] > Restarting KDC Service > > Stopping Kerberos 5 KDC: [ OK ] > Starting Kerberos 5 KDC: [ OK ] > Restarting KPASSWD Service > > Stopping Kerberos 5 Admin Server: [ OK ] > Starting Kerberos 5 Admin Server: [ OK ] > Restarting DNS Service > Stopping named: . [ OK ] > Starting named: [ OK ] > Restarting MEMCACHE Service > Stopping ipa_memcached: [ OK ] > Starting ipa_memcached: [ OK ] > Restarting HTTP Service > Stopping httpd: [ OK ] > Starting httpd: [ OK ] > Restarting CA Service > Stopping pki-ca: [ OK ] > Starting pki-ca: [ OK ] > > [root at test ~]# klist > Ticket cache: FILE:/tmp/krb5cc_0 > Default principal: test at sample.NET > > Valid starting Expires Service principal > 01/28/16 14:05:01 01/29/16 14:05:01 krbtgt/sample.NET at sample.NET > 01/28/16 14:08:48 01/29/16 14:05:01 HTTP/test.sample.net at sample.NET > > [root at test ~]# ipa cert-show 1 > ipa: ERROR: Certificate operation cannot be completed: Unable to > communicate with CMS (Not Found) > > [root at caer ~]# /sbin/service httpd restart > Stopping httpd: [ OK ] > Starting httpd: [ OK ] > > > Would really greatly appreciate any help on this. 
>
> Also I noticed that after I do ldapmodify of usercertificate binary data with
>
> add: usercertificate;binary
> usercertificate;binary: !@#$@!#$#@$
>
> Then I re-run
>
> ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca
>
> I see 2 entries for usercertificate;binary (before the modify there was only
> 1) but they are duplicates and NOT from the data that I added. That seems
> incorrect to me.
>
>
> On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng wrote:
>
>> klist is actually empty; kinit admin fails. Sounds like then getcert
>> resubmit has a dependency on Kerberos. I can get a backup image that has
>> a valid ticket but it is only good for 1 day (and dated past the cert
>> expiration).
>>
>> Also I had asked a while back about whether there is a dependency on DIRSRV
>> to renew the cert; didn't get any response but I suspect there is a
>> dependency.
>>
>> Regarding the clock skew, I found out from /var/log/message that shows me
>> this, so it may be from named:
>>
>> Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew too great)
>> Jan 28 14:10:42 test named[2911]: loading configuration: failure
>> Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
>> Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)
>>
>> I don't have a krb5cc_496 file (since klist is empty), so it sounds to me like I
>> need to get a Kerberos ticket before going any further. Also, is the
>> /etc/krb5.keytab access/modification time important? I had changed the time
>> back to before the cert expiration date, rebooted and tried to renew, but the
>> error message about clock skew is still there. That seems strange.
>>
>> Lastly, as an absolute last resort, can I regenerate a new cert myself?
>> https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html >> >> [root at test /]# klist >> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0) >> [root at test /]# service ipa start >> Starting Directory Service >> Starting dirsrv: >> PKI-IPA... [ OK ] >> sample-NET... [ OK ] >> Starting KDC Service >> Starting Kerberos 5 KDC: [ OK ] >> Starting KPASSWD Service >> Starting Kerberos 5 Admin Server: [ OK ] >> Starting DNS Service >> Starting named: [FAILED] >> Failed to start DNS Service >> Shutting down >> Stopping Kerberos 5 KDC: [ OK ] >> Stopping Kerberos 5 Admin Server: [ OK ] >> Stopping named: [ OK ] >> Stopping httpd: [ OK ] >> Stopping pki-ca: [ OK ] >> Shutting down dirsrv: >> PKI-IPA... [ OK ] >> sample-NET... [ OK ] >> Aborting ipactl >> [root at test /]# klist >> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0) >> [root at test /]# service ipa status >> Directory Service: STOPPED >> Failed to get list of services to probe status: >> Directory Server is stopped >> >> On Thu, Apr 28, 2016 at 3:21 AM David Kupka wrote: >> >>> On 27/04/16 21:54, Anthony Cheng wrote: >>> > Hi list, >>> > >>> > I am trying to renew expired certificates following the manual renewal >>> procedure >>> > here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but >>> even with >>> > resetting the system/hardware clock to a time before expires, I am >>> getting the >>> > error "ca-error: Error setting up ccache for local "host" service >>> using default >>> > keytab: Clock skew too great." >>> > >>> > With NTP disable and clock reset why would it complain about clock >>> skew and how >>> > does it even know about the current time? >>> > >>> > [root at test certs]# getcert list >>> > Number of certificates and requests being tracked: 8. >>> > Request ID '20111214223243': >>> > status: MONITORING >>> > ca-error: Error setting up ccache for local "host" service >>> using >>> > default keytab: Clock skew too great. 
>>> > stuck: no >>> > key pair storage: >>> > >>> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS >>> > Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt' >>> > certificate: >>> > >>> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS >>> > Certificate DB' >>> > CA: IPA >>> > issuer: CN=Certificate Authority,O=sample.NET >>> > subject: CN=test.sample.net >> >,O=sample.NET >>> > expires: 2016-01-29 14:09:46 UTC >>> > eku: id-kp-serverAuth >>> > pre-save command: >>> > post-save command: >>> > track: yes >>> > auto-renew: yes >>> > Request ID '20111214223300': >>> > status: MONITORING >>> > ca-error: Error setting up ccache for local "host" service >>> using >>> > default keytab: Clock skew too great. >>> > stuck: no >>> > key pair storage: >>> > >>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >>> Certificate >>> > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' >>> > certificate: >>> > >>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >>> Certificate >>> > DB' >>> > CA: IPA >>> > issuer: CN=Certificate Authority,O=sample.NET >>> > subject: CN=test.sample.net >> >,O=sample.NET >>> > expires: 2016-01-29 14:09:45 UTC >>> > eku: id-kp-serverAuth >>> > pre-save command: >>> > post-save command: >>> > track: yes >>> > auto-renew: yes >>> > Request ID '20111214223316': >>> > status: MONITORING >>> > ca-error: Error setting up ccache for local "host" service >>> using >>> > default keytab: Clock skew too great. 
>>> > stuck: no >>> > key pair storage: >>> > >>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >>> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >>> > certificate: >>> > >>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >>> > Certificate DB' >>> > CA: IPA >>> > issuer: CN=Certificate Authority,O=sample.NET >>> > subject: CN=test.sample.net >> >,O=sample.NET >>> > expires: 2016-01-29 14:09:45 UTC >>> > eku: id-kp-serverAuth >>> > pre-save command: >>> > post-save command: >>> > track: yes >>> > auto-renew: yes >>> > Request ID '20130519130741': >>> > status: NEED_CSR_GEN_PIN >>> > ca-error: Internal error: no response to >>> > " >>> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true >>> ". >>> > stuck: yes >>> > key pair storage: >>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert >>> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 >>> > ' >>> > certificate: >>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert >>> > cert-pki-ca',token='NSS Certificate DB' >>> > CA: dogtag-ipa-renew-agent >>> > issuer: CN=Certificate Authority,O=sample.NET >>> > subject: CN=CA Audit,O=sample.NET >>> > expires: 2017-10-13 14:10:49 UTC >>> > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >>> > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >>> > "auditSigningCert cert-pki-ca" >>> > track: yes >>> > auto-renew: yes >>> > Request ID '20130519130742': >>> > status: NEED_CSR_GEN_PIN >>> > ca-error: Internal error: no response to >>> > " >>> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true >>> ". 
>>> > stuck: yes >>> > key pair storage: >>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >>> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 >>> > ' >>> > certificate: >>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >>> > cert-pki-ca',token='NSS Certificate DB' >>> > CA: dogtag-ipa-renew-agent >>> > issuer: CN=Certificate Authority,O=sample.NET >>> > subject: CN=OCSP Subsystem,O=sample.NET >>> > expires: 2017-10-13 14:09:49 UTC >>> > eku: id-kp-OCSPSigning >>> > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >>> > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >>> > "ocspSigningCert cert-pki-ca" >>> > track: yes >>> > auto-renew: yes >>> > Request ID '20130519130743': >>> > status: NEED_CSR_GEN_PIN >>> > ca-error: Internal error: no response to >>> > " >>> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true >>> ". >>> > stuck: yes >>> > key pair storage: >>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >>> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 >>> > ' >>> > certificate: >>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >>> > cert-pki-ca',token='NSS Certificate DB' >>> > CA: dogtag-ipa-renew-agent >>> > issuer: CN=Certificate Authority,O=sample.NET >>> > subject: CN=CA Subsystem,O=sample.NET >>> > expires: 2017-10-13 14:09:49 UTC >>> > eku: id-kp-serverAuth,id-kp-clientAuth >>> > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >>> > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >>> > "subsystemCert cert-pki-ca" >>> > track: yes >>> > auto-renew: yes >>> > Request ID '20130519130744': >>> > status: MONITORING >>> > ca-error: Internal error: no response to >>> > " >>> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true >>> ". 
>>> > stuck: no >>> > key pair storage: >>> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >>> Certificate >>> > DB',pinfile='/etc/httpd/alias/pwdfile.txt' >>> > certificate: >>> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >>> Certificate DB' >>> > CA: dogtag-ipa-renew-agent >>> > issuer: CN=Certificate Authority,O=sample.NET >>> > subject: CN=RA Subsystem,O=sample.NET >>> > expires: 2017-10-13 14:09:49 UTC >>> > eku: id-kp-serverAuth,id-kp-clientAuth >>> > pre-save command: >>> > post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert >>> > track: yes >>> > auto-renew: yes >>> > Request ID '20130519130745': >>> > status: NEED_CSR_GEN_PIN >>> > ca-error: Internal error: no response to >>> > " >>> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true >>> ". >>> > stuck: yes >>> > key pair storage: >>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert >>> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 >>> > ' >>> > certificate: >>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert >>> > cert-pki-ca',token='NSS Certificate DB' >>> > CA: dogtag-ipa-renew-agent >>> > issuer: CN=Certificate Authority,O=sample.NET >>> > subject: CN=test.sample.net >> >,O=sample.NET >>> > expires: 2017-10-13 14:09:49 UTC >>> > eku: id-kp-serverAuth,id-kp-clientAuth >>> > pre-save command: >>> > post-save command: >>> > track: yes >>> > auto-renew: yes[root at test certs]# getcert list >>> > Number of certificates and requests being tracked: 8. >>> > Request ID '20111214223243': >>> > status: MONITORING >>> > ca-error: Error setting up ccache for local "host" service >>> using >>> > default keytab: Clock skew too great. 
>>> > stuck: no >>> > key pair storage: >>> > >>> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS >>> > Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt' >>> > certificate: >>> > >>> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS >>> > Certificate DB' >>> > CA: IPA >>> > issuer: CN=Certificate Authority,O=sample.NET >>> > subject: CN=test.sample.net >> >,O=sample.NET >>> > expires: 2016-01-29 14:09:46 UTC >>> > eku: id-kp-serverAuth >>> > pre-save command: >>> > post-save command: >>> > track: yes >>> > auto-renew: yes >>> > Request ID '20111214223300': >>> > status: MONITORING >>> > ca-error: Error setting up ccache for local "host" service >>> using >>> > default keytab: Clock skew too great. >>> > stuck: no >>> > key pair storage: >>> > >>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >>> Certificate >>> > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' >>> > certificate: >>> > >>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >>> Certificate >>> > DB' >>> > CA: IPA >>> > issuer: CN=Certificate Authority,O=sample.NET >>> > subject: CN=test.sample.net >> >,O=sample.NET >>> > expires: 2016-01-29 14:09:45 UTC >>> > eku: id-kp-serverAuth >>> > pre-save command: >>> > post-save command: >>> > track: yes >>> > auto-renew: yes >>> > Request ID '20111214223316': >>> > status: MONITORING >>> > ca-error: Error setting up ccache for local "host" service >>> using >>> > default keytab: Clock skew too great. 
>>> > stuck: no >>> > key pair storage: >>> > >>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >>> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >>> > certificate: >>> > >>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >>> > Certificate DB' >>> > CA: IPA >>> > issuer: CN=Certificate Authority,O=sample.NET >>> > subject: CN=test.sample.net >> >,O=sample.NET >>> > expires: 2016-01-29 14:09:45 UTC >>> > eku: id-kp-serverAuth >>> > pre-save command: >>> > post-save command: >>> > track: yes >>> > auto-renew: yes >>> > Request ID '20130519130741': >>> > status: NEED_CSR_GEN_PIN >>> > ca-error: Internal error: no response to >>> > " >>> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true >>> ". >>> > stuck: yes >>> > key pair storage: >>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert >>> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 >>> > ' >>> > certificate: >>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert >>> > cert-pki-ca',token='NSS Certificate DB' >>> > CA: dogtag-ipa-renew-agent >>> > issuer: CN=Certificate Authority,O=sample.NET >>> > subject: CN=CA Audit,O=sample.NET >>> > expires: 2017-10-13 14:10:49 UTC >>> > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >>> > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >>> > "auditSigningCert cert-pki-ca" >>> > track: yes >>> > auto-renew: yes >>> > Request ID '20130519130742': >>> > status: NEED_CSR_GEN_PIN >>> > ca-error: Internal error: no response to >>> > " >>> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true >>> ". 
>>> > stuck: yes >>> > key pair storage: >>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >>> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 >>> > ' >>> > certificate: >>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >>> > cert-pki-ca',token='NSS Certificate DB' >>> > CA: dogtag-ipa-renew-agent >>> > issuer: CN=Certificate Authority,O=sample.NET >>> > subject: CN=OCSP Subsystem,O=sample.NET >>> > expires: 2017-10-13 14:09:49 UTC >>> > eku: id-kp-OCSPSigning >>> > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >>> > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >>> > "ocspSigningCert cert-pki-ca" >>> > track: yes >>> > auto-renew: yes >>> > Request ID '20130519130743': >>> > status: NEED_CSR_GEN_PIN >>> > ca-error: Internal error: no response to >>> > " >>> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true >>> ". >>> > stuck: yes >>> > key pair storage: >>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >>> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 >>> > ' >>> > certificate: >>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >>> > cert-pki-ca',token='NSS Certificate DB' >>> > CA: dogtag-ipa-renew-agent >>> > issuer: CN=Certificate Authority,O=sample.NET >>> > subject: CN=CA Subsystem,O=sample.NET >>> > expires: 2017-10-13 14:09:49 UTC >>> > eku: id-kp-serverAuth,id-kp-clientAuth >>> > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad >>> > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert >>> > "subsystemCert cert-pki-ca" >>> > track: yes >>> > auto-renew: yes >>> > Request ID '20130519130744': >>> > status: MONITORING >>> > ca-error: Internal error: no response to >>> > " >>> http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true >>> ". 
>>> >         stuck: no
>>> >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>> >         CA: dogtag-ipa-renew-agent
>>> >         issuer: CN=Certificate Authority,O=sample.NET
>>> >         subject: CN=RA Subsystem,O=sample.NET
>>> >         expires: 2017-10-13 14:09:49 UTC
>>> >         eku: id-kp-serverAuth,id-kp-clientAuth
>>> >         pre-save command:
>>> >         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>> >         track: yes
>>> >         auto-renew: yes
>>> > Request ID '20130519130745':
>>> >         status: NEED_CSR_GEN_PIN
>>> >         ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
>>> >         stuck: yes
>>> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>> >         CA: dogtag-ipa-renew-agent
>>> >         issuer: CN=Certificate Authority,O=sample.NET
>>> >         subject: CN=test.sample.net,O=sample.NET
>>> >         expires: 2017-10-13 14:09:49 UTC
>>> >         eku: id-kp-serverAuth,id-kp-clientAuth
>>> >         pre-save command:
>>> >         post-save command:
>>> >         track: yes
>>> >         auto-renew: yes
>>> > --
>>> >
>>> > Thanks, Anthony
>>> >
>>> >
>>> >
>>>
>>> Hello Anthony!
>>>
>>> After stopping NTP (or another time synchronizing service) and setting
>>> the time manually, the server really doesn't have a way to determine that its time
>>> differs from the real one.
>>>
>>> I think this might be an issue with the Kerberos ticket. You can show the content
>>> of root's ticket cache using klist. If there is anything, clean it with
>>> kdestroy and try to resubmit the request again.
>>>
>>> --
>>> David Kupka
>>>
>> --
>>
>> Thanks, Anthony
>>
> --
>
> Thanks, Anthony
>
--
Thanks, Anthony

From bentech4you at gmail.com Sat Apr 30 06:16:46 2016
From: bentech4you at gmail.com (Ben .T.George)
Date: Sat, 30 Apr 2016 09:16:46 +0300
Subject: [Freeipa-users] ipa trust-fetch-domains failing.
In-Reply-To:
References:
Message-ID:

When I am running ipa trust-fetch-domains "kwttestdc.com.kw", I am getting the below error in error_log:

[Sat Apr 30 09:14:25.107449 2016] [:error] [pid 2666] ipa: ERROR: Failed to call com.redhat.idm.trust.fetch_domains helper.DBus exception is org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken..
[Sat Apr 30 09:14:25.108353 2016] [:error] [pid 2666] ipa: INFO: [jsonserver_session] admin at IDM.LOCAL: trust_fetch_domains(u'kwttestdc.com.kw', rights=False, all=False, raw=False, version=u'2.156'): ServerCommandError

On Sat, Apr 30, 2016 at 12:00 AM, Ben .T.George wrote:
> Hi
>
> Anyone please help me to fix this issue.
>
> I have created a new group in AD (4 hours back) and while I was mapping this
> group as --external, I am getting the below error.
>
>
> [root at freeipa sysctl.d]# ipa group-add --external ad_admins_external --desc "KWTTESTDC.com.KW AD Administrators-External"
> ----------------------------------
> Added group "ad_admins_external"
> ----------------------------------
>   Group name: ad_admins_external
>   Description: KWTTESTDC.com.KW AD Administrators-External
> [root at freeipa sysctl.d]# ipa group-add-member ad_admins_external --external "KWTTESTDC\test admins"
> [member user]:
> [member group]:
>   Group name: ad_admins_external
>   Description: KWTTESTDC.com.KW AD Administrators-External
>   Failed members:
>     member user:
>     member group: KWTTESTDC\test admins: Cannot find specified domain or server name
> -------------------------
> Number of members added 0
> -------------------------
>
>
>
> On Fri, Apr 29, 2016 at 4:41 PM, Ben .T.George wrote:
>
>> Hi
>>
>> While issuing ipa trust-fetch-domains, I am getting the below error.
>>
>> I have created a new security group in AD and I want to add this to the
>> external group.
>>
>> [root at freeipa ~]# ipa trust-fetch-domains "kwttestdc.com.kw"
>> ipa: ERROR: error on server 'freeipa.idm.local': Fetching domains from trusted forest failed. See details in the error_log
>>
>> Help me to fix/explain more about this error.
>>
>> Regards
>>
>

From bentech4you at gmail.com Sat Apr 30 06:23:35 2016
From: bentech4you at gmail.com (Ben .T.George)
Date: Sat, 30 Apr 2016 09:23:35 +0300
Subject: [Freeipa-users] ipa trust-fetch-domains failing.
In-Reply-To:
References:
Message-ID:

Hi All,

This issue has been solved.

On Sat, Apr 30, 2016 at 9:16 AM, Ben .T.George wrote:
> When I am running ipa trust-fetch-domains "kwttestdc.com.kw", I am
> getting the below error in error_log:
>
> [Sat Apr 30 09:14:25.107449 2016] [:error] [pid 2666] ipa: ERROR: Failed
> to call com.redhat.idm.trust.fetch_domains helper.DBus exception is
> org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible
> causes include: the remote application did not send a reply, the message
> bus security policy blocked the reply, the reply timeout expired, or the
> network connection was broken..
> [Sat Apr 30 09:14:25.108353 2016] [:error] [pid 2666] ipa: INFO:
> [jsonserver_session] admin at IDM.LOCAL: trust_fetch_domains(u'kwttestdc.com.kw', rights=False, all=False, raw=False, version=u'2.156'):
> ServerCommandError
>
> On Sat, Apr 30, 2016 at 12:00 AM, Ben .T.George wrote:
>
>> Hi
>>
>> Anyone please help me to fix this issue.
>>
>> I have created a new group in AD (4 hours back) and while I was mapping
>> this group as --external, I am getting the below error.
>>
>>
>> [root at freeipa sysctl.d]# ipa group-add --external ad_admins_external --desc "KWTTESTDC.com.KW AD Administrators-External"
>> ----------------------------------
>> Added group "ad_admins_external"
>> ----------------------------------
>>   Group name: ad_admins_external
>>   Description: KWTTESTDC.com.KW AD Administrators-External
>> [root at freeipa sysctl.d]# ipa group-add-member ad_admins_external --external "KWTTESTDC\test admins"
>> [member user]:
>> [member group]:
>>   Group name: ad_admins_external
>>   Description: KWTTESTDC.com.KW AD Administrators-External
>>   Failed members:
>>     member user:
>>     member group: KWTTESTDC\test admins: Cannot find specified domain or server name
>> -------------------------
>> Number of members added 0
>> -------------------------
>>
>>
>>
>> On Fri, Apr 29, 2016 at 4:41 PM, Ben .T.George wrote:
>>
>>> Hi
>>>
>>> While issuing ipa trust-fetch-domains, I am getting the below error.
>>>
>>> I have created a new security group in AD and I want to add this to the
>>> external group.
>>>
>>> [root at freeipa ~]# ipa trust-fetch-domains "kwttestdc.com.kw"
>>> ipa: ERROR: error on server 'freeipa.idm.local': Fetching domains from trusted forest failed. See details in the error_log
>>>
>>> Help me to fix/explain more about this error.
>>>
>>> Regards
>>>
>>
>>
>

From bentech4you at gmail.com Sat Apr 30 07:06:16 2016
From: bentech4you at gmail.com (Ben .T.George)
Date: Sat, 30 Apr 2016 10:06:16 +0300
Subject: [Freeipa-users] HBAC with Active directory group is not working
In-Reply-To:
References: <20160429145932.GM25181@hendrix> <20160429155606.GN25181@hendrix>
Message-ID:

Hi

Adding to this.

In AD I have added 2 users, ben and jude.
In my HBAC rule, I pointed to this specific external group (where these users are), but while checking the rule from the IPA server using hbactest, both users' tests pass and show one rule. But in actual fact only ben is able to log in to the client machine, while jude cannot.

[root at freeipa ~]# ipa hbactest --user ben at kwttestdc.com.kw --host client.kwttestdc.com.kw --service sshd
--------------------
Access granted: True
--------------------
  Matched rules: test_admins
  Not matched rules: ad_can_login
  Not matched rules: local_admin_can_login
[root at freeipa ~]# ipa hbactest --user jude at kwttestdc.com.kw --host client.kwttestdc.com.kw --service sshd
--------------------
Access granted: True
--------------------
  Matched rules: test_admins
  Not matched rules: ad_can_login
  Not matched rules: local_admin_can_login

So my HBAC is working partially. How can I fix this?

Regards,
Ben

On Fri, Apr 29, 2016 at 7:27 PM, Ben .T.George wrote:
> Surprisingly, I have created some local IPA users and added them to the same HBAC
> rule, removed the AD group and applied this rule to the client, and that
> worked.
>
> How can I make this AD group with HBAC working?
>
> Regards,
> Ben
>
> On Fri, Apr 29, 2016 at 7:12 PM, Ben .T.George wrote:
>
>> Hi
>>
>> If I disable the allow_all rule,
>> I cannot log in to the client machine.
>>
>> On Fri, Apr 29, 2016 at 7:05 PM, Ben .T.George wrote:
>>
>>> Hi
>>>
>>> Actually I have added Domain Admins and the user ben is not part of
>>> Domain Admins. But when I log in to the client machine, I am getting the below:
>>>
>>> -sh-4.2$ id
>>> uid=1827801104(ben at kwttestdc.com.kw) gid=1827801104(ben at kwttestdc.com.kw) groups=1827801104(ben at kwttestdc.com.kw),1827800513(domain users at kwttestdc.com.kw),1827801105(sudo admins at kwttestdc.com.kw)
>>>
>>>
>>>
>>> On Fri, Apr 29, 2016 at 6:58 PM, Ben .T.George wrote:
>>>
>>>> Hi
>>>>
>>>> While explaining here it went wrong.
>>>> Actually what I did is "Added external group to POSIX group".
>>>>
>>>> On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek wrote:
>>>>
>>>>> On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote:
>>>>> > Hi,
>>>>> >
>>>>> > "The other is that the groups might not show up on the client (do
>>>>> > they?)"
>>>>>
>>>>> id $user.
>>>>>
>>>>> But I think Alexander noticed the root cause.
>>>>>
>>>>> >
>>>>> > How can I check that?
>>>>> >
>>>>> > Thanks
>>>>> > Ben
>>>>> >
>>>>> > On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek wrote:
>>>>> >
>>>>> > > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
>>>>> > > > Hi List,
>>>>> > > >
>>>>> > > > I have a working setup of one AD, one IPA server and one client
>>>>> > > > server. By default I can log in to the client server by using an AD username.
>>>>> > > >
>>>>> > > > I want to apply HBAC rules against this client server. For that
>>>>> > > > I have done the below steps.
>>>>> > > >
>>>>> > > > 1. created an external group in the IPA server
>>>>> > > > 2. created a local POSIX group in the IPA server
>>>>> > > > 3. added the AD group to the external group
>>>>> > > > 4. added the POSIX group to the external group.
>>>>> > > >
>>>>> > > > After that I have created an HBAC rule by adding both local and
>>>>> > > > external IPA groups, added sshd as service and selected service group as sudo.
>>>>> > > >
>>>>> > > > I have applied this HBAC rule to the client server from the web UI,
>>>>> > > > and while testing HBAC from the web, I am getting access denied.
>>>>> > >
>>>>> > > Sorry, not enough info.
>>>>> > >
>>>>> > > One guess would be that you need to add the "sudo-i" service as
>>>>> > > well.
>>>>> > > The other is that the groups might not show up on the client (do
>>>>> > > they?)
>>>>> > >
>>>>> > > Anyway, it might be a good idea to follow
>>>>> > > https://fedorahosted.org/sssd/wiki/Troubleshooting
>>>>> > >
>>>>> > > --
>>>>> > > Manage your subscription for the Freeipa-users mailing list:
>>>>> > > https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>> > > Go to http://freeipa.org for more info on the project
>>>>> > >
>>>>>
>>>>
>>>>
>>>
>>
>

From bentech4you at gmail.com Sat Apr 30 07:24:06 2016
From: bentech4you at gmail.com (Ben .T.George)
Date: Sat, 30 Apr 2016 10:24:06 +0300
Subject: [Freeipa-users] HBAC with Active directory group is not working
In-Reply-To:
References: <20160429145932.GM25181@hendrix> <20160429155606.GN25181@hendrix>
Message-ID:

And here is my sssd debug log from the client side: http://pastebin.com/ud2q3FR5

On Sat, Apr 30, 2016 at 10:06 AM, Ben .T.George wrote:
> Hi
>
> Adding to this.
>
> In AD I have added 2 users, ben and jude. In my HBAC rule, I pointed to this
> specific external group (where these users are),
>
> but while checking the rule from the IPA server using hbactest, both users'
> tests pass and show one rule. But in actual fact only ben is able to log in
> to the client machine, while jude cannot.
>
> [root at freeipa ~]# ipa hbactest --user ben at kwttestdc.com.kw --host client.kwttestdc.com.kw --service sshd
> --------------------
> Access granted: True
> --------------------
>   Matched rules: test_admins
>   Not matched rules: ad_can_login
>   Not matched rules: local_admin_can_login
> [root at freeipa ~]# ipa hbactest --user jude at kwttestdc.com.kw --host client.kwttestdc.com.kw --service sshd
> --------------------
> Access granted: True
> --------------------
>   Matched rules: test_admins
>   Not matched rules: ad_can_login
>   Not matched rules: local_admin_can_login
>
> So my HBAC is working partially. How can I fix this?
>
> Regards,
> Ben
>
> On Fri, Apr 29, 2016 at 7:27 PM, Ben .T.George wrote:
>
>> Surprisingly, I have created some local IPA users and added them to the same HBAC
>> rule, removed the AD group and applied this rule to the client, and that
>> worked.
>>
>> How can I make this AD group with HBAC working?
>>
>> Regards,
>> Ben
>>
>> On Fri, Apr 29, 2016 at 7:12 PM, Ben .T.George wrote:
>>
>>> Hi
>>>
>>> If I disable the allow_all rule,
>>> I cannot log in to the client machine.
>>>
>>> On Fri, Apr 29, 2016 at 7:05 PM, Ben .T.George wrote:
>>>
>>>> Hi
>>>>
>>>> Actually I have added Domain Admins and the user ben is not part of
>>>> Domain Admins. But when I log in to the client machine, I am getting the below:
>>>>
>>>> -sh-4.2$ id
>>>> uid=1827801104(ben at kwttestdc.com.kw) gid=1827801104(ben at kwttestdc.com.kw) groups=1827801104(ben at kwttestdc.com.kw),1827800513(domain users at kwttestdc.com.kw),1827801105(sudo admins at kwttestdc.com.kw)
>>>>
>>>>
>>>>
>>>> On Fri, Apr 29, 2016 at 6:58 PM, Ben .T.George wrote:
>>>>
>>>>> Hi
>>>>>
>>>>> While explaining here it went wrong. Actually what I did is
>>>>> "Added external group to POSIX group".
>>>>>
>>>>> On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek wrote:
>>>>>
>>>>>> On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote:
>>>>>> > Hi,
>>>>>> >
>>>>>> > "The other is that the groups might not show up on the client (do
>>>>>> > they?)"
>>>>>>
>>>>>> id $user.
>>>>>>
>>>>>> But I think Alexander noticed the root cause.
>>>>>>
>>>>>> >
>>>>>> > How can I check that?
>>>>>> >
>>>>>> > Thanks
>>>>>> > Ben
>>>>>> >
>>>>>> > On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek wrote:
>>>>>> >
>>>>>> > > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
>>>>>> > > > Hi List,
>>>>>> > > >
>>>>>> > > > I have a working setup of one AD, one IPA server and one client
>>>>>> > > > server. By default I can log in to the client server by using an AD username.
>>>>>> > > >
>>>>>> > > > I want to apply HBAC rules against this client server. For that
>>>>>> > > > I have done the below steps.
>>>>>> > > >
>>>>>> > > > 1. created an external group in the IPA server
>>>>>> > > > 2. created a local POSIX group in the IPA server
>>>>>> > > > 3. added the AD group to the external group
>>>>>> > > > 4. added the POSIX group to the external group.
>>>>>> > > >
>>>>>> > > > After that I have created an HBAC rule by adding both local and
>>>>>> > > > external IPA groups, added sshd as service and selected service group as
>>>>>> > > > sudo.
>>>>>> > > >
>>>>>> > > > I have applied this HBAC rule to the client server from the web UI,
>>>>>> > > > and while testing HBAC from the web, I am getting access denied.
>>>>>> > >
>>>>>> > > Sorry, not enough info.
>>>>>> > >
>>>>>> > > One guess would be that you need to add the "sudo-i" service as
>>>>>> > > well.
>>>>>> > > The other is that the groups might not show up on the client (do
>>>>>> > > they?)
>>>>>> > >
>>>>>> > > Anyway, it might be a good idea to follow
>>>>>> > > https://fedorahosted.org/sssd/wiki/Troubleshooting
>>>>>> > >
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>

From rcritten at redhat.com Sat Apr 30 14:08:10 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Sat, 30 Apr 2016 10:08:10 -0400
Subject: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
In-Reply-To:
References: <1e4b516f-1532-0f55-034d-98f21833d53a@redhat.com>
Message-ID: <5724BC4A.3060400@redhat.com>

Anthony Cheng wrote:
> OK so I made progress on my cert renew issue; I was able to get kinit
> working so I can follow the rest of the steps here
> (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
>
> However, after using
>
> ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
>
> and restarting apache (/sbin/service httpd restart), resubmitting 3
> certs (ipa-getcert resubmit -i ) and restarting IPA (resubmit -i )
> (/sbin/service ipa restart), I still see:
>
> [root at test ~]# ipa-getcert list | more
> Number of certificates and requests being tracked: 8.
> Request ID '20111214223243':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).

IPA proxies requests to the CA through Apache. This means that while
tomcat started ok it didn't load the dogtag CA application, hence the
Not Found. Check the CA debug and selftest logs to see why it failed to
start properly.

[ snip ]

> Would really greatly appreciate any help on this.
>
> Also I noticed after I do ldapmodify of usercertificate binary data with
>
> add: usercertificate;binary
> usercertificate;binary: !@#$@!#$#@$

You really pasted in binary? Or was this base64-encoded data? I wonder
if there is a problem in the wiki.

If this is really a binary value you should start with a DER-encoded
cert and load it using something like:

dn: uid=ipara,ou=people,o=ipaca
changetype: modify
add: usercertificate;binary
usercertificate;binary:< file:///path/to/cert.der

You can use something like openssl x509 to switch between PEM and DER
formats.

I have a vague memory that dogtag can deal with a multi-valued
usercertificate attribute.
rob

>
> Then I re-run
>
> ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca
>
> I see 2 entries for usercertificate;binary (before modify there was only
> 1) but they are duplicates and NOT from data that I added. That seems
> incorrect to me.
>
>
> On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng wrote:
>
> klist is actually empty; kinit admin fails. Sounds like then
> getcert resubmit has a dependency on Kerberos. I can get a backup
> image that has a valid ticket but it is only good for 1 day (and
> dated past the cert expiry).
>
> Also I had asked a while back about whether there is a dependency on
> DIRSRV to renew the cert; didn't get any response but I suspect
> there is a dependency.
>
> Regarding the clock skew, I found out from /var/log/message that
> shows me this so it may be from named:
>
> Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew too great)
> Jan 28 14:10:42 test named[2911]: loading configuration: failure
> Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
> Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)
>
> I don't have a krb5cc_496 file (since klist is empty), so it sounds to
> me I need to get a Kerberos ticket before going any further. Also,
> is the file /etc/krb5.keytab access/modification time important? I
> had changed the time back to before the cert expiration date, rebooted
> and tried to renew, but the error message about clock skew is still
> there. That seems strange.
>
> Lastly, as an absolute last resort, can I regenerate a new cert
> myself?
> https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html
>
> [root at test /]# klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> [root at test /]# service ipa start
> Starting Directory Service
> Starting dirsrv:
>     PKI-IPA...                                 [  OK  ]
>     sample-NET...
>                                                [  OK  ]
> Starting KDC Service
> Starting Kerberos 5 KDC:                       [  OK  ]
> Starting KPASSWD Service
> Starting Kerberos 5 Admin Server:              [  OK  ]
> Starting DNS Service
> Starting named:                                [FAILED]
> Failed to start DNS Service
> Shutting down
> Stopping Kerberos 5 KDC:                       [  OK  ]
> Stopping Kerberos 5 Admin Server:              [  OK  ]
> Stopping named:                                [  OK  ]
> Stopping httpd:                                [  OK  ]
> Stopping pki-ca:                               [  OK  ]
> Shutting down dirsrv:
>     PKI-IPA...                                 [  OK  ]
>     sample-NET...                              [  OK  ]
> Aborting ipactl
> [root at test /]# klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> [root at test /]# service ipa status
> Directory Service: STOPPED
> Failed to get list of services to probe status:
> Directory Server is stopped
>
> On Thu, Apr 28, 2016 at 3:21 AM David Kupka wrote:
>
> On 27/04/16 21:54, Anthony Cheng wrote:
> > Hi list,
> >
> > I am trying to renew expired certificates following the manual renewal procedure
> > here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but even with
> > resetting the system/hardware clock to a time before it expires, I am getting the
> > error "ca-error: Error setting up ccache for local "host" service using default
> > keytab: Clock skew too great."
> >
> > With NTP disabled and the clock reset, why would it complain about clock skew, and how
> > does it even know about the current time?
> >
> > [root at test certs]# getcert list
> > Number of certificates and requests being tracked: 8.
> > Request ID '20111214223243':
> >         status: MONITORING
> >         ca-error: Error setting up ccache for local "host" service using
> > default keytab: Clock skew too great.
> > stuck: no > > key pair storage: > > > type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS > > Certificate > DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt' > > certificate: > > > type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS > > Certificate DB' > > CA: IPA > > issuer: CN=Certificate Authority,O=sample.NET > > subject: CN=test.sample.net > ,O=sample.NET > > expires: 2016-01-29 14:09:46 UTC > > eku: id-kp-serverAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > Request ID '20111214223300': > > status: MONITORING > > ca-error: Error setting up ccache for local "host" > service using > > default keytab: Clock skew too great. > > stuck: no > > key pair storage: > > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > Certificate > > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' > > certificate: > > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > Certificate > > DB' > > CA: IPA > > issuer: CN=Certificate Authority,O=sample.NET > > subject: CN=test.sample.net > ,O=sample.NET > > expires: 2016-01-29 14:09:45 UTC > > eku: id-kp-serverAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > Request ID '20111214223316': > > status: MONITORING > > ca-error: Error setting up ccache for local "host" > service using > > default keytab: Clock skew too great. 
> > stuck: no > > key pair storage: > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > certificate: > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > > Certificate DB' > > CA: IPA > > issuer: CN=Certificate Authority,O=sample.NET > > subject: CN=test.sample.net > ,O=sample.NET > > expires: 2016-01-29 14:09:45 UTC > > eku: id-kp-serverAuth > > pre-save command: > > post-save command: > > track: yes > > auto-renew: yes > > Request ID '20130519130741': > > status: NEED_CSR_GEN_PIN > > ca-error: Internal error: no response to > > > "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true". > > stuck: yes > > key pair storage: > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > > ' > > certificate: > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate Authority,O=sample.NET > > subject: CN=CA Audit,O=sample.NET > > expires: 2017-10-13 14:10:49 UTC > > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > > post-save command: > /usr/lib64/ipa/certmonger/renew_ca_cert > > "auditSigningCert cert-pki-ca" > > track: yes > > auto-renew: yes > > Request ID '20130519130742': > > status: NEED_CSR_GEN_PIN > > ca-error: Internal error: no response to > > > "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true". 
> > stuck: yes > > key pair storage: > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > > ' > > certificate: > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate Authority,O=sample.NET > > subject: CN=OCSP Subsystem,O=sample.NET > > expires: 2017-10-13 14:09:49 UTC > > eku: id-kp-OCSPSigning > > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > > post-save command: > /usr/lib64/ipa/certmonger/renew_ca_cert > > "ocspSigningCert cert-pki-ca" > > track: yes > > auto-renew: yes > > Request ID '20130519130743': > > status: NEED_CSR_GEN_PIN > > ca-error: Internal error: no response to > > > "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true". > > stuck: yes > > key pair storage: > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > > cert-pki-ca',token='NSS Certificate DB',pin='297100916664 > > ' > > certificate: > > > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate Authority,O=sample.NET > > subject: CN=CA Subsystem,O=sample.NET > > expires: 2017-10-13 14:09:49 UTC > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > > post-save command: > /usr/lib64/ipa/certmonger/renew_ca_cert > > "subsystemCert cert-pki-ca" > > track: yes > > auto-renew: yes > > Request ID '20130519130744': > > status: MONITORING > > ca-error: Internal error: no response to > > > "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true". 
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> >     CA: dogtag-ipa-renew-agent
> >     issuer: CN=Certificate Authority,O=sample.NET
> >     subject: CN=RA Subsystem,O=sample.NET
> >     expires: 2017-10-13 14:09:49 UTC
> >     eku: id-kp-serverAuth,id-kp-clientAuth
> >     pre-save command:
> >     post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> >     track: yes
> >     auto-renew: yes
> > Request ID '20130519130745':
> >     status: NEED_CSR_GEN_PIN
> >     ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
> >     stuck: yes
> >     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> >     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> >     CA: dogtag-ipa-renew-agent
> >     issuer: CN=Certificate Authority,O=sample.NET
> >     subject: CN=test.sample.net,O=sample.NET
> >     expires: 2017-10-13 14:09:49 UTC
> >     eku: id-kp-serverAuth,id-kp-clientAuth
> >     pre-save command:
> >     post-save command:
> >     track: yes
> >     auto-renew: yes
> >
> > [root at test certs]# getcert list
> > Number of certificates and requests being tracked: 8.
> > Request ID '20111214223243':
> >     status: MONITORING
> >     ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
> >     certificate: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB'
> >     CA: IPA
> >     issuer: CN=Certificate Authority,O=sample.NET
> >     subject: CN=test.sample.net,O=sample.NET
> >     expires: 2016-01-29 14:09:46 UTC
> >     eku: id-kp-serverAuth
> >     pre-save command:
> >     post-save command:
> >     track: yes
> >     auto-renew: yes
> > Request ID '20111214223300':
> >     status: MONITORING
> >     ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> >     certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> >     CA: IPA
> >     issuer: CN=Certificate Authority,O=sample.NET
> >     subject: CN=test.sample.net,O=sample.NET
> >     expires: 2016-01-29 14:09:45 UTC
> >     eku: id-kp-serverAuth
> >     pre-save command:
> >     post-save command:
> >     track: yes
> >     auto-renew: yes
> > Request ID '20111214223316':
> >     status: MONITORING
> >     ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> >     CA: IPA
> >     issuer: CN=Certificate Authority,O=sample.NET
> >     subject: CN=test.sample.net,O=sample.NET
> >     expires: 2016-01-29 14:09:45 UTC
> >     eku: id-kp-serverAuth
> >     pre-save command:
> >     post-save command:
> >     track: yes
> >     auto-renew: yes
> > Request ID '20130519130741':
> >     status: NEED_CSR_GEN_PIN
> >     ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
> >     stuck: yes
> >     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> >     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> >     CA: dogtag-ipa-renew-agent
> >     issuer: CN=Certificate Authority,O=sample.NET
> >     subject: CN=CA Audit,O=sample.NET
> >     expires: 2017-10-13 14:10:49 UTC
> >     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
> >     track: yes
> >     auto-renew: yes
> > Request ID '20130519130742':
> >     status: NEED_CSR_GEN_PIN
> >     ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
> >     stuck: yes
> >     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> >     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> >     CA: dogtag-ipa-renew-agent
> >     issuer: CN=Certificate Authority,O=sample.NET
> >     subject: CN=OCSP Subsystem,O=sample.NET
> >     expires: 2017-10-13 14:09:49 UTC
> >     eku: id-kp-OCSPSigning
> >     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
> >     track: yes
> >     auto-renew: yes
> > Request ID '20130519130743':
> >     status: NEED_CSR_GEN_PIN
> >     ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
> >     stuck: yes
> >     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> >     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> >     CA: dogtag-ipa-renew-agent
> >     issuer: CN=Certificate Authority,O=sample.NET
> >     subject: CN=CA Subsystem,O=sample.NET
> >     expires: 2017-10-13 14:09:49 UTC
> >     eku: id-kp-serverAuth,id-kp-clientAuth
> >     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
> >     track: yes
> >     auto-renew: yes
> > Request ID '20130519130744':
> >     status: MONITORING
> >     ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> >     CA: dogtag-ipa-renew-agent
> >     issuer: CN=Certificate Authority,O=sample.NET
> >     subject: CN=RA Subsystem,O=sample.NET
> >     expires: 2017-10-13 14:09:49 UTC
> >     eku: id-kp-serverAuth,id-kp-clientAuth
> >     pre-save command:
> >     post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> >     track: yes
> >     auto-renew: yes
> > Request ID '20130519130745':
> >     status: NEED_CSR_GEN_PIN
> >     ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
> >     stuck: yes
> >     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> >     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> >     CA: dogtag-ipa-renew-agent
> >     issuer: CN=Certificate Authority,O=sample.NET
> >     subject: CN=test.sample.net,O=sample.NET
> >     expires: 2017-10-13 14:09:49 UTC
> >     eku: id-kp-serverAuth,id-kp-clientAuth
> >     pre-save command:
> >     post-save command:
> >     track: yes
> >     auto-renew: yes
> >
> > --
> >
> > Thanks, Anthony
> >
>
> Hello Anthony!
>
> After stopping NTP (or another time-synchronizing service) and setting the
> time manually, the server really doesn't have a way to determine that its
> time differs from the real one.
>
> I think this might be an issue with the Kerberos ticket. You can show the
> content of root's ticket cache using klist. If there is anything there, clean
> it with kdestroy and try to resubmit the request again.
> --
> David Kupka
>
> --
> Thanks, Anthony
>
> --
> Thanks, Anthony

From rcritten at redhat.com Sat Apr 30 14:30:49 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Sat, 30 Apr 2016 10:30:49 -0400
Subject: [Freeipa-users] Password Encryption Method
In-Reply-To: <88C04EE0-A5BD-4322-8E95-9E196D48D919@myemma.com>
References: <88C04EE0-A5BD-4322-8E95-9E196D48D919@myemma.com>
Message-ID: <5724C199.40108@redhat.com>

Zak Wolfinger wrote:
> Did the password encryption method change between V3.0 and newer
> versions? Where can I find out what method is being used? I'm running
> into hash issues when using GADS to sync to Google.

I don't think so, I think SSHA is still the default.

Knowing what versions of 389-ds-base you're asking about would probably be helpful.

rob

>
> Cheers,
> *Zak Wolfinger*
>
> Infrastructure Engineer | Emma®
> zak.wolfinger at myemma.com
> 800.595.4401 or 615.292.5888 x197
> 615.292.0777 (fax)
>
> Emma helps organizations everywhere communicate & market in style.
> Visit us online at www.myemma.com
>

From phosakotenagesh at ebay.com Fri Apr 29 17:16:11 2016
From: phosakotenagesh at ebay.com (Hosakote Nagesh, Pawan)
Date: Fri, 29 Apr 2016 17:16:11 +0000
Subject: [Freeipa-users] Free IPA Client in Docker
In-Reply-To: <9ae47ccb-cec5-4d55-1ecd-42ebef019185@redhat.com>
References: <96C5B8B7-8C00-4B30-B317-286AB2CCD94B@ebay.com> <9ae47ccb-cec5-4d55-1ecd-42ebef019185@redhat.com>
Message-ID:

Thanks for your quick response. I am trying this on Ubuntu. This is the bug I'm facing right now: https://lists.launchpad.net/freeipa/msg00236.html

They say it's fixed in the Trusty release of Ubuntu, but it doesn't work for me. There is also no other material on how to fix this dbus error.
root at jupyterhub:/# lsb_release -rd
Description:    Ubuntu 14.04.4 LTS
Release:        14.04
root at jupyterhub:/#

-
Best,
Pawan

On 4/29/16, 2:40 AM, "Martin Kosek" wrote:

>On 04/28/2016 08:14 PM, Hosakote Nagesh, Pawan wrote:
>> Hi,
>> I am planning to deploy FreeIPA Client in a docker where my Apps are
>> running. However I hit a road block as there seems to be a problem with the
>> docker's hostname settings in DNS records.
>
>CCing Jan on this one. Did you try to use SSSD Docker container we already have
>instead?
>
>https://hub.docker.com/r/fedora/sssd/
>https://www.adelton.com/docs/docker/fedora-sssd-container
>
>Martin
>
>> Debug Log
>> ---------
>>
>> ipa-client-install --hostname=`hostname -f` --mkhomedir -N --force-join --debug
>>
>> .
>> .
>> .
>> .
>>
>> debug
>>
>> zone phx01.eaz.ebayc3.com.
>>
>> update delete . IN A
>>
>> show
>>
>> send
>>
>> update add . 1200 IN A 172.17.0.3
>>
>> show
>>
>> send
>>
>>
>> Starting external process
>>
>> args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
>>
>> Process execution failed
>>
>> Traceback (most recent call last):
>>   File "/usr/sbin/ipa-client-install", line 2603, in <module>
>>     sys.exit(main())
>>   File "/usr/sbin/ipa-client-install", line 2584, in main
>>     rval = install(options, env, fstore, statestore)
>>   File "/usr/sbin/ipa-client-install", line 2387, in install
>>     client_dns(cli_server[0], hostname, options.dns_updates)
>>   File "/usr/sbin/ipa-client-install", line 1423, in client_dns
>>     update_dns(server, hostname)
>>   File "/usr/sbin/ipa-client-install", line 1410, in update_dns
>>     if do_nsupdate(update_txt):
>>   File "/usr/sbin/ipa-client-install", line 1346, in do_nsupdate
>>     ipautil.run(['/usr/bin/nsupdate', '-g', UPDATE_FILE])
>>   File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 303, in run
>>     close_fds=True, env=env, cwd=cwd)
>>   File "/usr/lib/python2.7/subprocess.py", line 710, in __init__
>>     errread, errwrite)
>>   File "/usr/lib/python2.7/subprocess.py", line 1327, in _execute_child
>>     raise child_exception
>> OSError: [Errno 2] No such file or directory
>>
>>
>> As a follow-up question I also wanted to know why it is absolutely necessary for
>> a Kerberos client to have a hostname. Won't the client initiate the connection and
>> the FreeIPA server can take it from there?
>> If so, what is the need of an FQDN for a FreeIPA client at all?
>>
>> -
>> Best,
>> Pawan
>>
>>
>

From rstory at tislabs.com Sat Apr 30 19:50:12 2016
From: rstory at tislabs.com (Robert Story)
Date: Sat, 30 Apr 2016 15:50:12 -0400
Subject: [Freeipa-users] IPA vulnerability management SSL
In-Reply-To: <201604291557.u3TFvBLq030809@d01av03.pok.ibm.com>
References: <201604270527.u3R5RvrE005517@d03av01.boulder.ibm.com> <6c44a1aa-b1d5-cd85-fc64-38b38d8a1e4b@redhat.com> <201604272324.u3RNOR6U009479@d01av01.pok.ibm.com> <2c9f4e2c-f86d-75a8-2f9f-c8f57284f7d6@redhat.com> <5721F34C.9010107@redhat.com> <5721F536.1000807@redhat.com> <57225110.1000708@redhat.com> <57237E09.5090603@redhat.com> <201604291557.u3TFvBLq030809@d01av03.pok.ibm.com>
Message-ID: <20160430155012.75a9cfc9@ispx.vb.futz.org>

On Fri, 29 Apr 2016 08:56:57 -0700 Sean wrote:
SH> Hi Rob,
SH>
SH> I stopped IPA, modified dse.ldif, restarted with the cipher list and it
SH> started without issue

Just thought I'd point out the other recent thread, "freeipa update changed my cipher set", which mentions that dse.ldif can get reset on upgrades, along with a way to make persistent overrides.

Robert

--
Senior Software Engineer @ Parsons
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL:

From gnotrica at candeal.com Sat Apr 30 20:16:25 2016
From: gnotrica at candeal.com (Gady Notrica)
Date: Sat, 30 Apr 2016 20:16:25 +0000
Subject: [Freeipa-users] Ldap error in ModifyPassword - 50: Insufficient access
Message-ID: <0984AB34E553F54B8705D776686863E70AC100DB@cd-exchange01.CD-PRD.candeal.ca>

Any help guys?

Gady

From: Gady Notrica
Sent: April 29, 2016 1:37 PM
To: 'freeipa-users at redhat.com'
Subject: Ldap error in ModifyPassword - 50: Insufficient access

Hey guys,

After my previous issue, my passwords do not sync anymore with IPA. No password changed for the sync user. Any ideas?

Thank you,

04/29/16 13:32:56: Ldap error in ModifyPassword 50: Insufficient access
04/29/16 13:32:56: Modify password failed for remote entry: uid=jlaporte,cn=users,cn=accounts,dc=ipa,dc=domain,dc=local
04/29/16 13:32:56: Deferring password change for jlaporte
04/29/16 13:32:58: Ldap error in ModifyPassword 50: Insufficient access
04/29/16 13:32:58: Modify password failed for remote entry: uid=jlaporte,cn=users,cn=accounts,dc=ipa,dc=domain,dc=local
04/29/16 13:32:58: Deferring password change for jlaporte
04/29/16 13:33:02: Ldap error in ModifyPassword 50: Insufficient access
04/29/16 13:33:02: Modify password failed for remote entry: uid=jlaporte,cn=users,cn=accounts,dc=ipa,dc=domain,dc=local
04/29/16 13:33:02: Deferring password change for jlaporte
04/29/16 13:33:10: Ldap error in ModifyPassword 50: Insufficient access
04/29/16 13:33:10: Modify password failed for remote entry: uid=jlaporte,cn=users,cn=accounts,dc=ipa,dc=domain,dc=local
04/29/16 13:33:10: Deferring password change for jlaporte

Gady
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
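Added example, not part of the thread and not PassSync code: a small Python triage script for the PassSync log format Gady posted. It groups the failures per user, maps the LDAP result code to its RFC 4511 name and the usual cause behind it, and measures the spacing between the deferred retries. The sample lines are constructed from the message above; the code-to-cause table is the editor's own summary of what those result codes normally mean for a sync account, not output of any tool.

```python
"""Triage a PassSync log: who failed, with which LDAP result, how often."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same shape as the lines posted in the thread.
SAMPLE_LOG = """\
04/29/16 13:32:56: Ldap error in ModifyPassword 50: Insufficient access
04/29/16 13:32:56: Modify password failed for remote entry: uid=jlaporte,cn=users,cn=accounts,dc=ipa,dc=domain,dc=local
04/29/16 13:32:56: Deferring password change for jlaporte
04/29/16 13:32:58: Ldap error in ModifyPassword 50: Insufficient access
04/29/16 13:32:58: Modify password failed for remote entry: uid=jlaporte,cn=users,cn=accounts,dc=ipa,dc=domain,dc=local
04/29/16 13:32:58: Deferring password change for jlaporte
04/29/16 13:33:02: Ldap error in ModifyPassword 50: Insufficient access
04/29/16 13:33:02: Modify password failed for remote entry: uid=jlaporte,cn=users,cn=accounts,dc=ipa,dc=domain,dc=local
04/29/16 13:33:02: Deferring password change for jlaporte
04/29/16 13:33:10: Ldap error in ModifyPassword 50: Insufficient access
04/29/16 13:33:10: Modify password failed for remote entry: uid=jlaporte,cn=users,cn=accounts,dc=ipa,dc=domain,dc=local
04/29/16 13:33:10: Deferring password change for jlaporte
"""

# RFC 4511 result codes a sync account commonly hits; causes are the
# editor's summary (an assumption for illustration), not PassSync text.
LDAP_RESULT = {
    32: ("noSuchObject", "target user not present in IPA (uid mismatch or not yet synced)"),
    49: ("invalidCredentials", "sync account password wrong or expired"),
    50: ("insufficientAccessRights", "sync account lacks the ACI/privilege to write userPassword"),
    53: ("unwillingToPerform", "server refused, often password policy or a read-only replica"),
}

LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d): (.*)$")
ERROR_RE = re.compile(r"^Ldap error in (\w+) (\d+): (.*)$")
FAILED_RE = re.compile(r"^Modify password failed for remote entry: (.*)$")
DEFER_RE = re.compile(r"^Deferring password change for (\S+)$")
TS_FMT = "%m/%d/%y %H:%M:%S"


def parse_passsync_log(text):
    """Return {user: summary}; each summary records the deferred attempts,
    the LDAP operations and result codes seen, the target DN and timestamps."""
    users = defaultdict(lambda: {"attempts": 0, "codes": set(), "ops": set(),
                                 "dn": None, "timestamps": []})
    pending_error = None  # (operation, code) from the most recent error line
    pending_dn = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a PassSync log line
        ts, msg = m.groups()
        err = ERROR_RE.match(msg)
        failed = FAILED_RE.match(msg)
        defer = DEFER_RE.match(msg)
        if err:
            pending_error = (err.group(1), int(err.group(2)))
        elif failed:
            pending_dn = failed.group(1)
        elif defer:
            # The deferral line closes one attempt; attach what preceded it.
            s = users[defer.group(1)]
            s["attempts"] += 1
            s["timestamps"].append(datetime.strptime(ts, TS_FMT))
            if pending_error:
                s["ops"].add(pending_error[0])
                s["codes"].add(pending_error[1])
            if pending_dn:
                s["dn"] = pending_dn
            pending_error, pending_dn = None, None
    return dict(users)


def retry_gaps_seconds(summary):
    """Seconds between consecutive deferrals; shows the retry back-off."""
    t = summary["timestamps"]
    return [int((b - a).total_seconds()) for a, b in zip(t, t[1:])]


def explain(code):
    """Human-readable line for an LDAP result code."""
    name, cause = LDAP_RESULT.get(code, ("unknown", "see RFC 4511 section 4.1.9"))
    return f"{code} {name}: {cause}"


if __name__ == "__main__":
    for user, s in parse_passsync_log(SAMPLE_LOG).items():
        print(f"{user}: {s['attempts']} deferred attempts against {s['dn']}")
        for code in sorted(s["codes"]):
            print("   ", explain(code))
        print("    retry gaps (s):", retry_gaps_seconds(s))
```

Run against the real PassSync log (pass the file contents instead of `SAMPLE_LOG`): a single user with a steady stream of result 50 points at the sync account's permissions rather than at the user, while a mix of 32 and 50 usually means the agreement is targeting the wrong subtree. The widening gaps (2, 4, 8 seconds in the sample) are PassSync backing off, so a quiet log does not mean the problem went away.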