From kay.y.zhou at ericsson.com Wed Jun 1 02:02:21 2016
From: kay.y.zhou at ericsson.com (Kay Zhou Y)
Date: Wed, 1 Jun 2016 02:02:21 +0000
Subject: [Freeipa-users] IPA 2.2 Certificate Renewal issue
In-Reply-To: <574DA955.2030004@redhat.com>
References: <57486A9E.2050909@redhat.com> <574DA955.2030004@redhat.com>
Message-ID:

Hi Rob,

The status for ipaCert is MONITORING no matter whether before or after resubmitting this request ID, as below:

Request ID '20140605220249':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=IPA RA,O=DRUTT.COM
        expires: 2014-06-24 14:08:50 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

I have restarted the ipa service before renewal since there is no pki-cad service in our env.

I have tried this process so many times, and I even wanted to recreate the ipaCert, but it failed.

The references I used are as below, but both of them are not applicable to my issue :(
http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
http://www.freeipa.org/page/PKI

And is it feasible to modify the expiration date for these certs manually or recreate them directly?

Thanks,
BR//Kay

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Tuesday, May 31, 2016 11:10 PM
To: Kay Zhou Y; freeipa-users at redhat.com
Cc: Doris Hongmei; Xionglin Gu
Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue

Kay Zhou Y wrote:
> Hi Rob,
>
> Thanks for your reply.
>
> And about your suggestion, actually I have done it, but it just renews the two 389-ds certs and the Apache cert.
> Since the ipaCert and subsystem certs expired at 20140624, I must roll back time to before it,
> then begin to renew, but after I did this:
>
> "Let's force renewal on all of the certificates:
> # for line in `getcert list | grep Request | cut -d "'" -f2`; do
> getcert resubmit -i $line; done ..."
>
> According to the wiki (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal), the CA subsystem certificates will be renewed. But it did not.

Ok, what state are the certificates in? When you go back in time are you restarting the pki-cad service before attempting to do the renewal?

> Finally after I finished all the actions mentioned in the wiki page, I still can't renew ipaCert and the other four CA subsystem certificates.
> And the two 389-ds and apache certs will still expire after the date 20160623 (expiry date of ipaCert 20140624 + two years).
>
> Is there any other guide or doc about the ipaCert and CA subsystem certificates?

Not really for IPA 2.x

rob

> Thanks a lot for your support!
>
> Thanks,
> BR//Kay
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Friday, May 27, 2016 11:41 PM
> To: Kay Zhou Y; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue
>
> Kay Zhou Y wrote:
>> Hi,
>>
>> This is Kay.
>>
>> I am not sure if the email address is correct, and I would really appreciate any help with my issue. It has been baffling me for a few days, and the expiry date is coming soon..
>>
>> There is an IPA 2.2 environment, and three "Server-Cert"s (two 389-ds and the Apache certs) will expire at 2016-06-05 22:03:17 UTC.
>>
>> Two years ago, these certs were renewed by other guys according to this document: http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>>
>> and it was successful, so the certificates were renewed until 20160605.
>>
>> But recently I want to renew them again since the expiry date is coming.
>> Then I followed the above guide, however things did not go well.
>
> The problem looks to be because the IPA RA cert (ipaCert) isn't matching what dogtag expects. See the wiki page starting at
>
> "For ipaCert, stored in /etc/httpd/alias you have another job to do..."
>
> You'll want to be sure that description correctly matches the certificate in the Apache database and confirm that the usercertificate value in LDAP matches the cert being presented.
>
> rob
>
>>
>> As below, it's the 8 certs which certmonger is tracking:
>>
>> root at ecnshlx3039-test2(SH):~ #getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID '20120704140859':
>>         status: CA_UNREACHABLE
>>         ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
>>         stuck: yes
>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DRUTT-COM/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>         expires: 2016-06-05 22:03:17 UTC
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv DRUTT-COM
>>         track: yes
>>         auto-renew: yes
>> Request ID '20120704140922':
>>         status: CA_UNREACHABLE
>>         ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
>>         stuck: yes
>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>         expires: 2016-06-05 22:03:17 UTC
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>> Request ID '20120704141150':
>>         status: CA_UNREACHABLE
>>         ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
>>         stuck: yes
>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>         expires: 2016-06-05 22:03:17 UTC
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>         track: yes
>>         auto-renew: yes
>> Request ID '20140605220249':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>         subject: CN=IPA RA,O=DRUTT.COM
>>         expires: 2014-06-24 14:08:50 UTC
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>> Request ID '20160527075219':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>         subject: CN=CA Audit,O=DRUTT.COM
>>         expires: 2014-06-24 14:08:42 UTC
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>> Request ID '20160527075220':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>         subject: CN=OCSP Subsystem,O=DRUTT.COM
>>         expires: 2014-06-24 14:08:41 UTC
>>         eku: id-kp-OCSPSigning
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>> Request ID '20160527075221':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>         subject: CN=CA Subsystem,O=DRUTT.COM
>>         expires: 2014-06-24 14:08:41 UTC
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>> Request ID '20160527075222':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>         expires: 2014-06-24 14:08:41 UTC
>>         eku: id-kp-serverAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>>
>> Following all the steps in the guide, the result is that just the first three certificates are renewed to 20160622 if I set the system time to 20140623 (when the four CA subsystem certs and the CA cert are valid).
>>
>> But the other five are not renewed at all (the four CA subsystem certs and the CA cert). There is no error information during these steps.
>>
>> I googled a lot but still found nothing that could resolve it, and then I found there was a similar thread:
>> https://www.redhat.com/archives/freeipa-users/2015-October/msg00174.html
>>
>> But unfortunately the solution is not applicable to my issue either.
>>
>> Since I am not familiar with FreeIPA, it bothers me so much.
>>
>> Any help will be really appreciated. Thanks in advance!
>>
>> Thanks,
>>
>> BR//Kay
>

From rcritten at redhat.com Wed Jun 1 03:56:04 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 31 May 2016 23:56:04 -0400
Subject: [Freeipa-users] IPA 2.2 Certificate Renewal issue
In-Reply-To:
References: <57486A9E.2050909@redhat.com> <574DA955.2030004@redhat.com>
Message-ID: <574E5CD4.1020108@redhat.com>

Kay Zhou Y wrote:
> Hi Rob,
>
> The status for ipaCert is MONITORING no matter whether before or after resubmitting this request ID, as below:
>
> Request ID '20140605220249':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=DRUTT.COM
>         subject: CN=IPA RA,O=DRUTT.COM
>         expires: 2014-06-24 14:08:50 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
>
> I have restarted the ipa service before renewal since there is no pki-cad service in our env.

Oh. So unfortunately the version of certmonger you have has a bug where the pre/post commands weren't displayed (it was only a display issue). If you look in /var/lib/certmonger/requests/ you can find the source for this output. See what the pre/post save command is for any of the CA subsystem certs and I guess perhaps ipaCert. I need to see how they are configured to do the renewal.

Maybe my memory is failing but I'd have sworn the CA process name was pki-cad. ipactl restart will restart the world. Given that the certs are expired you need to restart things when you go back in time.

I saw that you are tracking the subsystem certs on this master so the CA must be installed.

> I have tried this process so many times, and I even wanted to recreate the ipaCert, but it failed.
Before you go poking too manually into things I'd strongly recommend backing up the NSS databases first. You could easily break something.

> The references I used are as below, but both of them are not applicable to my issue :(
> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
> http://www.freeipa.org/page/PKI
>
> And is it feasible to modify the expiration date for these certs manually or recreate them directly?

You can't change any attributes of a certificate without re-issuing it. You can't issue a new cert without the CA up and I suspect it isn't up.

The cert may be in MONITORING when you go back in time because really, it's fine as long as it isn't expired, so MONITORING is a-ok.

rob

>
> Thanks,
> BR//Kay
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Tuesday, May 31, 2016 11:10 PM
> To: Kay Zhou Y; freeipa-users at redhat.com
> Cc: Doris Hongmei; Xionglin Gu
> Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue
>
> Kay Zhou Y wrote:
>> Hi Rob,
>>
>> Thanks for your reply.
>>
>> And about your suggestion, actually I have done it, but it just renews the two 389-ds certs and the Apache cert.
>> Since the ipaCert and subsystem certs expired at 20140624, I must roll back time to before it, then begin to renew, but after I did this:
>>
>> "Let's force renewal on all of the certificates:
>> # for line in `getcert list | grep Request | cut -d "'" -f2`; do
>> getcert resubmit -i $line; done ..."
>>
>> According to the wiki (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal), the CA subsystem certificates will be renewed. But it did not.
>
> Ok, what state are the certificates in? When you go back in time are you restarting the pki-cad service before attempting to do the renewal?
>
>> Finally after I finished all the actions mentioned in the wiki page, I still can't renew ipaCert and the other four CA subsystem certificates.
>> And the two 389-ds and apache certs will still expire after the date 20160623 (expiry date of ipaCert 20140624 + two years).
>>
>> Is there any other guide or doc about the ipaCert and CA subsystem certificates?
>
> Not really for IPA 2.x
>
> rob
>
>
>> Thanks a lot for your support!
>
>
>>
>> Thanks,
>> BR//Kay
>>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcritten at redhat.com]
>> Sent: Friday, May 27, 2016 11:41 PM
>> To: Kay Zhou Y; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue
>>
>> Kay Zhou Y wrote:
>>> Hi,
>>>
>>> This is Kay.
>>>
>>> I am not sure if the email address is correct, and I would really appreciate any help with my issue. It has been baffling me for a few days, and the expiry date is coming soon..
>>>
>>> There is an IPA 2.2 environment, and three "Server-Cert"s (two 389-ds and the Apache certs) will expire at 2016-06-05 22:03:17 UTC.
>>>
>>> Two years ago, these certs were renewed by other guys according to this document: http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>>>
>>> and it was successful, so the certificates were renewed until 20160605.
>>>
>>> But recently I want to renew them again since the expiry date is coming.
>>> Then I followed the above guide, however things did not go well.
>>
>> The problem looks to be because the IPA RA cert (ipaCert) isn't matching what dogtag expects. See the wiki page starting at
>>
>> "For ipaCert, stored in /etc/httpd/alias you have another job to do..."
>>
>> You'll want to be sure that description correctly matches the certificate in the Apache database and confirm that the usercertificate value in LDAP matches the cert being presented.
>>
>> rob
>>
>>>
>>> As below, it's the 8 certs which certmonger is tracking:
>>>
>>> root at ecnshlx3039-test2(SH):~ #getcert list
>>> Number of certificates and requests being tracked: 8.
>>> Request ID '20120704140859':
>>>         status: CA_UNREACHABLE
>>>         ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
>>>         stuck: yes
>>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DRUTT-COM/pwdfile.txt'
>>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB'
>>>         CA: IPA
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>>         expires: 2016-06-05 22:03:17 UTC
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv DRUTT-COM
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20120704140922':
>>>         status: CA_UNREACHABLE
>>>         ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
>>>         stuck: yes
>>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>>         CA: IPA
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>>         expires: 2016-06-05 22:03:17 UTC
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20120704141150':
>>>         status: CA_UNREACHABLE
>>>         ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
>>>         stuck: yes
>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>         CA: IPA
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>>         expires: 2016-06-05 22:03:17 UTC
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20140605220249':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>>         CA: dogtag-ipa-renew-agent
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=IPA RA,O=DRUTT.COM
>>>         expires: 2014-06-24 14:08:50 UTC
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20160527075219':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>         CA: dogtag-ipa-renew-agent
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=CA Audit,O=DRUTT.COM
>>>         expires: 2014-06-24 14:08:42 UTC
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20160527075220':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>         CA: dogtag-ipa-renew-agent
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=OCSP Subsystem,O=DRUTT.COM
>>>         expires: 2014-06-24 14:08:41 UTC
>>>         eku: id-kp-OCSPSigning
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20160527075221':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>>         CA: dogtag-ipa-renew-agent
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=CA Subsystem,O=DRUTT.COM
>>>         expires: 2014-06-24 14:08:41 UTC
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20160527075222':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>>         CA: dogtag-ipa-renew-agent
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>>         expires: 2014-06-24 14:08:41 UTC
>>>         eku: id-kp-serverAuth
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>>
>>> Following all the steps in the guide, the result is that just the first three certificates are renewed to 20160622 if I set the system time to 20140623 (when the four CA subsystem certs and the CA cert are valid).
>>>
>>> But the other five are not renewed at all (the four CA subsystem certs and the CA cert). There is no error information during these steps.
>>>
>>> I googled a lot but still found nothing that could resolve it, and then I found there was a similar thread:
>>> https://www.redhat.com/archives/freeipa-users/2015-October/msg00174.html
>>>
>>> But unfortunately the solution is not applicable to my issue either.
>>>
>>> Since I am not familiar with FreeIPA, it bothers me so much.
>>>
>>> Any help will be really appreciated. Thanks in advance!
>>>
>>> Thanks,
>>>
>>> BR//Kay
>>>

From mbasti at redhat.com Wed Jun 1 04:10:37 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 1 Jun 2016 06:10:37 +0200
Subject: [Freeipa-users] FreeIPA4.2: Recovering from an IPA master server failure
In-Reply-To:
References:
Message-ID: <8d3233db-e7ac-cc2f-13bb-ce29f09cf0ad@redhat.com>

On 31.05.2016 17:36, Michael Rainey (Contractor) wrote:
>
> Greetings community,
>
> I've run into an interesting problem which may be old hat to all of you. I was working to bring down my IPA master server and did it improperly. It was a rookie mistake, but I'm willing to view it as an exercise in recovering from a massive system failure.
>
> The original master server is gone with no way of recovering and I have managed to replace the server by promoting one of my replicas, but I find myself in a situation where I cannot remove the original master server from the LDAP directory. It is still seen as a master server and the webUI will not let me delete the system from directory server.
> Is there a process somewhere that will walk me through demoting the old server so I can delete it from the directory and officially promote its replacement?
>
> For reference, I followed the steps located at this link.
>
> Centos 7.2 / freeIPA 4.2
>
> Your help is greatly appreciated.
>
> --
> *Michael Rainey*
>
>

Hello,

can you next time please continue with just one thread?

You haven't replied whether this works for you:
https://www.redhat.com/archives/freeipa-users/2016-May/msg00521.html

regards,
Martin

From bentech4you at gmail.com Wed Jun 1 05:20:34 2016
From: bentech4you at gmail.com (Ben .T.George)
Date: Wed, 1 Jun 2016 08:20:34 +0300
Subject: [Freeipa-users] What if my AD domain user password not available
In-Reply-To:
References: <1006530.1464281903871.JavaMail.wam@elwamui-ovcar.atl.sa.earthlink.net> <20160527040554.dglitdvlfcg2asif@redhat.com> <20160527075339.3adp5oodpzup62qe@redhat.com>
Message-ID:

HI

sorry, it was an issue with DNS (SRV records were missing) and it's been fixed now.

i have created a one way forest trust. While issuing the trust from the IPA server, i have used a shared key and the process was successful. But after validating the trust from the AD side, it's asking for some username and password. I have given the below password combinations:

IPA "admin" user and password
IPA admin user and IPA directory password
AD "Administrator" and password.

but still it's not accepting that. So which username and password is it expecting?

This is if i create a one way trust. If i create a two way trust, this password is not asked for. and my AD admin will only allow a one way trust.

Thanks & Regards,
Ben

On Fri, May 27, 2016 at 11:04 AM, Ben .T.George wrote:

> HI Alex,
>
> Thanks for the information
>
> i have removed the old trust and am recreating it again
>
> [image: Inline image 1]
> [image: Inline image 2]
> [image: Inline image 4]
>
> And with the IPA domain (idm.local) it is also the same, it's not creating the trust.
>
> Regards,
> Ben
>
>
>
> On Fri, May 27, 2016 at 10:53 AM, Alexander Bokovoy wrote:
>
>> On Fri, 27 May 2016, Ben .T.George wrote:
>>
>>> This is what i am getting
>>>
>>> [image: Inline image 1]
>>> [image: Inline image 3]
>>> [image: Inline image 4]
>>>
>>> And that wizard ends with nothing. Please anyone share more info regarding this
>>>
>> The wizard asks you to enter the name of the domain, forest, or realm for the trust. You are entering the hostname of the IPA master. This is never going to fly.
>>
>> In Active Directory terms:
>> - forest is a set of AD domains
>> - it is named after the first AD domain created in the forest
>> - this domain is called 'forest root domain'
>>
>> In FreeIPA we have a single 'domain' from Active Directory perspective:
>> - this is the domain corresponding to Kerberos realm name (ipa.local in your case)
>> - Forest name = forest root domain name = ipa.local
>>
>> The wizard will then use DNS SRV records to discover IPA masters (AD DCs for Active Directory view).
>>
>>
>>
>>> Regards,
>>> Ben
>>>
>>> On Fri, May 27, 2016 at 10:24 AM, Ben .T.George wrote:
>>>
>>>> HI Alex.
>>>>
>>>> I am using Windows 2008 R2.
>>>>
>>>> when i am giving IPA's DNS name and click next, the trust wizard is not going through. But if i am selecting realm trust, at least the wizard completes.
>>>>
>>>> So which AD version is recommended?
>>>>
>>>> Regards,
>>>> Ben
>>>>
>>>> On Fri, May 27, 2016 at 7:05 AM, Alexander Bokovoy wrote:
>>>>
>>>>> On Fri, 27 May 2016, Ben .T.George wrote:
>>>>>
>>>>>> HI
>>>>>>
>>>>>> i ran some commands from the AD side and the Trust status got changed. Below is the command i used on AD
>>>>>>
>>>>>> netdom trust /d: /verify
>>>>>>
>>>>>> Before it was: "waiting for confirmation by remote side" and now it got changed to "Trust type: Active Directory domain"
>>>>>>
>>>>>> But when i am trying to map an AD group, it is not going through
>>>>>>
>>>>>> [root at zkwipamstr01 ~]# ipa group-add-member ad_admins_external --external 'MTC_TABS\Domain Users'
>>>>>> [member user]:
>>>>>> [member group]:
>>>>>>   Group name: ad_admins_external
>>>>>>   Description: ad_domain admins external map
>>>>>>   Failed members:
>>>>>>     member user:
>>>>>>     member group: MTC_TABS\Domain Users: trusted domain object not found
>>>>>> -------------------------
>>>>>> Number of members added 0
>>>>>> -------------------------
>>>>>>
>>>>>> This is what my trust properties from AD show. Trust type is showing as realm
>>>>>
>>>>> It should be 'Forest', not 'realm'. Realm is for plain MIT Kerberos realm trust which is *not* what IPA provides.
>>>>>
>>>>> [image: Inline image 1]
>>>>>
>>>>>> How can i fix this issue.
>>>>>
>>>>> Use correct type of trust when establishing trust on AD side. If your Windows version does not allow to specify proper trust type, I'm afraid, there is nothing we can help with.
>>>>>
>>>>> --
>>>>> / Alexander Bokovoy
>>
>> --
>> / Alexander Bokovoy

From gjn at gjn.priv.at Wed Jun 1 06:33:26 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Wed, 01 Jun 2016 08:33:26 +0200
Subject: [Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias
In-Reply-To: <574DA861.9000702@redhat.com>
References: <27123231.2vVFdNkPoa@techz> <574DA861.9000702@redhat.com>
Message-ID: <4468326.xlZGrDGMFj@techz>

Hello,

On Tuesday, 31 May 2016, 11:06:09 CEST, Rob Crittenden wrote:
> Günther J. Niederwimmer wrote:
> > Hello
> > I found some help for the IPA Certificate but I found no way to import the IPA CA?
> > I would like to create a webserver with an owncloud virtualhost and others..
> >
> > But it is not possible for me to create the /etc/httpd/alias correctly?
> >
> > I found this in IPA DOCS
> >
> > certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
> >
> > but with this command line I get an Error: /etc/ipa/ca.crt has the wrong format?
> >
> > Has anyone a link with a working example
>
> Does the file /etc/ipa/ca.crt exist? It is installed there on enrolled clients so the documentation is written from that perspective.

Yes.

> You can grab a copy from any enrolled system, including an IPA Master. Otherwise the command looks ok assuming you were sitting in /etc/httpd/alias when the command was executed (-d .).

Yes ;-). but certutil says it is a wrong format for the Certificate

Something is wrong on my system !!

for me it is not possible to have on an enrolled ipa-client a working webserver (apache) with mod_NSS

In the last Tests apache says it is the wrong "passwd" for the DB and doesn't start?
So now I start again with a new clean /etc/httpd/alias :-(.

--
with kind regards / best regards,
Günther J. Niederwimmer

From pspacek at redhat.com Wed Jun 1 07:40:02 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 1 Jun 2016 09:40:02 +0200
Subject: [Freeipa-users] dns location based discovery
In-Reply-To: <031afa1e-e640-68c2-d198-ec2902577f13@dds.nl>
References: <7ea56741-a81c-3db9-8988-36ae3ed05ddd@dds.nl> <20160530152233.GT6640@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160530155415.GC18297@hendrix> <330ebb09-ce59-77a0-65f6-6a1a917ff663@dds.nl> <745f6efb-e27a-ec4b-b7dd-b48a7b23b2ba@redhat.com> <031afa1e-e640-68c2-d198-ec2902577f13@dds.nl>
Message-ID: <2c4c9407-76ce-6697-4bc0-7b55e55eec8a@redhat.com>

On 31.5.2016 17:41, Winfried de Heiden wrote:
> Hi all,
>
> I've been playing on this topic but one can implement service discovery.
> Although it looks a bit dirty, you add _sites support to IPA by manually creating
> a DNS zone, something like:
>
> _tcp.locationX._sites.example.com
> and
> _tcp.locationY._sites.example.com
>
> and put two SRV records, _ldap and _kerberos, in it.
>
> Now, add "dns_discovery_domain = locationX._sites.example.com" or
> "dns_discovery_domain = locationY._sites.example.com"
>
> dns location based discovery is there...?

In principle yes, it should work just fine if you edit sssd.conf on all clients.

FreeIPA 4.4.0 will make maintenance of it simpler and will remove the requirement to reconfigure SSSD on clients.

Petr^2 Spacek

>
> Just curious....!
>
> Winny
>
> On 30-05-16 at 18:39 Martin Basti wrote:
>>
>> On 30.05.2016 18:16, Winfried de Heiden wrote:
>>> Hi all,
>>> Thanks for the quick answer even though I sent it to the wrong email address.
>>> About "Please note that for AD users (which is IIRC the majority of your
>>> environment), SSSD should already choose the right site." I noticed that,
>>> but I was curious about the IPA part as well....
>>>
>>> Now, it looks like this is going to be an item for IPA 4.4
>>> (http://www.freeipa.org/page/V4/DNS_Location_Mechanism/)
>>> Will it be?
>> Yes it will be there (unless something very very bad happens)
>>
>>>
>>> IPA 4.4 is announced "the end of May". When can we expect Freeipa 4.4, I'm
>>> curious to test....
>>
>> Soon :)
>>
>> Martin
>>>
>>> Kind regards,
>>>
>>> Winny
>>>
>>> On 30-05-16 at 17:54 Jakub Hrozek wrote:
>>>>
>>>> On Mon, May 30, 2016 at 05:22:33PM +0200, Sumit Bose wrote:
>>>>>
>>>>> On Mon, May 30, 2016 at 05:13:35PM +0200, Winfried de Heiden wrote:
>>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> The sssd-ipa man page will tell:
>>>>>>
>>>>>> ipa_enable_dns_sites (boolean)
>>>>>>     Enables DNS sites - location based service discovery.
>>>>>>     If true and service discovery (see Service Discovery paragraph at the bottom of the man page) is enabled, then the SSSD will first attempt location based discovery using a query that contains "_location.hostname.example.com" and then fall back to traditional SRV discovery. If the location based discovery succeeds, the IPA servers located with the location based discovery are treated as primary servers and the IPA servers located using the traditional SRV discovery are used as back up servers
>>>>>>
>>>>>> After enabling it in an EL 6.8 IPA client (together with some debugging) this will show up in the sssd logging:
>>>>>>
>>>>>> (Mon May 30 16:51:08 2016) [sssd[be[blabla.bla]]] [resolv_discover_srv_next_domain] (0x0400): SRV resolution of service 'ldap'. Will use DNS discovery domain '_location.ipa-client-6.blabla.bla'
>>>>>> (Mon May 30 16:51:08 2016) [sssd[be[blabla.bla]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp._location.ipa-client-6.blabla.bla'
>>>>>>
>>>>>> Since this option is mentioned in the sssd-ipa man page, it suggests I could implement this location based service discovery. But how? Any documentation on this?
>>>>>> How to implement on the server? How to implement a location on the client (while running ipa-client-install)?
>>>>>>
>>>>>> Hope someone can help, it would be nice if a client will choose the correct server based on its location...
>>>>>
>>>>> In this case SSSD was a bit faster than the server side. Please monitor
>>>>> https://fedorahosted.org/freeipa/ticket/2008 for the progress. There is a
>>>>> link to a design page with more details as well.
>>>>>
>>>>> HTH
>>>>>
>>>>> bye,
>>>>> Sumit
>>>>>
>>>>> P.S. I changed the mailing-list address to @redhat.com.
>>>>
>>>> btw Winfried, I saw today the case you filed. Please note that for AD users
>>>> (which is IIRC the majority of your environment), SSSD should already choose
>>>> the right site. The RFE Sumit linked is 'just' about the IPA side of the
>>>> equation.

From kay.y.zhou at ericsson.com Wed Jun 1 04:56:02 2016
From: kay.y.zhou at ericsson.com (Kay Zhou Y)
Date: Wed, 1 Jun 2016 04:56:02 +0000
Subject: [Freeipa-users] IPA 2.2 Certificate Renewal issue
In-Reply-To: <574E5CD4.1020108@redhat.com>
References: <57486A9E.2050909@redhat.com> <574DA955.2030004@redhat.com> <574E5CD4.1020108@redhat.com>
Message-ID:

Hi Rob,

1. I have made snapshots of this system for test, so the NSS databases have been backed up.

2. For the pki-cad service, I can't find it in my system, it shows there is no such service.
but there is one service failed as below:

root@ecnshlx3039-test2(SH):requests #systemctl status pki-cad@pki-ca.service
pki-cad@pki-ca.service - PKI Certificate Authority Server pki-ca
          Loaded: loaded (/lib/systemd/system/pki-cad@.service; enabled)
          Active: failed (Result: exit-code) since Wed, 01 Jun 2016 06:28:53 +0200; 23min ago
         Process: 2675 ExecStop=/usr/bin/pkicontrol stop ca %i (code=exited, status=1/FAILURE)
         Process: 2525 ExecStart=/usr/bin/pkicontrol start ca %i (code=exited, status=0/SUCCESS)
        Main PID: 2593 (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/pki-cad@.service/pki-ca

Jun 01 06:28:49 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2549]: pam_unix(runuser-l:session): session opened for user pkius...d=0)
Jun 01 06:28:49 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2549]: pam_unix(runuser-l:session): session closed for user pkiuser
Jun 01 06:28:52 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2694]: pam_unix(runuser-l:session): session opened for user pkius...d=0)
Jun 01 06:28:53 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2694]: pam_unix(runuser-l:session): session closed for user pkiuser

I can't start it normally, even the log just said:
Jun  1 06:54:39 ecnshlx3039-test2 systemd[1]: pki-cad@pki-ca.service: control process exited, code=exited status=1
Jun  1 06:54:39 ecnshlx3039-test2 systemd[1]: Unit pki-cad@pki-ca.service entered failed state.

I will google more to try to start it first.

3. About the source of the output for getcert list:

root@ecnshlx3039-test2(SH):requests #ll
total 64
-rw-------. 1 root root 5698 Jun  1 06:06 20120704140859
-rw-------. 1 root root 5695 Jun  1 06:06 20120704140922
-rw-------. 1 root root 5654 Jun  1 06:06 20120704141150
-rw-------. 1 root root 5107 Jun  1 06:39 20140605220249
-rw-------. 1 root root 4982 Jun  1 06:39 20160601043748
-rw-------. 1 root root 5144 Jun  1 06:39 20160601043749
-rw-------. 1 root root 5186 Jun  1 06:39 20160601043750
-rw-------. 1 root root 5126 Jun  1 06:39 20160601043751
root@ecnshlx3039-test2(SH):requests #
root@ecnshlx3039-test2(SH):requests #grep post_certsave_command *
20120704140859:post_certsave_command=/usr/lib64/ipa/certmonger/restart_dirsrv DRUTT-COM
20120704141150:post_certsave_command=/usr/lib64/ipa/certmonger/restart_httpd
root@ecnshlx3039-test2(SH):requests #grep pre_certsave_command *
root@ecnshlx3039-test2(SH):requests #

there are just two statements.

And this is the detail info for ipaCert:

root@ecnshlx3039-test2(SH):requests #cat 20140605220249
id=20140605220249
key_type=RSA
key_gen_type=RSA
key_size=2048
key_gen_size=2048
key_storage_type=NSSDB
key_storage_location=/etc/httpd/alias
key_token=NSS Certificate DB
key_nickname=ipaCert
key_pin_file=/etc/httpd/alias/pwdfile.txt
key_pubkey=[value removed]
cert_storage_type=NSSDB
cert_storage_location=/etc/httpd/alias
cert_token=NSS Certificate DB
cert_nickname=ipaCert
cert_issuer=CN=Certificate Authority,O=DRUTT.COM
cert_serial=07
cert_subject=CN=IPA RA,O=DRUTT.COM
cert_spki=[value removed]
cert_not_before=20120704140850
cert_not_after=20140624140850
cert_ku=1111
cert_eku=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
last_need_notify_check=20160601044851
last_need_enroll_check=20160601044851
template_subject=CN=IPA RA,O=DRUTT.COM
template_ku=1111
template_eku=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
csr=-----BEGIN NEW CERTIFICATE REQUEST-----
MIICxTCCAa0CAQAwJTESMBAGA1UEChMJRFJVVFQuQ09NMQ8wDQYDVQQDEwZJUEEg
UkEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCbEv7USIGA4RQcz5Jk
tXGOi2/o9rW1ABgZ1J9yI0JQAULRFptgHNQn+2iwiugnLE/FCxcwtmWi2xrz0aMc
CbjfvMwYOtDoeu1KC2a1gGo/psCAfHR8G6Ci1rV1b1+1W8lv07+tjsYcSMmHsfbM
QkGKFQDfMJCXwba6c8EWwr/KAFoO+Hm8Fnc6mtZrmg7dgCr/MgI5J8SwcbF/1fnq
jXYLL8HLzeIzahQfjR6oYbGCgVuGkNaVaqe8LzQtkoyHaOypz0NIJZVJThOCldXG
7A4TtwvVMwkdLFqvCVY+N8DwkHRDujKRt/Cg4auwRD/g3jGevYbU+0f4npQcVdhA
JrsNAgMBAAGgWzAWBgkqhkiG9w0BCRQxCRMHaXBhQ2VydDBBBgkqhkiG9w0BCQ4x
NDAyMA4GA1UdDwEBAAQEAwIE8DAgBgNVHSUBAQAEFjAUBggrBgEFBQcDAQYIKwYB
BQUHAwIwDQYJKoZIhvcNAQELBQADggEBAGJ4eO2RyDJoeH/Z4J/LYKN77wnyLSV5
Mkh95m3xdtweXIdymZvhsz7im3TxvPdAKj1Rs/j4Ux61vYbmGO66Y/b0TAbNJ5U9
px4Fj9UvfRXUYr/hyuA/Boo/hp2uvjBzhADSwrJare/cDcYGHsIcKVvXh1bbc0MO
1/c4ZqOSuMjYhR1dVKduCeY6CV3b+hK04lNjeMK+ENBxPNVD8v1ortYW6J9ihRXt
ndJQmP6w6LVb8Qal9mRqMcGgJ076pQtmbeyiTR8JfnzkBUi4dHt1Wq0FlzeiyZ9R
VVZ2KQYxA1X5Oo+WYbvWqQJM8hPx9HoHCo+qHrnDs08DeXwAGEC4FvU=
-----END NEW CERTIFICATE REQUEST-----
spkac=[value removed]
state=MONITORING
autorenew=1
monitor=1
ca_name=dogtag-ipa-renew-agent
submitted=20160601044851
cert=-----BEGIN CERTIFICATE-----
MIIDZjCCAk6gAwIBAgIBBzANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKEwlEUlVU
VC5DT00xHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xMjA3MDQx
NDA4NTBaFw0xNDA2MjQxNDA4NTBaMCUxEjAQBgNVBAoTCURSVVRULkNPTTEPMA0G
A1UEAxMGSVBBIFJBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmxL+
1EiBgOEUHM+SZLVxjotv6Pa1tQAYGdSfciNCUAFC0RabYBzUJ/tosIroJyxPxQsX
MLZlotsa89GjHAm437zMGDrQ6HrtSgtmtYBqP6bAgHx0fBugota1dW9ftVvJb9O/
rY7GHEjJh7H2zEJBihUA3zCQl8G2unPBFsK/ygBaDvh5vBZ3OprWa5oO3YAq/zIC
OSfEsHGxf9X56o12Cy/By83iM2oUH40eqGGxgoFbhpDWlWqnvC80LZKMh2jsqc9D
SCWVSU4TgpXVxuwOE7cL1TMJHSxarwlWPjfA8JB0Q7oykbfwoOGrsEQ/4N4xnr2G
1PtH+J6UHFXYQCa7DQIDAQABo4GRMIGOMB8GA1UdIwQYMBaAFDvMAkWhLf4hHZUr
O2IVSc64Y+C4MDwGCCsGAQUFBwEBBDAwLjAsBggrBgEFBQcwAYYgaHR0cDovL2lw
YTEuZHJ1dHQuY29tOjgwL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAYoxpty9C
P4utdPQ4gGpQA/kLZquiGIWh7ELxEH43x42eu6wgubM7IBJ/nFyWsOYCnx3Znlv+
8aJduxQHq3zavhFpONqm+XRQ5aSofwgVru9fyR6AGBFaJ/2D3O1q1IAClzhMPLeM
4fbC48Gv9C2cohtmS6UNOuttBDPelowPaq7IfayEYg0fEpSFCn1fYOd0JcnvzRBP
EAboP231OWs/71CAqM4OimsSiDWtTITUadR7ZMe4ZyZ3kLesXbmJtteGklCpZbFc
TB27ZyiUAebxerGwcH7YgyOk5vQccQYC/nDg7NQMAQsqv4cJ2aeAmhyAWdmB3ctR
8NlRKYsmFG3nZw==
-----END CERTIFICATE-----
==========================================================================================================

4. "getcert list" result:

root@ecnshlx3039-test2(SH):requests #getcert list
Number of certificates and requests being tracked: 8.
Request ID '20120704140859':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DRUTT-COM/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=ipa1.drutt.com,O=DRUTT.COM
        expires: 2016-06-05 22:03:17 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv DRUTT-COM
        track: yes
        auto-renew: yes
Request ID '20120704140922':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://ipa1.drutt.com:443/ca/agent/ca/displayBySerial': [Errno -8053] (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=ipa1.drutt.com,O=DRUTT.COM
        expires: 2016-06-05 22:03:17 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20120704141150':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=ipa1.drutt.com,O=DRUTT.COM
        expires: 2016-06-05 22:03:17 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20140605220249':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=IPA RA,O=DRUTT.COM
        expires: 2014-06-24 14:08:50 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20160601043748':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=CA Audit,O=DRUTT.COM
        expires: 2014-06-24 14:08:42 UTC
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20160601043749':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=OCSP Subsystem,O=DRUTT.COM
        expires: 2014-06-24 14:08:41 UTC
        eku: id-kp-OCSPSigning
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20160601043750':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=CA Subsystem,O=DRUTT.COM
        expires: 2014-06-24 14:08:41 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20160601043751':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=ipa1.drutt.com,O=DRUTT.COM
        expires: 2014-06-24 14:08:41 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

thanks,
BR//Kay

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Wednesday, June 01, 2016 11:56 AM
To: Kay Zhou Y; freeipa-users at redhat.com
Cc: Doris Hongmei; Xionglin Gu
Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue

Kay Zhou Y wrote:
> Hi Rob,
>
> The status for ipaCert is MONITORING no matter before or after resubmitting this request ID, as below:
>
> Request ID '20140605220249':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=DRUTT.COM
>         subject: CN=IPA RA,O=DRUTT.COM
>         expires: 2014-06-24 14:08:50 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
>
> I have restarted ipa service before renewal since there is no pki-cad service in our env.

Oh. So unfortunately the version of certmonger you have has a bug where the pre/post commands weren't displayed (it was only a display issue).

If you look in /var/lib/certmonger/requests/ you can find the source for this output. See what the pre/post save command is for any of the CA subsystem certs and I guess perhaps ipaCert. I need to see how they are configured to do the renewal.

Maybe my memory is failing but I'd have sworn the CA process name was pki-cad. ipactl restart will restart the world. Given that the certs are expired you need to restart things when you go back in time.

I saw that you are tracking the subsystem certs on this master so the CA must be installed.

> I have tried so many times for this process, and I even wanted to recreate the ipaCert, but it failed.

Before you go poking too manually into things I'd strongly recommend backing up the NSS databases first. You could easily break something.

> The references I used are as below, but both of them are not applicable to
> my issue:( http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
> http://www.freeipa.org/page/PKI
>
> and is it feasible to modify the expiration date for these certs manually or recreate them directly?

You can't change any attributes of a certificate without re-issuing it. You can't issue a new cert without the CA up and I suspect it isn't up.

The cert may be in MONITORING when you go back in time because really, it's fine as long as it isn't expired, so MONITORING is a-ok.
rob

>
> Thanks,
> BR//Kay
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Tuesday, May 31, 2016 11:10 PM
> To: Kay Zhou Y; freeipa-users at redhat.com
> Cc: Doris Hongmei; Xionglin Gu
> Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue
>
> Kay Zhou Y wrote:
>> Hi Rob,
>>
>> Thanks for your reply.
>>
>> And about your suggestion, actually I have done it. but it just renewed the two 389-ds certs and Apache certs.
>> Since the ipaCert and subsystem certs expired at 20140624, I must roll back time before it, then begin to renew, but after I have done this:
>>
>> "Let's force renewal on all of the certificates:
>> # for line in `getcert list | grep Request | cut -d "'" -f2`; do
>> getcert resubmit -i $line; done ..."
>>
>> According to the wiki,
>> (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal ). The CA
>> subsystem certificates will be renewed. But it did not.
>
> Ok, what state are the certificates in? When you go back in time are you restarting the pki-cad service before attempting to do the renewal?
>
>> Finally after I finished all actions mentioned in the wiki page, I still can't renew ipaCert and the other four CA subsystem certificates.
>> And the two 389-ds and apache certs will still expire after the date 20160623 ( expire date of ipaCert 20140624 + two years).
>>
>> Is there any other guide or doc about the ipaCert and CA subsystem certificates?
>
> Not really for IPA 2.x
>
> rob
>
>
>> Thanks a lot for your support!
>
>
>>
>> Thanks,
>> BR//Kay
>>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcritten at redhat.com]
>> Sent: Friday, May 27, 2016 11:41 PM
>> To: Kay Zhou Y; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue
>>
>> Kay Zhou Y wrote:
>>> Hi,
>>>
>>> This is Kay.
>>>
>>> I am not sure if the email address is correct, and I would really
>>> appreciate it if there is any help for my issue. It's baffling for a few
>>> days, and the expire date is coming soon..
>>>
>>> There is an IPA 2.2 environment, and three "Server-Cert"(two 389-ds
>>> and the Apache certs) will expire at 2016-06-05 22:03:17 UTC.
>>>
>>> Two years ago, these certs were renewed by other guys according to
>>> this
>>> document: http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>>>
>>> and it was successful, then the certificates have been renewed until 20160605.
>>>
>>> But recently I want to renew it again since the expire date is coming.
>>> Then I followed the above guide, however things did not go well.
>>
>> The problem looks to be because the IPA RA cert (ipaCert) isn't
>> matching what dogtag expects. See the wiki page starting at
>>
>> "For ipaCert, stored in /etc/httpd/alias you have another job to do..."
>>
>> You'll want to be sure that description correctly matches the certificate in the Apache database and confirm that the usercertificate value in LDAP matches the cert being presented.
>>
>> rob
>>
>>>
>>> As below, it's the 8 certs which certmonger is tracking:
>>>
>>> root@ecnshlx3039-test2(SH):~ #getcert list
>>>
>>> Number of certificates and requests being tracked: 8.
>>>
>>> Request ID '20120704140859':
>>>         status: CA_UNREACHABLE
>>>         ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
>>>         stuck: yes
>>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DRUTT-COM/pwdfile.txt'
>>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB'
>>>         CA: IPA
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>>         expires: 2016-06-05 22:03:17 UTC
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv DRUTT-COM
>>>         track: yes
>>>         auto-renew: yes
>>>
>>> Request ID '20120704140922':
>>>         status: CA_UNREACHABLE
>>>         ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
>>>         stuck: yes
>>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>>         CA: IPA
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>>         expires: 2016-06-05 22:03:17 UTC
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>>
>>> Request ID '20120704141150':
>>>         status: CA_UNREACHABLE
>>>         ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
>>>         stuck: yes
>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>         CA: IPA
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>>         expires: 2016-06-05 22:03:17 UTC
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>         track: yes
>>>         auto-renew: yes
>>>
>>> Request ID '20140605220249':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>>         CA: dogtag-ipa-renew-agent
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=IPA RA,O=DRUTT.COM
>>>         expires: 2014-06-24 14:08:50 UTC
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>>
>>> Request ID '20160527075219':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>         CA: dogtag-ipa-renew-agent
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=CA Audit,O=DRUTT.COM
>>>         expires: 2014-06-24 14:08:42 UTC
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>>
>>> Request ID '20160527075220':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>         CA: dogtag-ipa-renew-agent
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=OCSP Subsystem,O=DRUTT.COM
>>>         expires: 2014-06-24 14:08:41 UTC
>>>         eku: id-kp-OCSPSigning
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>>
>>> Request ID '20160527075221':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>>         CA: dogtag-ipa-renew-agent
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=CA Subsystem,O=DRUTT.COM
>>>         expires: 2014-06-24 14:08:41 UTC
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>>
>>> Request ID '20160527075222':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>>         CA: dogtag-ipa-renew-agent
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>>         expires: 2014-06-24 14:08:41 UTC
>>>         eku: id-kp-serverAuth
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>>
>>> Following all the steps in the guide, the result is just that the first three
>>> certificates are renewed to 20160622 if I set the system time to
>>> 20140623 (when the four CA subsystem certs and CA cert are valid).
>>>
>>> But the other five are not renewed at all (the four CA subsystem certs
>>> and CA cert). There is no error information during these steps.
>>>
>>> I googled a lot but still found nothing that could resolve it. And then I
>>> found there was a similar thread:
>>> https://www.redhat.com/archives/freeipa-users/2015-October/msg00174.html
>>>
>>> But unfortunately the solution is not applicable to my issue either.
>>>
>>> Since I am not familiar with FreeIPA, it bothers me so much.
>>>
>>> Any help will be really appreciated. Thanks in advance!
>>>
>>> Thanks,
>>>
>>> BR//Kay
>>>
>>>
>>>
>>
>

From rcritten at redhat.com Wed Jun 1 13:54:58 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 1 Jun 2016 09:54:58 -0400
Subject: [Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias
In-Reply-To: <4468326.xlZGrDGMFj@techz>
References: <27123231.2vVFdNkPoa@techz> <574DA861.9000702@redhat.com> <4468326.xlZGrDGMFj@techz>
Message-ID: <574EE932.1040501@redhat.com>

Günther J. Niederwimmer wrote:
> Hello,
>
> On Tuesday, 31 May 2016, 11:06:09 CEST, Rob Crittenden wrote:
>> Günther J. Niederwimmer wrote:
>>> Hello
>>> I found some help for the IPA certificate but I found no way to import the
>>> IPA CA?
>>> I would like to create a webserver with an owncloud virtualhost and others..
>>>
>>> But it is not possible for me to create the /etc/httpd/alias correctly?
>>>
>>> I found this in IPA DOCS
>>>
>>> certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
>>>
>>> but with this command line I have an error: /etc/ipa/ca.crt has the wrong
>>> format?
>>> >>> Have any a link with a working example >> >> Does the file /etc/ipa/ca.crt exist? It is installed there on enrolled >> clients so the documentation is written from that perspective. > Yes. > >> You can grab a copy from any enrolled system, including an IPA Master. >> Otherwise the command looks ok assuming you were sitting in >> /etc/httpd/alias when the command was executed (-d .). > > Yes ;-). > but certutil mean it is a wrong format from the Certificate $ mkdir /tmp/testdb && cd /tmp/testdb $ certutil -N -d . $ certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt $ certutil -L -d . Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI EXAMPLE.COM IPA CA CT,, I guess look at what is in /etc/ipa/ca.crt and ensure it is valid. You can use openssl for that: $ openssl x509 -text -inform PEM -in /etc/ipa/ca.crt > Something is wrong on my system !! > > for me it is not possible to have on a enrolled ipa-client a working webserver > (apache) with mod_NSS > > The last Tests apache mean it is the wrong "passwd" for the DB and don't > start? > > So now I start again with a new clean /etc/httpd/alias Not knowing how you created the database or what your nss.conf looks like it's hard to say what is going on. If you set a NSS database password then you need to tell mod_nss about it. Typically you'd set this in nss.conf: NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf" and create /etc/httpd/conf/password.conf with contents like: internal:SecretPassword123 Ensure that the file is owned by apache:apache and mode 0400. rob From rcritten at redhat.com Wed Jun 1 14:36:55 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 1 Jun 2016 10:36:55 -0400 Subject: [Freeipa-users] IPA 2.2 Certificate Renewal issue In-Reply-To: References: <57486A9E.2050909@redhat.com> <574DA955.2030004@redhat.com> <574E5CD4.1020108@redhat.com> Message-ID: <574EF307.3090301@redhat.com> Kay Zhou Y wrote: > Hi Rob, > > 1. 
> I have made snapshots of this system for testing, so the NSS databases have been backed up.
>
> 2. For the pki-cad service, I can't find it in my system; it shows there is no such service.
> But there is one service that failed, as below:
>
> root at ecnshlx3039-test2(SH):requests #systemctl status pki-cad at pki-ca.service
> pki-cad at pki-ca.service - PKI Certificate Authority Server pki-ca
>           Loaded: loaded (/lib/systemd/system/pki-cad at .service; enabled)
>           Active: failed (Result: exit-code) since Wed, 01 Jun 2016 06:28:53 +0200; 23min ago
>          Process: 2675 ExecStop=/usr/bin/pkicontrol stop ca %i (code=exited, status=1/FAILURE)
>          Process: 2525 ExecStart=/usr/bin/pkicontrol start ca %i (code=exited, status=0/SUCCESS)
>         Main PID: 2593 (code=exited, status=0/SUCCESS)
>           CGroup: name=systemd:/system/pki-cad at .service/pki-ca
>
> Jun 01 06:28:49 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2549]: pam_unix(runuser-l:session): session opened for user pkius...d=0)
> Jun 01 06:28:49 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2549]: pam_unix(runuser-l:session): session closed for user pkiuser
> Jun 01 06:28:52 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2694]: pam_unix(runuser-l:session): session opened for user pkius...d=0)
> Jun 01 06:28:53 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2694]: pam_unix(runuser-l:session): session closed for user pkiuser
>
> I can't start it normally, and the log just says:
> Jun 1 06:54:39 ecnshlx3039-test2 systemd[1]: pki-cad at pki-ca.service: control process exited, code=exited status=1
> Jun 1 06:54:39 ecnshlx3039-test2 systemd[1]: Unit pki-cad at pki-ca.service entered failed state.
>
> I will google more to try to start it first.

Ok, this is very confusing to me. What distribution are you running? I have
the feeling you are running an extremely outdated version of Fedora.

Yes, you need the CA up in order to get the certificates renewed. Look at
catalina.out, the log "debug" and the selftests log for clues on why it
won't start.
You also need the PKI-IPA 389-ds instance running.

And I guess you were just showing me the service name and such, but of
course it won't start today with expired certs.

>
> 3. About the source of the output for getcert list:
>
> root at ecnshlx3039-test2(SH):requests #ll
> total 64
> -rw-------. 1 root root 5698 Jun 1 06:06 20120704140859
> -rw-------. 1 root root 5695 Jun 1 06:06 20120704140922
> -rw-------. 1 root root 5654 Jun 1 06:06 20120704141150
> -rw-------. 1 root root 5107 Jun 1 06:39 20140605220249
> -rw-------. 1 root root 4982 Jun 1 06:39 20160601043748
> -rw-------. 1 root root 5144 Jun 1 06:39 20160601043749
> -rw-------. 1 root root 5186 Jun 1 06:39 20160601043750
> -rw-------. 1 root root 5126 Jun 1 06:39 20160601043751
> root at ecnshlx3039-test2(SH):requests #
> root at ecnshlx3039-test2(SH):requests #grep post_certsave_command *
> 20120704140859:post_certsave_command=/usr/lib64/ipa/certmonger/restart_dirsrv DRUTT-COM
> 20120704141150:post_certsave_command=/usr/lib64/ipa/certmonger/restart_httpd
> root at ecnshlx3039-test2(SH):requests #grep pre_certsave_command *
> root at ecnshlx3039-test2(SH):requests #
>
> There are just two statements.

Ok, that is fine then I think.

rob

From guillermo.fuentes at modernizingmedicine.com Wed Jun 1 16:37:10 2016
From: guillermo.fuentes at modernizingmedicine.com (Guillermo Fuentes)
Date: Wed, 1 Jun 2016 12:37:10 -0400
Subject: [Freeipa-users] ns-slapd hangs for 2-3 minutes, then resumes.
Message-ID:

Hi all,

We are experiencing an issue similar to the one discussed in the following
thread, but we are running FreeIPA 4.2 on CentOS 7.2:
https://www.redhat.com/archives/freeipa-users/2015-February/msg00205.html

The LDAP service stops responding to queries (hangs). LDAP connections on
the server climb, sometimes up to 10 times the normal amount, and load
goes to 0. Then the connections start to drop until they get to a normal
level and the LDAP service starts to respond to queries again.
This happens over 3-5 minutes:

Time,LDAP conn,Opened files(ns-slapd),File Desc(ns-slapd),Threads(ns-slapd),Load1,Load5,Load15
8:54:03,101,353,216,142,0.43,0.20,0.16
8:55:02,108,359,221,142,0.19,0.18,0.15
8:56:03,110,361,224,142,0.07,0.15,0.14
8:57:14,117,383,246,142,0.15,0.16,0.15
8:58:04,276,371,234,142,0.05,0.13,0.14
8:59:05,469,371,234,142,0.02,0.11,0.13
9:00:08,719,371,234,142,0.01,0.09,0.12
9:01:18,1060,371,234,142,0.00,0.07,0.12
9:02:10,742,371,233,142,0.10,0.09,0.12
9:03:06,365,372,235,142,0.13,0.10,0.13
9:04:04,262,379,242,142,0.87,0.29,0.19
9:05:02,129,371,233,142,0.51,0.31,0.20
9:06:03,126,377,240,142,0.42,0.33,0.22
9:07:03,125,377,238,142,0.17,0.27,0.21

Nothing is logged in the errors log file of the server having the problem
(ipa1 as an example).
In the replicas this is logged:
8:59:05 -0400] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com" (ipa1:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
9:01:05 -0400] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com" (ipa1:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.

Nothing is logged in the access log file until after ns-slapd starts
responding again:
...
8:57:00 -0400] conn=12384 fd=234 slot=234 connection from 172.20.0.1 to 172.20.2.45
8:57:00 -0400] conn=12385 fd=235 slot=235 connection from 172.20.0.1 to 172.20.2.45
8:57:00 -0400] conn=12386 fd=236 slot=236 connection from 172.20.0.1 to 172.20.2.45
8:57:00 -0400] conn=12387 fd=237 slot=237 connection from 172.20.0.1 to 172.20.2.45
8:57:00 -0400] conn=10384 op=1227 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
8:57:00 -0400] conn=12324 op=8 RESULT err=0 tag=101 nentries=1 etime=0
8:57:00 -0400] conn=8838 op=2545 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
8:57:00 -0400] conn=8838 op=2545 RESULT err=0 tag=120 nentries=0 etime=0
8:57:00 -0400] conn=10384 op=1227 RESULT err=0 tag=120 nentries=0 etime=0
8:57:00 -0400] conn=12382 op=-1 fd=170 closed - B1
8:57:00 -0400] conn=12383 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedSASLMechanisms defaultnamingcontext namingContexts schemanamingcontext saslrealm"
8:57:00 -0400] conn=12384 op=-1 fd=234 closed - B1
8:57:00 -0400] conn=12385 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedSASLMechanisms defaultnamingcontext namingContexts schemanamingcontext saslrealm"
8:57:00 -0400] conn=12383 op=0 RESULT err=0 tag=101 nentries=1 etime=0
8:57:00 -0400] conn=12386 op=-1 fd=236 closed - B1
8:57:00 -0400] conn=12385 op=0 RESULT err=0 tag=101 nentries=1 etime=0
8:57:00 -0400] conn=12387 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedSASLMechanisms defaultnamingcontext namingContexts schemanamingcontext saslrealm"
8:57:00 -0400] conn=12387 op=0 RESULT err=0 tag=101 nentries=1 etime=0
8:57:00 -0400] conn=12385 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
8:57:00 -0400] conn=12387 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
8:57:00 -0400] conn=12385 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
8:57:00 -0400] conn=12383 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
8:57:00 -0400] conn=10384 op=1228 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
8:57:00 -0400] conn=10384 op=1228 RESULT err=0 tag=120 nentries=0 etime=0
8:57:00 -0400] conn=12383 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
9:02:00 -0400] conn=12388 fd=170 slot=170 connection from 172.20.0.1 to 172.20.2.45
9:02:00 -0400] conn=12389 fd=234 slot=234 SSL connection from 172.20.0.24 to 172.20.2.45
9:02:00 -0400] conn=12390 fd=236 slot=236 connection from local to /var/run/slapd-EXAMPLE-COM.socket
9:02:00 -0400] conn=12391 fd=238 slot=238 connection from 172.20.0.1 to 172.20.2.45
9:02:00 -0400] conn=12392 fd=239 slot=239 SSL connection from 172.20.0.24 to 172.20.2.45
9:02:00 -0400] conn=12393 fd=240 slot=240 connection from local to /var/run/slapd-EXAMPLE-COM.socket
9:02:00 -0400] conn=12394 fd=241 slot=241 connection from 172.20.0.1 to 172.20.2.45
9:02:00 -0400] conn=12395 fd=242 slot=242 SSL connection from 172.20.0.24 to 172.20.2.45
9:02:00 -0400] conn=12396 fd=243 slot=243 connection from 172.20.0.1 to 172.20.2.45
9:02:00 -0400] conn=12397 fd=244 slot=244 SSL connection from 172.20.0.24 to 172.20.2.45
9:02:00 -0400] conn=12398 fd=245 slot=245 connection from 172.20.0.1 to 172.20.2.45
9:02:00 -0400] conn=12400 fd=247 slot=247 connection from 172.20.0.1 to 172.20.2.45
9:02:00 -0400] conn=12401 fd=248 slot=248 connection from 172.20.0.1 to 172.20.2.45
...
9:02:00 -0400] conn=12390 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
9:02:00 -0400] conn=12388 op=-1 fd=170 closed - B1
9:02:00 -0400] conn=12393 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
9:02:00 -0400] conn=12391 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedSASLMechanisms defaultnamingcontext namingContexts schemanamingcontext saslrealm"
9:02:00 -0400] conn=12394 op=-1 fd=241 closed - B1
9:02:00 -0400] conn=12391 op=0 RESULT err=0 tag=101 nentries=1 etime=0
9:02:00 -0400] conn=12396 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedSASLMechanisms defaultnamingcontext namingContexts schemanamingcontext saslrealm"
9:02:00 -0400] conn=12396 op=0 RESULT err=0 tag=101 nentries=1 etime=0
9:02:00 -0400] conn=12398 op=-1 fd=245 closed - B1
9:02:00 -0400] conn=12400 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedSASLMechanisms defaultnamingcontext namingContexts schemanamingcontext saslrealm"
9:02:00 -0400] conn=12400 op=0 RESULT err=0 tag=101 nentries=1 etime=0
9:02:00 -0400] conn=12401 op=-1 fd=248 closed - B1
9:02:00 -0400] conn=12391 op=1 ABANDON targetop=NOTFOUND msgid=1
9:02:00 -0400] conn=12396 op=1 ABANDON targetop=NOTFOUND msgid=1
9:02:00 -0400] conn=12400 op=1 ABANDON targetop=NOTFOUND msgid=1
9:02:00 -0400] conn=12391 op=2 UNBIND
9:02:00 -0400] conn=12396 op=2 UNBIND
9:02:00 -0400] conn=12391 op=2 fd=238 closed - U1
9:02:00 -0400] conn=12396 op=2 fd=243 closed - U1
9:02:00 -0400] conn=12400 op=2 UNBIND
9:02:00 -0400] conn=12400 op=2 fd=247 closed - U1
...
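The two symptoms in the report above (connections piling up while the load average falls to 0, and the access log going silent for minutes) can be turned into a small detector that flags the hang window from monitoring samples and from the log itself. This is an added example, not code from the original post or from 389-ds; it runs over a constructed subset of the numbers in the post, and the thresholds (2x the recent healthy baseline, Load1 at or below 0.1, a 120-second gap in the access log) are assumptions to tune per site:

```python
"""Detect an ns-slapd hang window from per-minute samples and the access log.

Added example, not code from the thread or from 389-ds. Two signals the
post describes are turned into checks:
  1. client connections pile up (several times the recent healthy baseline)
     while the 1-minute load average drops toward zero: sockets are
     accepted but no work is done;
  2. the access log goes quiet for minutes on a server that otherwise
     logs every second.
The sample data below is a constructed subset of the lines in the post.
"""
import re
import statistics
from datetime import datetime

SAMPLES = """\
Time,LDAP conn,Opened files,File Desc,Threads,Load1,Load5,Load15
8:54:03,101,353,216,142,0.43,0.20,0.16
8:55:02,108,359,221,142,0.19,0.18,0.15
8:56:03,110,361,224,142,0.07,0.15,0.14
8:57:14,117,383,246,142,0.15,0.16,0.15
8:58:04,276,371,234,142,0.05,0.13,0.14
8:59:05,469,371,234,142,0.02,0.11,0.13
9:00:08,719,371,234,142,0.01,0.09,0.12
9:01:18,1060,371,234,142,0.00,0.07,0.12
9:02:10,742,371,233,142,0.10,0.09,0.12
9:03:06,365,372,235,142,0.13,0.10,0.13
9:04:04,262,379,242,142,0.87,0.29,0.19
9:05:02,129,371,233,142,0.51,0.31,0.20
"""

ACCESS_LOG = """\
8:57:00 -0400] conn=12385 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
8:57:00 -0400] conn=12383 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
9:02:00 -0400] conn=12388 fd=170 slot=170 connection from 172.20.0.1 to 172.20.2.45
9:02:00 -0400] conn=12391 op=0 SRCH base="" scope=0 filter="(objectClass=*)"
"""

_TS = re.compile(r"^(\d{1,2}:\d{2}:\d{2})")


def parse_samples(text):
    """Return [(time, connections, load1), ...] from the CSV table."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split(",")
        rows.append((fields[0], int(fields[1]), float(fields[5])))
    return rows


def hang_windows(rows, baseline_n=3, ratio=2.0, load_max=0.1):
    """Return [(first_time, last_time), ...] for runs of samples whose
    connection count is at least `ratio` times the median of the last
    `baseline_n` healthy samples while Load1 is at or below `load_max`.
    Samples taken while elevated do not feed the baseline, so a long hang
    cannot normalise itself away."""
    healthy, hung = [], []
    for i, (_t, conn, load1) in enumerate(rows):
        if len(healthy) < baseline_n:           # warm-up: trust early samples
            healthy.append(conn)
            continue
        base = statistics.median(healthy[-baseline_n:])
        elevated = conn >= ratio * base
        if elevated and load1 <= load_max:
            hung.append(i)
        elif not elevated:
            healthy.append(conn)
    windows = []
    for i in hung:                               # merge consecutive hits
        if windows and windows[-1][1] == i - 1:
            windows[-1][1] = i
        else:
            windows.append([i, i])
    return [(rows[a][0], rows[b][0]) for a, b in windows]


def log_gaps(text, min_gap=120):
    """Return [(before, after, seconds), ...] for consecutive access-log
    lines whose timestamps are at least `min_gap` seconds apart."""
    gaps, prev = [], None
    for line in text.splitlines():
        m = _TS.match(line)
        if not m:
            continue
        cur = datetime.strptime(m.group(1), "%H:%M:%S")
        if prev is not None:
            delta = int((cur - prev[1]).total_seconds())
            if delta >= min_gap:
                gaps.append((prev[0], m.group(1), delta))
        prev = (m.group(1), cur)
    return gaps


if __name__ == "__main__":
    print("hang windows:", hang_windows(parse_samples(SAMPLES)))
    print("access-log gaps:", log_gaps(ACCESS_LOG))
```

On the post's numbers the first check flags 8:58:04 through 9:02:10 and the second reports the five-minute silence between 8:57:00 and 9:02:00, which is exactly the window in which a stack trace of ns-slapd (the question Rich asks further down the thread) would be informative.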
Environment:
# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)

# rpm -qa ipa*
ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
ipa-python-4.2.0-15.0.1.el7.centos.6.1.x86_64
ipa-admintools-4.2.0-15.0.1.el7.centos.6.1.x86_64
ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.6.1.x86_64
ipa-client-4.2.0-15.0.1.el7.centos.6.1.x86_64
ipa-server-dns-4.2.0-15.0.1.el7.centos.6.1.x86_64

# rpm -qa 389*
389-ds-base-libs-1.3.4.0-30.el7_2.x86_64
389-ds-base-1.3.4.0-30.el7_2.x86_64

We have 4 FreeIPA servers with replication working fine between them.
ipa1 is handling LDAP authentication for 400+ clients and has been
tuned as recommended per
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Performance_Tuning_Guide/system-tuning.html

Is this a known issue?
Any idea what can be causing ns-slapd to hang?

Thanks in advance!

Guillermo

From Dan.Finkelstein at high5games.com Wed Jun 1 16:45:10 2016
From: Dan.Finkelstein at high5games.com (Dan.Finkelstein at high5games.com)
Date: Wed, 1 Jun 2016 16:45:10 +0000
Subject: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master
Message-ID:

Hi folks,

As the subject suggests, we're converting from FreeIPA 3.0.0 on CentOS 6 to
4.2.0 on CentOS 7. The way we're doing it is to create FreeIPA replicas on
CentOS 7 and then hope to promote one of them to the CA master. I'm running
into two problems:

The first is that when we create a replica in FreeIPA 4.2.0 with the
--setup-ca option, that portion fails. Here's a snippet of the output:

Configuring certificate server (pki-tomcatd).
Estimated time: 3 minutes 30 seconds
  [1/23]: creating certificate server user
  [2/23]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpqPeYOW'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Second, I've tried a "trick" where I run an ipa-backup on the 4.2.0 replica
and then restore it, hoping to convince the server that it's now a master.
When I try to run ipa-replica-prepare, it quickly exits with the mysterious
"no such entry" error:

[root at ipa ~]# ipa-replica-prepare ipa4test.example.local --ip-address 10.55.10.36
Directory Manager (existing master) password:

Preparing replica for ipa4test.example.local from ipa.example.local
no such entry

Ideas, suggestions, and help are very welcome!

Best regards,
Dan

Daniel Alex Finkelstein | Senior Dev Ops Engineer
Dan.Finkelstein at h5g.com | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com
Play High 5 Casino and Shake the Sky
Follow us on: Facebook, Twitter, YouTube, Linkedin

This message and any attachments may contain confidential or privileged information and are only for the use of the intended recipient of this message. If you are not the intended recipient, please notify the sender by return email, and delete or destroy this and all copies of this message and all attachments.
Any unauthorized disclosure, use, distribution, or reproduction of this message or any attachments is prohibited and may be unlawful.

From anthonyclarka2 at gmail.com Wed Jun 1 17:48:34 2016
From: anthonyclarka2 at gmail.com (Anthony Clark)
Date: Wed, 1 Jun 2016 13:48:34 -0400
Subject: [Freeipa-users] sessions failing when using different hostname
Message-ID:

Hello All,

I've been asked to allow access to our FreeIPA web UI from a more
user-friendly URL than I'm currently using. So I've set up a CNAME
password.example.com for ns01.example.com

At the moment, if I go to the real hostname of the FreeIPA server
(ns01.example.com), everything works.

If I go to the new "friendly" URL (password.example.com) then upon login I
get a "your session has expired please re-login" message.

Setting debug to true in /etc/ipa/server.conf shows me that the server
keeps using new session IDs.
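One mechanism that produces a fresh session ID on every request, with the server reporting that it found no session cookie at all, is a session cookie scoped to the server's real FQDN: a browser will not present such a cookie on a request to a different hostname, even when that name is a CNAME pointing at the same machine. The following is an added example, not code from the original post or from FreeIPA. The cookie name and value are constructed, and the assumption that the IPA session cookie is issued with Domain set to the server's own FQDN is the editor's, not something this thread confirms; the point of the block is to show, with Python's browser-like cookie jar, what that scoping does to a request made via the CNAME:

```python
"""Why a cookie issued for ns01.example.com is not sent to password.example.com.

Added example, not code from the original post or from FreeIPA. It assumes
(not confirmed by the thread) that the session cookie is scoped to the
server's own FQDN; the cookie name and value below are constructed.
"""
import email.message
import http.cookiejar
import urllib.request


class _FakeResponse:
    """Minimal stand-in for an HTTP response: the cookie jar only needs
    info() to return the headers, which is what a real urllib response does."""

    def __init__(self, set_cookie):
        self._msg = email.message.Message()
        self._msg["Set-Cookie"] = set_cookie

    def info(self):
        return self._msg


def cookie_sent_to(issued_by, scoped_to, requested):
    """Simulate a login response from `issued_by` that sets a session cookie
    with Domain=`scoped_to`, then report whether a browser-like cookie jar
    would attach it to a follow-up request for `requested`.

    Returns the Cookie header value that would be sent, or None if the jar
    withholds the cookie because the hostname does not match its scope."""
    jar = http.cookiejar.CookieJar()      # default policy behaves like a browser
    login = urllib.request.Request(f"https://{issued_by}/ipa/session/login_password")
    # Constructed cookie: hardened attributes (Path, Secure, HttpOnly) plus
    # an explicit Domain, which is the attribute under test here.
    header = ("ipa_session=7ab08ba17d30883cff480af9e923cf82; "
              f"Domain={scoped_to}; Path=/ipa; Secure; HttpOnly")
    jar.extract_cookies(_FakeResponse(header), login)

    follow_up = urllib.request.Request(f"https://{requested}/ipa/session/json")
    jar.add_cookie_header(follow_up)      # adds a Cookie header only if policy allows
    return follow_up.get_header("Cookie")


def compare(real_host="ns01.example.com", friendly_host="password.example.com"):
    """Run the same login against the real name and the friendly CNAME."""
    return {
        "same host": cookie_sent_to(real_host, real_host, real_host),
        "via cname": cookie_sent_to(real_host, real_host, friendly_host),
    }


if __name__ == "__main__":
    for label, value in compare().items():
        print(f"{label:>9}: {value!r}")
```

The first request carries the session cookie back; the second, identical except for the hostname, carries nothing, which is the state the "no session cookie found" debug line describes. Whatever the IPA-specific cause turns out to be, checking the actual Set-Cookie header the server returns (visible in the browser's developer tools) against the hostname in the address bar is a quicker first step than digging into the session store.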
(Host and user names changed to protect the innocent)

----- /var/log/httpd/error_log -----
[Wed Jun 01 17:11:06.237363 2016] [:error] [pid 31491] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Wed Jun 01 17:11:06.237533 2016] [:error] [pid 31491] ipa: DEBUG: WSGI jsonserver_session.__call__:
[Wed Jun 01 17:11:06.237944 2016] [:error] [pid 31491] ipa: DEBUG: no session cookie found
[Wed Jun 01 17:11:06.239009 2016] [:error] [pid 31491] ipa: DEBUG: no session id in request, generating empty session data with id=d5bc1c4cab8d3bfaee63b84805147995
[Wed Jun 01 17:11:06.239466 2016] [:error] [pid 31491] ipa: DEBUG: store session: session_id=d5bc1c4cab8d3bfaee63b84805147995 start_timestamp=2016-06-01T17:11:06 access_timestamp=2016-06-01T17:11:06 expiration_timestamp=1970-01-01T00:00:00
[Wed Jun 01 17:11:06.241052 2016] [:error] [pid 31491] ipa: DEBUG: jsonserver_session.__call__: session_id=d5bc1c4cab8d3bfaee63b84805147995 start_timestamp=2016-06-01T17:11:06 access_timestamp=2016-06-01T17:11:06 expiration_timestamp=1970-01-01T00:00:00
[Wed Jun 01 17:11:06.241186 2016] [:error] [pid 31491] ipa: DEBUG: no ccache, need login
[Wed Jun 01 17:11:06.241294 2016] [:error] [pid 31491] ipa: DEBUG: jsonserver_session: 401 Unauthorized need login
[Wed Jun 01 17:11:24.956791 2016] [:error] [pid 31492] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Wed Jun 01 17:11:24.956992 2016] [:error] [pid 31492] ipa: DEBUG: WSGI login_password.__call__:
[Wed Jun 01 17:11:24.957381 2016] [:error] [pid 31492] ipa: DEBUG: Obtaining armor ccache: principal=HTTP/ns01.example.com at EXAMPLE.COM keytab=/etc/httpd/conf/ipa.keytab ccache=/var/run/ipa_memcached/krbcc_A_aclark
[Wed Jun 01 17:11:24.957519 2016] [:error] [pid 31492] ipa: DEBUG: Initializing principal HTTP/ns01.example.com at EXAMPLE.COM using keytab /etc/httpd/conf/ipa.keytab
[Wed Jun 01 17:11:24.957633 2016] [:error] [pid 31492] ipa: DEBUG: using ccache /var/run/ipa_memcached/krbcc_A_aclark
[Wed Jun 01 17:11:24.998328 2016] [:error] [pid 31492] ipa: DEBUG: Attempt 1/1: success
[Wed Jun 01 17:11:24.998531 2016] [:error] [pid 31492] ipa: DEBUG: Initializing principal aclark at EXAMPLE.COM using password
[Wed Jun 01 17:11:24.998684 2016] [:error] [pid 31492] ipa: DEBUG: Using armor ccache /var/run/ipa_memcached/krbcc_A_aclark for FAST webauth
[Wed Jun 01 17:11:24.998865 2016] [:error] [pid 31492] ipa: DEBUG: Starting external process
[Wed Jun 01 17:11:24.998984 2016] [:error] [pid 31492] ipa: DEBUG: args='/usr/bin/kinit' 'aclark at EXAMPLE.COM' '-c' 'FILE:/var/run/ipa_memcached/krbcc_31492' '-T' '/var/run/ipa_memcached/krbcc_A_aclark'
[Wed Jun 01 17:11:26.079200 2016] [:error] [pid 31492] ipa: DEBUG: Process finished, return code=0
[Wed Jun 01 17:11:26.079384 2016] [:error] [pid 31492] ipa: DEBUG: stdout=Password for aclark at EXAMPLE.COM:
[Wed Jun 01 17:11:26.079399 2016] [:error] [pid 31492]
[Wed Jun 01 17:11:26.079483 2016] [:error] [pid 31492] ipa: DEBUG: stderr=
[Wed Jun 01 17:11:26.079680 2016] [:error] [pid 31492] ipa: DEBUG: Cleanup the armor ccache
[Wed Jun 01 17:11:26.079871 2016] [:error] [pid 31492] ipa: DEBUG: Starting external process
[Wed Jun 01 17:11:26.079983 2016] [:error] [pid 31492] ipa: DEBUG: args='/usr/bin/kdestroy' '-A' '-c' '/var/run/ipa_memcached/krbcc_A_aclark'
[Wed Jun 01 17:11:26.093954 2016] [:error] [pid 31492] ipa: DEBUG: Process finished, return code=0
[Wed Jun 01 17:11:26.094113 2016] [:error] [pid 31492] ipa: DEBUG: stdout=
[Wed Jun 01 17:11:26.094210 2016] [:error] [pid 31492] ipa: DEBUG: stderr=
[Wed Jun 01 17:11:26.094809 2016] [:error] [pid 31492] ipa: DEBUG: no session cookie found
[Wed Jun 01 17:11:26.095877 2016] [:error] [pid 31492] ipa: DEBUG: no session id in request, generating empty session data with id=7ab08ba17d30883cff480af9e923cf82
[Wed Jun 01 17:11:26.096132 2016] [:error] [pid 31492] ipa: DEBUG: store session: session_id=7ab08ba17d30883cff480af9e923cf82 start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26 expiration_timestamp=1970-01-01T00:00:00
[Wed Jun 01 17:11:26.096596 2016] [:error] [pid 31492] ipa: DEBUG: finalize_kerberos_acquisition: login_password ccache_name="FILE:/var/run/ipa_memcached/krbcc_31492" session_id="7ab08ba17d30883cff480af9e923cf82"
[Wed Jun 01 17:11:26.096774 2016] [:error] [pid 31492] ipa: DEBUG: reading ccache data from file "/var/run/ipa_memcached/krbcc_31492"
[Wed Jun 01 17:11:26.097937 2016] [:error] [pid 31492] ipa: DEBUG: get_credential_times: principal=krbtgt/EXAMPLE.COM at EXAMPLE.COM, authtime=06/01/16 17:11:26, starttime=06/01/16 17:11:26, endtime=06/02/16 17:11:26, renew_till=01/01/70 00:00:00
[Wed Jun 01 17:11:26.098111 2016] [:error] [pid 31492] ipa: DEBUG: KRB5_CCache FILE:/var/run/ipa_memcached/krbcc_31492 endtime=1464887486 (06/02/16 17:11:26)
[Wed Jun 01 17:11:26.098361 2016] [:error] [pid 31492] ipa: DEBUG: set_session_expiration_time: duration_type=inactivity_timeout duration=3600 max_age=1464887186 expiration=1464804686.1 (2016-06-01T18:11:26)
[Wed Jun 01 17:11:26.098526 2016] [:error] [pid 31492] ipa: DEBUG: store session: session_id=7ab08ba17d30883cff480af9e923cf82 start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26 expiration_timestamp=2016-06-01T18:11:26
[Wed Jun 01 17:11:26.099871 2016] [:error] [pid 31492] ipa: ERROR: release_ipa_ccache: ccache_name (FILE:/var/run/ipa_memcached/krbcc_31492) != KRB5CCNAME environment variable (/var/run/httpd/ipa/krbcache/krb5ccache)
[Wed Jun 01 17:11:26.163524 2016] [:error] [pid 31491] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Wed Jun 01 17:11:26.163708 2016] [:error] [pid 31491] ipa: DEBUG: WSGI jsonserver_session.__call__:
[Wed Jun 01 17:11:26.163974 2016] [:error] [pid 31491] ipa: DEBUG: no session cookie found
[Wed Jun 01 17:11:26.164464 2016] [:error] [pid 31491] ipa: DEBUG: no session id in request, generating empty session data with id=433125db49c7ca9eb286c3ecf605d55d
[Wed Jun 01 17:11:26.164713 2016] [:error] [pid 31491] ipa: DEBUG: store session: session_id=433125db49c7ca9eb286c3ecf605d55d start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26 expiration_timestamp=1970-01-01T00:00:00
[Wed Jun 01 17:11:26.165181 2016] [:error] [pid 31491] ipa: DEBUG: jsonserver_session.__call__: session_id=433125db49c7ca9eb286c3ecf605d55d start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26 expiration_timestamp=1970-01-01T00:00:00
[Wed Jun 01 17:11:26.165301 2016] [:error] [pid 31491] ipa: DEBUG: no ccache, need login
[Wed Jun 01 17:11:26.165401 2016] [:error] [pid 31491] ipa: DEBUG: jsonserver_session: 401 Unauthorized need login
----- /var/log/httpd/error_log -----

I'm somewhat at a loss to debug this further. I was wondering if the session
storage is somehow bound to the original host name. Is there a way to check
and/or configure this?

Alternatively, is there a guide out there for enabling additional host names
for the web UI in FreeIPA?

Thanks,

Anthony Clark

From rmeggins at redhat.com Wed Jun 1 18:03:40 2016
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 1 Jun 2016 12:03:40 -0600
Subject: [Freeipa-users] ns-slapd hangs for 2-3 minutes, then resumes.
In-Reply-To:
References:
Message-ID: <8b452beb-09fe-8183-319a-02f51a2153de@redhat.com>

On 06/01/2016 10:37 AM, Guillermo Fuentes wrote:
> Hi all,
>
> We are experiencing an issue similar to the one discussed in the
> following thread, but we are running FreeIPA 4.2 on CentOS 7.2:
> https://www.redhat.com/archives/freeipa-users/2015-February/msg00205.html

Are your stack traces similar?

>
> The LDAP service stops responding to queries (hangs). LDAP connections on
> the server climb, sometimes up to 10 times the normal amount, and load
> goes to 0. Then the connections start to drop until they get to a
> normal level and the LDAP service starts to respond to queries again.
> This happens over 3-5 minutes:
>
> Time,LDAP conn,Opened files(ns-slapd),File Desc(ns-slapd),Threads(ns-slapd),Load1,Load5,Load15
> 8:54:03,101,353,216,142,0.43,0.20,0.16
> 8:55:02,108,359,221,142,0.19,0.18,0.15
> 8:56:03,110,361,224,142,0.07,0.15,0.14
> 8:57:14,117,383,246,142,0.15,0.16,0.15
> 8:58:04,276,371,234,142,0.05,0.13,0.14
> 8:59:05,469,371,234,142,0.02,0.11,0.13
> 9:00:08,719,371,234,142,0.01,0.09,0.12
> 9:01:18,1060,371,234,142,0.00,0.07,0.12
> 9:02:10,742,371,233,142,0.10,0.09,0.12
> 9:03:06,365,372,235,142,0.13,0.10,0.13
> 9:04:04,262,379,242,142,0.87,0.29,0.19
> 9:05:02,129,371,233,142,0.51,0.31,0.20
> 9:06:03,126,377,240,142,0.42,0.33,0.22
> 9:07:03,125,377,238,142,0.17,0.27,0.21
>
> Nothing is logged in the errors log file of the server having the
> problem (ipa1 as an example).
> In the replicas this is logged:
> 8:59:05 -0400] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com"
> (ipa1:389): Unable to receive the response for a startReplication
> extended operation to consumer (Timed out). Will retry later.
> 9:01:05 -0400] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com"
> (ipa1:389): Unable to receive the response for a startReplication
> extended operation to consumer (Timed out). Will retry later.
>
> Nothing is logged in the access log file until after ns-slapd starts
> responding again:
> ...
> 8:57:00 -0400] conn=12384 fd=234 slot=234 connection from 172.20.0.1 to 172.20.2.45
> 8:57:00 -0400] conn=12385 fd=235 slot=235 connection from 172.20.0.1 to 172.20.2.45
> 8:57:00 -0400] conn=12386 fd=236 slot=236 connection from 172.20.0.1 to 172.20.2.45
> 8:57:00 -0400] conn=12387 fd=237 slot=237 connection from 172.20.0.1 to 172.20.2.45
> 8:57:00 -0400] conn=10384 op=1227 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
> 8:57:00 -0400] conn=12324 op=8 RESULT err=0 tag=101 nentries=1 etime=0
> 8:57:00 -0400] conn=8838 op=2545 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
> 8:57:00 -0400] conn=8838 op=2545 RESULT err=0 tag=120 nentries=0 etime=0
> 8:57:00 -0400] conn=10384 op=1227 RESULT err=0 tag=120 nentries=0 etime=0
> 8:57:00 -0400] conn=12382 op=-1 fd=170 closed - B1
> 8:57:00 -0400] conn=12383 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedSASLMechanisms defaultnamingcontext namingContexts schemanamingcontext saslrealm"
> 8:57:00 -0400] conn=12384 op=-1 fd=234 closed - B1
> 8:57:00 -0400] conn=12385 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedSASLMechanisms defaultnamingcontext namingContexts schemanamingcontext saslrealm"
> 8:57:00 -0400] conn=12383 op=0 RESULT err=0 tag=101 nentries=1 etime=0
> 8:57:00 -0400] conn=12386 op=-1 fd=236 closed - B1
> 8:57:00 -0400] conn=12385 op=0 RESULT err=0 tag=101 nentries=1 etime=0
> 8:57:00 -0400] conn=12387 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedSASLMechanisms defaultnamingcontext namingContexts schemanamingcontext saslrealm"
> 8:57:00 -0400] conn=12387 op=0 RESULT err=0 tag=101 nentries=1 etime=0
> 8:57:00 -0400] conn=12385 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> 8:57:00 -0400] conn=12387 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> 8:57:00 -0400] conn=12385 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> 8:57:00 -0400] conn=12383 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> 8:57:00 -0400] conn=10384 op=1228 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
> 8:57:00 -0400] conn=10384 op=1228 RESULT err=0 tag=120 nentries=0 etime=0
> 8:57:00 -0400] conn=12383 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> 9:02:00 -0400] conn=12388 fd=170 slot=170 connection from 172.20.0.1 to 172.20.2.45
> 9:02:00 -0400] conn=12389 fd=234 slot=234 SSL connection from 172.20.0.24 to 172.20.2.45
> 9:02:00 -0400] conn=12390 fd=236 slot=236 connection from local to /var/run/slapd-EXAMPLE-COM.socket
> 9:02:00 -0400] conn=12391 fd=238 slot=238 connection from 172.20.0.1 to 172.20.2.45
> 9:02:00 -0400] conn=12392 fd=239 slot=239 SSL connection from 172.20.0.24 to 172.20.2.45
> 9:02:00 -0400] conn=12393 fd=240 slot=240 connection from local to /var/run/slapd-EXAMPLE-COM.socket
> 9:02:00 -0400] conn=12394 fd=241 slot=241 connection from 172.20.0.1 to 172.20.2.45
> 9:02:00 -0400] conn=12395 fd=242 slot=242 SSL connection from 172.20.0.24 to 172.20.2.45
> 9:02:00 -0400] conn=12396 fd=243 slot=243 connection from 172.20.0.1 to 172.20.2.45
> 9:02:00 -0400] conn=12397 fd=244 slot=244 SSL connection from 172.20.0.24 to 172.20.2.45
> 9:02:00 -0400] conn=12398 fd=245 slot=245 connection from 172.20.0.1 to 172.20.2.45
> 9:02:00 -0400] conn=12400 fd=247 slot=247 connection from 172.20.0.1 to 172.20.2.45
> 9:02:00 -0400] conn=12401 fd=248 slot=248 connection from 172.20.0.1 to 172.20.2.45
> ...
> 9:02:00 -0400] conn=12390 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
> 9:02:00 -0400] conn=12388 op=-1 fd=170 closed - B1
> 9:02:00 -0400] conn=12393 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
> 9:02:00 -0400] conn=12391 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedSASLMechanisms defaultnamingcontext namingContexts schemanamingcontext saslrealm"
> 9:02:00 -0400] conn=12394 op=-1 fd=241 closed - B1
> 9:02:00 -0400] conn=12391 op=0 RESULT err=0 tag=101 nentries=1 etime=0
> 9:02:00 -0400] conn=12396 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedSASLMechanisms defaultnamingcontext namingContexts schemanamingcontext saslrealm"
> 9:02:00 -0400] conn=12396 op=0 RESULT err=0 tag=101 nentries=1 etime=0
> 9:02:00 -0400] conn=12398 op=-1 fd=245 closed - B1
> 9:02:00 -0400] conn=12400 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedSASLMechanisms defaultnamingcontext namingContexts schemanamingcontext saslrealm"
> 9:02:00 -0400] conn=12400 op=0 RESULT err=0 tag=101 nentries=1 etime=0
> 9:02:00 -0400] conn=12401 op=-1 fd=248 closed - B1
> 9:02:00 -0400] conn=12391 op=1 ABANDON targetop=NOTFOUND msgid=1
> 9:02:00 -0400] conn=12396 op=1 ABANDON targetop=NOTFOUND msgid=1
> 9:02:00 -0400] conn=12400 op=1 ABANDON targetop=NOTFOUND msgid=1
> 9:02:00 -0400] conn=12391 op=2 UNBIND
> 9:02:00 -0400] conn=12396 op=2 UNBIND
> 9:02:00 -0400] conn=12391 op=2 fd=238 closed - U1
> 9:02:00 -0400] conn=12396 op=2 fd=243 closed - U1
> 9:02:00 -0400] conn=12400 op=2 UNBIND
> 9:02:00 -0400] conn=12400 op=2 fd=247 closed - U1
> ...
>
>
> Environment:
> # cat /etc/redhat-release
> CentOS Linux release 7.2.1511 (Core)
>
> # rpm -qa ipa*
> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
> ipa-python-4.2.0-15.0.1.el7.centos.6.1.x86_64
> ipa-admintools-4.2.0-15.0.1.el7.centos.6.1.x86_64
> ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.6.1.x86_64
> ipa-client-4.2.0-15.0.1.el7.centos.6.1.x86_64
> ipa-server-dns-4.2.0-15.0.1.el7.centos.6.1.x86_64
>
> # rpm -qa 389*
> 389-ds-base-libs-1.3.4.0-30.el7_2.x86_64
> 389-ds-base-1.3.4.0-30.el7_2.x86_64
>
> We have 4 FreeIPA servers with replication working fine between them.
> ipa1 is handling LDAP authentication for 400+ clients and has been
> tuned as recommended per
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Performance_Tuning_Guide/system-tuning.html
>
> Is this a known issue?
> Any idea what can be causing ns-slapd to hang?
>
> Thanks in advance!
>
> Guillermo
>

From michael.rainey.ctr at nrlssc.navy.mil Wed Jun 1 18:34:48 2016
From: michael.rainey.ctr at nrlssc.navy.mil (Michael Rainey (Contractor))
Date: Wed, 1 Jun 2016 13:34:48 -0500
Subject: [Freeipa-users] FreeIPA4.2: Recovering from an IPA master server failure
In-Reply-To: <8d3233db-e7ac-cc2f-13bb-ce29f09cf0ad@redhat.com>
References: <8d3233db-e7ac-cc2f-13bb-ce29f09cf0ad@redhat.com>
Message-ID:

My apologies for the duplicate thread, but from my vantage point I did not
see any signs of my message making it to the mailing list. My original
message was not posted back to me, nor was your reply posted to me.

Now back to your reply. I did try the command you suggested and it does
appear to have removed the last remnants of my first server. Are there any
additional steps I should perform to verify things are as they once were?

I did notice some of the systems on the network will not carry my Kerberos
credentials over to another machine when using SSH. The working systems log
me in with no problems when using ssh. Other systems will prompt me for a
password.
Has anyone had similar problems and what did they do to fix the problem?

*Michael Rainey*

On 05/31/2016 11:10 PM, Martin Basti wrote:
>
>
>
> On 31.05.2016 17:36, Michael Rainey (Contractor) wrote:
>>
>> Greetings community,
>>
>> I've run into an interesting problem which may be old hat to all of
>> you. I was working to bring down my IPA master server and did it
>> improperly. It was a rookie mistake, but I'm willing to view it as
>> an exercise in recovering from a massive system failure.
>>
>> The original master server is gone with no way of recovering and I
>> have managed to replace the server by promoting one of my replicas,
>> but I find myself in a situation where I cannot remove the original
>> master server from the LDAP directory. It is still seen as a master
>> server and the webUI will not let me delete the system from directory
>> server. Is there a process somewhere that will walk me through
>> demoting the old server so I can delete it from the directory and
>> officially promote its replacement?
>>
>> For reference, I followed the steps located at this link.
>>
>> Centos 7.2 / freeIPA 4.2
>>
>> Your help is greatly appreciated.
>>
>> --
>> *Michael Rainey*
>>
>>
>
> Hello,
>
> can you please continue with just one thread next time?
>
> You haven't replied whether this works for you
> https://www.redhat.com/archives/freeipa-users/2016-May/msg00521.html
>
> regards,
> Martin

From geordie.grindle at gmail.com Wed Jun 1 19:57:14 2016
From: geordie.grindle at gmail.com (Geordie Grindle)
Date: Wed, 1 Jun 2016 15:57:14 -0400
Subject: [Freeipa-users] Is the krb5.conf no longer used?
Message-ID: <873C9718-AB8C-4D1D-8BD4-1E8385EA3185@gmail.com>

Does IPA only use "sssd.conf" for Kerberos authentication? Is there another
file used to configure Kerberos?

I've built a host using Foreman and our puppet configuration usually pushes
a krb5.conf file.
However, if I delete it, everything still works fine.

What if any function does /etc/krb5.conf have now?

[root at ipa_client ggrindle]# cat /etc/krb5.conf
cat: /etc/krb5.conf: No such file or directory
[root at ipa_client ggrindle]# rpm -qa |grep ipa-client
ipa-client-3.0.0-37.el6.x86_64
[root at ipa_client ggrindle]# kdestroy
[root at ipa_client ggrindle]# kinit ggrindle
Password for ggrindle at DEV.EXAMPLE.COM:
[root at ipa_client ggrindle]# klist
Ticket cache: FILE:/tmp/krb5cc_0.1
Default principal: ggrindle at DEV.EXAMPLE.COM
Valid starting     Expires            Service principal
06/01/16 19:40:19  06/02/16 19:40:14  krbtgt/DEV.EXAMPLE.COM at DEV.EXAMPLE.COM
[root at ipa_client ggrindle]# tcpdump port 88
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:40:53.765163 IP ipa_client.test.dev.example.com.49228 > ipa_server.dev.example.com.kerberos: v5
19:40:53.788043 IP ipa_server.dev.example.com.kerberos > ipa_client.test.dev.example.com.49228:
19:41:06.601826 IP ipa_client.test.dev.example.com.52896 > ipa_server.dev.example.com.kerberos: v5
19:41:06.630012 IP ipa_server.dev.example.com.kerberos > ipa_client.test.dev.example.com.52896: v5
^C
4 packets captured
6 packets received by filter
0 packets dropped by kernel.kerberos: v5

From guillermo.fuentes at modernizingmedicine.com Wed Jun 1 22:52:14 2016
From: guillermo.fuentes at modernizingmedicine.com (Guillermo Fuentes)
Date: Wed, 1 Jun 2016 18:52:14 -0400
Subject: [Freeipa-users] ns-slapd hangs for 2-3 minutes, then resumes.
In-Reply-To: <8b452beb-09fe-8183-319a-02f51a2153de@redhat.com>
References: <8b452beb-09fe-8183-319a-02f51a2153de@redhat.com>
Message-ID:

I'm now taking stack traces every minute and waiting for it to hang again to check it. It happens usually under load but it's unpredictable. Most likely tomorrow.

GUILLERMO FUENTES
SR.
SYSTEMS ADMINISTRATOR
561-880-2998 x1337
guillermo.fuentes at modmed.com

On Wed, Jun 1, 2016 at 2:03 PM, Rich Megginson wrote:
> On 06/01/2016 10:37 AM, Guillermo Fuentes wrote:
>>
>> Hi all,
>>
>> We are experiencing a similar issue to the one discussed in the
>> following thread but we are running FreeIPA 4.2 on CentOS 7.2:
>> https://www.redhat.com/archives/freeipa-users/2015-February/msg00205.html
>
> Are your stack traces similar?
>
>> LDAP service stops responding to queries (hangs). LDAP connections on
>> the server climb sometimes up to 10 times the normal amount and load
>> goes to 0. Then, the connections start to drop until they get to a
>> normal level and the LDAP service starts to respond to queries again.
>> This happens in between 3-5 minutes:
>>
>> Time,LDAP conn,Opened files(ns-slapd),File Desc(ns-slapd),Threads(ns-slapd),Load1,Load5,Load15
>> 8:54:03,101,353,216,142,0.43,0.20,0.16
>> 8:55:02,108,359,221,142,0.19,0.18,0.15
>> 8:56:03,110,361,224,142,0.07,0.15,0.14
>> 8:57:14,117,383,246,142,0.15,0.16,0.15
>> 8:58:04,276,371,234,142,0.05,0.13,0.14
>> 8:59:05,469,371,234,142,0.02,0.11,0.13
>> 9:00:08,719,371,234,142,0.01,0.09,0.12
>> 9:01:18,1060,371,234,142,0.00,0.07,0.12
>> 9:02:10,742,371,233,142,0.10,0.09,0.12
>> 9:03:06,365,372,235,142,0.13,0.10,0.13
>> 9:04:04,262,379,242,142,0.87,0.29,0.19
>> 9:05:02,129,371,233,142,0.51,0.31,0.20
>> 9:06:03,126,377,240,142,0.42,0.33,0.22
>> 9:07:03,125,377,238,142,0.17,0.27,0.21
>>
>> Nothing is logged in the errors log file of the server having the
>> problem (ipa1 as an example).
>> In the replicas this is logged:
>> 8:59:05 -0400] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com" (ipa1:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
>> 9:01:05 -0400] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com" (ipa1:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
>>
>> Nothing is logged in the access log file until after ns-slapd starts
>> responding again:
>> ...
>> 8:57:00 -0400] conn=12384 fd=234 slot=234 connection from 172.20.0.1 to 172.20.2.45
>> 8:57:00 -0400] conn=12385 fd=235 slot=235 connection from 172.20.0.1 to 172.20.2.45
>> 8:57:00 -0400] conn=12386 fd=236 slot=236 connection from 172.20.0.1 to 172.20.2.45
>> 8:57:00 -0400] conn=12387 fd=237 slot=237 connection from 172.20.0.1 to 172.20.2.45
>> 8:57:00 -0400] conn=10384 op=1227 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>> 8:57:00 -0400] conn=12324 op=8 RESULT err=0 tag=101 nentries=1 etime=0
>> 8:57:00 -0400] conn=8838 op=2545 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>> 8:57:00 -0400] conn=8838 op=2545 RESULT err=0 tag=120 nentries=0 etime=0
>> 8:57:00 -0400] conn=10384 op=1227 RESULT err=0 tag=120 nentries=0 etime=0
>> 8:57:00 -0400] conn=12382 op=-1 fd=170 closed - B1
>> 8:57:00 -0400] conn=12383 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedSASLMechanisms defaultnamingcontext namingContexts schemanamingcontext saslrealm"
>> 8:57:00 -0400] conn=12384 op=-1 fd=234 closed - B1
>> 8:57:00 -0400] conn=12385 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedSASLMechanisms defaultnamingcontext namingContexts schemanamingcontext saslrealm"
>> 8:57:00 -0400] conn=12383 op=0 RESULT err=0 tag=101 nentries=1 etime=0
>> 8:57:00 -0400] conn=12386 op=-1 fd=236 closed - B1
>> 8:57:00 -0400] conn=12385 op=0 RESULT err=0 tag=101 nentries=1 etime=0
>> 8:57:00 -0400] conn=12387 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedSASLMechanisms defaultnamingcontext namingContexts schemanamingcontext saslrealm"
>> 8:57:00 -0400] conn=12387 op=0 RESULT err=0 tag=101 nentries=1 etime=0
>> 8:57:00 -0400] conn=12385 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
>> 8:57:00 -0400] conn=12387 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
>> 8:57:00 -0400] conn=12385 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
>> 8:57:00 -0400] conn=12383 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
>> 8:57:00 -0400] conn=10384 op=1228 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
>> 8:57:00 -0400] conn=10384 op=1228 RESULT err=0 tag=120 nentries=0 etime=0
>> 8:57:00 -0400] conn=12383 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
>> 9:02:00 -0400] conn=12388 fd=170 slot=170 connection from 172.20.0.1 to 172.20.2.45
>> 9:02:00 -0400] conn=12389 fd=234 slot=234 SSL connection from 172.20.0.24 to 172.20.2.45
>> 9:02:00 -0400] conn=12390 fd=236 slot=236 connection from local to /var/run/slapd-EXAMPLE-COM.socket
>> 9:02:00 -0400] conn=12391 fd=238 slot=238 connection from 172.20.0.1 to 172.20.2.45
>> 9:02:00 -0400] conn=12392 fd=239 slot=239 SSL connection from 172.20.0.24 to 172.20.2.45
>> 9:02:00 -0400] conn=12393 fd=240 slot=240 connection from local to /var/run/slapd-EXAMPLE-COM.socket
>> 9:02:00 -0400] conn=12394 fd=241 slot=241 connection from 172.20.0.1 to 172.20.2.45
>> 9:02:00 -0400] conn=12395 fd=242 slot=242 SSL connection from 172.20.0.24 to 172.20.2.45
>> 9:02:00 -0400] conn=12396 fd=243 slot=243 connection from 172.20.0.1 to 172.20.2.45
>> 9:02:00 -0400] conn=12397 fd=244 slot=244 SSL connection from 172.20.0.24 to 172.20.2.45
>> 9:02:00 -0400] conn=12398 fd=245 slot=245 connection from 172.20.0.1 to 172.20.2.45
>> 9:02:00 -0400] conn=12400 fd=247 slot=247 connection from 172.20.0.1 to 172.20.2.45
>> 9:02:00 -0400] conn=12401 fd=248 slot=248 connection from 172.20.0.1 to 172.20.2.45
>> ...
>> 9:02:00 -0400] conn=12390 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
>> 9:02:00 -0400] conn=12388 op=-1 fd=170 closed - B1
>> 9:02:00 -0400] conn=12393 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
>> 9:02:00 -0400] conn=12391 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedSASLMechanisms defaultnamingcontext namingContexts schemanamingcontext saslrealm"
>> 9:02:00 -0400] conn=12394 op=-1 fd=241 closed - B1
>> 9:02:00 -0400] conn=12391 op=0 RESULT err=0 tag=101 nentries=1 etime=0
>> 9:02:00 -0400] conn=12396 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedSASLMechanisms defaultnamingcontext namingContexts schemanamingcontext saslrealm"
>> 9:02:00 -0400] conn=12396 op=0 RESULT err=0 tag=101 nentries=1 etime=0
>> 9:02:00 -0400] conn=12398 op=-1 fd=245 closed - B1
>> 9:02:00 -0400] conn=12400 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedSASLMechanisms defaultnamingcontext namingContexts schemanamingcontext saslrealm"
>> 9:02:00 -0400] conn=12400 op=0 RESULT err=0 tag=101 nentries=1 etime=0
>> 9:02:00 -0400] conn=12401 op=-1 fd=248 closed - B1
>> 9:02:00 -0400] conn=12391 op=1 ABANDON targetop=NOTFOUND msgid=1
>> 9:02:00 -0400] conn=12396 op=1 ABANDON targetop=NOTFOUND msgid=1
>> 9:02:00 -0400] conn=12400 op=1 ABANDON targetop=NOTFOUND msgid=1
>> 9:02:00 -0400] conn=12391 op=2 UNBIND
>> 9:02:00 -0400] conn=12396 op=2 UNBIND
>> 9:02:00 -0400] conn=12391 op=2 fd=238 closed - U1
>> 9:02:00 -0400] conn=12396 op=2 fd=243 closed - U1
>> 9:02:00 -0400] conn=12400 op=2 UNBIND
>> 9:02:00 -0400] conn=12400 op=2 fd=247 closed - U1
>> ...
>>
>> Environment:
>> # cat /etc/redhat-release
>> CentOS Linux release 7.2.1511 (Core)
>>
>> # rpm -qa ipa*
>> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>> ipa-python-4.2.0-15.0.1.el7.centos.6.1.x86_64
>> ipa-admintools-4.2.0-15.0.1.el7.centos.6.1.x86_64
>> ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.6.1.x86_64
>> ipa-client-4.2.0-15.0.1.el7.centos.6.1.x86_64
>> ipa-server-dns-4.2.0-15.0.1.el7.centos.6.1.x86_64
>>
>> # rpm -qa 389*
>> 389-ds-base-libs-1.3.4.0-30.el7_2.x86_64
>> 389-ds-base-1.3.4.0-30.el7_2.x86_64
>>
>> We have 4 FreeIPA servers with replication working fine between them.
>> ipa1 is handling LDAP authentication for +400 clients and has been
>> tuned as recommended per
>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Performance_Tuning_Guide/system-tuning.html
>>
>> Is this a known issue?
>> Any idea what can be causing ns-slapd to hang?
>>
>> Thanks in advance!
>>
>> Guillermo
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From matrix.zj at qq.com Thu Jun 2 04:42:14 2016
From: matrix.zj at qq.com (Matrix)
Date: Thu, 2 Jun 2016 12:42:14 +0800
Subject: [Freeipa-users] Is the krb5.conf no longer used?
In-Reply-To: <873C9718-AB8C-4D1D-8BD4-1E8385EA3185@gmail.com>
References: <873C9718-AB8C-4D1D-8BD4-1E8385EA3185@gmail.com>
Message-ID:

Hi, Geordie

I think it should be optional.
Here is one of my IPA client's krb5.conf:

# cat /etc/krb5.conf
#File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
 default_realm = EXAMPLE.NET
 dns_lookup_realm = true
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 EXAMPLE.NET = {
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }

[domain_realm]
 .dev.example.net = EXAMPLE.NET
 dev.example.net = EXAMPLE.NET

Matrix

------------------ Original ------------------
From: "Geordie Grindle";;
Date: Thu, Jun 2, 2016 03:57 AM
To: "freeipa-users";
Subject: [Freeipa-users] Is the krb5.conf no longer used?

Does IPA only use "sssd.conf" for kerberos authentication? Is there another file used to configure kerberos?

I've built a host using Foreman and our puppet configuration usually pushes a krb5.conf file. However, if I delete it, everything still works fine.

What if any function does /etc/krb5.conf have now?

[root at ipa_client ggrindle]# cat /etc/krb5.conf
cat: /etc/krb5.conf: No such file or directory
[root at ipa_client ggrindle]# rpm -qa |grep ipa-client
ipa-client-3.0.0-37.el6.x86_64
[root at ipa_client ggrindle]# kdestroy
[root at ipa_client ggrindle]# kinit ggrindle
Password for ggrindle at DEV.EXAMPLE.COM:
[root at ipa_client ggrindle]# klist
Ticket cache: FILE:/tmp/krb5cc_0.1
Default principal: ggrindle at DEV.EXAMPLE.COM
Valid starting     Expires            Service principal
06/01/16 19:40:19  06/02/16 19:40:14  krbtgt/DEV.EXAMPLE.COM at DEV.EXAMPLE.COM
[root at ipa_client ggrindle]# tcpdump port 88
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:40:53.765163 IP ipa_client.test.dev.example.com.49228 > ipa_server.dev.example.com.kerberos: v5
19:40:53.788043 IP ipa_server.dev.example.com.kerberos > ipa_client.test.dev.example.com.49228:
19:41:06.601826 IP ipa_client.test.dev.example.com.52896 >
ipa_server.dev.example.com.kerberos: v5
19:41:06.630012 IP ipa_server.dev.example.com.kerberos > ipa_client.test.dev.example.com.52896: v5
^C
4 packets captured
6 packets received by filter
0 packets dropped by kernel.kerberos: v5

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

From abokovoy at redhat.com Thu Jun 2 05:29:15 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 2 Jun 2016 08:29:15 +0300
Subject: [Freeipa-users] Is the krb5.conf no longer used?
In-Reply-To: <873C9718-AB8C-4D1D-8BD4-1E8385EA3185@gmail.com>
References: <873C9718-AB8C-4D1D-8BD4-1E8385EA3185@gmail.com>
Message-ID: <20160602052915.73gldiv3igmwurnh@redhat.com>

On Wed, 01 Jun 2016, Geordie Grindle wrote:
>Does IPA only use "sssd.conf" for kerberos authentication? Is there another file used to configure kerberos?
>
>I've built a host using Foreman and our puppet configuration usually
>pushes a krb5.conf file. However, if I delete it, everything still
>works fine.
>
>What if any function does /etc/krb5.conf have now?

libkrb5 has some default options compiled in. If your environment is fine with these defaults, that's OK. However, it does not mean defaults are always OK for everyone.

In particular, when you have integration with Active Directory, SSSD generates a number of config snippets which get included via an include statement in /etc/krb5.conf. These snippets define Kerberos-level relationship between realms, load mapping plugins for AD Kerberos principals and so on. This might not be important to you on the older systems (you are using RHEL 6 where libkrb5 doesn't have some of the interfaces SSSD is utilizing) but it is very important on RHEL 7, for example.
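The include mechanism discussed in this thread (the `includedir /var/lib/sss/pubconf/krb5.include.d/` line in the client file Matrix posted is where the SSSD-generated snippets come in), as an added example that is not code from the thread, from SSSD or from libkrb5: a small Python reader that follows `includedir` the way libkrb5 does and reports the settings under discussion (keyring ccache, rdns, dns_lookup_kdc, realm and domain mappings). The sample krb5.conf and the snippet are constructed in a temporary directory; the snippet's file name, the AD.EXAMPLE.COM realm and its KDC name are assumptions standing in for whatever SSSD would actually write.

```python
"""Added example (not from the thread, SSSD or libkrb5): follow krb5.conf `includedir`
the way libkrb5 does and report the settings discussed above. Sample files are
constructed in a temp dir; the snippet name and the AD realm are assumptions."""
import os
import re
import tempfile

# libkrb5 only reads includedir entries named with alphanumerics, '-' or '_'.
_INCLUDE_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def parse_krb5_conf(path, follow_includes=True, conf=None, depth=0):
    """Parse into {section: {key: value or {key: value}}}; realm blocks nest,
    and a section seen again in an included file extends the earlier one."""
    conf = {} if conf is None else conf
    if depth > 8:
        raise ValueError("include nesting too deep")
    section = block = None
    with open(path) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()          # strip comments
            if not line:
                continue
            if line.startswith(("includedir ", "include ")):
                kind, target = line.split(None, 1)
                paths = [target]
                if kind == "includedir":
                    names = sorted(os.listdir(target)) if os.path.isdir(target) else []
                    paths = [os.path.join(target, n) for n in names if _INCLUDE_NAME.match(n)]
                for p in (paths if follow_includes else []):
                    parse_krb5_conf(p, follow_includes, conf, depth + 1)
                continue
            m = re.fullmatch(r"\[(\w+)\]", line)
            if m:
                section, block = m.group(1), None
                conf.setdefault(section, {})
            elif line == "}":
                block = None
            elif section is not None:
                key, _, value = (s.strip() for s in line.partition("="))
                if value == "{":                         # start of a realm-style block
                    block = key
                    conf[section].setdefault(block, {})
                elif block:
                    conf[section][block][key] = value
                else:
                    conf[section][key] = value
    return conf


def _truthy(v):
    return str(v).lower() in ("true", "yes", "1", "on")


def audit(conf):
    """The settings the thread is about; fallbacks are libkrb5's built-in defaults."""
    lib = conf.get("libdefaults", {})
    return {
        "keyring_ccache": lib.get("default_ccache_name", "").startswith("KEYRING:"),
        "rdns_disabled": not _truthy(lib.get("rdns", "true")),
        "dns_kdc_lookup": _truthy(lib.get("dns_lookup_kdc", "true")),
        "realms": sorted(conf.get("realms", {})),
        "domain_mappings": dict(conf.get("domain_realm", {})),
    }


# Constructed sample modelled on the client file quoted above (braces doubled for .format).
MAIN_CONF = """\
#File modified by ipa-client-install
includedir {incdir}
[libdefaults]
 default_realm = EXAMPLE.NET
 dns_lookup_kdc = true
 rdns = false
 default_ccache_name = KEYRING:persistent:%{{uid}}
[realms]
 EXAMPLE.NET = {{
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }}
[domain_realm]
 .dev.example.net = EXAMPLE.NET
 dev.example.net = EXAMPLE.NET
"""

# Assumed stand-in for an SSSD-generated snippet describing a trusted AD realm.
SNIPPET = """\
[realms]
 AD.EXAMPLE.COM = {
  kdc = dc1.ad.example.com
 }
[domain_realm]
 .ad.example.com = AD.EXAMPLE.COM
"""


def demo(follow_includes=True):
    """Write the constructed files to a temp dir, parse them and return the audit."""
    root = tempfile.mkdtemp(prefix="krb5demo-")
    incdir = os.path.join(root, "krb5.include.d")
    os.mkdir(incdir)
    with open(os.path.join(incdir, "domain_realm_ad_example_com"), "w") as fh:
        fh.write(SNIPPET)
    main = os.path.join(root, "krb5.conf")
    with open(main, "w") as fh:
        fh.write(MAIN_CONF.format(incdir=incdir))
    return audit(parse_krb5_conf(main, follow_includes=follow_includes))
```

Call `demo(True)` and `demo(False)` and compare: the second result is what a host that has lost its krb5.conf (and with it the includedir line) effectively runs with, since libkrb5 then never sees the SSSD-generated realm and domain mappings and falls back to its compiled-in defaults (rdns on, a file-based ccache rather than the kernel keyring). The `_INCLUDE_NAME` filter mirrors libkrb5's rule that only files whose names consist of alphanumerics, dashes and underscores are included, so a stray `foo.bak` left in the snippet directory cannot change the configuration.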
Also, on RHEL 7 and in Fedora we use /etc/krb5.conf to redefine a place where libkrb5 looks for default credentials cache (ccache) to utilize kernel keyring storage to enhance security.

But if your setup is very simple topology-wise, libkrb5 defaults are just fine.

--
/ Alexander Bokovoy

From mbasti at redhat.com Thu Jun 2 06:51:41 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 2 Jun 2016 08:51:41 +0200
Subject: [Freeipa-users] FreeIPA4.2: Recovering from an IPA master server failure
In-Reply-To:
References: <8d3233db-e7ac-cc2f-13bb-ce29f09cf0ad@redhat.com>
Message-ID:

Hello, comments inline

On 01.06.2016 20:34, Michael Rainey (Contractor) wrote:
>
> My apologies for the duplicate thread, but from my vantage point I did
> not see any signs of my message making it to the mailing list. My
> original message was not posted back to me, nor was your reply posted
> to me.
>
Ok, no problem

> Now back to your reply. I did try the command you suggested and it
> does appear to have removed the last remnants of my first server. Are
> there any additional steps I should perform to verify things are as
> they once were?
>
You can try ipa-replica-manage list, ipa-csreplica-manage list, list-ruv, and ipa-replica-manage list -v to see if there are some leftovers

Martin

>
> I did notice some of the systems on the network will not carry my
> kerberos credentials over to another machine when using SSH. The
> working systems log me in with no problems when using ssh.
> While other systems will prompt me for a password. Has anyone had
> similar problems and what did they do to fix the problem?
>
> *Michael Rainey*
>
> On 05/31/2016 11:10 PM, Martin Basti wrote:
>>
>> On 31.05.2016 17:36, Michael Rainey (Contractor) wrote:
>>>
>>> Greetings community,
>>>
>>> I've run into an interesting problem which may be old hat to all of
>>> you. I was working to bring down my IPA master server and did it
>>> improperly.
>>> It was a rookie mistake, but I'm willing to view it as
>>> an exercise in recovering from a massive system failure.
>>>
>>> The original master server is gone with no way of recovering and I
>>> have managed to replace the server by promoting one of my replicas,
>>> but I find myself in a situation where I cannot remove the original
>>> master server from the LDAP directory. It is still seen as a master
>>> server and the webUI will not let me delete the system from
>>> directory server. Is there a process somewhere that will walk me
>>> through demoting the old server so I can delete it from the
>>> directory and officially promote its replacement?
>>>
>>> For reference, I followed the steps located at this link.
>>>
>>> Centos 7.2 / freeIPA 4.2
>>>
>>> Your help is greatly appreciated.
>>>
>>> --
>>> *Michael Rainey*
>>>
>>
>> Hello,
>>
>> can you next time please continue with just one thread please?
>>
>> You haven't replied if this works for you
>> https://www.redhat.com/archives/freeipa-users/2016-May/msg00521.html
>>
>> regards,
>> Martin
>

From sebastian.schaefer at dlr.de Thu Jun 2 06:59:21 2016
From: sebastian.schaefer at dlr.de (Sebastian Schäfer)
Date: Thu, 2 Jun 2016 08:59:21 +0200
Subject: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master
In-Reply-To:
References:
Message-ID: <5e9b561a-c399-a5fb-b59f-d2ccbbd6791e@dlr.de>

Hi Dan,

I had a similar problem when updating my FreeIPA. In my case it turned out that the certificates that get bundled with the replica preparation file were expired.
This is due to the /root/cacert.p12 file not being updated during the preparation process until FreeIPA 3.2.2. The file can be recreated with the commands from step 2 of http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

If that does not solve the problem, it would be good to see (part of) the actual logfiles of your replica installation attempt.

Best regards

--
Sebastian Schäfer, M. A.
-------------------------------
Deutsches Zentrum für Luft- und Raumfahrt e.V. (DLR)
Institute of Space Operations and Astronaut Training
Microgravity User Support Center (MUSC)
Linder Höhe | 51147 Köln
Telefon 02203 601-30 01 | Telefax: 02203 61471 | sebastian.schaefer at dlr.de
www.DLR.de

On 06/01/2016 06:45 PM, Dan.Finkelstein at high5games.com wrote:
> Hi folks,
>
> As the subject suggests, we're converting from FreeIPA 3.0.0 on CentOS 6
> to 4.2.0 on CentOS 7. The way we're doing it is to create FreeIPA
> replicas in CentOS 7 and then hope to promote one of them to the CA
> master. I'm running into two problems:
>
> The first is that when we create a replica in FreeIPA 4.2.0 with the
> --setup-ca option, that portion fails. Here's a snippet of the output:
>
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
> 30 seconds
>
> [1/23]: creating certificate server user
>
> [2/23]: configuring certificate server instance
>
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
> configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f'
> '/tmp/tmpqPeYOW'' returned non-zero exit status 1
>
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
> installation logs and the following files/directories for more information:
>
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> /var/log/pki-ca-install.log
>
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> /var/log/pki/pki-tomcat
>
> [error] RuntimeError: CA configuration failed.
>
> Your system may be partly configured.
>
> Run /usr/sbin/ipa-server-install --uninstall to clean up.

From sbose at redhat.com Thu Jun 2 07:37:28 2016
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 2 Jun 2016 09:37:28 +0200
Subject: [Freeipa-users] Is the krb5.conf no longer used?
In-Reply-To: <20160602052915.73gldiv3igmwurnh@redhat.com>
References: <873C9718-AB8C-4D1D-8BD4-1E8385EA3185@gmail.com> <20160602052915.73gldiv3igmwurnh@redhat.com>
Message-ID: <20160602073728.GE25486@p.Speedport_W_724V_Typ_A_05011603_00_009>

On Thu, Jun 02, 2016 at 08:29:15AM +0300, Alexander Bokovoy wrote:
> On Wed, 01 Jun 2016, Geordie Grindle wrote:
> > Does IPA only use "sssd.conf" for kerberos authentication? Is there another file used to configure kerberos?
> >
> > I've built a host using Foreman and our puppet configuration usually
> > pushes a krb5.conf file. However, if I delete it, everything still
> > works fine.
> >
> > What if any function does /etc/krb5.conf have now?
> libkrb5 has some default options compiled in. If your environment is
> fine with these defaults, that's OK. However, it does not mean defaults
> are always OK for everyone.

SSSD uses libkrb5 and hence uses the library defaults and values from /etc/krb5.conf. Nevertheless SSSD will override some of those values with either data from its own configuration file or with data discovered at run-time, e.g. via DNS or by evaluating some LDAP attributes. With this we try to make sure that SSSD is able to work even if /etc/krb5.conf is broken or is missing some options.

But this only holds for SSSD; all other users of libkrb5 like e.g. kinit, ldapsearch, sshd ... still rely on the data in krb5.conf. As Alexander noted below SSSD tries to make the auto-discovered data available to those applications but still they need to parse /etc/krb5.conf first.

HTH

bye,
Sumit

>
> In particular, when you have integration with Active Directory, SSSD
> generates a number of config snippets which get included via an include
> statement in /etc/krb5.conf.
> These snippets define Kerberos-level
> relationship between realms, load mapping plugins for AD Kerberos
> principals and so on. This might not be important to you on the older
> systems (you are using RHEL 6 where libkrb5 doesn't have some of the
> interfaces SSSD is utilizing) but it is very important on RHEL 7, for
> example.
>
> Also, on RHEL 7 and in Fedora we use /etc/krb5.conf to redefine a place
> where libkrb5 looks for default credentials cache (ccache) to utilize
> kernel keyring storage to enhance security.
>
> But if your setup is very simple topology wise, libkrb5 defaults are
> just fine.
> --
> / Alexander Bokovoy
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From Dan.Finkelstein at high5games.com Thu Jun 2 10:52:24 2016
From: Dan.Finkelstein at high5games.com (Dan.Finkelstein at high5games.com)
Date: Thu, 2 Jun 2016 10:52:24 +0000
Subject: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master
In-Reply-To: <5e9b561a-c399-a5fb-b59f-d2ccbbd6791e@dlr.de>
References: <5e9b561a-c399-a5fb-b59f-d2ccbbd6791e@dlr.de>
Message-ID: <0405D135-74A7-4E5C-AF85-41224767BADC@high5games.com>

Hi Sebastian,

Unfortunately, that doesn't seem to be it and reinstalling the replica with --setup-ca failed again with the same errors. I've included relevant sections of the logs.

/var/log/ipareplica-install.log:

2016-06-02T10:43:16Z DEBUG Starting external process
2016-06-02T10:43:16Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpl8RqSM'
2016-06-02T10:43:16Z DEBUG Process finished, return code=1
2016-06-02T10:43:16Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160602064316.log
Loading deployment configuration from /tmp/tmpl8RqSM.
2016-06-02T10:43:16Z DEBUG stderr=Traceback (most recent call last):
  File "/usr/sbin/pkispawn", line 717, in <module>
    main(sys.argv)
  File "/usr/sbin/pkispawn", line 523, in main
    parser.compose_pki_master_dictionary()
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py", line 573, in compose_pki_master_dictionary
    instance.load()
  File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 454, in load
    subsystem.load()
  File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 118, in load
    lines = open(self.cs_conf).read().splitlines()
IOError: [Errno 2] No such file or directory: '/var/lib/pki/pki-tomcat/ca/conf/CS.cfg'

2016-06-02T10:43:16Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpl8RqSM'' returned non-zero exit status 1
2016-06-02T10:43:16Z CRITICAL See the installation logs and the following files/directories for more information:
2016-06-02T10:43:16Z CRITICAL /var/log/pki-ca-install.log
2016-06-02T10:43:16Z CRITICAL /var/log/pki/pki-tomcat
2016-06-02T10:43:16Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2016-06-02T10:43:16Z DEBUG [error] RuntimeError: CA configuration failed.
2016-06-02T10:43:16Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, in run cfgr.run() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 281, in run self.execute() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 303, in execute for nothing in self._executor(): File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner self._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception util.raise_exc_info(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from raise_exc_info(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 524, in _configure executor.next() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner self._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in _handle_exception self.__parent._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception util.raise_exc_info(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception util.raise_exc_info(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner step() File 
"/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from raise_exc_info(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install for nothing in self._installer(self.parent): File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 879, in main install(self) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 295, in decorated func(installer) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 584, in install ca.install(False, config, options) File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 106, in install install_step_0(standalone, replica_config, options) File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 130, in install_step_0 ra_p12=getattr(options, 'ra_p12', None)) File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1543, in install_replica_ca subject_base=config.subject_base) File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 486, in configure_instance self.start_creation(runtime=210) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance DogtagInstance.spawn_instance(self, cfg_file) File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance self.handle_setup_error(e) File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error raise RuntimeError("%s configuration failed." 
% self.subsystem)
2016-06-02T10:43:16Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: CA configuration failed.
2016-06-02T10:43:16Z ERROR CA configuration failed.

Of note, there is no /var/log/pki-ca-install.log file nor (as the error above shows) is there /var/lib/pki/pki-tomcat/ca/conf/CS.cfg.

Best regards,
Dan

Daniel Alex Finkelstein | Senior Dev Ops Engineer
Dan.Finkelstein at h5g.com | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com
Play High 5 Casino and Shake the Sky
Follow us on: Facebook, Twitter, YouTube, Linkedin

This message and any attachments may contain confidential or privileged information and are only for the use of the intended recipient of this message. If you are not the intended recipient, please notify the sender by return email, and delete or destroy this and all copies of this message and all attachments. Any unauthorized disclosure, use, distribution, or reproduction of this message or any attachments is prohibited and may be unlawful.

From: Sebastian Schäfer
Date: Thursday, June 2, 2016 at 02:59
To: "freeipa-users at redhat.com", Daniel Finkestein
Subject: Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

Hi Dan,

I had a similar problem when updating my FreeIPA. In my case it turned out that the certificates that get bundled with the replica preparation file were expired. This is due to the /root/cacert.p12 file not being updated during the preparation process until FreeIPA 3.2.2. The file can be recreated with the commands from step 2 of http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

If that does not solve the problem, it would be good to see (part of) the actual logfiles of your replica installation attempt.

Best regards

--
Sebastian Schäfer, M. A.
-------------------------------
Deutsches Zentrum für Luft- und Raumfahrt e.V. (DLR)
Institute of Space Operations and Astronaut Training
Microgravity User Support Center (MUSC)
Linder Höhe | 51147 Köln
Telefon 02203 601-30 01 | Telefax: 02203 61471 | sebastian.schaefer at dlr.de
www.DLR.de

On 06/01/2016 06:45 PM, Dan.Finkelstein at high5games.com wrote:

Hi folks,

As the subject suggests, we're converting from FreeIPA 3.0.0 on CentOS 6 to 4.2.0 on CentOS 7. The way we're doing it is to create FreeIPA replicas in CentOS 7 and then hope to promote one of them to the CA master. I'm running into two problems:

The first is that when we create a replica in FreeIPA 4.2.0 with the --setup-ca option, that portion fails. Here's a snippet of the output:

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
[1/23]: creating certificate server user
[2/23]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpqPeYOW'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
From tba at statsbiblioteket.dk Thu Jun 2 12:11:38 2016
From: tba at statsbiblioteket.dk (Tony Brian Albers)
Date: Thu, 2 Jun 2016 12:11:38 +0000
Subject: [Freeipa-users] Apache Knox and FreeIPA
Message-ID: <1464869497.17841.5.camel@statsbiblioteket.dk>

Hi guys,

Do any of you have this setup working? And if so, how did you do it?

Thanks,
Tony
--
Best regards,
Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 8946 2316

From karl.forner at gmail.com Thu Jun 2 13:00:36 2016
From: karl.forner at gmail.com (Karl Forner)
Date: Thu, 2 Jun 2016 15:00:36 +0200
Subject: [Freeipa-users] how to setup apache reverse https proxy for freeipa web UI
Message-ID:

Hi,

My problem is: I have an ipa.example.com server on the internal network, with self-signed certificates. I'd like to be able to connect to the UI from the internet, using https with other certificates (e.g. Let's Encrypt certificates). So I tried to set up an SNI apache reverse proxy, but I could not make it work. I saw this blog [https://www.adelton.com/freeipa/freeipa-behind-ssl-proxy] but I can not use the same FQDN name for the LAN and the WAN. I tried many many things; I could get the login form, but could never connect. What is the correct way of doing this?

Thanks,
Karl

From kay.y.zhou at ericsson.com Thu Jun 2 03:11:28 2016
From: kay.y.zhou at ericsson.com (Kay Zhou Y)
Date: Thu, 2 Jun 2016 03:11:28 +0000
Subject: [Freeipa-users] IPA 2.2 Certificate Renewal issue
In-Reply-To: <574EF307.3090301@redhat.com>
References: <57486A9E.2050909@redhat.com> <574DA955.2030004@redhat.com> <574E5CD4.1020108@redhat.com> <574EF307.3090301@redhat.com>
Message-ID:

Hi Rob,

We are using Fedora 17. And as you said, when I roll back time to when the CA subsystem and ipaCert are valid, then restart ipactl, "pki-cad@pki-ca.service" is active as normal.
But these five certs could not be renewed as before. (Actually I always restart the whole ipa world after I roll back time, so this "pki-cad@pki-ca.service" should be active, but I just ignored it before...)

Thanks,
BR//Kay

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Wednesday, June 01, 2016 10:37 PM
To: Kay Zhou Y; freeipa-users at redhat.com
Cc: Doris Hongmei; Xionglin Gu
Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue

Kay Zhou Y wrote:
> Hi Rob,
>
> 1. I have made snapshots for this system for test, so the NSS databases have been backed up.
>
> 2. For the pki-cad service, I can't find it in my system; it shows there is no such service.
> But there is one service that failed, as below:
>
> root@ecnshlx3039-test2(SH):requests #systemctl status pki-cad@pki-ca.service
> pki-cad@pki-ca.service - PKI Certificate Authority Server pki-ca
> Loaded: loaded (/lib/systemd/system/pki-cad@.service; enabled)
> Active: failed (Result: exit-code) since Wed, 01 Jun 2016 06:28:53 +0200; 23min ago
> Process: 2675 ExecStop=/usr/bin/pkicontrol stop ca %i (code=exited, status=1/FAILURE)
> Process: 2525 ExecStart=/usr/bin/pkicontrol start ca %i (code=exited, status=0/SUCCESS)
> Main PID: 2593 (code=exited, status=0/SUCCESS)
> CGroup: name=systemd:/system/pki-cad@.service/pki-ca
>
> Jun 01 06:28:49 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2549]: pam_unix(runuser-l:session): session opened for user pkius...d=0)
> Jun 01 06:28:49 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2549]: pam_unix(runuser-l:session): session closed for user pkiuser
> Jun 01 06:28:52 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2694]: pam_unix(runuser-l:session): session opened for user pkius...d=0)
> Jun 01 06:28:53 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2694]: pam_unix(runuser-l:session): session closed for user pkiuser
>
> I can't start it normally; even the log just said:
> Jun 1 06:54:39 ecnshlx3039-test2 systemd[1]: pki-cad@pki-ca.service: control process exited, code=exited status=1
> Jun 1 06:54:39 ecnshlx3039-test2 systemd[1]: Unit pki-cad@pki-ca.service entered failed state.
>
> I will google more to try to start it first.

Ok, this is very confusing to me. What distribution are you running? I have the feeling you are running an extremely outdated version of Fedora.

Yes, you need the CA up in order to get the certificates renewed. Look at catalina.out, the log "debug" and the selftests log for clues on why it won't start. You also need the PKI-IPA 389-ds instance running.

And I guess you were just showing me the service name and such, but of course it won't start today with expired certs.

> 3. About the source of the output for getcert list:
>
> root@ecnshlx3039-test2(SH):requests #ll
> total 64
> -rw-------. 1 root root 5698 Jun 1 06:06 20120704140859
> -rw-------. 1 root root 5695 Jun 1 06:06 20120704140922
> -rw-------. 1 root root 5654 Jun 1 06:06 20120704141150
> -rw-------. 1 root root 5107 Jun 1 06:39 20140605220249
> -rw-------. 1 root root 4982 Jun 1 06:39 20160601043748
> -rw-------. 1 root root 5144 Jun 1 06:39 20160601043749
> -rw-------. 1 root root 5186 Jun 1 06:39 20160601043750
> -rw-------. 1 root root 5126 Jun 1 06:39 20160601043751
> root@ecnshlx3039-test2(SH):requests #
> root@ecnshlx3039-test2(SH):requests #grep post_certsave_command *
> 20120704140859:post_certsave_command=/usr/lib64/ipa/certmonger/restart_dirsrv DRUTT-COM
> 20120704141150:post_certsave_command=/usr/lib64/ipa/certmonger/restart_httpd
> root@ecnshlx3039-test2(SH):requests #grep pre_certsave_command *
> root@ecnshlx3039-test2(SH):requests #
>
> There are just two statements.

Ok, that is fine then I think.

rob

From cal-s at blue-bolt.com Thu Jun 2 14:19:20 2016
From: cal-s at blue-bolt.com (Cal Sawyer)
Date: Thu, 2 Jun 2016 15:19:20 +0100
Subject: [Freeipa-users] Replica without CA: implications?
In-Reply-To: <1457540024.8257.279.camel@redhat.com>
References: <56E0484B.4080006@blue-bolt.com> <1457540024.8257.279.camel@redhat.com>
Message-ID: <57504068.5010003@blue-bolt.com>

Apologies for the lengthy pause in getting back onto this. I ended up destroying the replica and reprovisioning from scratch, but the replica still lists as being CA-less.

Is what I'm seeing normal? Would this 2-node setup in this state survive failure of the master?

-----------------

ON MASTER ipa.localdomain.local

# ipa-replica-manage list
ipa2.localdomain.local: master
ipa.localdomain.local: master

# ipa-csreplica-manage list
>> ipa2.localdomain.local: CA not configured
ipa.localdomain.local: master

------------------

ON REPLICA ipa2.localdomain.local

# ipa-ca-install
Directory Manager (existing master) password:
>> CA is already installed.

ok ....

# ipa-ca-install -d
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection context.ldap2_73731152
ipa.ipalib.plugins.config.config_show: DEBUG raw: config_show(version=u'2.156')
ipa.ipalib.plugins.config.config_show: DEBUG config_show(rights=False, all=False, raw=False, version=u'2.156')
ipa.ipapython.ipaldap.SchemaCache: DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-LOCALDOMAIN-LOCAL.socket conn=
ipa.ipalib.plugins.cert.ca_is_enabled: DEBUG raw: ca_is_enabled(version=u'2.156')
ipa.ipalib.plugins.cert.ca_is_enabled: DEBUG ca_is_enabled(version=u'2.156')
ipa : DEBUG File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 732, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-ca-install", line 204, in main
    install_master(safe_options, options)
  File "/usr/sbin/ipa-ca-install", line 191, in install_master
    ca.install_check(True, None, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 49, in install_check
    sys.exit("CA is already installed.\n")
ipa : DEBUG The ipa-ca-install command failed, exception: SystemExit: CA is already installed.
>> CA is already installed.

thanks

- cal sawyer

On 09/03/16 16:13, Simo Sorce wrote:
> On Wed, 2016-03-09 at 15:59 +0000, Cal Sawyer wrote:
>> Hi
>>
>> Somehow i picked the wrong cookbook when i provisioned my first (and
>> only) replica and it lacks CA aso, as pointed out in a recent thread,
>> creates a single point of failure. Not ready to set up more 2 replicas
>> yet and am still in testing. Is it possible to replicate the master's
>> CA to the replica without destroying and reprovisioning with --setup-ca
>> this time?
> Use ipa-ca-install on the replica.
>
> Simo.
>

From bret.wortman at damascusgrp.com Thu Jun 2 14:23:42 2016
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Thu, 2 Jun 2016 10:23:42 -0400
Subject: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates
Message-ID: <5750416E.3070408@damascusgrp.com>

Is it possible to use our freeipa CA as a trusted CA to sign our internal SSL certificates? Our system runs on a private network and so using the usual trusted sources isn't an option. We've been using self-signed, but that adds some additional complications and we thought this might be a good solution.

Is it possible, and, since most online guides defer to "submit the CSR to Verisign" or whomever, how would you go about producing one in this way?

--
Bret Wortman
http://wrapbuddies.co/

From florent.bello at ville-kourou.fr Thu Jun 2 14:45:45 2016
From: florent.bello at ville-kourou.fr (Bello Florent)
Date: Thu, 02 Jun 2016 11:45:45 -0300
Subject: [Freeipa-users] samba kerberized with autofs
Message-ID: <9135101baa1e2f086a863261e31f1a77@ville-kourou.fr>

Hi,

I configured Samba with FreeIPA in kerberized mode.
It works fine for normal mounting, but with autofs it works only if root has a Kerberos ticket (example: kinit admin). When root doesn't have a ticket, other users can't go into the automount folder, but when root has a ticket, it works fine for every user. Is there a workaround for this?

This is my mount information in the FreeIPA automount map:
-fstype=cifs,sec=krb5,username=$USER ://smb.example.com

Cordialement,
Florent BELLO

From schogan at us.ibm.com Thu Jun 2 16:24:39 2016
From: schogan at us.ibm.com (Sean Hogan)
Date: Thu, 2 Jun 2016 09:24:39 -0700
Subject: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
Message-ID: <20160602162455.7149ABE039@b03ledav005.gho.boulder.ibm.com>

Hello All,

Recently went from RHEL 6.7 IPA 3.0.47 to 6.8 IPA 3.0.50. I also think (not sure on this yet) that they changed ntp.. ntp used to point at my ipas.. but they look like they are now pointing elsewhere. Everything was stable at 6.7 3.0.47 pointing to IPA for NTP. However.. they all seem to have the same date.

My master first IPA is acting up. Replication is off, kerberos seems to be off, DNS is off and I think IPA in general on it is toast. We do have 8 IPAs.. only FirstMaster is acting up it seems right now and all either running on KVM or ESXI.

[God@FirstMasterIPA slapd-DOMAIN-LOCAL]# kinit admin
kinit: Generic error (see e-text) while getting initial credential

slapd-DOMAIN-LOCAL
[01/Jun/2016:18:25:43 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Cannot contact any KDC for realm 'DOMAIN.LOCAL')) errno 115 (Operation now in progress) [01/Jun/2016:18:25:43 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin - agmt="cn=meToipaserv2.domain.local" (ipaserv2:389): Replication bind with GSSAPI auth resumed [01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin - agmt="cn=meToipaserv3.domain.local" (ipaserv3:389): Replication bind with GSSAPI auth resumed [01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin - agmt="cn=meToipaserv4.domain.local" (ipaserv4:389): Replication bind with GSSAPI auth resumed [01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin - agmt="cn=meToipaserv5.domain.local" (ipaserv5:389): Replication bind with GSSAPI auth resumed [01/Jun/2016:18:28:04 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) [01/Jun/2016:18:28:04 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) [01/Jun/2016:18:28:13 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory)
[01/Jun/2016:18:28:13 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[01/Jun/2016:18:33:03 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[01/Jun/2016:18:33:03 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
[01/Jun/2016:18:33:18 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory)
[01/Jun/2016:18:33:18 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[01/Jun/2016:18:38:03 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)

[God@FirstMasterIPA slapd-DOMAIN-LOCAL]# ipa-replica-manage -v list --------------> just hangs and never returns

[God@FirstMasterIPA slapd-DOMAIN-LOCAL]# ipactl start ------------->Just hangs here as well.. never gets to the KDC.
Starting Directory Service
Starting dirsrv:
PKI-IPA... already running [ OK ]
DOMAIN-LOCAL... already running [ OK ]

If I run nslookup it fails over to a Replica for the DNS resolution instead of resolving ips itself.
PKI log shows a bunch of this: [02/Jun/2016:11:15:25 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver2.domain.local-pki-ca" (ipaserver2:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null)) [02/Jun/2016:11:15:34 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver2.domain.local-pki-ca" (ipaserver2:7389): Replication bind with SIMPLE auth resumed [02/Jun/2016:11:16:36 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:16:51 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:11:21:51 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:22:06 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:11:26:36 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:26:41 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:11:31:36 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:31:41 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:11:36:36 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:36:41 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) 
[02/Jun/2016:11:41:46 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:41:51 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:11:45:16 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:45:16 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver3.domain.local-pki-ca" (ipaserver3:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null)) [02/Jun/2016:11:45:25 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver3.domain.local-pki-ca" (ipaserver3:7389): Replication bind with SIMPLE auth resumed [02/Jun/2016:11:46:51 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:46:56 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:11:51:36 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:51:41 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:11:56:46 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:56:51 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:12:01:36 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:12:01:41 -0400] slapi_ldap_bind - Error: could not 
send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[02/Jun/2016:12:05:33 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[02/Jun/2016:12:05:33 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver3.domain.local-pki-ca" (ipaserver3:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null))
[02/Jun/2016:12:06:01 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[02/Jun/2016:12:06:06 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver3.domain.local-pki-ca" (ipaserver3:7389): Replication bind with SIMPLE auth resumed
[02/Jun/2016:12:06:31 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[02/Jun/2016:12:06:41 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)

NTP seems OK

[God@FirstMasterIPA slapd-PKI-IPA]# date
Thu Jun 2 12:23:00 EDT 2016

[God@ipaserver3 ~]# date
Thu Jun 2 12:23:02 EDT 2016

Sean Hogan

From peljasz at yahoo.co.uk Thu Jun 2 16:30:56 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Thu, 2 Jun 2016 17:30:56 +0100
Subject: [Freeipa-users] IPA's own ptr record - unresolvable ?
Message-ID: <7975dacd-f378-98d5-e770-df595e672996@yahoo.co.uk>

hi users,

I do (all on IPA server)
$ host 10.5.6.100
Host 100.6.5.10.in-addr.arpa. not found: 3(NXDOMAIN)

I do:
$ host 10.5.6.17
17.6.5.10.in-addr.arpa domain name pointer ......

I do:
$ ipa dnsrecord-find 5.10.in-addr.arpa
Record name: @
NS record: rider.private.dom., swir.private.dom., work5.private.dom.

Record name: 19.10
PTR record: work1.private.dom.

Record name: 23.10
PTR record: work5.private.dom.
Record name: 100.6
PTR record: rider.private.dom.

Record name: 17.6
PTR record: dzien.private.dom.

Record name: 32.6
PTR record: swir.private.dom.
----------------------------
Number of entries returned 6

dig also finds these records.

This is probably why the replica fails with:
ipa.ipapython.install.cli.install_tool(Replica): ERROR Unable to resolve the IP address 10.5.6.100 to a host name, check /etc/hosts and DNS name resolution

Must be something trivial?

many thanks,
L.

From michael.luich at actifio.com Thu Jun 2 19:11:29 2016
From: michael.luich at actifio.com (Michael Luich)
Date: Thu, 2 Jun 2016 15:11:29 -0400
Subject: [Freeipa-users] Python Web API access
Message-ID:

Hi folks,

I was looking for information on accessing the web API from python. Between other info on this list, the https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/ blog post, and a little trial and error, I got it working.

The following python script logs in with a username and password, then retrieves all the users in the development group and prints the uid. I hope this helps some folks out and saves some time.

#!/usr/bin/env python
__author__ = 'michaelluich'
author_email = 'michael.luich at actifio.com'

import json
import sys

import requests

baseurl = 'https://identity1.corp.actifio.com/ipa/session/'

# Path to the IPA CA certificate so that the server's TLS certificate is
# verified; /etc/ipa/ca.crt is where ipa-client-install puts it on an
# enrolled client. Passing verify=False instead would accept any certificate
# and hand the password below to anyone who can intercept the connection.
ca_cert = '/etc/ipa/ca.crt'

# Fill in your details here to be posted to the login form.
payload = {'user': 'USERNAME', 'password': 'PASSWORD'}

# Use 'with' to ensure the session context is closed after use.
with requests.Session() as s:
    # Login to the server; the session cookie is kept by the Session object.
    headers = {'referer': 'https://identity1.corp.actifio.com/ipa/',
               'Content-Type': 'application/x-www-form-urlencoded',
               'Accept': 'text/plain'}
    p = s.post(baseurl + 'login_password', verify=ca_cert, data=payload, headers=headers)
    # A rejected login comes back as HTTP 401 with the reason in the
    # X-IPA-Rejection-Reason header (e.g. invalid-password, password-expired).
    if p.status_code != 200:
        print("Login Problem: %s %s" % (p.status_code, p.headers.get('X-IPA-Rejection-Reason', '')))
        sys.exit(77)

    # Get the user list.
    # The payload information can be found by running ipa -vv user-find.
    payload = {
        'id': 0,
        'method': 'user_find',
        'params': [
            [],
            {
                'all': False,
                'in_group': ['development'],
                'no_members': False,
                'pkey_only': False,
                'raw': False,
                'version': '2.156',
                'whoami': False,
            },
        ],
    }
    headers = {'referer': 'https://identity1.corp.actifio.com/ipa/',
               'Content-Type': 'application/json',
               'Accept': 'application/json'}
    r = s.post(baseurl + 'json', verify=ca_cert, data=json.dumps(payload), headers=headers)
    userJson = json.loads(r.text)
    # API failures are returned with HTTP 200 and a non-null "error" member,
    # so check it before touching "result".
    if userJson.get('error'):
        print("API error: %s" % userJson['error'].get('message'))
        sys.exit(78)
    for user in userJson['result']['result']:
        print(user['uid'])

--
Michael Luich
Senior DevOps Engineer
e michael.luich at actifio.com
333 Wyman Street, Waltham, MA 02451
Manage, access, and protect your data with a single platform that saves you time, money, and complexity.

From rcritten at redhat.com Thu Jun 2 21:27:58 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 2 Jun 2016 17:27:58 -0400
Subject: [Freeipa-users] Replica without CA: implications?
In-Reply-To: <57504068.5010003@blue-bolt.com>
References: <56E0484B.4080006@blue-bolt.com> <1457540024.8257.279.camel@redhat.com> <57504068.5010003@blue-bolt.com>
Message-ID: <5750A4DE.1090206@redhat.com>

Cal Sawyer wrote:
> Apologies for the lengthy pause in getting back onto this. I ended up
> destroying the replica and reprovisioning from scratch, but the replica
> still lists as being CA-less.
>
> Is what I'm seeing normal? Would this 2-node setup in this state
> survive failure of the master?

It will until the certificates start expiring. You want at least 2 CAs to avoid a single point of failure situation.
> > ----------------- > > ON MASTER ipa.localdomain.local > > # ipa-replica-manage list > > ipa2.localdomain.local: master > ipa.localdomain.local: master > > # ipa-csreplica-manage list > > >> ipa2.localdomain.local: CA not configured > ipa.localdomain.local: master > > > ------------------ > > ON REPLICA ipa2.localdomain.local > > # ipa-ca-install > Directory Manager (existing master) password: > > >> CA is already installed. > > ok .... > > # ipa-ca-install -d > > > > ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection > context.ldap2_73731152 > ipa.ipalib.plugins.config.config_show: DEBUG raw: > config_show(version=u'2.156') > ipa.ipalib.plugins.config.config_show: DEBUG config_show(rights=False, > all=False, raw=False, version=u'2.156') > ipa.ipapython.ipaldap.SchemaCache: DEBUG retrieving schema for > SchemaCache url=ldapi://%2fvar%2frun%2fslapd-LOCALDOMAIN-LOCAL.socket > conn= > ipa.ipalib.plugins.cert.ca_is_enabled: DEBUG raw: > ca_is_enabled(version=u'2.156') > ipa.ipalib.plugins.cert.ca_is_enabled: DEBUG > ca_is_enabled(version=u'2.156') > ipa : DEBUG File > "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", > line 732, in run_script > return_value = main_function() > > File "/usr/sbin/ipa-ca-install", line 204, in main > install_master(safe_options, options) > > File "/usr/sbin/ipa-ca-install", line 191, in install_master > ca.install_check(True, None, options) > > File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line > 49, in install_check > sys.exit("CA is already installed.\n") > > ipa : DEBUG The ipa-ca-install command failed, exception: > SystemExit: CA is already installed. > > >> CA is already installed. It detects whether a CA is installed by the existence of something like /var/lib/pki-tomcat/ca. You can use pkidestroy to remove any remnants that might be left over from some previous failed install. Or it could be that something wasn't updated properly in LDAP and there actually is a working CA. 
You might try manually starting the CA to see if it comes up, and/or run ipa-csreplica-manage to see if there are any working agreements.

rob

>
> thanks
>
> - cal sawyer
>
> On 09/03/16 16:13, Simo Sorce wrote:
>> On Wed, 2016-03-09 at 15:59 +0000, Cal Sawyer wrote:
>>> Hi
>>>
>>> Somehow i picked the wrong cookbook when i provisioned my first (and
>>> only) replica and it lacks CA aso, as pointed out in a recent thread,
>>> creates a single point of failure. Not ready to set up more 2 replicas
>>> yet and am still in testing. Is it possible to replicate the master's
>>> CA to the replica without destroying and reprovisioning with --setup-ca
>>> this time?
>> Use ipa-ca-install on the replica.
>>
>> Simo.
>>
>

From rcritten at redhat.com Thu Jun 2 21:29:35 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 2 Jun 2016 17:29:35 -0400
Subject: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master
In-Reply-To: <0405D135-74A7-4E5C-AF85-41224767BADC@high5games.com>
References: <5e9b561a-c399-a5fb-b59f-d2ccbbd6791e@dlr.de> <0405D135-74A7-4E5C-AF85-41224767BADC@high5games.com>
Message-ID: <5750A53F.2040908@redhat.com>

Dan.Finkelstein at high5games.com wrote:
> Hi Sebastian,
>
> Unfortunately, that doesn't seem to be it and reinstalling the replica
> with --setup-ca failed again with the same errors. I've included relevant
> sections of the logs.
>
> /var/log/ipareplica-install.log:
>
> 2016-06-02T10:43:16Z DEBUG Starting external process
> 2016-06-02T10:43:16Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpl8RqSM'
> 2016-06-02T10:43:16Z DEBUG Process finished, return code=1
> 2016-06-02T10:43:16Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160602064316.log
> Loading deployment configuration from /tmp/tmpl8RqSM.
> 2016-06-02T10:43:16Z DEBUG stderr=Traceback (most recent call last):
>   File "/usr/sbin/pkispawn", line 717, in
>     main(sys.argv)
>   File "/usr/sbin/pkispawn", line 523, in main
>     parser.compose_pki_master_dictionary()
>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py", line 573, in compose_pki_master_dictionary
>     instance.load()
>   File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 454, in load
>     subsystem.load()
>   File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 118, in load
>     lines = open(self.cs_conf).read().splitlines()
> IOError: [Errno 2] No such file or directory: '/var/lib/pki/pki-tomcat/ca/conf/CS.cfg'
>
> 2016-06-02T10:43:16Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpl8RqSM'' returned non-zero exit status 1
> 2016-06-02T10:43:16Z CRITICAL See the installation logs and the following files/directories for more information:
> 2016-06-02T10:43:16Z CRITICAL /var/log/pki-ca-install.log
> 2016-06-02T10:43:16Z CRITICAL /var/log/pki/pki-tomcat
> 2016-06-02T10:43:16Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
>     method()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance
>     DogtagInstance.spawn_instance(self, cfg_file)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
>     self.handle_setup_error(e)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
>     raise RuntimeError("%s configuration failed." % self.subsystem)
> RuntimeError: CA configuration failed.
>
> 2016-06-02T10:43:16Z DEBUG [error] RuntimeError: CA configuration failed.
> 2016-06-02T10:43:16Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>     return_value = self.run()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, in run
>     cfgr.run()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 281, in run
>     self.execute()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 303, in execute
>     for nothing in self._executor():
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
>     self._handle_exception(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
>     util.raise_exc_info(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
>     step()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
>     raise_exc_info(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
>     value = gen.send(prev_value)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 524, in _configure
>     executor.next()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
>     self._handle_exception(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in _handle_exception
>     self.__parent._handle_exception(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
>     util.raise_exc_info(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in _handle_exception
>     super(ComponentBase, self)._handle_exception(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
>     util.raise_exc_info(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
>     step()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
>     raise_exc_info(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
>     value = gen.send(prev_value)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
>     for nothing in self._installer(self.parent):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 879, in main
>     install(self)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 295, in decorated
>     func(installer)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 584, in install
>     ca.install(False, config, options)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 106, in install
>     install_step_0(standalone, replica_config, options)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 130, in install_step_0
>     ra_p12=getattr(options, 'ra_p12', None))
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1543, in install_replica_ca
>     subject_base=config.subject_base)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 486, in configure_instance
>     self.start_creation(runtime=210)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
>     method()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance
>     DogtagInstance.spawn_instance(self, cfg_file)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
>     self.handle_setup_error(e)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
>     raise RuntimeError("%s configuration failed." % self.subsystem)
>
> 2016-06-02T10:43:16Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: CA configuration failed.
> 2016-06-02T10:43:16Z ERROR CA configuration failed.
>
> Of note, there is no /var/log/pki-ca-install.log file nor (as the error
> above shows) is there /var/lib/pki/pki-tomcat/ca/conf/CS.cfg.
>
> Best regards,
>
> Dan
>
> Daniel Alex Finkelstein | Senior Dev Ops Engineer
> Dan.Finkelstein at h5g.com | 212.604.3447
>
> From: Sebastian Schäfer
> Date: Thursday, June 2, 2016 at 02:59
> To: "freeipa-users at redhat.com", Daniel Finkestein
> Subject: Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of
> FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica,
> cannot promote to master
>
> Hi Dan,
>
> I had a similar problem when updating my FreeIPA.
In my case it turned > > out that the certificates that get bundled with the replica preparation > > file were expired. This is due to the /root/cacert.p12 file not being > > updated during the preparation process until FreeIPA 3.2.2 > > The file can be recreated with the commands from step 2 of > > http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password > > If that does not solve the problem, it would be good to see (part of) > > the actual logfiles of your replica installation attempt. > > Best regards > > -- > > Sebastian Sch?fer, M. A. > > ------------------------------- > > Deutsches Zentrum f?r Luft- und Raumfahrt e.V. (DLR) > > Institute of Space Operations and Astronaut Training > > Microgravity User Support Center (MUSC) > > Linder H?he | 51147 K?ln > > Telefon 02203 601-30 01 | Telefax: 02203 61471 | > sebastian.schaefer at dlr.de > > www.DLR.de > > On 06/01/2016 06:45 PM, Dan.Finkelstein at high5games.com > wrote: > > Hi folks, > > As the subject suggests, we're converting from FreeIPA 3.0.0 on CentOS 6 > > to 4.2.0 on CentOS 7. The way we're doing it is to create FreeIPA > > replicas in CentOS 7 and then hope to promote one of them to the CA > > master. I'm running into two problems: > > The first is that when we create a replica in FreeIPA 4.2.0 with the > > ?setup-ca option, that portion fails. Here's a snippet of the output: > > Configuring certificate server (pki-tomcatd). 
Estimated time: 3 minutes > > 30 seconds > > [1/23]: creating certificate server user > > [2/23]: configuring certificate server instance > > ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to > > configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' > > '/tmp/tmpqPeYOW'' returned non-zero exit status 1 > > ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the > > installation logs and the following files/directories for more > information: > > ipa.ipaserver.install.cainstance.CAInstance: CRITICAL > > /var/log/pki-ca-install.log > > ipa.ipaserver.install.cainstance.CAInstance: CRITICAL > > /var/log/pki/pki-tomcat > > [error] RuntimeError: CA configuration failed. > > Your system may be partly configured. > > Run /usr/sbin/ipa-server-install --uninstall to clean up. > > > You need to find the CA logs. All IPA gets is "the install failed" and no details why. Lok in /var/log/pki/pki-tomcat for the relevant logs. rob From rcritten at redhat.com Thu Jun 2 21:31:05 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 2 Jun 2016 17:31:05 -0400 Subject: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates In-Reply-To: <5750416E.3070408@damascusgrp.com> References: <5750416E.3070408@damascusgrp.com> Message-ID: <5750A599.6020305@redhat.com> Bret Wortman wrote: > Is it possible to use our freeipa CA as a trusted CA to sign our > internal SSL certificates? Our system runs on a private network and so > using the usual trusted sources isn't an option. We've been using > self-signed, but that adds some additional complications and we thought > this might be a good solution. > > Is it possible, and, since most online guides defer to "submit the CSR > to Verisign" or whomever, how would you go about producing one in this way? Not sure I understand the question. The IPA CA is also self-signed. For enrolled systems though at least the CA is pre-distributed so maybe that will help. 
rob

From rcritten at redhat.com Thu Jun 2 21:34:05 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 2 Jun 2016 17:34:05 -0400
Subject: [Freeipa-users] IPA 2.2 Certificate Renewal issue
In-Reply-To:
References: <57486A9E.2050909@redhat.com> <574DA955.2030004@redhat.com> <574E5CD4.1020108@redhat.com> <574EF307.3090301@redhat.com>
Message-ID: <5750A64D.7090807@redhat.com>

Kay Zhou Y wrote:
> Hi Rob,
>
> We are using fedora 17.
> And as you said, when I roll back time to when the CA subsystem and ipaCert are valid, then restart ipactl, "pki-cad@pki-ca.service" is active as normal.
> But these five certs could not be renewed as before. (actually I always restart ipa world after I roll back time, this "pki-cad@pki-ca.service" should be active but I just ignored it before... )

With the time rolled back what I'd do is restart certmonger then run in a loop with a 1 second sleep ipa-getcert list and ensure that the statuses are changing to SUBMITTING, etc., and see what the final state is.

certmonger logs to syslog so that might give some clues what is happening, and you can watch the dogtag logs to ensure the requests are being received, etc.

rob

>
> Thanks,
> BR//Kay
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Wednesday, June 01, 2016 10:37 PM
> To: Kay Zhou Y; freeipa-users at redhat.com
> Cc: Doris Hongmei; Xionglin Gu
> Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue
>
> Kay Zhou Y wrote:
>> Hi Rob,
>>
>> 1. I have made snapshots for this system for test, so NSS databases have been backed up.
>>
>> 2. For the pki-cad service, I can't find it in my system, it shows there is no such service.
>> but there is one service failed as below:
>>
>> root@ecnshlx3039-test2(SH):requests #systemctl status pki-cad@pki-ca.service
>> pki-cad@pki-ca.service - PKI Certificate Authority Server pki-ca
>>    Loaded: loaded (/lib/systemd/system/pki-cad@.service; enabled)
>>    Active: failed (Result: exit-code) since Wed, 01 Jun 2016 06:28:53 +0200; 23min ago
>>   Process: 2675 ExecStop=/usr/bin/pkicontrol stop ca %i (code=exited, status=1/FAILURE)
>>   Process: 2525 ExecStart=/usr/bin/pkicontrol start ca %i (code=exited, status=0/SUCCESS)
>>  Main PID: 2593 (code=exited, status=0/SUCCESS)
>>    CGroup: name=systemd:/system/pki-cad@.service/pki-ca
>>
>> Jun 01 06:28:49 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2549]: pam_unix(runuser-l:session): session opened for user pkius...d=0)
>> Jun 01 06:28:49 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2549]: pam_unix(runuser-l:session): session closed for user pkiuser
>> Jun 01 06:28:52 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2694]: pam_unix(runuser-l:session): session opened for user pkius...d=0)
>> Jun 01 06:28:53 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2694]: pam_unix(runuser-l:session): session closed for user pkiuser
>>
>> I can't start it normally, even the log just said:
>> Jun 1 06:54:39 ecnshlx3039-test2 systemd[1]: pki-cad@pki-ca.service: control process exited, code=exited status=1
>> Jun 1 06:54:39 ecnshlx3039-test2 systemd[1]: Unit pki-cad@pki-ca.service entered failed state.
>>
>> I will google more to try to start it first.
>
> Ok, this is very confusing to me. What distribution are you running? I have the feeling you are running an extremely outdated version of Fedora.
>
> Yes, you need the CA up in order to get the certificates renewed. Look at catalina.out, the log "debug" and the selftests log for clues on why it won't start. You also need the PKI-IPA 389-ds instance running.
>
> And I guess you were just showing me the service name and such, but of course it won't start today with expired certs.
>
>> 3. About the source of the output for getcert list:
>>
>> root@ecnshlx3039-test2(SH):requests #ll
>> total 64
>> -rw-------. 1 root root 5698 Jun  1 06:06 20120704140859
>> -rw-------. 1 root root 5695 Jun  1 06:06 20120704140922
>> -rw-------. 1 root root 5654 Jun  1 06:06 20120704141150
>> -rw-------. 1 root root 5107 Jun  1 06:39 20140605220249
>> -rw-------. 1 root root 4982 Jun  1 06:39 20160601043748
>> -rw-------. 1 root root 5144 Jun  1 06:39 20160601043749
>> -rw-------. 1 root root 5186 Jun  1 06:39 20160601043750
>> -rw-------. 1 root root 5126 Jun  1 06:39 20160601043751
>> root@ecnshlx3039-test2(SH):requests #
>> root@ecnshlx3039-test2(SH):requests #grep post_certsave_command *
>> 20120704140859:post_certsave_command=/usr/lib64/ipa/certmonger/restart_dirsrv DRUTT-COM
>> 20120704141150:post_certsave_command=/usr/lib64/ipa/certmonger/restart_httpd
>> root@ecnshlx3039-test2(SH):requests #grep pre_certsave_command *
>> root@ecnshlx3039-test2(SH):requests #
>>
>> there are just two statements.
>
> Ok, that is fine then I think.
>
> rob
>

From bret.wortman at damascusgrp.com Thu Jun 2 21:35:01 2016
From: bret.wortman at damascusgrp.com (bret.wortman at damascusgrp.com)
Date: Thu, 2 Jun 2016 17:35:01 -0400
Subject: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates
In-Reply-To: <5750A599.6020305@redhat.com>
References: <5750416E.3070408@damascusgrp.com> <5750A599.6020305@redhat.com>
Message-ID: <09f4573d-d950-4947-bf06-f6168eabc4ad@Spark>

Sorry, let me back up a step. We need to implement https everywhere. All our web services. And clients need to get keys & certs automatically whether through IPA or Puppet. These systems use IPA for everything but authentication (to keep most users off). I'm trying to suss out the easiest way to make this happen smoothly.

Bret Wortman
http://wrapbuddies.co/

On Jun 2, 2016, 5:31 PM -0400, Rob Crittenden, wrote:
> Bret Wortman wrote:
>> Is it possible to use our freeipa CA as a trusted CA to sign our internal SSL certificates? Our system runs on a private network and so using the usual trusted sources isn't an option. We've been using self-signed, but that adds some additional complications and we thought this might be a good solution.
>>
>> Is it possible, and, since most online guides defer to "submit the CSR to Verisign" or whomever, how would you go about producing one in this way?
>
> Not sure I understand the question. The IPA CA is also self-signed. For enrolled systems though at least the CA is pre-distributed so maybe that will help.
>
> rob

From rcritten at redhat.com Thu Jun 2 21:42:07 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 2 Jun 2016 17:42:07 -0400
Subject: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
In-Reply-To: <20160602162455.7149ABE039@b03ledav005.gho.boulder.ibm.com>
References: <20160602162455.7149ABE039@b03ledav005.gho.boulder.ibm.com>
Message-ID: <5750A82F.3000406@redhat.com>

Sean Hogan wrote:
> Hello All,
>
> Recently went from RHEL 6.7 IPA 3.0.47 to 6.8 IPA 3.0.50. I also think (not sure on this yet) that they changed ntp.. ntp used to point at my ipas.. but they look like they are now pointing elsewhere. Everything was stable at 6.7 3.0.47 pointing to IPA for NTP. However.. they all seem to have the same date.
>
> My master first IPA is acting up. Replication is off, kerberos seems to be off, DNS is off and I think IPA in general on it is toast.
> We do have 8 IPAs.. only FirstMaster is acting up it seems right now and all either running on KVM or ESXI.
> > > [God at FirstMasterIPA slapd-DOMAIN-LOCAL]# kinit admin > kinit: Generic error (see e-text) while getting initial credential ipactl status should show what services are running. It looks like the KDC is responding but can't talk to the LDAP backend. > > > slapd-DOMAIN-LOCAL > [01/Jun/2016:18:25:43 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > GSS failure. Minor code may provide more information (Cannot contact any > KDC for realm 'DOMAIN.LOCAL')) errno 115 (Operation now in progress) > [01/Jun/2016:18:25:43 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin - > agmt="cn=meToipaserv2.domain.local" (ipaserv2:389): Replication bind > with GSSAPI auth resumed > [01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin - > agmt="cn=meToipaserv3.domain.local" (ipaserv3:389): Replication bind > with GSSAPI auth resumed > [01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin - > agmt="cn=meToipaserv4.domain.local" (ipaserv4:389): Replication bind > with GSSAPI auth resumed > [01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin - > agmt="cn=meToipaserv5.domain.local" (ipaserv5:389): Replication bind > with GSSAPI auth resumed > [01/Jun/2016:18:28:04 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI > Failure: gss_accept_sec_context) errno 0 (Success) > [01/Jun/2016:18:28:04 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) > [01/Jun/2016:18:28:13 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 (Local error) (SASL(-1): 
generic failure: GSSAPI Error: Unspecified > GSS failure. Minor code may provide more information (No credentials > cache found)) errno 2 (No such file or directory) > [01/Jun/2016:18:28:13 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [01/Jun/2016:18:33:03 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI > Failure: gss_accept_sec_context) errno 0 (Success) > [01/Jun/2016:18:33:03 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) > [01/Jun/2016:18:33:18 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > GSS failure. Minor code may provide more information (No credentials > cache found)) errno 2 (No such file or directory) > [01/Jun/2016:18:33:18 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [01/Jun/2016:18:38:03 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI > Failure: gss_accept_sec_context) errno 0 (Success) And this makes it look like it can't talk to the KDC. I'd check for SELinux errors, ausearch -m AVC -ts recent I think the rest is just indication that something is wrong with either the LDAP servers, the KDC or both. You may also want to look at /var/log/ipaupgrade.log to ensure that the upgrade was successful. 
rob > > [God at FirstMasterIPA slapd-DOMAIN-LOCAL]# ipa-replica-manage -v list > --------------> just hangs and never returns > > > [God at FirstMasterIPA slapd-DOMAIN-LOCAL]# ipactl start ------------->Just > hangs here as well.. never gets to the KDC. > > Starting Directory Service > Starting dirsrv: > PKI-IPA... already running [ OK ] > DOMAIN-LOCAL... already running [ OK ] > > > If I run nslookup it fails over to a Replica for the DNS resolution > instead of resolving ips itself. > > > > PKI log shows a bunch of this: > [02/Jun/2016:11:15:25 -0400] NSMMReplicationPlugin - > agmt="cn=masterAgreement1-ipaserver2.domain.local-pki-ca" > (ipaserver2:7389): Replication bind with SIMPLE auth failed: LDAP error > -1 (Can't contact LDAP server) ((null)) > [02/Jun/2016:11:15:34 -0400] NSMMReplicationPlugin - > agmt="cn=masterAgreement1-ipaserver2.domain.local-pki-ca" > (ipaserver2:7389): Replication bind with SIMPLE auth resumed > [02/Jun/2016:11:16:36 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) > [02/Jun/2016:11:16:51 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 107 > (Transport endpoint is not connected) > [02/Jun/2016:11:21:51 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) > [02/Jun/2016:11:22:06 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 107 > (Transport endpoint is not connected) > [02/Jun/2016:11:26:36 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) > [02/Jun/2016:11:26:41 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 107 > (Transport endpoint is not connected) > [02/Jun/2016:11:31:36 -0400] slapi_ldap_bind - Error: could not send > startTLS 
request: error -1 (Can't contact LDAP server) errno 0 (Success) > [02/Jun/2016:11:31:41 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 107 > (Transport endpoint is not connected) > [02/Jun/2016:11:36:36 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) > [02/Jun/2016:11:36:41 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 107 > (Transport endpoint is not connected) > [02/Jun/2016:11:41:46 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) > [02/Jun/2016:11:41:51 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 107 > (Transport endpoint is not connected) > [02/Jun/2016:11:45:16 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) > [02/Jun/2016:11:45:16 -0400] NSMMReplicationPlugin - > agmt="cn=masterAgreement1-ipaserver3.domain.local-pki-ca" > (ipaserver3:7389): Replication bind with SIMPLE auth failed: LDAP error > -1 (Can't contact LDAP server) ((null)) > [02/Jun/2016:11:45:25 -0400] NSMMReplicationPlugin - > agmt="cn=masterAgreement1-ipaserver3.domain.local-pki-ca" > (ipaserver3:7389): Replication bind with SIMPLE auth resumed > [02/Jun/2016:11:46:51 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) > [02/Jun/2016:11:46:56 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 107 > (Transport endpoint is not connected) > [02/Jun/2016:11:51:36 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) > [02/Jun/2016:11:51:41 -0400] slapi_ldap_bind - Error: could not send > startTLS 
request: error -1 (Can't contact LDAP server) errno 107 > (Transport endpoint is not connected) > [02/Jun/2016:11:56:46 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) > [02/Jun/2016:11:56:51 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 107 > (Transport endpoint is not connected) > [02/Jun/2016:12:01:36 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) > [02/Jun/2016:12:01:41 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 107 > (Transport endpoint is not connected) > [02/Jun/2016:12:05:33 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) > [02/Jun/2016:12:05:33 -0400] NSMMReplicationPlugin - > agmt="cn=masterAgreement1-ipaserver3.domain.local-pki-ca" > (ipaserver3:7389): Replication bind with SIMPLE auth failed: LDAP error > -1 (Can't contact LDAP server) ((null)) > [02/Jun/2016:12:06:01 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) > [02/Jun/2016:12:06:06 -0400] NSMMReplicationPlugin - > agmt="cn=masterAgreement1-ipaserver3.domain.local-pki-ca" > (ipaserver3:7389): Replication bind with SIMPLE auth resumed > [02/Jun/2016:12:06:31 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 107 > (Transport endpoint is not connected) > [02/Jun/2016:12:06:41 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) > > > > > NTP seems OK > [God at FirstMasterIPA slapd-PKI-IPA]# date > Thu Jun 2 12:23:00 EDT 2016 > > [God at ipaserver3 ~]# date > Thu Jun 2 12:23:02 EDT 2016 > > > > Sean Hogan > > > > > From Dan.Finkelstein at high5games.com 
Thu Jun 2 21:42:51 2016 From: Dan.Finkelstein at high5games.com (Dan.Finkelstein at high5games.com) Date: Thu, 2 Jun 2016 21:42:51 +0000 Subject: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master In-Reply-To: <5750A53F.2040908@redhat.com> References: <5e9b561a-c399-a5fb-b59f-d2ccbbd6791e@dlr.de> <0405D135-74A7-4E5C-AF85-41224767BADC@high5games.com> <5750A53F.2040908@redhat.com> Message-ID: Hi Rob, There's a few logs in there, I'm not sure which is most informative. Here are some sections from what I think are relevant logs: /var/log/pki/pki-tomcat/localhost.log: Jun 01, 2016 12:16:34 PM org.apache.catalina.core.StandardWrapperValve invoke SEVERE: Servlet.service() for servlet [Resteasy] in context with path [/ca] threw exception org.jboss.resteasy.spi.UnhandledException: org.jboss.resteasy.core.NoMessageBodyWriterFoundFailure: Could not find MessageBodyWriter for response object of type: com.netscape.certsrv.base.PKIException$Data of media type: application/x-www-form-urlencoded at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:157) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:727) at sun.reflect.GeneratedMethodAccessor41.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at 
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at sun.reflect.GeneratedMethodAccessor40.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at 
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:610) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314) ...skipping... 
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at sun.reflect.GeneratedMethodAccessor40.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at 
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:610) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745) Caused by: org.jboss.resteasy.core.NoMessageBodyWriterFoundFailure: Could not find MessageBodyWriter for response object of type: com.netscape.certsrv.base.PKIException$Data of media type: application/x-www-form-urlencoded at org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:67) at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:153) ... 52 more /var/log/pki/pki-tomcat/catalina.out: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property. 
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property.

/var/log/pki/pki-tomcat/ca/system:

0.localhost-startStop-1 - [01/Jun/2016:12:15:12 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
0.localhost-startStop-1 - [01/Jun/2016:12:15:12 EDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
0.http-bio-8443-exec-3 - [01/Jun/2016:12:15:55 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
0.Thread-14 - [01/Jun/2016:12:16:17 EDT] [8] [3] Publishing: Could not publish certificate serial number 0x7. Error Failed to publish using rule: No rules enabled
0.Thread-13 - [01/Jun/2016:12:16:45 EDT] [8] [3] Publishing: Could not publish certificate serial number 0x8. Error Failed to publish using rule: No rules enabled
0.Thread-13 - [01/Jun/2016:12:20:22 EDT] [8] [3] Publishing: Could not publish certificate serial number 0x9. Error Failed to publish using rule: No rules enabled
0.Thread-14 - [01/Jun/2016:12:20:23 EDT] [8] [3] Publishing: Could not publish certificate serial number 0xa. Error Failed to publish using rule: No rules enabled
0.profileChangeMonitor - [01/Jun/2016:12:20:28 EDT] [8] [3] In Ldap (bound) connection pool to host ipa.example.com port 636, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
(repeats)
0.RetrieveModificationsTask - [01/Jun/2016:12:21:33 EDT] [8] [3] In Ldap (bound) connection pool to host ipa.h5c.local port 636, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
0.RetrieveModificationsTask - [01/Jun/2016:12:21:33 EDT] [5] [3] Failed to get a connection to the LDAP server. Error Could not connect to LDAP server host ipa.example.com port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
0.profileChangeMonitor - [01/Jun/2016:12:21:33 EDT] [8] [3] In Ldap (bound) connection pool to host ipa.example.com port 636, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)

Thanks,
Dan

Daniel Alex Finkelstein | Senior Dev Ops Engineer
Dan.Finkelstein at h5g.com

From: Rob Crittenden
Date: Thursday, June 2, 2016 at 17:29
To: Daniel Finkestein, "freeipa-users at redhat.com"
Subject: Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

Dan.Finkelstein at high5games.com wrote:

Hi Sebastian,

Unfortunately, that doesn't seem to be it and reinstalling the replica with --setup-ca failed again with the same errors.
I've included relevant sections of the logs.

/var/log/ipareplica-install.log:

2016-06-02T10:43:16Z DEBUG Starting external process
2016-06-02T10:43:16Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpl8RqSM'
2016-06-02T10:43:16Z DEBUG Process finished, return code=1
2016-06-02T10:43:16Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160602064316.log
Loading deployment configuration from /tmp/tmpl8RqSM.
2016-06-02T10:43:16Z DEBUG stderr=Traceback (most recent call last):
  File "/usr/sbin/pkispawn", line 717, in <module>
    main(sys.argv)
  File "/usr/sbin/pkispawn", line 523, in main
    parser.compose_pki_master_dictionary()
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py", line 573, in compose_pki_master_dictionary
    instance.load()
  File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 454, in load
    subsystem.load()
  File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 118, in load
    lines = open(self.cs_conf).read().splitlines()
IOError: [Errno 2] No such file or directory: '/var/lib/pki/pki-tomcat/ca/conf/CS.cfg'

2016-06-02T10:43:16Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpl8RqSM'' returned non-zero exit status 1
2016-06-02T10:43:16Z CRITICAL See the installation logs and the following files/directories for more information:
2016-06-02T10:43:16Z CRITICAL /var/log/pki-ca-install.log
2016-06-02T10:43:16Z CRITICAL /var/log/pki/pki-tomcat
2016-06-02T10:43:16Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2016-06-02T10:43:16Z DEBUG [error] RuntimeError: CA configuration failed.
2016-06-02T10:43:16Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 281, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 303, in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 524, in _configure
    executor.next()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 879, in main
    install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 295, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 584, in install
    ca.install(False, config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 106, in install
    install_step_0(standalone, replica_config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 130, in install_step_0
    ra_p12=getattr(options, 'ra_p12', None))
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1543, in install_replica_ca
    subject_base=config.subject_base)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 486, in configure_instance
    self.start_creation(runtime=210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)

2016-06-02T10:43:16Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: CA configuration failed.
2016-06-02T10:43:16Z ERROR CA configuration failed.

Of note, there is no /var/log/pki-ca-install.log file nor (as the error above shows) is there /var/lib/pki/pki-tomcat/ca/conf/CS.cfg.

Best regards,
Dan

Daniel Alex Finkelstein | Senior Dev Ops Engineer
Dan.Finkelstein at h5g.com

From: Sebastian Schäfer
Date: Thursday, June 2, 2016 at 02:59
To: "freeipa-users at redhat.com", Daniel Finkestein
Subject: Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

Hi Dan,

I had a similar problem when updating my FreeIPA. In my case it turned out that the certificates that get bundled with the replica preparation file were expired.
This is due to the /root/cacert.p12 file not being updated during the preparation process until FreeIPA 3.2.2.
The file can be recreated with the commands from step 2 of http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

If that does not solve the problem, it would be good to see (part of) the actual logfiles of your replica installation attempt.

Best regards

--
Sebastian Schäfer, M. A.
-------------------------------
Deutsches Zentrum für Luft- und Raumfahrt e.V. (DLR)
Institute of Space Operations and Astronaut Training
Microgravity User Support Center (MUSC)
Linder Höhe | 51147 Köln
Phone 02203 601-30 01 | Fax: 02203 61471 | sebastian.schaefer at dlr.de
www.DLR.de

On 06/01/2016 06:45 PM, Dan.Finkelstein at high5games.com wrote:

Hi folks,

As the subject suggests, we're converting from FreeIPA 3.0.0 on CentOS 6 to 4.2.0 on CentOS 7. The way we're doing it is to create FreeIPA replicas in CentOS 7 and then hope to promote one of them to the CA master. I'm running into two problems:

The first is that when we create a replica in FreeIPA 4.2.0 with the --setup-ca option, that portion fails. Here's a snippet of the output:

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/23]: creating certificate server user
  [2/23]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpqPeYOW'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

You need to find the CA logs.
All IPA gets is "the install failed" and no details why. Look in /var/log/pki/pki-tomcat for the relevant logs.

rob

From ftweedal at redhat.com Thu Jun 2 22:24:19 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 3 Jun 2016 08:24:19 +1000
Subject: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates
In-Reply-To: <09f4573d-d950-4947-bf06-f6168eabc4ad@Spark>
References: <5750416E.3070408@damascusgrp.com> <5750A599.6020305@redhat.com> <09f4573d-d950-4947-bf06-f6168eabc4ad@Spark>
Message-ID: <20160602222419.GH4744@dhcp-40-8.bne.redhat.com>

On Thu, Jun 02, 2016 at 05:35:01PM -0400, bret.wortman at damascusgrp.com wrote:
> Sorry, let me back up a step. We need to implement https
> everywhere. All our web services. And clients need to get
> keys&certs automatically whether through IPA or Puppet. These
> systems use IPA for everything but authentication (to keep most
> users off). I'm trying to suss out the easiest way to make this
> happen smoothly.
>
Hi Bret,

You can use the IPA CA to sign service certificates. See
http://www.freeipa.org/page/Certmonger#Request_a_new_certificate.

IPA-enrolled machines already have the IPA certificate in their
trust store. If the clients are IPA-enrolled, everything should
Just Work, otherwise you can distribute the IPA CA certificate to
clients via Puppet** or whatever means you prefer.

** you will have to work out how, because I do not know Puppet :)

Cheers,
Fraser

>
>
> On Jun 2, 2016, 5:31 PM -0400, Rob Crittenden, wrote:
> > Bret Wortman wrote:
> > > Is it possible to use our freeipa CA as a trusted CA to sign our
> > > internal SSL certificates? Our system runs on a private network and so
> > > using the usual trusted sources isn't an option.
> > > We've been using
> > > self-signed, but that adds some additional complications and we thought
> > > this might be a good solution.
> > >
> > > Is it possible, and, since most online guides defer to "submit the CSR
> > > to Verisign" or whomever, how would you go about producing one in this way?
> >
> > Not sure I understand the question. The IPA CA is also self-signed. For
> > enrolled systems though at least the CA is pre-distributed so maybe that
> > will help.
> >
> > rob
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From bret.wortman at damascusgrp.com Thu Jun 2 23:25:53 2016
From: bret.wortman at damascusgrp.com (bret.wortman at damascusgrp.com)
Date: Thu, 2 Jun 2016 19:25:53 -0400
Subject: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates
In-Reply-To: <20160602222419.GH4744@dhcp-40-8.bne.redhat.com>
References: <5750416E.3070408@damascusgrp.com> <5750A599.6020305@redhat.com> <09f4573d-d950-4947-bf06-f6168eabc4ad@Spark> <20160602222419.GH4744@dhcp-40-8.bne.redhat.com>
Message-ID:

Cool. I'll give this a go in the morning.

Bret Wortman
http://wrapbuddies.co/

On Jun 2, 2016, 6:24 PM -0400, Fraser Tweedale, wrote:
> On Thu, Jun 02, 2016 at 05:35:01PM -0400, bret.wortman at damascusgrp.com wrote:
> > Sorry, let me back up a step. We need to implement https
> > everywhere. All our web services. And clients need to get
> > keys&certs automatically whether through IPA or Puppet. These
> > systems use IPA for everything but authentication (to keep most
> > users off). I'm trying to suss out the easiest way to make this
> > happen smoothly.
> >
> Hi Bret,
>
> You can use the IPA CA to sign service certificates. See
> http://www.freeipa.org/page/Certmonger#Request_a_new_certificate.
>
> IPA-enrolled machines already have the IPA certificate in their
> trust store.
> If the clients are IPA-enrolled, everything should
> Just Work, otherwise you can distribute the IPA CA certificate to
> clients via Puppet** or whatever means you prefer.
>
> ** you will have to work out how, because I do not know Puppet :)
>
> Cheers,
> Fraser
>
> >
> >
> > On Jun 2, 2016, 5:31 PM -0400, Rob Crittenden, wrote:
> > > Bret Wortman wrote:
> > > > Is it possible to use our freeipa CA as a trusted CA to sign our
> > > > internal SSL certificates? Our system runs on a private network and so
> > > > using the usual trusted sources isn't an option. We've been using
> > > > self-signed, but that adds some additional complications and we thought
> > > > this might be a good solution.
> > > >
> > > > Is it possible, and, since most online guides defer to "submit the CSR
> > > > to Verisign" or whomever, how would you go about producing one in this way?
> > >
> > > Not sure I understand the question. The IPA CA is also self-signed. For
> > > enrolled systems though at least the CA is pre-distributed so maybe that
> > > will help.
> > >
> > > rob
> >
> >

From pspacek at redhat.com Fri Jun 3 07:06:12 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 3 Jun 2016 09:06:12 +0200
Subject: [Freeipa-users] IPA's own ptr record - unresolvable ?
In-Reply-To: <7975dacd-f378-98d5-e770-df595e672996@yahoo.co.uk>
References: <7975dacd-f378-98d5-e770-df595e672996@yahoo.co.uk>
Message-ID: <2edfd726-e26a-6878-b968-bfef0bb14e39@redhat.com>

On 2.6.2016 18:30, lejeczek wrote:
> hi users,
>
> I do (all on IPA server)
>
> $ host 10.5.6.100
> Host 100.6.5.10.in-addr.arpa. not found: 3(NXDOMAIN)
>
> I do:
>
> $ host 10.5.6.17
> 17.6.5.10.in-addr.arpa domain name pointer ......
>
> I do:
>
> $ ipa dnsrecord-find 5.10.in-addr.arpa
>   Record name: @
>   NS record: rider.private.dom., swir.private.dom., work5.private.dom.
>
>   Record name: 19.10
>   PTR record: work1.private.dom.
>
>   Record name: 23.10
>   PTR record: work5.private.dom.
>
>   Record name: 100.6
>   PTR record: rider.private.dom.
>
>   Record name: 17.6
>   PTR record: dzien.private.dom.
>
>   Record name: 32.6
>   PTR record: swir.private.dom.
> ----------------------------
> Number of entries returned 6
>
>
> dig also find these records.
>
> this is probably why replica fails with:
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR Unable to resolve
> the IP address 10.5.6.100 to a host name, check /etc/hosts and DNS name
> resolution
>
> must be something trivial?

Likely :-) It could have multiple reasons.
E.g. DNS delegation from parent domain could be broken which could cause this etc.

Please try commands
$ dig -x PTR

and

$ dig -x SOA

and post their output, preferably without redacting it because the attempt to
hide real names often hides the root cause. I will have a look.

--
Petr^2 Spacek

From peljasz at yahoo.co.uk Fri Jun 3 08:29:10 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Fri, 3 Jun 2016 09:29:10 +0100
Subject: [Freeipa-users] IPA's own ptr record - unresolvable ?
In-Reply-To: <2edfd726-e26a-6878-b968-bfef0bb14e39@redhat.com>
References: <7975dacd-f378-98d5-e770-df595e672996@yahoo.co.uk> <2edfd726-e26a-6878-b968-bfef0bb14e39@redhat.com>
Message-ID: <7c778008-eeb0-a607-6b2b-e8de240659c8@yahoo.co.uk>

On 03/06/16 08:06, Petr Spacek wrote:
> On 2.6.2016 18:30, lejeczek wrote:
>> hi users,
>>
>> I do (all on IPA server)
>>
>> $ host 10.5.6.100
>> Host 100.6.5.10.in-addr.arpa. not found: 3(NXDOMAIN)
>>
>> I do:
>>
>> $ host 10.5.6.17
>> 17.6.5.10.in-addr.arpa domain name pointer ......
>>
>> I do:
>>
>> $ ipa dnsrecord-find 5.10.in-addr.arpa
>>   Record name: @
>>   NS record: rider.private.dom., swir.private.dom., work5.private.dom.
>>
>>   Record name: 19.10
>>   PTR record: work1.private.dom.
>>
>>   Record name: 23.10
>>   PTR record: work5.private.dom.
>>
>>   Record name: 100.6
>>   PTR record: rider.private.dom.
>>
>>   Record name: 17.6
>>   PTR record: dzien.private.dom.
>>
>>   Record name: 32.6
>>   PTR record: swir.private.dom.
>> ----------------------------
>> Number of entries returned 6
>>
>>
>> dig also find these records.
>>
>> this is probably why replica fails with:
>>
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR Unable to resolve
>> the IP address 10.5.6.100 to a host name, check /etc/hosts and DNS name
>> resolution
>>
>> must be something trivial?
> Likely :-) It could have multiple reasons.
> E.g. DNS delegation from parent domain could be broken which could cause this etc.
>
> Please try commands
> $ dig -x PTR
>
> and
>
> $ dig -x SOA
>
> and post their output, preferably without redacting it because the attempt to
> hide real names often hides the root cause. I will have a look.
>
hi Petr

I have to redact, but I do it programmatically.
I think it happened after the addition of the second (last) replica; I initially installed the server with 5.10.in-addr.arpa.

Now I do:

$ ipa dnszone-find
  Zone name: 5.10.in-addr.arpa.
  Active zone: TRUE
  Authoritative nameserver: rider.private.dom.
  Administrator e-mail address: hostmaster.private.dom.
  SOA serial: 1464884896
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Allow query: any;
  Allow transfer: none;

  Zone name: 10.5.10.in-addr.arpa.
  Active zone: TRUE
  Authoritative nameserver: work5.private.dom.
  Administrator e-mail address: hostmaster.private.dom.
  SOA serial: 1464489313
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Allow query: any;
  Allow transfer: none;

  Zone name: 6.5.10.in-addr.arpa.
  Active zone: TRUE
  Authoritative nameserver: swir.private.dom.
  Administrator e-mail address: hostmaster.private.dom.
  SOA serial: 1464880660
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Allow query: any;
  Allow transfer: none;

  Zone name: private.dom.
  Active zone: TRUE
  Authoritative nameserver: rider.private.dom.
  Administrator e-mail address: hostmaster.private.dom.
  SOA serial: 1464884764
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Allow query: any;
  Allow transfer: none;
----------------------------
Number of entries returned 4
----------------------------

and I dug for "any" type of record and misread it; there is no PTR record returned. I could not get how delegation can be involved here. It's IPA's (rider is the first server) own 5.10.in-addr.arpa. And rider sees 10.5.6.32, 10.5.6.17 etc. but not its own record, which according to:

$ ipa dnsrecord-find 5.10.in-addr.arpa

exists:

  Record name: 100.6
  PTR record: rider.private.dom.

$ dig -x 10.5.6.100 +qr soa

;; QUESTION SECTION:
;100.6.5.10.in-addr.arpa.    IN    SOA

;; AUTHORITY SECTION:
6.5.10.in-addr.arpa.    0    IN    SOA    rider.private.dom. hostmaster.private.dom. 1464880660 3600 900 1209600 3600

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096

$ dig -x 10.5.6.100 +qr ptr

;; QUESTION SECTION:
;100.6.5.10.in-addr.arpa.    IN    PTR

;; AUTHORITY SECTION:
6.5.10.in-addr.arpa.    3600    IN    SOA    rider.private.dom. hostmaster.private.dom. 1464880660 3600 900 1209600 3600

;; Query time: 1 msec

From peljasz at yahoo.co.uk Fri Jun 3 08:33:54 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Fri, 3 Jun 2016 09:33:54 +0100
Subject: [Freeipa-users] IPA's own ptr record - unresolvable ?
In-Reply-To: <2edfd726-e26a-6878-b968-bfef0bb14e39@redhat.com>
References: <7975dacd-f378-98d5-e770-df595e672996@yahoo.co.uk> <2edfd726-e26a-6878-b968-bfef0bb14e39@redhat.com>
Message-ID: <56dbad4a-4d6a-ef35-fd23-9eaaddda2885@yahoo.co.uk>

On 03/06/16 08:06, Petr Spacek wrote:
> On 2.6.2016 18:30, lejeczek wrote:
>> hi users,
>>
>> I do (all on IPA server)
>>
>> $ host 10.5.6.100
>> Host 100.6.5.10.in-addr.arpa. not found: 3(NXDOMAIN)
>>
>> I do:
>>
>> $ host 10.5.6.17
>> 17.6.5.10.in-addr.arpa domain name pointer ......
>>
>> I do:
>>
>> $ ipa dnsrecord-find 5.10.in-addr.arpa
>>   Record name: @
>>   NS record: rider.private.dom., swir.private.dom., work5.private.dom.
>>
>>   Record name: 19.10
>>   PTR record: work1.private.dom.
>>
>>   Record name: 23.10
>>   PTR record: work5.private.dom.
>>
>>   Record name: 100.6
>>   PTR record: rider.private.dom.
>>
>>   Record name: 17.6
>>   PTR record: dzien.private.dom.
>>
>>   Record name: 32.6
>>   PTR record: swir.private.dom.
>> ----------------------------
>> Number of entries returned 6
>>
>>
>> dig also find these records.
>>
>> this is probably why replica fails with:
>>
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR Unable to resolve
>> the IP address 10.5.6.100 to a host name, check /etc/hosts and DNS name
>> resolution
>>
>> must be something trivial?
> Likely :-) It could have multiple reasons.
> E.g. DNS delegation from parent domain could be broken which could cause this etc.
>
> Please try commands
> $ dig -x PTR
>
> and
>
> $ dig -x SOA
>
> and post their output, preferably without redacting it because the attempt to
> hide real names often hides the root cause. I will have a look.

I see, later after the first server installation IPA (itself) created:
6.5.10.in-addr.arpa. and that was where the PTR record was missing.
Is this one of the test cases where it breaks? If one uses 5.10.in-addr.arpa class for the reverse zone? Is this against any standard?

many thanks Petr

From pspacek at redhat.com Fri Jun 3 09:09:32 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 3 Jun 2016 11:09:32 +0200
Subject: [Freeipa-users] IPA's own ptr record - unresolvable ?
In-Reply-To: <56dbad4a-4d6a-ef35-fd23-9eaaddda2885@yahoo.co.uk>
References: <7975dacd-f378-98d5-e770-df595e672996@yahoo.co.uk> <2edfd726-e26a-6878-b968-bfef0bb14e39@redhat.com> <56dbad4a-4d6a-ef35-fd23-9eaaddda2885@yahoo.co.uk>
Message-ID:

On 3.6.2016 10:33, lejeczek wrote:
>
>
> On 03/06/16 08:06, Petr Spacek wrote:
>> On 2.6.2016 18:30, lejeczek wrote:
>>> hi users,
>>>
>>> I do (all on IPA server)
>>>
>>> $ host 10.5.6.100
>>> Host 100.6.5.10.in-addr.arpa. not found: 3(NXDOMAIN)
>>>
>>> I do:
>>>
>>> $ host 10.5.6.17
>>> 17.6.5.10.in-addr.arpa domain name pointer ......
>>>
>>> I do:
>>>
>>> $ ipa dnsrecord-find 5.10.in-addr.arpa
>>>   Record name: @
>>>   NS record: rider.private.dom., swir.private.dom., work5.private.dom.
>>>
>>>   Record name: 19.10
>>>   PTR record: work1.private.dom.
>>>
>>>   Record name: 23.10
>>>   PTR record: work5.private.dom.
>>>
>>>   Record name: 100.6
>>>   PTR record: rider.private.dom.
>>>
>>>   Record name: 17.6
>>>   PTR record: dzien.private.dom.
>>>
>>>   Record name: 32.6
>>>   PTR record: swir.private.dom.
>>> ----------------------------
>>> Number of entries returned 6
>>>
>>>
>>> dig also find these records.
>>>
>>> this is probably why replica fails with:
>>>
>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR Unable to resolve
>>> the IP address 10.5.6.100 to a host name, check /etc/hosts and DNS name
>>> resolution
>>>
>>> must be something trivial?
>> Likely :-) It could have multiple reasons.
>> E.g. DNS delegation from parent domain could be broken which could cause
>> this etc.
>>
>> Please try commands
>> $ dig -x PTR
>>
>> and
>>
>> $ dig -x SOA
>>
>> and post their output, preferably without redacting it because the attempt to
>> hide real names often hides the root cause. I will have a look.
> I see, later after the first server installation IPA (itself) created:
> 6.5.10.in-addr.arpa. and that was where the PTR record was missing.
> Is this one of the test cases where it breaks? If one uses 5.10.in-addr.arpa class
> for the reverse zone?
Is this against any standard?

Feel free to delete IPA-created zone 6.5.10.in-addr.arpa. and put PTR record into your own zone 5.10.in-addr.arpa.

FreeIPA installer is buggy in this aspect. It should be fixed in one of next releases as part of External DNS integration. Please be so kind and open a ticket https://fedorahosted.org/freeipa/newticket and describe your problem in there so we do not forget to cover this case.

Thank you for your time!

-- 
Petr^2 Spacek

From seli.irithyl at gmail.com Fri Jun 3 09:11:30 2016
From: seli.irithyl at gmail.com (seli irithyl)
Date: Fri, 3 Jun 2016 11:11:30 +0200
Subject: [Freeipa-users] Unable to access to web ui
In-Reply-To:
References: <025e4e9e-c387-697a-0cae-94c957d3187e@redhat.com> <576cb80c-a91b-f6e4-f534-ce659afe1df6@redhat.com>
Message-ID:

Sorry Martin,
I rebooted the IdM server:
[root at lead sssd]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

I checked DNS and it is ok

I can log in from any host.

Unfortunately when trying to run any ipa command:
[root at lead ~]# ipa service-find lead.bioinf.local
ipa: ERROR: cert validation failed for "E=root at lead.bioinf.local,CN=lead.bioinf.local,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--" ((SEC_ERROR_CA_CERT_INVALID) Issuer certificate is invalid.)
ipa: ERROR: cannot connect to 'https://lead.bioinf.local/ipa/json': (SEC_ERROR_CA_CERT_INVALID) Issuer certificate is invalid.

Does anybody have an idea on where and what to check next?
Thx,

Seli

On Tue, May 31, 2016 at 8:33 AM, Martin Kosek wrote:
> Hello Seli,
>
> Please reply to mailing list directly so that others can benefit from the thread as well.
>
> Thanks,
> Martin
>
> On 05/30/2016 06:17 PM, seli irithyl wrote:
> > Freeipa version : 4.2.0-15.0.1.el7.centos.6.1
> > FF: 45.1.1
> > Could this problem be related to mod_ssl and mod_nss for httpd ?
> > Looking the logs, it seems there are lots of problems, here are some parts that look strange to me (and are probably unrelated) :
> >
> > 1 sssd:
> >
> > 1.1 krb5_child.log
> > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [unpack_buffer] (0x0100): cmd [249] uid [1713400053] gid [1713400053] validate [true] enterprise principal [false] offline [false] UPN [koto at BIOINF.LOCAL]
> > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/lead.bioinf.local at BIOINF.LOCAL]
> > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
> > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [become_user] (0x0200): Trying to become user [1713400053][1713400053].
> > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [set_lifetime_options] (0x0100): SSSD_KRB5_RENEWABLE_LIFETIME is set to [7d]
> > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [set_lifetime_options] (0x0100): SSSD_KRB5_LIFETIME is set to [1d]
> > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
> > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [k5c_send_data] (0x0200): Received error code 0
> >
> > 1.2 sssd_bioinf.local.log
> > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [check_ccache_files] (0x0200): Failed to check ccache file [KEYRING:persistent:1713400031].
> > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [check_ccache_files] (0x0200): Failed to check ccache file [KEYRING:persistent:1713400053].
> > ...
> > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [check_and_export_options] (0x0100): No KDC explicitly configured, using defaults.
> > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [check_and_export_options] (0x0100): No kpasswd server explicitly configured, using the KDC or defaults.
> > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [parse_krb5_map_user] (0x0200): Warning: krb5_map_user is empty!
> > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [load_backend_module] (0x0200): no module name found in confdb, using [ipa].
> > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [common_parse_search_base] (0x0100): Search base added: [SUDO][ou=SUDOers,dc=bioinf,dc=local][SUBTREE][]
> > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [check_ipv4_addr] (0x0200): Loopback IPv4 address 127.0.0.1
> > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [check_ipv6_addr] (0x0200): Loopback IPv6 address ::1
> > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [load_backend_module] (0x0200): no module name found in confdb, using [ipa].
> > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][cn=default,cn=automount,dc=bioinf,dc=local][SUBTREE][]
> > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [load_backend_module] (0x0200): no module name found in confdb, using [ipa].
> > ...
> > (Mon May 30 17:16:11 2016) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > (Mon May 30 17:16:11 2016) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > (Mon May 30 17:16:11 2016) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > ...
> > (Mon May 30 17:16:11 2016) [sssd[be[bioinf.local]]] [sdap_process_group_send] (0x0040): No Members. Done!
> > (Mon May 30 17:16:11 2016) [sssd[be[bioinf.local]]] [sdap_process_group_send] (0x0040): No Members. Done!
> > (Mon May 30 17:16:11 2016) [sssd[be[bioinf.local]]] [sdap_process_group_send] (0x0040): No Members. Done!
> > ...
> >
> > 1.3 sssd_nss.log
> > (Mon May 30 17:18:07 2016) [sssd[nss]] [calc_flat_name] (0x0080): Flat name requested but domain has noflat name set, falling back to domain name
> > (Mon May 30 17:20:01 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
> > (Mon May 30 17:20:01 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
> > (Mon May 30 17:20:01 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
> > (Mon May 30 17:20:01 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
> > (Mon May 30 17:20:01 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
> > (Mon May 30 17:20:01 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [root] from []
> > (Mon May 30 17:20:01 2016) [sssd[nss]] [nss_cmd_initgroups_search] (0x0080): No matching domain found for [root], fail!
> > (Mon May 30 17:20:01 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
> > (Mon May 30 17:20:01 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [root] from []
> > (Mon May 30 17:20:01 2016) [sssd[nss]] [nss_cmd_initgroups_search] (0x0080): No matching domain found for [root], fail!
> > (Mon May 30 17:20:01 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
> > (Mon May 30 17:20:01 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
> >
> > 2 pki : catalina.2016-05-30.log
> > May 30, 2016 2:18:10 PM org.apache.coyote.AbstractProtocol init
> > SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-8443"]
> > java.net.BindException: Could not bind to address: (-5982) Local Network address is in use. :8443
> >         at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:411)
> >         at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
> >         at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
> >         at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
> >         at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
> >         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> >         at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
> >         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> >         at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813)
> >         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> >         at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
> >         at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
> >         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >         at java.lang.reflect.Method.invoke(Method.java:497)
> >         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
> >         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
> > Caused by: java.net.BindException: Could not bind to address: (-5982) Local Network address is in use.
> >         at org.mozilla.jss.ssl.SocketBase.socketBind(Native Method)
> >         at org.mozilla.jss.ssl.SSLServerSocket.(SSLServerSocket.java:159)
> >         at org.apache.tomcat.util.net.jss.JSSSocketFactory.createSocket(JSSSocketFactory.java:937)
> >         at org.apache.tomcat.util.net.jss.JSSSocketFactory.createSocket(JSSSocketFactory.java:929)
> >         at org.apache.tomcat.util.net.jss.JSSSocketFactory.createSocket(JSSSocketFactory.java:924)
> >         at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:398)
> >         ... 17 more
> > May 30, 2016 2:18:10 PM org.apache.catalina.core.StandardService initInternal
> > SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
> > org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
> >         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
> >         at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
> >         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> >         at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813)
> >         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> >         at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
> >         at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
> >         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >         at java.lang.reflect.Method.invoke(Method.java:497)
> >         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
> >         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
> > Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
> >         at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
> >         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> >         ... 12 more
> > Caused by: java.net.BindException: Could not bind to address: (-5982) Local Network address is in use. :8443
> >         at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:411)
> >         at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
> >         at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
> >         at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
> >         at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
> >         ... 13 more
> > Caused by: java.net.BindException: Could not bind to address: (-5982) Local Network address is in use.
> >         at org.mozilla.jss.ssl.SocketBase.socketBind(Native Method)
> >         at org.mozilla.jss.ssl.SSLServerSocket.(SSLServerSocket.java:159)
> >         at org.apache.tomcat.util.net.jss.JSSSocketFactory.createSocket(JSSSocketFactory.java:937)
> >         at org.apache.tomcat.util.net.jss.JSSSocketFactory.createSocket(JSSSocketFactory.java:929)
> >         at org.apache.tomcat.util.net.jss.JSSSocketFactory.createSocket(JSSSocketFactory.java:924)
> >         at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:398)
> >         ... 17 more
> >
> > 3. dirsrv
> > [26/May/2016:12:14:10 +0200] - WARNING: userRoot: entry cache size 512000B is less than db size 1163264B; We recommend to increase the entry cache size nsslapd-cachememsize.
> > [26/May/2016:12:14:10 +0200] - WARNING: ipaca: entry cache size 512000B is less than db size 1015808B; We recommend to increase the entry cache size nsslapd-cachememsize.
> > [26/May/2016:12:14:10 +0200] - WARNING: changelog: entry cache size 512000B is less than db size 10100736B; We recommend to increase the entry cache size nsslapd-cachememsize.
> > [26/May/2016:12:14:10 +0200] schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=dns,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=dns,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=keys,cn=sec,cn=dns,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=dns,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=dns,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target ou=sudoers,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=users,cn=compat,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=bioinf,dc=local does not exist
> > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
> > [26/May/2016:12:14:10 +0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=bioinf,dc=local--no CoS Templates found, which should be added before the CoS Definition.
> > [26/May/2016:12:14:10 +0200] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
> > [26/May/2016:12:14:10 +0200] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
> > [26/May/2016:12:14:10 +0200] - Listening on All Interfaces port 636 for LDAPS requests
> > [26/May/2016:12:14:10 +0200] - Listening on /var/run/slapd-BIOINF-LOCAL.socket for LDAPI requests
> > [26/May/2016:12:14:15 +0200] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=bioinf,dc=local
> > [26/May/2016:12:14:15 +0200] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=bioinf,dc=local
> > [26/May/2016:12:14:15 +0200] schema-compat-plugin - Finished plugin initialization.
> >
> >
> > On Mon, May 30, 2016 at 4:46 PM, Martin Kosek wrote:
> >
> >     On 05/30/2016 04:36 PM, Martin Basti wrote:
> >     >
> >     >
> >     > On 30.05.2016 14:20, seli irithyl wrote:
> >     >> Hi,
> >     >>
> >     >> Since last update, I'm unable to log in to web ui with FF (e.g. blank page)
> >     >> Any idea where to look for?
> >     >>
> >     >> Best regards,
> >     >>
> >     >> Seli
> >     >>
> >     > Hello,
> >     >
> >     > can you provide version of the freeIPA, firefox. Does it work from different browser? does it work from private mode?
> >
> >     + does [CTRL]+F5 help? Does advice in http://www.freeipa.org/page/Troubleshooting#Web_UI help?
> >
> >

From peljasz at yahoo.co.uk Fri Jun 3 09:38:30 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Fri, 3 Jun 2016 10:38:30 +0100
Subject: [Freeipa-users] replica +dns +ca -> ERROR Unable to retrieve CA chain
In-Reply-To: <5745A648.8020704@redhat.com>
References: <9c909796-257c-0caa-0c76-5c2c8cf31d80@yahoo.co.uk> <5745A648.8020704@redhat.com>
Message-ID:

On 25/05/16 14:19, Rob Crittenden wrote:
> lejeczek wrote:
>> hi there,
>>
>> I'm trying to set up a replica with: --setup-dns --no-forwarders --setup-ca
>>
>> installer fails at:
>>
>>   [10/23]: importing CA chain to RA certificate database
>>   [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> more from log:
>>
>> 2016-05-25T12:38:31Z DEBUG   [10/23]: importing CA chain to RA certificate database
>> 2016-05-25T12:38:31Z DEBUG Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
>>     method()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1015, in __import_ca_chain
>>     chain = self.__get_ca_chain()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 997, in __get_ca_chain
>>     raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
>> RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
>>
>> 2016-05-25T12:38:31Z DEBUG   [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
>> 2016-05-25T12:38:31Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>
>> what might be the problem?
>
> It is failing getting the CA chain from dogtag. It uses port 8080 by default. I'd check your firewall and that the remote CA is up.
>
is 8080 needed only @installation time or all the time?
many thanks,
L

> I'm surprised the port checker didn't discover this if it is a firewall issue and that would be a bug (either the port not being checked or not using the proxy).
>
> rob

From kay.y.zhou at ericsson.com Fri Jun 3 10:02:38 2016
From: kay.y.zhou at ericsson.com (Kay Zhou Y)
Date: Fri, 3 Jun 2016 10:02:38 +0000
Subject: [Freeipa-users] IPA 2.2 Certificate Renewal issue
In-Reply-To: <5750A64D.7090807@redhat.com>
References: <57486A9E.2050909@redhat.com> <574DA955.2030004@redhat.com> <574E5CD4.1020108@redhat.com> <574EF307.3090301@redhat.com> <5750A64D.7090807@redhat.com>
Message-ID:

Hi Rob,

Actually the certmonger service has failed after I restarted it, but without it being active the two 389-ds and apache certs could be renewed as well.. it's weird..

root at ecnshlx3039-test2(SH):~ #systemctl status certmonger
certmonger.service - Certificate monitoring and PKI enrollment
          Loaded: loaded (/usr/lib/systemd/system/certmonger.service; disabled)
          Active: failed (Result: exit-code) since Mon, 23 Jun 2014 00:31:11 +0200; 5s ago
         Process: 2198 ExecStart=/usr/sbin/certmonger -S -p /var/run/certmonger.pid -n $OPTS (code=exited, status=1/FAILURE)
          CGroup: name=systemd:/system/certmonger.service

Jun 23 00:31:11 ecnshlx3039-test2.sh.cn.ao.ericsson.se certmonger[2198]: 2014-06-23 00:31:11 [2198] Unable to set well-known bus name "org.fedorahosted.certmonger": (2).
Jun 23 00:31:11 ecnshlx3039-test2.sh.cn.ao.ericsson.se certmonger[2198]: Error connecting to D-Bus.

I have already renewed the two 389-ds and apache certs to 20160622; however, since there is not enough time for us before expiration, we try to seek other workarounds, and one solution for us is to disable the expired certificate according to https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/troubleshooting-servers-and-replicas.html#expired-certs

After test, it could work, but IPA command could not be used. But it seems we can still get data from LDAP.

Is there any other way we could use to disable such expired certs without impact from your side?
Thanks for your great support again :)

BR//Kay

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Friday, June 03, 2016 5:34 AM
To: Kay Zhou Y; freeipa-users at redhat.com
Cc: Doris Hongmei; Xionglin Gu
Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue

Kay Zhou Y wrote:
> Hi Rob,
>
> We are using fedora 17.
> And as you said, when I roll back time to when the CA subsystem and ipaCert are valid, then restart ipactl, "pki-cad at pki-ca.service" is active as normal.
> But these five certs could not be renewed as before. (actually I always restart ipa world after I roll back time, this "pki-cad at pki-ca.service" should be active but I just ignored it before... )

With the time rolled back what I'd do is restart certmonger then run in a loop with a 1 second sleep ipa-getcert list and ensure that the statuses are changing to SUBMITTING, etc., and see what the final state is.

certmonger logs to syslog so that might give some clues what is happening, and you can watch the dogtag logs to ensure the requests are being received, etc.

rob

>
> Thanks,
> BR//Kay
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Wednesday, June 01, 2016 10:37 PM
> To: Kay Zhou Y; freeipa-users at redhat.com
> Cc: Doris Hongmei; Xionglin Gu
> Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue
>
> Kay Zhou Y wrote:
>> Hi Rob,
>>
>> 1. I have made snapshots for this system for test, so NSS databases have been backed up.
>>
>> 2. For the pki-cad service, I can't find it in my system, it shows there is no such service.
>> but there is one service failed as below:
>>
>> root at ecnshlx3039-test2(SH):requests #systemctl status pki-cad at pki-ca.service
>> pki-cad at pki-ca.service - PKI Certificate Authority Server pki-ca
>>           Loaded: loaded (/lib/systemd/system/pki-cad at .service; enabled)
>>           Active: failed (Result: exit-code) since Wed, 01 Jun 2016 06:28:53 +0200; 23min ago
>>          Process: 2675 ExecStop=/usr/bin/pkicontrol stop ca %i (code=exited, status=1/FAILURE)
>>          Process: 2525 ExecStart=/usr/bin/pkicontrol start ca %i (code=exited, status=0/SUCCESS)
>>         Main PID: 2593 (code=exited, status=0/SUCCESS)
>>           CGroup: name=systemd:/system/pki-cad at .service/pki-ca
>>
>> Jun 01 06:28:49 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2549]: pam_unix(runuser-l:session): session opened for user pkius...d=0)
>> Jun 01 06:28:49 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2549]: pam_unix(runuser-l:session): session closed for user pkiuser
>> Jun 01 06:28:52 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2694]: pam_unix(runuser-l:session): session opened for user pkius...d=0)
>> Jun 01 06:28:53 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2694]: pam_unix(runuser-l:session): session closed for user pkiuser
>>
>> I can't start it normally, even the log just said:
>> Jun 1 06:54:39 ecnshlx3039-test2 systemd[1]: pki-cad at pki-ca.service: control process exited, code=exited status=1
>> Jun 1 06:54:39 ecnshlx3039-test2 systemd[1]: Unit pki-cad at pki-ca.service entered failed state.
>>
>> I will google more to try to start it firstly.
>
> Ok, this is very confusing to me. What distribution are you running? I have the feeling you are running an extremely outdated version of Fedora.
>
> Yes, you need the CA up in order to get the certificates renewed. Look at catalina.out, the log "debug" and the selftests log for clues on why it won't start. You also need the PKI-IPA 389-ds instance running.
>
> And I guess you were just showing me the service name and such, but of course it won't start today with expired certs.
>
>>
>> 3. About the source of the output for getcert list:
>>
>> root at ecnshlx3039-test2(SH):requests #ll
>> total 64
>> -rw-------. 1 root root 5698 Jun  1 06:06 20120704140859
>> -rw-------. 1 root root 5695 Jun  1 06:06 20120704140922
>> -rw-------. 1 root root 5654 Jun  1 06:06 20120704141150
>> -rw-------. 1 root root 5107 Jun  1 06:39 20140605220249
>> -rw-------. 1 root root 4982 Jun  1 06:39 20160601043748
>> -rw-------. 1 root root 5144 Jun  1 06:39 20160601043749
>> -rw-------. 1 root root 5186 Jun  1 06:39 20160601043750
>> -rw-------. 1 root root 5126 Jun  1 06:39 20160601043751
>> root at ecnshlx3039-test2(SH):requests #
>> root at ecnshlx3039-test2(SH):requests #grep post_certsave_command *
>> 20120704140859:post_certsave_command=/usr/lib64/ipa/certmonger/restart_dirsrv DRUTT-COM
>> 20120704141150:post_certsave_command=/usr/lib64/ipa/certmonger/restart_httpd
>> root at ecnshlx3039-test2(SH):requests #grep pre_certsave_command *
>> root at ecnshlx3039-test2(SH):requests #
>>
>> there are just two statements.
>
> Ok, that is fine then I think.
>
> rob
>

From pvoborni at redhat.com Fri Jun 3 11:15:30 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 3 Jun 2016 13:15:30 +0200
Subject: [Freeipa-users] Unable to access to web ui
In-Reply-To:
References: <025e4e9e-c387-697a-0cae-94c957d3187e@redhat.com> <576cb80c-a91b-f6e4-f534-ce659afe1df6@redhat.com>
Message-ID: <92dac203-1494-463b-de50-16d3e15ea3de@redhat.com>

On 06/03/2016 11:11 AM, seli irithyl wrote:
> Sorry Martin,
> I rebooted the IdM server:
> [root at lead sssd]# ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
> I checked DNS and it is ok
>
> I can log in from any host.
>
> Unfortunately when trying to run any ipa command:
> [root at lead ~]# ipa service-find lead.bioinf.local
> ipa: ERROR: cert validation failed for "E=root at lead.bioinf.local,CN=lead.bioinf.local,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--" ((SEC_ERROR_CA_CERT_INVALID) Issuer certificate is invalid.)
> ipa: ERROR: cannot connect to 'https://lead.bioinf.local/ipa/json': (SEC_ERROR_CA_CERT_INVALID) Issuer certificate is invalid.
>
> Does anybody have an idea on where and what to check next?
> Thx,
>
> Seli
>

does # getcert list show any expired certificate? Do you use IPA with externally signed CA cert? Are they valid?

>
>
> On Tue, May 31, 2016 at 8:33 AM, Martin Kosek wrote:
>
>     Hello Seli,
>
>     Please reply to mailing list directly so that others can benefit from the thread as well.
>
>     Thanks,
>     Martin
>
>     On 05/30/2016 06:17 PM, seli irithyl wrote:
>     > Freeipa version : 4.2.0-15.0.1.el7.centos.6.1
>     > FF: 45.1.1
>     > Could this problem be related to mod_ssl and mod_nss for httpd ?
>     > Looking the logs, it seems there are lots of problems, here are some parts that look strange to me (and are probably unrelated) :
>     >
>     > 1 sssd:
>     >
>     > 1.1 krb5_child.log
>     > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [unpack_buffer] (0x0100): cmd [249] uid [1713400053] gid [1713400053] validate [true] enterprise principal [false] offline [false] UPN [koto at BIOINF.LOCAL]
>     > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/lead.bioinf.local at BIOINF.LOCAL]
>     > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
>     > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [become_user] (0x0200): Trying to become user [1713400053][1713400053].
>     > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [set_lifetime_options] (0x0100): SSSD_KRB5_RENEWABLE_LIFETIME is set to [7d]
>     > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [set_lifetime_options] (0x0100): SSSD_KRB5_LIFETIME is set to [1d]
>     > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
>     > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
>     > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [k5c_send_data] (0x0200): Received error code 0
>     >
>     > 1.2 sssd_bioinf.local.log
>     > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [check_ccache_files] (0x0200): Failed to check ccache file [KEYRING:persistent:1713400031].
>     > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [check_ccache_files] (0x0200): Failed to check ccache file [KEYRING:persistent:1713400053].
>     > ...
>     > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [check_and_export_options] (0x0100): No KDC explicitly configured, using defaults.
>     > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [check_and_export_options] (0x0100): No kpasswd server explicitly configured, using the KDC or defaults.
>     > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [parse_krb5_map_user] (0x0200): Warning: krb5_map_user is empty!
>     > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [load_backend_module] (0x0200): no module name found in confdb, using [ipa].
>     > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [common_parse_search_base] (0x0100): Search base added: [SUDO][ou=SUDOers,dc=bioinf,dc=local][SUBTREE][]
>     > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [check_ipv4_addr] (0x0200): Loopback IPv4 address 127.0.0.1
>     > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [check_ipv6_addr] (0x0200): Loopback IPv6 address ::1
>     > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [load_backend_module] (0x0200): no module name found in confdb, using [ipa].
>     > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][cn=default,cn=automount,dc=bioinf,dc=local][SUBTREE][]
>     > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [load_backend_module] (0x0200): no module name found in confdb, using [ipa].
>     > ...
>     > (Mon May 30 17:16:11 2016) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
>     > (Mon May 30 17:16:11 2016) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
>     > (Mon May 30 17:16:11 2016) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
>     > ...
>     > (Mon May 30 17:16:11 2016) [sssd[be[bioinf.local]]] [sdap_process_group_send] (0x0040): No Members. Done!
> > (Mon May 30 17:16:11 2016) [sssd[be[bioinf.local]]] > > [sdap_process_group_send] (0x0040): No Members. Done! > > (Mon May 30 17:16:11 2016) [sssd[be[bioinf.local]]] > > [sdap_process_group_send] (0x0040): No Members. Done! > > ... > > 1.3 sssd_nss.log > > (Mon May 30 17:18:07 2016) [sssd[nss]] [calc_flat_name] > (0x0080): Flat > > name requested but domain has noflat name set, falling back to domain name > > (Mon May 30 17:20:01 2016) [sssd[nss]] [sss_cmd_get_version] > (0x0200): > > Received client version [1]. > > (Mon May 30 17:20:01 2016) [sssd[nss]] [sss_cmd_get_version] > (0x0200): > > Offered version [1]. > > (Mon May 30 17:20:01 2016) [sssd[nss]] [sss_cmd_get_version] > (0x0200): > > Received client version [1]. > > (Mon May 30 17:20:01 2016) [sssd[nss]] [sss_cmd_get_version] > (0x0200): > > Offered version [1]. > > (Mon May 30 17:20:01 2016) [sssd[nss]] [sss_parse_name_for_domains] > > (0x0200): name 'root' matched without domain, user is root > > (Mon May 30 17:20:01 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): > > Requesting info for [root] from [] > > (Mon May 30 17:20:01 2016) [sssd[nss]] [nss_cmd_initgroups_search] > > (0x0080): No matching domain found for [root], fail! > > (Mon May 30 17:20:01 2016) [sssd[nss]] [sss_parse_name_for_domains] > > (0x0200): name 'root' matched without domain, user is root > > (Mon May 30 17:20:01 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): > > Requesting info for [root] from [] > > (Mon May 30 17:20:01 2016) [sssd[nss]] [nss_cmd_initgroups_search] > > (0x0080): No matching domain found for [root], fail! > > (Mon May 30 17:20:01 2016) [sssd[nss]] [client_recv] (0x0200): > Client > > disconnected! > > (Mon May 30 17:20:01 2016) [sssd[nss]] [client_recv] (0x0200): > Client > > disconnected! 
> > > > 2 pki : catalina.2016-05-30.log > > May 30, 2016 2:18:10 PM org.apache.coyote.AbstractProtocol init > > SEVERE: Failed to initialize end point associated with ProtocolHandler > > ["http-bio-8443"] > > java.net.BindException: Could not bind to address: (-5982) Local Network > > address is in use. :8443 > > at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:411) > > at > > org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640) > > at > org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434) > > at > > > org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119) > > at > org.apache.catalina.connector.Connector.initInternal(Connector.java:978) > > at > org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) > > at > > > org.apache.catalina.core.StandardService.initInternal(StandardService.java:559) > > at > org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) > > at > > org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813) > > at > org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) > > at org.apache.catalina.startup.Catalina.load(Catalina.java:638) > > at org.apache.catalina.startup.Catalina.load(Catalina.java:663) > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > at > > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > > at > > > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > > at java.lang.reflect.Method.invoke(Method.java:497) > > at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280) > > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454) > > Caused by: java.net.BindException: Could not bind to address: > (-5982) Local > > Network address is in use. 
> > at org.mozilla.jss.ssl.SocketBase.socketBind(Native Method) > > at > org.mozilla.jss.ssl.SSLServerSocket.(SSLServerSocket.java:159) > > at > > > org.apache.tomcat.util.net.jss.JSSSocketFactory.createSocket(JSSSocketFactory.java:937) > > at > > > org.apache.tomcat.util.net.jss.JSSSocketFactory.createSocket(JSSSocketFactory.java:929) > > at > > > org.apache.tomcat.util.net.jss.JSSSocketFactory.createSocket(JSSSocketFactory.java:924) > > at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:398) > > ... 17 more > > May 30, 2016 2:18:10 PM org.apache.catalina.core.StandardService > initInternal > > SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]] > > org.apache.catalina.LifecycleException: Failed to initialize component > > [Connector[HTTP/1.1-8443]] > > at > org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106) > > at > > > org.apache.catalina.core.StandardService.initInternal(StandardService.java:559) > > at > org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) > > at > > org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813) > > at > org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) > > at org.apache.catalina.startup.Catalina.load(Catalina.java:638) > > at org.apache.catalina.startup.Catalina.load(Catalina.java:663) > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > at > > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > > at > > > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > > at java.lang.reflect.Method.invoke(Method.java:497) > > at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280) > > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454) > > Caused by: org.apache.catalina.LifecycleException: Protocol handler > > initialization failed > > at > org.apache.catalina.connector.Connector.initInternal(Connector.java:980) > > at > 
org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) > > ... 12 more > > Caused by: java.net.BindException: Could not bind to address: > (-5982) Local > > Network address is in use. :8443 > > at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:411) > > at > > org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640) > > at > org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434) > > at > > > org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119) > > at > org.apache.catalina.connector.Connector.initInternal(Connector.java:978) > > ... 13 more > > Caused by: java.net.BindException: Could not bind to address: > (-5982) Local > > Network address is in use. > > at org.mozilla.jss.ssl.SocketBase.socketBind(Native Method) > > at > org.mozilla.jss.ssl.SSLServerSocket.(SSLServerSocket.java:159) > > at > > > org.apache.tomcat.util.net.jss.JSSSocketFactory.createSocket(JSSSocketFactory.java:937) > > at > > > org.apache.tomcat.util.net.jss.JSSSocketFactory.createSocket(JSSSocketFactory.java:929) > > at > > > org.apache.tomcat.util.net.jss.JSSSocketFactory.createSocket(JSSSocketFactory.java:924) > > at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:398) > > ... 17 more > > > > 3. dirsrv > > [26/May/2016:12:14:10 +0200] - WARNING: userRoot: entry cache size > 512000B > > is less than db size 1163264B; We recommend to increase the entry cache size > > nsslapd-cachememsize. > > [26/May/2016:12:14:10 +0200] - WARNING: ipaca: entry cache size > 512000B is > > less than db size 1015808B; We recommend to increase the entry cache size > > nsslapd-cachememsize. > > [26/May/2016:12:14:10 +0200] - WARNING: changelog: entry cache size > 512000B > > is less than db size 10100736B; We recommend to increase the entry cache size > > nsslapd-cachememsize. 
> > [26/May/2016:12:14:10 +0200] schema-compat-plugin - scheduled > > schema-compat-plugin tree scan in about 5 seconds after the server startup! > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > cn=dns,dc=bioinf,dc=local does not exist > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > cn=dns,dc=bioinf,dc=local does not exist > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > cn=keys,cn=sec,cn=dns,dc=bioinf,dc=local does not exist > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > cn=dns,dc=bioinf,dc=local does not exist > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > cn=dns,dc=bioinf,dc=local does not exist > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > cn=groups,cn=compat,dc=bioinf,dc=local does not exist > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > cn=computers,cn=compat,dc=bioinf,dc=local does not exist > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > cn=ng,cn=compat,dc=bioinf,dc=local does not exist > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > ou=sudoers,dc=bioinf,dc=local does not exist > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > cn=users,cn=compat,dc=bioinf,dc=local does not exist > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > cn=vaults,cn=kra,dc=bioinf,dc=local does not exist > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > cn=vaults,cn=kra,dc=bioinf,dc=local does not exist > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > cn=vaults,cn=kra,dc=bioinf,dc=local does not exist > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > cn=vaults,cn=kra,dc=bioinf,dc=local does not exist > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > cn=vaults,cn=kra,dc=bioinf,dc=local does not exist > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > cn=vaults,cn=kra,dc=bioinf,dc=local does not exist > > 
[26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > cn=vaults,cn=kra,dc=bioinf,dc=local does not exist > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > cn=vaults,cn=kra,dc=bioinf,dc=local does not exist > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > cn=vaults,cn=kra,dc=bioinf,dc=local does not exist > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > cn=vaults,cn=kra,dc=bioinf,dc=local does not exist > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > cn=vaults,cn=kra,dc=bioinf,dc=local does not exist > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > cn=ad,cn=etc,dc=bioinf,dc=local does not exist > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > cn=casigningcert > > cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=bioinf,dc=local does not exist > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > cn=casigningcert > > cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=bioinf,dc=local does not exist > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target cn=automember > > rebuild membership,cn=tasks,cn=config does not exist > > [26/May/2016:12:14:10 +0200] - Skipping CoS Definition cn=Password > > Policy,cn=accounts,dc=bioinf,dc=local--no CoS Templates found, which > should be > > added before the CoS Definition. > > [26/May/2016:12:14:10 +0200] schema-compat-plugin - schema-compat-plugin > > tree scan will start in about 5 seconds! > > [26/May/2016:12:14:10 +0200] - slapd started. 
Listening on All > Interfaces > > port 389 for LDAP requests > > [26/May/2016:12:14:10 +0200] - Listening on All Interfaces port 636 for > > LDAPS requests > > [26/May/2016:12:14:10 +0200] - Listening on > > /var/run/slapd-BIOINF-LOCAL.socket for LDAPI requests > > [26/May/2016:12:14:15 +0200] schema-compat-plugin - warning: no > entries set > > up under ou=sudoers,dc=bioinf,dc=local > > [26/May/2016:12:14:15 +0200] schema-compat-plugin - warning: no > entries set > > up under cn=ng, cn=compat,dc=bioinf,dc=local > > [26/May/2016:12:14:15 +0200] schema-compat-plugin - Finished plugin > > initialization. > > > > > > On Mon, May 30, 2016 at 4:46 PM, Martin Kosek > > >> wrote: > > > > On 05/30/2016 04:36 PM, Martin Basti wrote: > > > > > > > > > On 30.05.2016 14:20, seli irithyl wrote: > > >> Hi, > > >> > > >> Since last update, I'am unable to log in to web ui with FF (e.g. > blank page) > > >> Any idea where too look for ? > > >> > > >> Best regards, > > >> > > >> Seli > > >> > > >> > > >> > > >> > > >> > > > Hello, > > > > > > can you provide version of the freeIPA, firefox. Does it work from > different > > > browser? does it work from private mode? > > > > + does [CTRL]+F5 helps? Do advise in > > http://www.freeipa.org/page/Troubleshooting#Web_UI > > help? 
> >
> >
> >
> >

-- 
Petr Vobornik

From bret.wortman at damascusgrp.com Fri Jun 3 11:36:53 2016
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Fri, 3 Jun 2016 07:36:53 -0400
Subject: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates
In-Reply-To:
References: <5750416E.3070408@damascusgrp.com> <5750A599.6020305@redhat.com> <09f4573d-d950-4947-bf06-f6168eabc4ad@Spark> <20160602222419.GH4744@dhcp-40-8.bne.redhat.com>
Message-ID: <57516BD5.2040700@damascusgrp.com>

So for our internal yum server, I created a new key and cert request (it had a localhost key and cert but I wanted to start clean):

# openssl genrsa 2048 > /etc/pki/tls/private/server.key
# openssl req -new -x509 -nodes -sha1 -days 365 -key /etc/pki/tls/private/server.key > /etc/pki/tls/certs/server.crt
# ipa-getcert request -f /etc/pki/tls/certs/server.crt -k /etc/pki/tls/private/server.key -r

ipa-getcert list shows it approved. I set up SSL in apache to use the above .key and .crt, but when I try to run yum against this using ssl:

# yum search ffmpeg
Loaded plugins: langpacks
https://yum.private.net/fedora/releases/21/Everything/x86_64/os/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."
:

Is there a step I need to take on the clients so they'll accept this cert as trusted? I thought having it be signed by the IPA CA would have taken care of that.

# ls -l /etc/ipa/ca.crt
-rw-r--r-- 1 root root 2546 Apr 28 2014 /etc/ipa/ca.crt
#

--
Bret

On 06/02/2016 07:25 PM, bret.wortman at damascusgrp.com wrote:
> Cool. I'll give this a go in the morning.
>
> Bret Wortman
> http://wrapbuddies.co/
>
> On Jun 2, 2016, 6:24 PM -0400, Fraser Tweedale , wrote:
>> On Thu, Jun 02, 2016 at 05:35:01PM -0400, bret.wortman at damascusgrp.com wrote:
>>> Sorry, let me back up a step. We need to implement https
>>> everywhere. All our web services. And clients need to get
>>> keys&certs automatically whether through IPA or Puppet. These
>>> systems use IPA for everything but authentication (to keep most
>>> users off). I'm trying to suss out the easiest way to make this
>>> happen smoothly.
>>>
>> Hi Bret,
>>
>> You can use the IPA CA to sign service certificates. See
>> http://www.freeipa.org/page/Certmonger#Request_a_new_certificate.
>>
>> IPA-enrolled machines already have the IPA certificate in their
>> trust store. If the clients are IPA-enrolled, everything should
>> Just Work, otherwise you can distribute the IPA CA certificate to
>> clients via Puppet** or whatever means you prefer.
>>
>> ** you will have to work out how, because I do not know Puppet :)
>>
>> Cheers,
>> Fraser
>>
>>> On Jun 2, 2016, 5:31 PM -0400, Rob Crittenden, wrote:
>>>> Bret Wortman wrote:
>>>>> Is it possible to use our freeipa CA as a trusted CA to sign our
>>>>> internal SSL certificates? Our system runs on a private network and so
>>>>> using the usual trusted sources isn't an option. We've been using
>>>>> self-signed, but that adds some additional complications and we thought
>>>>> this might be a good solution.
>>>>>
>>>>> Is it possible, and, since most online guides defer to "submit the CSR
>>>>> to Verisign" or whomever, how would you go about producing one in this way?
>>>>
>>>> Not sure I understand the question. The IPA CA is also self-signed. For
>>>> enrolled systems though at least the CA is pre-distributed so maybe that
>>>> will help.
>>>>
>>>> rob
>>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>
>
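The trust check behind the "issuer has been marked as not trusted" error above, as an added example that is not part of the thread (it is neither Bret's nor Fraser's nor FreeIPA's code). A throwaway CA stands in for the IPA CA; one leaf certificate is signed by it, the way certmonger obtains one from IPA, and one is produced with `openssl req -x509`, the way the first two commands in the post do, which makes it its own issuer. The script then performs the check curl and yum perform: does the leaf chain to the CA certificate, which on an enrolled client is /etc/ipa/ca.crt? All names in it (EXAMPLE.TEST, yum.example.test) are made up; the only real path it uses is /etc/ipa/ca.crt in the live-server helper.

```sh
#!/bin/sh
# Added example, not code from this thread or from FreeIPA: the trust check
# behind "Peer's certificate issuer has been marked as not trusted".  A
# throwaway CA stands in for the IPA CA; all names (EXAMPLE.TEST,
# yum.example.test) are made up.  Only /etc/ipa/ca.crt is a real path.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Private openssl config so the result does not depend on the system's
# openssl.cnf.  leaf_ext is roughly what a service certificate carries.
cat >"$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
O = EXAMPLE.TEST
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:yum.example.test
EOF

# Stand-in for the IPA CA (a real one is "CN=Certificate Authority,O=<REALM>").
make_demo_ca() {
    openssl req -x509 -config "$WORK/openssl.cnf" -extensions ca_ext \
        -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" \
        -newkey rsa:2048 -nodes -sha256 -days 2 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# CSR signed by the CA: the shape of what certmonger stores once an
# "ipa-getcert request" has been approved.
make_ca_signed_leaf() {
    openssl req -new -config "$WORK/openssl.cnf" \
        -subj "/O=EXAMPLE.TEST/CN=yum.example.test" \
        -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/good.key" -out "$WORK/good.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 1 -in "$WORK/good.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/openssl.cnf" -extensions leaf_ext \
        -out "$WORK/good.crt" >/dev/null 2>&1
}

# What "openssl req -new -x509" produces: a certificate that is its own
# issuer.  No CA file can vouch for it, whatever the client trusts.
make_self_signed_leaf() {
    openssl req -x509 -config "$WORK/openssl.cnf" -extensions leaf_ext \
        -subj "/O=EXAMPLE.TEST/CN=yum.example.test" \
        -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$WORK/self.key" -out "$WORK/self.crt" >/dev/null 2>&1
}

# Name check only: leaf issuer name == CA subject name?  Hashes make the
# comparison independent of how this openssl version prints a DN.
issued_by() {
    [ "$(openssl x509 -in "$1" -noout -issuer_hash)" = \
      "$(openssl x509 -in "$2" -noout -subject_hash)" ]
}

# The check a client really performs: does the signature chain to the CA
# file?  Prints yes or no.
chains_to_ca() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Against a live server (not run here): what Apache actually presents, judged
# with the CA certificate an enrolled client holds in /etc/ipa/ca.crt.
check_live_server() {
    s=$(openssl s_client -connect "$1:443" -servername "$1" \
        -CAfile /etc/ipa/ca.crt </dev/null 2>/dev/null)
    printf '%s\n' "$s" | openssl x509 -noout -subject -issuer
    printf '%s\n' "$s" | grep '^Verify return code'
}

make_demo_ca
make_ca_signed_leaf
make_self_signed_leaf
for c in good self; do
    if issued_by "$WORK/$c.crt" "$WORK/ca.crt"; then n=yes; else n=no; fi
    echo "$c.crt: issuer-name-matches-ca=$n chains-to-ca=$(chains_to_ca "$WORK/$c.crt" "$WORK/ca.crt")"
done
```

On a client, `check_live_server yum.private.net` shows the subject and issuer the web server is actually presenting and openssl's verdict against /etc/ipa/ca.crt. If the issuer printed is not the IPA CA, the server is not serving the certificate certmonger obtained; if it is and the client still refuses, the client's own copy of the CA certificate is what to look at, and a client that is not IPA-enrolled has no /etc/ipa/ca.crt to begin with, which is the case Fraser's Puppet remark covers.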
From seli.irithyl at gmail.com Fri Jun 3 13:10:40 2016
From: seli.irithyl at gmail.com (seli irithyl)
Date: Fri, 3 Jun 2016 15:10:40 +0200
Subject: [Freeipa-users] Unable to access to web ui
In-Reply-To: <92dac203-1494-463b-de50-16d3e15ea3de@redhat.com>
References: <025e4e9e-c387-697a-0cae-94c957d3187e@redhat.com> <576cb80c-a91b-f6e4-f534-ce659afe1df6@redhat.com> <92dac203-1494-463b-de50-16d3e15ea3de@redhat.com>
Message-ID:

# getcert list returns 9 request IDs. All 9 are in status "MONITORING" and expire after 2017. So no expired certificate.

Number of certificates and requests being tracked: 9.
Request ID '20150313092422':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-BIOINF-LOCAL',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-BIOINF-LOCAL/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-BIOINF-LOCAL',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=BIOINF.LOCAL
        subject: CN=lead.bioinf.local,O=BIOINF.LOCAL
        expires: 2017-03-13 09:24:21 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv BIOINF-LOCAL
        track: yes
        auto-renew: yes
Request ID '20150313092456':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=BIOINF.LOCAL
        subject: CN=lead.bioinf.local,O=BIOINF.LOCAL
        expires: 2017-03-13 09:24:56 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20150710083112':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
        certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=BIOINF.LOCAL
        subject: CN=lead.bioinf.local,O=BIOINF.LOCAL
        expires: 2017-07-10 08:31:16 UTC
        principal name: host/lead.bioinf.local at BIOINF.LOCAL
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20160106131740':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=BIOINF.LOCAL
        subject: CN=CA Audit,O=BIOINF.LOCAL
        expires: 2017-03-02 09:24:01 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20160106131741':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=BIOINF.LOCAL
        subject: CN=OCSP Subsystem,O=BIOINF.LOCAL
        expires: 2017-03-02 09:24:00 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        eku: id-kp-OCSPSigning
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20160106131742':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=BIOINF.LOCAL
        subject: CN=CA Subsystem,O=BIOINF.LOCAL
        expires: 2017-03-02 09:24:01 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20160106131743':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=BIOINF.LOCAL
        subject: CN=Certificate Authority,O=BIOINF.LOCAL
        expires: 2035-03-13 09:23:59 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20160106131744':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=BIOINF.LOCAL
        subject: CN=IPA RA,O=BIOINF.LOCAL
        expires: 2017-03-02 09:24:16 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20160106131745':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=BIOINF.LOCAL
        subject: CN=lead.bioinf.local,O=BIOINF.LOCAL
        expires: 2017-03-02 09:24:00 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
        track: yes
        auto-renew: yes

> Do you use IPA with externally signed CA cert? Are they valid?

I don't think so (but I don't know how to check this to be sure?)

Thx for your help!

Seli

On Fri, Jun 3, 2016 at 1:15 PM, Petr Vobornik wrote:
> On 06/03/2016 11:11 AM, seli irithyl wrote:
> > Sorry Martin,
> > I rebooted the IdM server:
> > [root at lead sssd]# ipactl status
> > Directory Service: RUNNING
> > krb5kdc Service: RUNNING
> > kadmin Service: RUNNING
> > ipa_memcached Service: RUNNING
> > httpd Service: RUNNING
> > pki-tomcatd Service: RUNNING
> > ipa-otpd Service: RUNNING
> > ipa: INFO: The ipactl command was successful
> >
> > I checked DNS and it is ok
> >
> > I can login from any host.
> >
> > Unfortunately when trying to run any ipa command:
> > [root at lead ~]# ipa service-find lead.bioinf.local
> > ipa: ERROR: cert validation failed for "E=root at lead.bioinf.local,CN=lead.bioinf.local,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--" ((SEC_ERROR_CA_CERT_INVALID) Issuer certificate is invalid.)
> > ipa: ERROR: cannot connect to 'https://lead.bioinf.local/ipa/json': (SEC_ERROR_CA_CERT_INVALID) Issuer certificate is invalid.
> >
> > Does anybody have an idea on where and what to check next?
> > Thx,
> >
> > Seli
> >
>
> does
> # getcert list
> show any expired certificate?
>
> Do you use IPA with externally signed CA cert? Are they valid?
>
> >
> >
> > On Tue, May 31, 2016 at 8:33 AM, Martin Kosek wrote:
> >
> > Hello Seli,
> >
> > Please reply to mailing list directly so that others can benefit from the
> > thread as well.
> >
> > Thanks,
> > Martin
> >
> > On 05/30/2016 06:17 PM, seli irithyl wrote:
> > > Freeipa version : 4.2.0-15.0.1.el7.centos.6.1
> > > FF: 45.1.1
> > > Could this problem be related to mod_ssl and mod_nss for httpd ?
> > > Looking at the logs, it seems there are lots of problems, here are some parts that
> > > look strange to me (and are probably unrelated) :
> > > 1 sssd:
> > > 1.1 krb5_child.log
> > > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [unpack_buffer] (0x0100): cmd [249] uid [1713400053] gid [1713400053] validate [true] enterprise principal [false] offline [false] UPN [koto at BIOINF.LOCAL]
> > > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/lead.bioinf.local at BIOINF.LOCAL]
> > > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
> > > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [become_user] (0x0200): Trying to become user [1713400053][1713400053].
> > > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [set_lifetime_options] (0x0100): SSSD_KRB5_RENEWABLE_LIFETIME is set to [7d]
> > > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [set_lifetime_options] (0x0100): SSSD_KRB5_LIFETIME is set to [1d]
> > > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> > > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
> > > (Mon May 30 17:18:05 2016) [[sssd[krb5_child[32832]]]] [k5c_send_data] (0x0200): Received error code 0
> > > 1.2 sssd_bioinf.local.log
> > > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [check_ccache_files] (0x0200): Failed to check ccache file [KEYRING:persistent:1713400031].
> > > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [check_ccache_files] (0x0200): Failed to check ccache file [KEYRING:persistent:1713400053].
> > > ...
> > > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [check_and_export_options] (0x0100): No KDC explicitly configured, using defaults.
> > > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [check_and_export_options] (0x0100): No kpasswd server explicitly configured, using the KDC or defaults.
> > > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [parse_krb5_map_user] (0x0200): Warning: krb5_map_user is empty!
> > > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [load_backend_module] (0x0200): no module name found in confdb, using [ipa].
> > > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [common_parse_search_base] (0x0100): Search base added: [SUDO][ou=SUDOers,dc=bioinf,dc=local][SUBTREE][]
> > > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [check_ipv4_addr] (0x0200): Loopback IPv4 address 127.0.0.1
> > > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [check_ipv6_addr] (0x0200): Loopback IPv6 address ::1
> > > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [load_backend_module] (0x0200): no module name found in confdb, using [ipa].
> > > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][cn=default,cn=automount,dc=bioinf,dc=local][SUBTREE][]
> > > (Mon May 30 17:16:01 2016) [sssd[be[bioinf.local]]] [load_backend_module] (0x0200): no module name found in confdb, using [ipa].
> > > ...
> > > (Mon May 30 17:16:11 2016) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > > (Mon May 30 17:16:11 2016) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > > (Mon May 30 17:16:11 2016) [sssd[be[bioinf.local]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> > > ...
> > > (Mon May 30 17:16:11 2016) [sssd[be[bioinf.local]]] [sdap_process_group_send] (0x0040): No Members. Done!
> > > (Mon May 30 17:16:11 2016) [sssd[be[bioinf.local]]] [sdap_process_group_send] (0x0040): No Members. Done!
> > > (Mon May 30 17:16:11 2016) [sssd[be[bioinf.local]]] [sdap_process_group_send] (0x0040): No Members. Done!
> > > ...
> > > 1.3 sssd_nss.log
> > > (Mon May 30 17:18:07 2016) [sssd[nss]] [calc_flat_name] (0x0080): Flat name requested but domain has noflat name set, falling back to domain name
> > > (Mon May 30 17:20:01 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
> > > (Mon May 30 17:20:01 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
> > > (Mon May 30 17:20:01 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
> > > (Mon May 30 17:20:01 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
> > > (Mon May 30 17:20:01 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
> > > (Mon May 30 17:20:01 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [root] from []
> > > (Mon May 30 17:20:01 2016) [sssd[nss]] [nss_cmd_initgroups_search] (0x0080): No matching domain found for [root], fail!
> > > (Mon May 30 17:20:01 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
> > > (Mon May 30 17:20:01 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [root] from []
> > > (Mon May 30 17:20:01 2016) [sssd[nss]] [nss_cmd_initgroups_search] (0x0080): No matching domain found for [root], fail!
> > > (Mon May 30 17:20:01 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
> > > (Mon May 30 17:20:01 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
> > >
> > > 2 pki : catalina.2016-05-30.log
> > > May 30, 2016 2:18:10 PM org.apache.coyote.AbstractProtocol init
> > > SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-8443"]
> > > java.net.BindException: Could not bind to address: (-5982) Local Network address is in use. :8443
> > >         at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:411)
> > >         at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
> > >         at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
> > >         at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
> > >         at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
> > >         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> > >         at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
> > >         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> > >         at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813)
> > >         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> > >         at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
> > >         at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
> > >         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > >         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > >         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > >         at java.lang.reflect.Method.invoke(Method.java:497)
> > >         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
> > >         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
> > > Caused by: java.net.BindException: Could not bind to address: (-5982) Local Network address is in use.
> > >         at org.mozilla.jss.ssl.SocketBase.socketBind(Native Method)
> > >         at org.mozilla.jss.ssl.SSLServerSocket.<init>(SSLServerSocket.java:159)
> > >         at org.apache.tomcat.util.net.jss.JSSSocketFactory.createSocket(JSSSocketFactory.java:937)
> > >         at org.apache.tomcat.util.net.jss.JSSSocketFactory.createSocket(JSSSocketFactory.java:929)
> > >         at org.apache.tomcat.util.net.jss.JSSSocketFactory.createSocket(JSSSocketFactory.java:924)
> > >         at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:398)
> > >         ... 17 more
> > > May 30, 2016 2:18:10 PM org.apache.catalina.core.StandardService initInternal
> > > SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
> > > org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
> > >         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
> > >         at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
> > >         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> > >         at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813)
> > >         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> > >         at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
> > >         at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
> > >         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > >         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > >         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > >         at java.lang.reflect.Method.invoke(Method.java:497)
> > >         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
> > >         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
> > > Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
> > >         at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
> > >         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> > >         ... 12 more
> > > Caused by: java.net.BindException: Could not bind to address: (-5982) Local Network address is in use. :8443
> > >         at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:411)
> > >         at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
> > >         at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
> > >         at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
> > >         at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
> > >         ... 13 more
> > > Caused by: java.net.BindException: Could not bind to address: (-5982) Local Network address is in use.
> > >         at org.mozilla.jss.ssl.SocketBase.socketBind(Native Method)
> > >         at org.mozilla.jss.ssl.SSLServerSocket.<init>(SSLServerSocket.java:159)
> > >         at org.apache.tomcat.util.net.jss.JSSSocketFactory.createSocket(JSSSocketFactory.java:937)
> > >         at org.apache.tomcat.util.net.jss.JSSSocketFactory.createSocket(JSSSocketFactory.java:929)
> > >         at org.apache.tomcat.util.net.jss.JSSSocketFactory.createSocket(JSSSocketFactory.java:924)
> > >         at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:398)
> > >         ... 17 more
> > >
> > > 3. dirsrv
> > > [26/May/2016:12:14:10 +0200] - WARNING: userRoot: entry cache size 512000B is less than db size 1163264B; We recommend to increase the entry cache size nsslapd-cachememsize.
> > > [26/May/2016:12:14:10 +0200] - WARNING: ipaca: entry cache size 512000B is less than db size 1015808B; We recommend to increase the entry cache size nsslapd-cachememsize.
> > > [26/May/2016:12:14:10 +0200] - WARNING: changelog: entry > cache size > > 512000B > > > is less than db size 10100736B; We recommend to increase the > entry cache size > > > nsslapd-cachememsize. > > > [26/May/2016:12:14:10 +0200] schema-compat-plugin - scheduled > > > schema-compat-plugin tree scan in about 5 seconds after the > server startup! > > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > > cn=dns,dc=bioinf,dc=local does not exist > > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > > cn=dns,dc=bioinf,dc=local does not exist > > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > > cn=keys,cn=sec,cn=dns,dc=bioinf,dc=local does not exist > > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > > cn=dns,dc=bioinf,dc=local does not exist > > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > > cn=dns,dc=bioinf,dc=local does not exist > > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > > cn=groups,cn=compat,dc=bioinf,dc=local does not exist > > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > > cn=computers,cn=compat,dc=bioinf,dc=local does not exist > > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > > cn=ng,cn=compat,dc=bioinf,dc=local does not exist > > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > > ou=sudoers,dc=bioinf,dc=local does not exist > > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > > cn=users,cn=compat,dc=bioinf,dc=local does not exist > > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > > cn=vaults,cn=kra,dc=bioinf,dc=local does not exist > > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > > cn=vaults,cn=kra,dc=bioinf,dc=local does not exist > > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > > cn=vaults,cn=kra,dc=bioinf,dc=local does not exist > > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > > 
cn=vaults,cn=kra,dc=bioinf,dc=local does not exist > > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > > cn=vaults,cn=kra,dc=bioinf,dc=local does not exist > > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > > cn=vaults,cn=kra,dc=bioinf,dc=local does not exist > > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > > cn=vaults,cn=kra,dc=bioinf,dc=local does not exist > > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > > cn=vaults,cn=kra,dc=bioinf,dc=local does not exist > > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > > cn=vaults,cn=kra,dc=bioinf,dc=local does not exist > > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > > cn=vaults,cn=kra,dc=bioinf,dc=local does not exist > > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > > cn=vaults,cn=kra,dc=bioinf,dc=local does not exist > > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > > cn=ad,cn=etc,dc=bioinf,dc=local does not exist > > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > cn=casigningcert > > > cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=bioinf,dc=local does > not exist > > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > > cn=casigningcert > > > cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=bioinf,dc=local does > not exist > > > [26/May/2016:12:14:10 +0200] NSACLPlugin - The ACL target > cn=automember > > > rebuild membership,cn=tasks,cn=config does not exist > > > [26/May/2016:12:14:10 +0200] - Skipping CoS Definition > cn=Password > > > Policy,cn=accounts,dc=bioinf,dc=local--no CoS Templates found, > which > > should be > > > added before the CoS Definition. > > > [26/May/2016:12:14:10 +0200] schema-compat-plugin - > schema-compat-plugin > > > tree scan will start in about 5 seconds! > > > [26/May/2016:12:14:10 +0200] - slapd started. 
Listening on > All > > Interfaces > > > port 389 for LDAP requests > > > [26/May/2016:12:14:10 +0200] - Listening on All Interfaces > port 636 for > > > LDAPS requests > > > [26/May/2016:12:14:10 +0200] - Listening on > > > /var/run/slapd-BIOINF-LOCAL.socket for LDAPI requests > > > [26/May/2016:12:14:15 +0200] schema-compat-plugin - warning: > no > > entries set > > > up under ou=sudoers,dc=bioinf,dc=local > > > [26/May/2016:12:14:15 +0200] schema-compat-plugin - warning: > no > > entries set > > > up under cn=ng, cn=compat,dc=bioinf,dc=local > > > [26/May/2016:12:14:15 +0200] schema-compat-plugin - Finished > plugin > > > initialization. > > > > > > > > > On Mon, May 30, 2016 at 4:46 PM, Martin Kosek > > > > >> wrote: > > > > > > On 05/30/2016 04:36 PM, Martin Basti wrote: > > > > > > > > > > > > On 30.05.2016 14:20, seli irithyl wrote: > > > >> Hi, > > > >> > > > >> Since last update, I'am unable to log in to web ui with FF > (e.g. > > blank page) > > > >> Any idea where too look for ? > > > >> > > > >> Best regards, > > > >> > > > >> Seli > > > >> > > > >> > > > >> > > > >> > > > >> > > > > Hello, > > > > > > > > can you provide version of the freeIPA, firefox. Does it > work from > > different > > > > browser? does it work from private mode? > > > > > > + does [CTRL]+F5 helps? Do advise in > > > http://www.freeipa.org/page/Troubleshooting#Web_UI > > > help? > > > > > > > > > > > > > > > > > -- > Petr Vobornik > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Fri Jun 3 13:30:03 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 3 Jun 2016 09:30:03 -0400 Subject: [Freeipa-users] Unable to access to web ui In-Reply-To: References: <025e4e9e-c387-697a-0cae-94c957d3187e@redhat.com> <576cb80c-a91b-f6e4-f534-ce659afe1df6@redhat.com> <92dac203-1494-463b-de50-16d3e15ea3de@redhat.com> Message-ID: <5751865B.8010808@redhat.com> seli irithyl wrote: > # getcert list > returns 9 request ID. 
All 9 are in status "MONITORING" and expire after > 2017. > So no expired certificate. > > Number of certificates and requests being tracked: 9. [snip] > Request ID '20150313092456': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=BIOINF.LOCAL > subject: CN=lead.bioinf.local,O=BIOINF.LOCAL > expires: 2017-03-13 09:24:56 UTC > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: /usr/lib64/ipa/certmonger/restart_httpd > track: yes > auto-renew: yes [ more snip ] > > Unfortunately when trying to run any ipa command: > > [root at lead ~]# ipa service-find lead.bioinf.local > > ipa: ERROR: cert validation failed for > > "E=root at lead.bioinf.local,CN=lead.bioinf.local,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--" > > ((SEC_ERROR_CA_CERT_INVALID) Issuer certificate is invalid.) > > ipa: ERROR: cannot connect to 'https://lead.bioinf.local/ipa/json': > > (SEC_ERROR_CA_CERT_INVALID) Issuer certificate is invalid. Note that the subject of the certmonger-tracked certificate is different from the subject reported in the error. This looks like a default mod_ssl-generated certificate to me. Did you tweak your Apache config? rob From peljasz at yahoo.co.uk Fri Jun 3 13:39:00 2016 From: peljasz at yahoo.co.uk (lejeczek) Date: Fri, 3 Jun 2016 14:39:00 +0100 Subject: [Freeipa-users] a bit off topic- samba + sssd => AD Message-ID: hi users, I have a samba and sssd trying AD, it's 7.2 Linux. 
That linux box is via sssd and samba talking to AD DC and win10 clients get to samba shares, getent pass sees AD users, samba can get to DC's shares and win10's clients shares, all good except... smbclient @samba, in other words - to itself - fails session setup failed: NT_STATUS_LOGON_FAILURE and with smbclient -k gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Server cifs/swir.private.dom at PRIVATE.DOM not found in Kerberos database] SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR session setup failed: NT_STATUS_INTERNAL_ERROR here is a snippet from smb.conf which I thought has relevance, I set it up following samba sssd wiki. security = ads realm = CCNR.DOM workgroup = CCNR kerberos method = secrets and keytab dedicated keytab file = /etc/krb5.swir.ccnr.keytab client signing = auto client use spnego = yes encrypt passwords = yes password server = ccnr-winsrv1.ccnr.dom netbios name = SWIR template shell = /bin/bash template homedir = /home/%D/%U preferred master = no dns proxy = no wins server = ccnr-winsrv1.ccnr.dom wins proxy = no inherit acls = Yes map acl inherit = Yes acl group control = yes and in samba log: domain_client_validate: Domain password server not available. I've tried samba user list, dead silence. many thanks, L. 
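A local check for the failure above, added here as an example and not code from Samba, SSSD or the poster: it pulls the service principal out of the gss_init_sec_context error, compares its realm with the realm in smb.conf, and looks for that principal in a `klist -k -t` listing of the dedicated keytab. The smb.conf fragment is the poster's; the keytab listing is constructed in the layout `klist -k -t` prints, and the `@` in the error text is restored (the list archive rewrites `@` as ` at `). It cannot see the AD side (whether the computer object actually carries the SPN), only whether the name the client resolved the server under belongs to the realm and keytab the server was joined with.

```python
"""Compare the SPN a client asked the KDC for with smb.conf and the keytab.
Added example, not Samba/SSSD code; keytab listing below is constructed."""
import re

# smb.conf snippet from the post (global section only).
SMB_CONF = """\
[global]
   security = ads
   realm = CCNR.DOM
   workgroup = CCNR
   kerberos method = secrets and keytab
   dedicated keytab file = /etc/krb5.swir.ccnr.keytab
   netbios name = SWIR
"""

# Constructed `klist -k -t` output for the dedicated keytab (not from the post).
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.swir.ccnr.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 06/03/2016 10:12:01 SWIR$@CCNR.DOM
   3 06/03/2016 10:12:01 host/swir.ccnr.dom@CCNR.DOM
   3 06/03/2016 10:12:01 cifs/swir.ccnr.dom@CCNR.DOM
"""

# The error from the post, with the archive's " at " turned back into "@".
GSS_ERROR = ("gss_init_sec_context failed with [Unspecified GSS failure. "
             "Minor code may provide more information: Server "
             "cifs/swir.private.dom@PRIVATE.DOM not found in Kerberos database]")


def parse_smb_conf(text):
    """Minimal smb.conf reader: 'key = value' lines, lower-cased keys."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip().lower()] = value.strip()
    return conf


def parse_klist_keytab(text):
    """Principals listed by `klist -k -t`; tolerant of column widths."""
    principals = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].isdigit() and "@" in fields[-1]:
            principals.add(fields[-1])
    return principals


def requested_spn(error_text):
    """The principal the client asked the KDC for, or None."""
    m = re.search(r"Server (\S+) not found in Kerberos database", error_text)
    return m.group(1) if m else None


def diagnose(error_text, klist_text, smb_conf_text):
    """Return short tags describing what does not line up locally."""
    problems = []
    spn = requested_spn(error_text)
    if spn is None:
        return ["no-spn-in-error"]
    _service_host, _, realm = spn.partition("@")
    conf = parse_smb_conf(smb_conf_text)
    smb_realm = conf.get("realm", "").upper()
    if realm.upper() != smb_realm:
        # The client resolved the server under a name in another realm
        # than the one Samba was joined to.
        problems.append("realm-mismatch")
    principals = parse_klist_keytab(klist_text)
    if spn not in principals:
        problems.append("spn-not-in-keytab")
        # A cifs/ key under the joined realm means the key exists but the
        # client is using a different host name for this server.
        if any(p.startswith("cifs/") and p.endswith("@" + smb_realm)
               for p in principals):
            problems.append("cifs-key-exists-under-other-name")
    return problems


if __name__ == "__main__":
    print("requested:", requested_spn(GSS_ERROR))
    print("problems:", diagnose(GSS_ERROR, KLIST_OUTPUT, SMB_CONF))
```

On a real box, replace the constructed listing with the output of `klist -k -t <dedicated keytab file>` and the error text with what `smbclient -k` printed; an empty result means the local side is consistent and the missing principal has to be looked for on the KDC.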
From rcritten at redhat.com Fri Jun 3 13:48:29 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 3 Jun 2016 09:48:29 -0400
Subject: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates
In-Reply-To: <57516BD5.2040700@damascusgrp.com>
References: <5750416E.3070408@damascusgrp.com> <5750A599.6020305@redhat.com> <09f4573d-d950-4947-bf06-f6168eabc4ad@Spark> <20160602222419.GH4744@dhcp-40-8.bne.redhat.com> <57516BD5.2040700@damascusgrp.com>
Message-ID: <57518AAD.4050304@redhat.com>

Bret Wortman wrote:
> So for our internal yum server, I created a new key and cert request (it
> had a localhost key and cert but I wanted to start clean):
>
> # openssl genrsa 2048 > /etc/pki/tls/private/server.key
> # openssl req -new -x509 -nodes -sha1 -days 365 -key /etc/pki/tls/private/server.key > /etc/pki/tls/certs/server.crt
> # ipa-getcert request -f /etc/pki/tls/certs/server.crt -k /etc/pki/tls/private/server.key -r

I try not to argue with success but I'd be curious what is actually going
on here. You generate a CSR and call it a certificate. It is probably the
case that certmonger is ignoring it altogether and generating its own CSR.

> ipa-getcert list shows it approved. I set up SSL in apache to use the
> above .key and .crt, but when I try to run yum against this using ssl:
>
> # yum search ffmpeg
> Loaded plugins: langpacks
> https://yum.private.net/fedora/releases/21/Everything/x86_64/os/repodata/repomd.xml:
> [Errno 14] curl#60 - "Peer's certificate issuer has been marked as
> not trusted by the user."
> :
>
> Is there a step I need to take on the clients so they'll accept this
> cert as trusted? I thought having it be signed by the IPA CA would have
> taken care of that.
>
> # ls -l /etc/ipa/ca.crt
> -rw-r--r-- 1 root root 2546 Apr 28 2014 /etc/ipa/ca.crt
> #

Pretty much only IPA tools know to use this file.

My knowledge is a bit stale on adding the IPA CA to the global trust but
I'm pretty sure it is done automatically now and I think it was in the 4.2
timeframe. I'm assuming this is Fedora 21 so it doesn't have this code.

Look at this, https://fedoraproject.org/wiki/Features/SharedSystemCertificates

The idea is to add the IPA CA to that and then all tools using SSL would
"just work". Something like:

# cp /etc/ipa/ca.crt /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem
# update-ca-trust

You'd need to remember to manually undo this if you ever redo your IPA
install (and get a new CA):

# rm /etc/ipa/ca.crt /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem
# update-ca-trust

Like I said, I'm pretty sure this is all automatic in some more recent
versions of IPA.

rob

>
> ---
> Bret
>
> On 06/02/2016 07:25 PM, bret.wortman at damascusgrp.com wrote:
>> Cool. I'll give this a go in the morning.
>>
>> Bret Wortman
>> http://wrapbuddies.co/
>>
>> On Jun 2, 2016, 6:24 PM -0400, Fraser Tweedale , wrote:
>>> On Thu, Jun 02, 2016 at 05:35:01PM -0400, bret.wortman at damascusgrp.com wrote:
>>>> Sorry, let me back up a step. We need to implement hype
>>>> everywhere. All our web services. And clients need to get
>>>> keys&certs automatically whether through IPA or Puppet. These
>>>> systems use IPA for everything but authentication (to keep most
>>>> users off). I'm trying to wuss out the easiest way to make this
>>>> happen smoothly.
>>>>
>>> Hi Bret,
>>>
>>> You can use the IPA CA to sign service certificates. See
>>> http://www.freeipa.org/page/Certmonger#Request_a_new_certificate.
>>>
>>> IPA-enrolled machines already have the IPA certificate in their
>>> trust store. If the clients are IPA-enrolled, everything should
>>> Just Work, otherwise you can distribute the IPA CA certificate to
>>> clients via Puppet** or whatever means you prefer.
>>> >>> ** you will have to work out how, because I do not know Puppet :) >>> >>> Cheers, >>> Fraser >>> >>>> >>>> >>>> On Jun 2, 2016, 5:31 PM -0400, Rob Crittenden, >>>> wrote: >>>>> Bret Wortman wrote: >>>>>> Is it possible to use our freeipa CA as a trusted CA to sign our >>>>>> internal SSL certificates? Our system runs on a private network and so >>>>>> using the usual trusted sources isn't an option. We've been using >>>>>> self-signed, but that adds some additional complications and we >>>>>> thought >>>>>> this might be a good solution. >>>>>> >>>>>> Is it possible, and, since most online guides defer to "submit the CSR >>>>>> to Verisign" or whomever, how would you go about producing one in >>>>>> this way? >>>>> >>>>> Not sure I understand the question. The IPA CA is also self-signed. For >>>>> enrolled systems though at least the CA is pre-distributed so maybe >>>>> that >>>>> will help. >>>>> >>>>> rob >>>>> >>> >>>> -- >>>> Manage your subscription for the Freeipa-users mailing list: >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> Go to http://freeipa.org for more info on the project >>> >> >> > > > From seli.irithyl at gmail.com Fri Jun 3 13:53:39 2016 From: seli.irithyl at gmail.com (seli irithyl) Date: Fri, 3 Jun 2016 15:53:39 +0200 Subject: [Freeipa-users] Unable to access to web ui In-Reply-To: <5751865B.8010808@redhat.com> References: <025e4e9e-c387-697a-0cae-94c957d3187e@redhat.com> <576cb80c-a91b-f6e4-f534-ce659afe1df6@redhat.com> <92dac203-1494-463b-de50-16d3e15ea3de@redhat.com> <5751865B.8010808@redhat.com> Message-ID: Yes, you're right, I was also surprised by the subject of the error. I made changes in the /etc/httpd/conf.d/nss.conf file. I changed Listen 443 to Listen 8443 and to as it was in the /etc/httpd/conf.d/nss.conf file before the update. On Fri, Jun 3, 2016 at 3:30 PM, Rob Crittenden wrote: > seli irithyl wrote: > >> # getcert list >> returns 9 request ID. All 9 are in status "MONITORING" and expire after >> 2017. 
>> So no expired certificate. >> >> Number of certificates and requests being tracked: 9. >> > [snip] > >> Request ID '20150313092456': >> status: MONITORING >> stuck: no >> key pair storage: >> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >> certificate: >> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >> Certificate DB' >> CA: IPA >> issuer: CN=Certificate Authority,O=BIOINF.LOCAL >> subject: CN=lead.bioinf.local,O=BIOINF.LOCAL >> expires: 2017-03-13 09:24:56 UTC >> key usage: >> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: >> post-save command: /usr/lib64/ipa/certmonger/restart_httpd >> track: yes >> auto-renew: yes >> > > [ more snip ] > >> > Unfortunately when trying to run any ipa command: >> > [root at lead ~]# ipa service-find lead.bioinf.local >> > ipa: ERROR: cert validation failed for >> > "E=root at lead.bioinf.local >> ,CN=lead.bioinf.local,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--" >> > ((SEC_ERROR_CA_CERT_INVALID) Issuer certificate is invalid.) >> > ipa: ERROR: cannot connect to 'https://lead.bioinf.local/ipa/json': >> > (SEC_ERROR_CA_CERT_INVALID) Issuer certificate is invalid. >> > > Note that the subject of the certmonger-tracked certificate is different > from the subject reported in the error. This looks like a default > mod_ssl-generated certificate to me. Did you tweak your Apache config? > > rob > -------------- next part -------------- An HTML attachment was scrubbed... 
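To make the comparison Rob points at mechanical, here is an added example (not certmonger or FreeIPA code): it parses `getcert list` output into one record per tracking request, flags requests that are expired, close to expiry, stuck or not in MONITORING, and checks whether the subject DN a client reports in a validation error is RDN-for-RDN equal to any tracked certificate's subject. The sample output is constructed from the two entries quoted on this page (the Server-Cert entry above and the expired ipaCert entry from the IPA 2.2 renewal thread), and the reference date is fixed so the result is reproducible.

```python
"""Triage `getcert list` output and compare a reported subject DN with the
tracked certificates. Added example, not certmonger or FreeIPA code."""
import re
from datetime import datetime, timedelta

# Constructed sample in the layout `getcert list` prints: the Server-Cert
# entry from this thread plus the ipaCert entry from the renewal thread.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20150313092456':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=BIOINF.LOCAL
\tsubject: CN=lead.bioinf.local,O=BIOINF.LOCAL
\texpires: 2017-03-13 09:24:56 UTC
\tpost-save command: /usr/lib64/ipa/certmonger/restart_httpd
\ttrack: yes
\tauto-renew: yes
Request ID '20140605220249':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\tissuer: CN=Certificate Authority,O=DRUTT.COM
\tsubject: CN=IPA RA,O=DRUTT.COM
\texpires: 2014-06-24 14:08:50 UTC
\ttrack: yes
\tauto-renew: yes
"""

# Subject DN from the SEC_ERROR_CA_CERT_INVALID error quoted above.
ERROR_SUBJECT = ("E=root@lead.bioinf.local,CN=lead.bioinf.local,"
                 "OU=SomeOrganizationalUnit,O=SomeOrganization,"
                 "L=SomeCity,ST=SomeState,C=--")

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
TIME_FMT = "%Y-%m-%d %H:%M:%S UTC"


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracking request."""
    entries, current = [], None
    for raw in text.splitlines():
        m = REQUEST_RE.match(raw)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
        elif current is not None and ":" in raw:
            key, _, value = raw.strip().partition(":")
            current[key.strip()] = value.strip()
    return entries


def nickname(entry):
    """NSS nickname of the tracked certificate, or '?' if not stated."""
    m = re.search(r"nickname='([^']*)'", entry.get("certificate", ""))
    return m.group(1) if m else "?"


def triage(entries, now, warn_days=30):
    """Return (request_id, nickname, problem) for anything needing attention."""
    findings = []
    for e in entries:
        rid, nick = e["request_id"], nickname(e)
        if e.get("stuck", "no") != "no":
            findings.append((rid, nick, "stuck: " + e["stuck"]))
        if e.get("status") != "MONITORING":
            findings.append((rid, nick, "status " + e.get("status", "?")))
        if "expires" in e:
            exp = datetime.strptime(e["expires"], TIME_FMT)
            if exp <= now:
                findings.append((rid, nick, "expired " + e["expires"]))
            elif exp - now <= timedelta(days=warn_days):
                findings.append((rid, nick, "expires within %d days" % warn_days))
    return findings


def report(text, now_str):
    """Convenience wrapper: parse the listing and triage it at a given time."""
    return triage(parse_getcert_list(text), datetime.strptime(now_str, TIME_FMT))


def split_dn(dn):
    """Split a DN on unescaped commas into (ATTR, value) pairs."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, val = part.strip().partition("=")
        rdns.append((attr.strip().upper(), val.strip()))
    return rdns


def served_cert_is_tracked(entries, served_subject):
    """True only if the served subject equals a tracked subject RDN for RDN;
    a matching CN alone (as in the error above) is not enough."""
    return any(split_dn(e.get("subject", "")) == split_dn(served_subject)
               for e in entries)


if __name__ == "__main__":
    ents = parse_getcert_list(SAMPLE_GETCERT_LIST)
    for finding in triage(ents, datetime(2016, 6, 3)):
        print("%s (%s): %s" % finding)
    print("served cert is a tracked one:", served_cert_is_tracked(ents, ERROR_SUBJECT))
```

Feed it the real `getcert list` output and the DN from the client error; when the served subject does not match any tracked subject, the certificate Apache is presenting is not the one certmonger renews, which is exactly the situation Rob describes.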
URL: From sbose at redhat.com Fri Jun 3 14:11:20 2016 From: sbose at redhat.com (Sumit Bose) Date: Fri, 3 Jun 2016 16:11:20 +0200 Subject: [Freeipa-users] a bit off topic- samba + sssd => AD In-Reply-To: References: Message-ID: <20160603141120.GN25486@p.Speedport_W_724V_Typ_A_05011603_00_009> On Fri, Jun 03, 2016 at 02:39:00PM +0100, lejeczek wrote: > hi users, > > I have a samba and sssd trying AD, it's 7.2 Linux. > > That linux box is via sssd and samba talking to AD DC and win10 clients get > to samba shares, getent pass sees AD users, samba can get to DC's shares and > win10's clients shares, all good except... > > smbclient @samba, in other words - to itself - fails > > session setup failed: NT_STATUS_LOGON_FAILURE > > and with smbclient -k > > gss_init_sec_context failed with [Unspecified GSS failure. Minor code may > provide more information: Server cifs/swir.private.dom at PRIVATE.DOM not found > in Kerberos database] Which realm is PRIVATE.DOM? What does $ klist -k -t /etc/krb5.swir.ccnr.keytab return? bye, Sumit > > SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR > Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR > session setup failed: NT_STATUS_INTERNAL_ERROR > > here is a snippet from smb.conf which I thought has relevance, I set it up > following samba sssd wiki. > > security = ads > realm = CCNR.DOM > workgroup = CCNR > > kerberos method = secrets and keytab > dedicated keytab file = /etc/krb5.swir.ccnr.keytab > client signing = auto > client use spnego = yes > encrypt passwords = yes > password server = ccnr-winsrv1.ccnr.dom > netbios name = SWIR > > template shell = /bin/bash > template homedir = /home/%D/%U > > preferred master = no > dns proxy = no > wins server = ccnr-winsrv1.ccnr.dom > wins proxy = no > > inherit acls = Yes > map acl inherit = Yes > acl group control = yes > > > and in samba log: > > domain_client_validate: Domain password server not available. 
> > I've tried samba user list, dead silence. > > many thanks, > > L. > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project From abokovoy at redhat.com Fri Jun 3 14:22:23 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 3 Jun 2016 17:22:23 +0300 Subject: [Freeipa-users] a bit off topic- samba + sssd => AD In-Reply-To: References: Message-ID: <20160603142223.g5evycofxwryrhpn@redhat.com> On Fri, 03 Jun 2016, lejeczek wrote: >hi users, > >I have a samba and sssd trying AD, it's 7.2 Linux. > >That linux box is via sssd and samba talking to AD DC and win10 >clients get to samba shares, getent pass sees AD users, samba can get >to DC's shares and win10's clients shares, all good except... > >smbclient @samba, in other words - to itself - fails > >session setup failed: NT_STATUS_LOGON_FAILURE Do you run winbindd? samba in RHEL 7.2 as of now has a regression that if you don't run winbindd, current code forbids establishing anonymous secure channel connections to AD DCs as part of Badlock fixes. The regression is fixed upstream and RHEL 7.2 packages are currently being tested by Red Hat QE team. If you start winbindd, this should not affect you -- if the machine is enrolled into Active Directory domain. However, the Kerberos error below makes me thinking you have some problems on AD side as well. > >and with smbclient -k > >gss_init_sec_context failed with [Unspecified GSS failure. Minor code >may provide more information: Server cifs/swir.private.dom at PRIVATE.DOM >not found in Kerberos database] The statement above says your KDC for PRIVATE.DOM does not know anything about cifs/swir.private.dom principal. Fix that problem and Kerberos authentication will be working. 
> >SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: >NT_STATUS_INTERNAL_ERROR >Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR >session setup failed: NT_STATUS_INTERNAL_ERROR > >here is a snippet from smb.conf which I thought has relevance, I set >it up following samba sssd wiki. > > security = ads > realm = CCNR.DOM > workgroup = CCNR > > kerberos method = secrets and keytab > dedicated keytab file = /etc/krb5.swir.ccnr.keytab > client signing = auto > client use spnego = yes > encrypt passwords = yes > password server = ccnr-winsrv1.ccnr.dom > netbios name = SWIR > > template shell = /bin/bash > template homedir = /home/%D/%U > > preferred master = no > dns proxy = no > wins server = ccnr-winsrv1.ccnr.dom > wins proxy = no > > inherit acls = Yes > map acl inherit = Yes > acl group control = yes > > >and in samba log: > > domain_client_validate: Domain password server not available. > >I've tried samba user list, dead silence. > >many thanks, > >L. > >-- >Manage your subscription for the Freeipa-users mailing list: >https://www.redhat.com/mailman/listinfo/freeipa-users >Go to http://freeipa.org for more info on the project -- / Alexander Bokovoy From schogan at us.ibm.com Fri Jun 3 14:23:05 2016 From: schogan at us.ibm.com (Sean Hogan) Date: Fri, 3 Jun 2016 07:23:05 -0700 Subject: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem In-Reply-To: <5750A82F.3000406@redhat.com> References: <20160602162455.7149ABE039@b03ledav005.gho.boulder.ibm.com> <5750A82F.3000406@redhat.com> Message-ID: <20160603142315.78AC16A041@b03ledav003.gho.boulder.ibm.com> Hi Robert.. Thanks for the reply. Think I might have found the issue. The KVM host my master was running on was showing redhat release 6.5 but the libvrt packages were showing 6.6. I think the managers of the kvm host did not reboot it after an update with new kernel. Asked them to reboot the KVM host after I gracefully shut down my NFS profile server and Master IPA (both run on that host). 
However Master IPA would not shutdown so they rebooted it with the IPA server still running. Once it was back up and the 2 servers were back up I had to gracefully shutdown the Master IPA and this time it did shutdown. Powered back up and it seems to be running fine now. BTW... there is a lot of info in the upgrade log but will overview it more later. Thanks Sean Hogan From: Rob Crittenden To: Sean Hogan/Durham/IBM at IBMUS, freeipa-users Date: 06/02/2016 02:42 PM Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem Sean Hogan wrote: > Hello All, > > Recently went from RHEL 6.7 IPA 3.0.47 to 6.8 IPA 3.0.50. I also think > (not sure on this yet) that they changed ntp.. ntp used to point at my > ipas.. but they look like they are now pointing elsewhere. Everything > was stable at 6.7 3.0.47 pointing to IPA for NTP. However.. they all > seem to have the same date. > > > My master first IPA is acting up. Replication is off, kerberos seems to > be off, DNS is off and I think IPA in general on it is toast. > We do have 8 IPAs.. only FirstMaster is acting up it seems right now and > all either running on KVM or ESXI. > > > [God at FirstMasterIPA slapd-DOMAIN-LOCAL]# kinit admin > kinit: Generic error (see e-text) while getting initial credential ipactl status should show what services are running. It looks like the KDC is responding but can't talk to the LDAP backend. > > > slapd-DOMAIN-LOCAL > [01/Jun/2016:18:25:43 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > GSS failure. 
Minor code may provide more information (Cannot contact any > KDC for realm 'DOMAIN.LOCAL')) errno 115 (Operation now in progress) > [01/Jun/2016:18:25:43 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin - > agmt="cn=meToipaserv2.domain.local" (ipaserv2:389): Replication bind > with GSSAPI auth resumed > [01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin - > agmt="cn=meToipaserv3.domain.local" (ipaserv3:389): Replication bind > with GSSAPI auth resumed > [01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin - > agmt="cn=meToipaserv4.domain.local" (ipaserv4:389): Replication bind > with GSSAPI auth resumed > [01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin - > agmt="cn=meToipaserv5.domain.local" (ipaserv5:389): Replication bind > with GSSAPI auth resumed > [01/Jun/2016:18:28:04 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI > Failure: gss_accept_sec_context) errno 0 (Success) > [01/Jun/2016:18:28:04 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) > [01/Jun/2016:18:28:13 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > GSS failure. 
Minor code may provide more information (No credentials > cache found)) errno 2 (No such file or directory) > [01/Jun/2016:18:28:13 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [01/Jun/2016:18:33:03 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI > Failure: gss_accept_sec_context) errno 0 (Success) > [01/Jun/2016:18:33:03 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) > [01/Jun/2016:18:33:18 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > GSS failure. Minor code may provide more information (No credentials > cache found)) errno 2 (No such file or directory) > [01/Jun/2016:18:33:18 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [01/Jun/2016:18:38:03 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI > Failure: gss_accept_sec_context) errno 0 (Success) And this makes it look like it can't talk to the KDC. I'd check for SELinux errors, ausearch -m AVC -ts recent I think the rest is just indication that something is wrong with either the LDAP servers, the KDC or both. You may also want to look at /var/log/ipaupgrade.log to ensure that the upgrade was successful. rob > > [God at FirstMasterIPA slapd-DOMAIN-LOCAL]# ipa-replica-manage -v list > --------------> just hangs and never returns > > > [God at FirstMasterIPA slapd-DOMAIN-LOCAL]# ipactl start ------------->Just > hangs here as well.. never gets to the KDC. 
> > Starting Directory Service > Starting dirsrv: > PKI-IPA... already running [ OK ] > DOMAIN-LOCAL... already running [ OK ] > > > If I run nslookup it fails over to a Replica for the DNS resolution > instead of resolving ips itself. > > > > PKI log shows a bunch of this: > [02/Jun/2016:11:15:25 -0400] NSMMReplicationPlugin - > agmt="cn=masterAgreement1-ipaserver2.domain.local-pki-ca" > (ipaserver2:7389): Replication bind with SIMPLE auth failed: LDAP error > -1 (Can't contact LDAP server) ((null)) > [02/Jun/2016:11:15:34 -0400] NSMMReplicationPlugin - > agmt="cn=masterAgreement1-ipaserver2.domain.local-pki-ca" > (ipaserver2:7389): Replication bind with SIMPLE auth resumed > [02/Jun/2016:11:16:36 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) > [02/Jun/2016:11:16:51 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 107 > (Transport endpoint is not connected) > [02/Jun/2016:11:21:51 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) > [02/Jun/2016:11:22:06 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 107 > (Transport endpoint is not connected) > [02/Jun/2016:11:26:36 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) > [02/Jun/2016:11:26:41 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 107 > (Transport endpoint is not connected) > [02/Jun/2016:11:31:36 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) > [02/Jun/2016:11:31:41 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 107 > (Transport endpoint is not connected) > 
[02/Jun/2016:11:36:36 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) > [02/Jun/2016:11:36:41 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 107 > (Transport endpoint is not connected) > [02/Jun/2016:11:41:46 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) > [02/Jun/2016:11:41:51 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 107 > (Transport endpoint is not connected) > [02/Jun/2016:11:45:16 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) > [02/Jun/2016:11:45:16 -0400] NSMMReplicationPlugin - > agmt="cn=masterAgreement1-ipaserver3.domain.local-pki-ca" > (ipaserver3:7389): Replication bind with SIMPLE auth failed: LDAP error > -1 (Can't contact LDAP server) ((null)) > [02/Jun/2016:11:45:25 -0400] NSMMReplicationPlugin - > agmt="cn=masterAgreement1-ipaserver3.domain.local-pki-ca" > (ipaserver3:7389): Replication bind with SIMPLE auth resumed > [02/Jun/2016:11:46:51 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) > [02/Jun/2016:11:46:56 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 107 > (Transport endpoint is not connected) > [02/Jun/2016:11:51:36 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) > [02/Jun/2016:11:51:41 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 107 > (Transport endpoint is not connected) > [02/Jun/2016:11:56:46 -0400] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) > 
> [02/Jun/2016:11:56:51 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
> [02/Jun/2016:12:01:36 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
> [02/Jun/2016:12:01:41 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
> [02/Jun/2016:12:05:33 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
> [02/Jun/2016:12:05:33 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver3.domain.local-pki-ca" (ipaserver3:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null))
> [02/Jun/2016:12:06:01 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
> [02/Jun/2016:12:06:06 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver3.domain.local-pki-ca" (ipaserver3:7389): Replication bind with SIMPLE auth resumed
> [02/Jun/2016:12:06:31 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
> [02/Jun/2016:12:06:41 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
>
> NTP seems OK
> [God at FirstMasterIPA slapd-PKI-IPA]# date
> Thu Jun 2 12:23:00 EDT 2016
>
> [God at ipaserver3 ~]# date
> Thu Jun 2 12:23:02 EDT 2016
>
> Sean Hogan
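Rob's reading of the 389-ds excerpts above separates two failure classes: GSSAPI binds that fail on the server itself (no credential cache, or credentials the KDC side rejects) and replication binds that cannot reach the peer at all. The script below is an added example (the editor's, not code from the thread, FreeIPA or 389-ds) that parses a constructed subset of the quoted log lines, sorts them into those classes, tracks the last failed/resumed state per replication agreement and attaches the checks Rob and Sean mention (SELinux AVCs via `ausearch`, KDC reachability, time sync, `/var/log/ipaupgrade.log`). The category names, rule order and hint wording are the editor's own.

```python
"""Triage helper for 389-ds error-log bind failures (added example)."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a subset of the 389-ds error-log lines quoted in the thread.
SAMPLE_LOG = """\
[01/Jun/2016:18:28:13 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory)
[01/Jun/2016:18:28:13 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[01/Jun/2016:18:33:03 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[02/Jun/2016:11:15:25 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver2.domain.local-pki-ca" (ipaserver2:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null))
[02/Jun/2016:11:15:34 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver2.domain.local-pki-ca" (ipaserver2:7389): Replication bind with SIMPLE auth resumed
[02/Jun/2016:11:16:36 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[02/Jun/2016:11:16:51 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[02/Jun/2016:11:45:16 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver3.domain.local-pki-ca" (ipaserver3:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null))
"""

# "[dd/Mon/yyyy:HH:MM:SS +zzzz] component - message"
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] "
    r"(?P<component>\S+) - (?P<message>.*)$"
)
# Peer host:port from a replication-agreement line.
PEER_RE = re.compile(r"\((?P<peer>[^()\s:]+:\d+)\): Replication bind")

# Ordered rules: the first match wins. Hints paraphrase the checks suggested in the thread.
RULES = [
    ("krb_no_ccache", re.compile(r"No credentials cache found"),
     "the server has no Kerberos credentials of its own: check that the KDC is "
     "reachable and look for SELinux denials (ausearch -m AVC -ts recent)"),
    ("krb_auth_failed", re.compile(r"mech \[GSSAPI\]: LDAP error 49 \(Invalid credentials\)"),
     "GSSAPI authentication was rejected: check the KDC, time sync between servers "
     "and /var/log/ipaupgrade.log if an upgrade just ran"),
    ("gssapi_local_error", re.compile(r"mech \[GSSAPI\]: error -2 \(Local error\)"),
     "generic local GSSAPI failure, normally the same root cause as the missing credential cache"),
    ("peer_unreachable", re.compile(r"Can't contact LDAP server"),
     "the peer LDAP server cannot be reached (network, DNS, or the peer not listening)"),
    ("recovered", re.compile(r"Replication bind with SIMPLE auth resumed"),
     "replication to this peer resumed after a failure"),
]


def parse_line(line):
    """Parse one 389-ds error-log line into a dict, or return None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    category, hint = "other", None
    for name, pattern, text in RULES:
        if pattern.search(m["message"]):
            category, hint = name, text
            break
    peer = PEER_RE.search(m["message"])
    return {
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "component": m["component"],
        "category": category,
        "hint": hint,
        "peer": peer["peer"] if peer else None,
        "message": m["message"],
    }


def triage(text):
    """Summarise an excerpt: counts per category, last state per replication peer, hints."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    counts = Counter(e["category"] for e in events)
    peer_state = {}
    for e in events:  # lines are in log order, so the last event per peer wins
        if e["peer"]:
            peer_state[e["peer"]] = "resumed" if e["category"] == "recovered" else "failed"
    hints = {e["category"]: e["hint"] for e in events if e["hint"]}
    return {
        "counts": counts,
        "peer_state": peer_state,
        "hints": hints,
        "first": min(e["ts"] for e in events) if events else None,
        "last": max(e["ts"] for e in events) if events else None,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"window: {report['first']} .. {report['last']}")
    for cat, n in report["counts"].most_common():
        print(f"{n:4d}  {cat}: {report['hints'].get(cat, '')}")
    for peer, state in report["peer_state"].items():
        print(f"peer {peer}: last replication bind {state}")
```

Run against a full `errors` log, the per-peer state is the quick tell: a peer whose last event is `failed` is still down, while a `krb_no_ccache` count on the master points at the server's own Kerberos credentials rather than at the replicas.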
From bret.wortman at damascusgrp.com Fri Jun 3 14:57:35 2016
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Fri, 3 Jun 2016 10:57:35 -0400
Subject: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates
In-Reply-To: <57518AAD.4050304@redhat.com>
References: <5750416E.3070408@damascusgrp.com> <5750A599.6020305@redhat.com> <09f4573d-d950-4947-bf06-f6168eabc4ad@Spark> <20160602222419.GH4744@dhcp-40-8.bne.redhat.com> <57516BD5.2040700@damascusgrp.com> <57518AAD.4050304@redhat.com>
Message-ID:

I'm not sure I'd call what we have "success" just yet. ;-)

You're right -- F21, IPA 4.1.4-1. I'll try the steps you outlined and see how we go.

Rob, would you have just used the existing "localhost.key" instead of generating a new one?

On 06/03/2016 09:48 AM, Rob Crittenden wrote:
> Bret Wortman wrote:
>> So for our internal yum server, I created a new key and cert request (it had a localhost key and cert but I wanted to start clean):
>>
>> # openssl genrsa 2048 > /etc/pki/tls/private/server.key
>> # openssl req -new -x509 -nodes -sha1 -days 365 -key /etc/pki/tls/private/server.key > /etc/pki/tls/certs/server.crt
>> # ipa-getcert request -f /etc/pki/tls/certs/server.crt -k /etc/pki/tls/private/server.key -r
>
> I try not to argue with success but I'd be curious what is actually going on here. You generate a CSR and call it a certificate. It is probably the case that certmonger is ignoring it altogether and generating its own CSR.
>
>> ipa-getcert list shows it approved. I set up SSL in apache to use the above .key and .crt, but when I try to run yum against this using ssl:
>>
>> # yum search ffmpeg
>> Loaded plugins: langpacks
>> https://yum.private.net/fedora/releases/21/Everything/x86_64/os/repodata/repomd.xml:
>> [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."
>> : >> >> Is there a step I need to take on the clients so they'll accept this >> cert as trusted? I thought having it be signed by the IPA CA would have >> taken care of that. >> >> # ls -l /etc/ipa/ca.crt >> -rw-r--r-- 1 root root 2546 Apr 28 2014 /etc/ipa/ca.crt >> # > > Pretty much only IPA tools know to use this file. > > My knowledge is a bit stale on adding the IPA CA to the global trust > but I'm pretty sure it is done automatically now and I think it was in > the 4.2 timeframe. I'm assuming this is Fedora 21 so it doesn't have > this code. > > Look at this, > https://fedoraproject.org/wiki/Features/SharedSystemCertificates > > The idea is to add the IPA CA to that and then all tools using SSL > would "just work". > > Something like: > > # cp /etc/ipa/ca.crt /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem > # update-ca-trust > > You'd need to remember to manually undo this if you ever redo your IPA > install (and get a new CA): > > # rm /etc/ipa/ca.crt /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem > # update-ca-trust > > Like I said, I'm pretty sure this is all automatic in some more recent > versions of IPA. > > rob > >> >> --- >> Bret >> >> On 06/02/2016 07:25 PM, bret.wortman at damascusgrp.com wrote: >>> Cool. I'll give this a go in the morning. >>> >>> Bret Wortman >>> http://wrapbuddies.co/ >>> >>> On Jun 2, 2016, 6:24 PM -0400, Fraser Tweedale , >>> wrote: >>>> On Thu, Jun 02, 2016 at 05:35:01PM -0400, >>>> bret.wortman at damascusgrp.com wrote: >>>>> Sorry, let me back up a step. We need to implement hype >>>>> everywhere. All our web services. And clients need to get >>>>> keys&certs automatically whether through IPA or Puppet. These >>>>> systems use IPA for everything but authentication (to keep most >>>>> users off). I'm trying to wuss out the easiest way to make this >>>>> happen smoothly. >>>>> >>>> Hi Bret, >>>> >>>> You can use the IPA CA to sign service certificates. 
See >>>> http://www.freeipa.org/page/Certmonger#Request_a_new_certificate. >>>> >>>> IPA-enrolled machines already have the IPA certificate in their >>>> trust store. If the clients are IPA-enrolled, everything should >>>> Just Work, otherwise you can distribute the IPA CA certificate to >>>> clients via Puppet** or whatever means you prefer. >>>> >>>> ** you will have to work out how, because I do not know Puppet :) >>>> >>>> Cheers, >>>> Fraser >>>> >>>>> >>>>> >>>>> On Jun 2, 2016, 5:31 PM -0400, Rob Crittenden, >>>>> wrote: >>>>>> Bret Wortman wrote: >>>>>>> Is it possible to use our freeipa CA as a trusted CA to sign our >>>>>>> internal SSL certificates? Our system runs on a private network >>>>>>> and so >>>>>>> using the usual trusted sources isn't an option. We've been using >>>>>>> self-signed, but that adds some additional complications and we >>>>>>> thought >>>>>>> this might be a good solution. >>>>>>> >>>>>>> Is it possible, and, since most online guides defer to "submit >>>>>>> the CSR >>>>>>> to Verisign" or whomever, how would you go about producing one in >>>>>>> this way? >>>>>> >>>>>> Not sure I understand the question. The IPA CA is also >>>>>> self-signed. For >>>>>> enrolled systems though at least the CA is pre-distributed so maybe >>>>>> that >>>>>> will help. 
>>>>>> >>>>>> rob >>>>>> >>>> >>>>> -- >>>>> Manage your subscription for the Freeipa-users mailing list: >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>> Go to http://freeipa.org for more info on the project >>>> >>> >>> >> >> >> > From rcritten at redhat.com Fri Jun 3 15:02:15 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 3 Jun 2016 11:02:15 -0400 Subject: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates In-Reply-To: References: <5750416E.3070408@damascusgrp.com> <5750A599.6020305@redhat.com> <09f4573d-d950-4947-bf06-f6168eabc4ad@Spark> <20160602222419.GH4744@dhcp-40-8.bne.redhat.com> <57516BD5.2040700@damascusgrp.com> <57518AAD.4050304@redhat.com> Message-ID: <57519BF7.9060301@redhat.com> Bret Wortman wrote: > I'm not sure I'd call what we have "success" just yet. ;-) > > You're right -- F21, IPA 4.1.4-1. I'll try the steps you outlined and > see how we go. > > Rob, would you have just used the existing "localhost.key" instead of > generating a new one? No, I think you did the right thing, the default keysize was probably still 1024 in F21. I double-checked the getcert-request man page and it looks like it will use an existing key if one exists in the key file passed in so I was wrong about that bit. You just didn't need to use req to generate a CSR as certmonger will do that for you. rob > > > On 06/03/2016 09:48 AM, Rob Crittenden wrote: >> Bret Wortman wrote: >>> So for our internal yum server, I created a new key and cert request (it >>> had a localhost key and cert but I wanted to start clean): >>> >>> # openssl genrsa 2048 > /etc/pki/tls/private/server.key >>> # openssl req -new -x509 -nodes -sha1 -days 365 -key >>> /etc/pki/tls/private/server.key > /etc/pki/tls/certs/server.crt >>> # ipa-getcert request -f /etc/pki/tls/certs/server.crt -k >>> /etc/pki/tls/private/server.key -r >> >> I try not to argue with success but I'd be curious what is actually >> going on here. 
You generate a CSR and call it a certificate. It is >> probably the case that certmonger is ignoring it altogether and >> generating its own CSR. >> >>> ipa-getcert list shows it approved. I set up SSL in apache to use the >>> above .key and .crt, but when I try to run yum against this using ssl: >>> >>> # yum search ffmpeg >>> Loaded plugins: langpacks >>> https://yum.private.net/fedora/releases/21/Everything/x86_64/os/repodata/repomd.xml: >>> >>> [Errno 14] curl#60 - "Peer's certificate issuer has been marked as >>> not trusted by the user." >>> : >>> >>> Is there a step I need to take on the clients so they'll accept this >>> cert as trusted? I thought having it be signed by the IPA CA would have >>> taken care of that. >>> >>> # ls -l /etc/ipa/ca.crt >>> -rw-r--r-- 1 root root 2546 Apr 28 2014 /etc/ipa/ca.crt >>> # >> >> Pretty much only IPA tools know to use this file. >> >> My knowledge is a bit stale on adding the IPA CA to the global trust >> but I'm pretty sure it is done automatically now and I think it was in >> the 4.2 timeframe. I'm assuming this is Fedora 21 so it doesn't have >> this code. >> >> Look at this, >> https://fedoraproject.org/wiki/Features/SharedSystemCertificates >> >> The idea is to add the IPA CA to that and then all tools using SSL >> would "just work". >> >> Something like: >> >> # cp /etc/ipa/ca.crt /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem >> # update-ca-trust >> >> You'd need to remember to manually undo this if you ever redo your IPA >> install (and get a new CA): >> >> # rm /etc/ipa/ca.crt /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem >> # update-ca-trust >> >> Like I said, I'm pretty sure this is all automatic in some more recent >> versions of IPA. >> >> rob >> >>> >>> --- >>> Bret >>> >>> On 06/02/2016 07:25 PM, bret.wortman at damascusgrp.com wrote: >>>> Cool. I'll give this a go in the morning. 
>>>> >>>> Bret Wortman >>>> http://wrapbuddies.co/ >>>> >>>> On Jun 2, 2016, 6:24 PM -0400, Fraser Tweedale , >>>> wrote: >>>>> On Thu, Jun 02, 2016 at 05:35:01PM -0400, >>>>> bret.wortman at damascusgrp.com wrote: >>>>>> Sorry, let me back up a step. We need to implement hype >>>>>> everywhere. All our web services. And clients need to get >>>>>> keys&certs automatically whether through IPA or Puppet. These >>>>>> systems use IPA for everything but authentication (to keep most >>>>>> users off). I'm trying to wuss out the easiest way to make this >>>>>> happen smoothly. >>>>>> >>>>> Hi Bret, >>>>> >>>>> You can use the IPA CA to sign service certificates. See >>>>> http://www.freeipa.org/page/Certmonger#Request_a_new_certificate. >>>>> >>>>> IPA-enrolled machines already have the IPA certificate in their >>>>> trust store. If the clients are IPA-enrolled, everything should >>>>> Just Work, otherwise you can distribute the IPA CA certificate to >>>>> clients via Puppet** or whatever means you prefer. >>>>> >>>>> ** you will have to work out how, because I do not know Puppet :) >>>>> >>>>> Cheers, >>>>> Fraser >>>>> >>>>>> >>>>>> >>>>>> On Jun 2, 2016, 5:31 PM -0400, Rob Crittenden, >>>>>> wrote: >>>>>>> Bret Wortman wrote: >>>>>>>> Is it possible to use our freeipa CA as a trusted CA to sign our >>>>>>>> internal SSL certificates? Our system runs on a private network >>>>>>>> and so >>>>>>>> using the usual trusted sources isn't an option. We've been using >>>>>>>> self-signed, but that adds some additional complications and we >>>>>>>> thought >>>>>>>> this might be a good solution. >>>>>>>> >>>>>>>> Is it possible, and, since most online guides defer to "submit >>>>>>>> the CSR >>>>>>>> to Verisign" or whomever, how would you go about producing one in >>>>>>>> this way? >>>>>>> >>>>>>> Not sure I understand the question. The IPA CA is also >>>>>>> self-signed. 
For >>>>>>> enrolled systems though at least the CA is pre-distributed so maybe >>>>>>> that >>>>>>> will help. >>>>>>> >>>>>>> rob >>>>>>> >>>>> >>>>>> -- >>>>>> Manage your subscription for the Freeipa-users mailing list: >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>> Go to http://freeipa.org for more info on the project >>>>> >>>> >>>> >>> >>> >>> >> > From peljasz at yahoo.co.uk Fri Jun 3 15:45:53 2016 From: peljasz at yahoo.co.uk (lejeczek) Date: Fri, 3 Jun 2016 16:45:53 +0100 Subject: [Freeipa-users] a bit off topic- samba + sssd => AD In-Reply-To: <20160603141120.GN25486@p.Speedport_W_724V_Typ_A_05011603_00_009> References: <20160603141120.GN25486@p.Speedport_W_724V_Typ_A_05011603_00_009> Message-ID: On 03/06/16 15:11, Sumit Bose wrote: > On Fri, Jun 03, 2016 at 02:39:00PM +0100, lejeczek wrote: >> hi users, >> >> I have a samba and sssd trying AD, it's 7.2 Linux. >> >> That linux box is via sssd and samba talking to AD DC and win10 clients get >> to samba shares, getent pass sees AD users, samba can get to DC's shares and >> win10's clients shares, all good except... >> >> smbclient @samba, in other words - to itself - fails >> >> session setup failed: NT_STATUS_LOGON_FAILURE >> >> and with smbclient -k >> >> gss_init_sec_context failed with [Unspecified GSS failure. Minor code may >> provide more information: Server cifs/swir.private.dom at PRIVATE.DOM not found >> in Kerberos database] > Which realm is PRIVATE.DOM? What does > > $ klist -k -t /etc/krb5.swir.ccnr.keytab > > return? 
$ klist -k -t /etc/krb5.swir.ccnr.keytab
Keytab name: FILE:/etc/krb5.swir.ccnr.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 01/01/70 01:00:00 host/swir.private.ccnr.dom@CCNR.DOM
   4 01/01/70 01:00:00 host/swir.private.ccnr.dom@CCNR.DOM
   4 01/01/70 01:00:00 host/swir.private.ccnr.dom@CCNR.DOM
   4 01/01/70 01:00:00 host/swir.private.ccnr.dom@CCNR.DOM
   4 01/01/70 01:00:00 host/swir.private.ccnr.dom@CCNR.DOM

and swir runs samba, but I'm trying to sssd together AD & IPA, I should have mentioned.
From DNS perspective it's AD = ccnr.dom and IPA = private.ccnr.dom, everything seems to resolve OK, both @AD and @IPA ends.

And my sssd.conf:
------------
ipa_hostname = swir.private.ccnr.dom
chpass_provider = ipa
ipa_server = swir.private.ccnr.dom
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
#krb5_keytab = /etc/krb5.private.ccnr.keytab

[domain/ccnr.dom]
ad_domain = ccnr.dom
krb5_realm = CCNR.DOM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
auth_provider = ad
krb5_keytab = /etc/krb5.swir.ccnr.keytab

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = private.ccnr.dom, ccnr.dom

[nss]
memcache_timeout = 600
homedir_substring = /home
--------------

AD DC (to which shares smbclient @swir can get to) shows:

C:\Users\Administrator.CCNR-WINSRV1>setspn -L swir
Registered ServicePrincipalNames for CN=SWIR,OU=private,DC=ccnr,DC=dom:
        cifs/swir.private.ccnr.dom@CCNR.DOM
        host/swir.private.ccnr.dom
        host/swir.private.ccnr.dom@CCNR.DOM
        HOST/SWIR

like I said, getent and id see both domains

If I
$ kinit me@CCNR.DOM
$ klist
Ticket cache: KEYRING:persistent:0:krb_ccache_xoHU5iW
Default principal: me@CCNR.DOM

Valid starting       Expires              Service principal
03/06/16 16:37:06  04/06/16 02:37:06  krbtgt/CCNR.DOM@CCNR.DOM

$ smbclient -L //$(hostname) -U me@CCNR.DOM -k
gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Server cifs/swir.private.ccnr.dom@PRIVATE.CCNR.DOM not found in Kerberos database]
SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
session setup failed: NT_STATUS_INTERNAL_ERROR

what I see in last one above is - cifs/swir.private.ccnr.dom@PRIVATE.CCNR.DOM
I've just realized, for some reason, and maybe a valid one, smbclient doesn't do - cifs/swir.private.ccnr.dom@CCNR.DOM which is in the keytabs.
but smbclient fails without -k which I understand should then use a password and should be sufficient to authenticate.

many thanks Sumit,
L.

> bye,
> Sumit
>
>> SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
>> Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
>> session setup failed: NT_STATUS_INTERNAL_ERROR
>>
>> here is a snippet from smb.conf which I thought has relevance, I set it up following samba sssd wiki.
>>
>> security = ads
>> realm = CCNR.DOM
>> workgroup = CCNR
>>
>> kerberos method = secrets and keytab
>> dedicated keytab file = /etc/krb5.swir.ccnr.keytab
>> client signing = auto
>> client use spnego = yes
>> encrypt passwords = yes
>> password server = ccnr-winsrv1.ccnr.dom
>> netbios name = SWIR
>>
>> template shell = /bin/bash
>> template homedir = /home/%D/%U
>>
>> preferred master = no
>> dns proxy = no
>> wins server = ccnr-winsrv1.ccnr.dom
>> wins proxy = no
>>
>> inherit acls = Yes
>> map acl inherit = Yes
>> acl group control = yes
>>
>> and in samba log:
>>
>> domain_client_validate: Domain password server not available.
>>
>> I've tried samba user list, dead silence.
>>
>> many thanks,
>>
>> L.
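The observation in the message above is the crux of the Kerberos half of this problem: with `-k`, smbclient asks the KDC for `cifs/swir.private.ccnr.dom@PRIVATE.CCNR.DOM`, because the host's DNS domain maps to the IPA realm, while the keytab holds only `host/` keys in `CCNR.DOM`. The script below is an added example (the editor's, not code from the thread, Samba or SSSD) that takes the `klist -k -t` and `setspn -L` output posted above as constructed sample input, derives the principal a client would request from an assumed `[domain_realm]` mapping, and reports which piece is missing. The mapping, the finding codes and the simplified realm-selection rule (longest matching suffix, otherwise the uppercased parent domain) are assumptions; a real krb5 client may also pick the realm through DNS-based referrals.

```python
"""Service-principal check for Kerberos-authenticated SMB (added example)."""
import re

# Constructed sample input: the klist -k -t output posted in the thread
# (the list archive renders "@" in principals as " at "; restored here).
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.swir.ccnr.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 01/01/70 01:00:00 host/swir.private.ccnr.dom@CCNR.DOM
   4 01/01/70 01:00:00 host/swir.private.ccnr.dom@CCNR.DOM
"""

# Constructed sample input: the setspn -L output posted in the thread.
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=SWIR,OU=private,DC=ccnr,DC=dom:
        cifs/swir.private.ccnr.dom@CCNR.DOM
        host/swir.private.ccnr.dom
        host/swir.private.ccnr.dom@CCNR.DOM
        HOST/SWIR
"""

# Assumed (hypothetical) [domain_realm] mapping: the IPA sub-domain to the IPA
# realm, the parent domain to the AD realm, as the thread describes the DNS layout.
DOMAIN_REALM = {".private.ccnr.dom": "PRIVATE.CCNR.DOM", ".ccnr.dom": "CCNR.DOM"}

# One data row of klist -k -t: "KVNO date time principal"
KEYTAB_ROW = re.compile(r"^\s*(?P<kvno>\d+)\s+\S+\s+\S+\s+(?P<principal>\S+@\S+)\s*$")

EXPLANATIONS = {
    "not_in_keytab": "the principal the client asks for has no key in the keytab, "
                     "so the service could not decrypt a ticket for it",
    "realm_mismatch": "the client derives a different realm for the host than the "
                      "realm the keytab keys belong to",
    "missing_service_key": "the keytab has no key for this service at all (only other "
                           "services such as host/)",
    "ad_spn_missing": "the AD computer account has no SPN for this service, so the AD "
                      "KDC will not issue a ticket for it",
}


def parse_keytab(text):
    """Principals listed by `klist -k -t` as (kvno, principal) tuples; header rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = KEYTAB_ROW.match(line)
        if m:
            rows.append((int(m["kvno"]), m["principal"]))
    return rows


def parse_setspn(text, default_realm):
    """SPNs listed by `setspn -L`, normalised to service/host@REALM.

    SPNs without a realm get the AD realm; names are lowercased for comparison
    because AD matches SPNs case-insensitively."""
    spns = set()
    for line in text.splitlines():
        line = line.strip()
        if "/" not in line:
            continue  # header or blank line
        name, _, realm = line.partition("@")
        spns.add(f"{name.lower()}@{(realm or default_realm).upper()}")
    return spns


def realm_for_host(host, mapping):
    """Realm a client derives for a host: the longest matching [domain_realm] suffix,
    otherwise the uppercased parent domain (a simplified model of the krb5 default)."""
    host = host.lower()
    matches = [d for d in mapping if host.endswith(d)]
    if matches:
        return mapping[max(matches, key=len)]
    return host.partition(".")[2].upper()


def requested_principal(service, host, mapping=DOMAIN_REALM):
    """The service principal a client will request for service/host."""
    return f"{service.lower()}/{host.lower()}@{realm_for_host(host, mapping)}"


def check_service_principal(service, host, keytab_text=KLIST_OUTPUT,
                            setspn_text=SETSPN_OUTPUT, ad_realm="CCNR.DOM",
                            mapping=DOMAIN_REALM):
    """Compare what the client asks for with what the keytab and the AD account provide."""
    wanted = requested_principal(service, host, mapping)
    keytab = {p for _, p in parse_keytab(keytab_text)}
    keytab_realms = {p.rsplit("@", 1)[1] for p in keytab}
    keytab_services = {p.split("/", 1)[0] for p in keytab}
    spns = parse_setspn(setspn_text, ad_realm)
    findings = []
    if wanted not in keytab:
        findings.append("not_in_keytab")
        if wanted.rsplit("@", 1)[1] not in keytab_realms:
            findings.append("realm_mismatch")
        if service.lower() not in keytab_services:
            findings.append("missing_service_key")
    if not any(s.startswith(f"{service.lower()}/{host.lower()}@") for s in spns):
        findings.append("ad_spn_missing")
    return {
        "requested": wanted,
        "keytab_realms": sorted(keytab_realms),
        "findings": findings,
        "explanations": [EXPLANATIONS[f] for f in findings],
    }


if __name__ == "__main__":
    result = check_service_principal("cifs", "swir.private.ccnr.dom")
    print("client requests:", result["requested"])
    for code, text in zip(result["findings"], result["explanations"]):
        print(f"  {code}: {text}")
```

The check generalises beyond the thread's case: passing a mapping in which the host falls under the AD realm leaves only the missing `cifs/` key as a finding, which separates the realm-selection problem from the keytab-content problem before anything is changed on the DC.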
From peljasz at yahoo.co.uk Fri Jun 3 15:49:45 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Fri, 3 Jun 2016 16:49:45 +0100
Subject: [Freeipa-users] a bit off topic- samba + sssd => AD
In-Reply-To: <20160603142223.g5evycofxwryrhpn@redhat.com>
References: <20160603142223.g5evycofxwryrhpn@redhat.com>
Message-ID: <8892cce3-b6ac-0a49-5274-4d081666b80f@yahoo.co.uk>

On 03/06/16 15:22, Alexander Bokovoy wrote:
> On Fri, 03 Jun 2016, lejeczek wrote:
>> hi users,
>>
>> I have a samba and sssd trying AD, it's 7.2 Linux.
>>
>> That linux box is via sssd and samba talking to AD DC and win10 clients get to samba shares, getent pass sees AD users, samba can get to DC's shares and win10's clients shares, all good except...
>>
>> smbclient @samba, in other words - to itself - fails
>>
>> session setup failed: NT_STATUS_LOGON_FAILURE
> Do you run winbindd? samba in RHEL 7.2 as of now has a regression that if you don't run winbindd, current code forbids establishing anonymous secure channel connections to AD DCs as part of Badlock fixes. The regression is fixed upstream and RHEL 7.2 packages are currently being tested by Red Hat QE team.
>
> If you start winbindd, this should not affect you -- if the machine is enrolled into Active Directory domain. However, the Kerberos error below makes me thinking you have some problems on AD side as well.

no winbind, I hope to completely rely on sssd.
I should have mentioned that I'm fiddling with my sssd so it engages two providers, AD and IPA - and it seems to work, like I tried to describe, only that samba smbclient to itself is not working.
thanks!

>
>>
>> and with smbclient -k
>>
>> gss_init_sec_context failed with [Unspecified GSS failure.
Minor code may provide more information: Server >> cifs/swir.private.dom at PRIVATE.DOM not found in Kerberos >> database] > The statement above says your KDC for PRIVATE.DOM does not > know anything > about cifs/swir.private.dom principal. Fix that problem > and Kerberos > authentication will be working. > >> >> SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: >> NT_STATUS_INTERNAL_ERROR >> Failed to setup SPNEGO negTokenInit request: >> NT_STATUS_INTERNAL_ERROR >> session setup failed: NT_STATUS_INTERNAL_ERROR >> >> here is a snippet from smb.conf which I thought has >> relevance, I set it up following samba sssd wiki. >> >> security = ads >> realm = CCNR.DOM >> workgroup = CCNR >> >> kerberos method = secrets and keytab >> dedicated keytab file = /etc/krb5.swir.ccnr.keytab >> client signing = auto >> client use spnego = yes >> encrypt passwords = yes >> password server = ccnr-winsrv1.ccnr.dom >> netbios name = SWIR >> >> template shell = /bin/bash >> template homedir = /home/%D/%U >> >> preferred master = no >> dns proxy = no >> wins server = ccnr-winsrv1.ccnr.dom >> wins proxy = no >> >> inherit acls = Yes >> map acl inherit = Yes >> acl group control = yes >> >> >> and in samba log: >> >> domain_client_validate: Domain password server not >> available. >> >> I've tried samba user list, dead silence. >> >> many thanks, >> >> L. 
>> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project > From abokovoy at redhat.com Fri Jun 3 16:00:52 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 3 Jun 2016 19:00:52 +0300 Subject: [Freeipa-users] a bit off topic- samba + sssd => AD In-Reply-To: <8892cce3-b6ac-0a49-5274-4d081666b80f@yahoo.co.uk> References: <20160603142223.g5evycofxwryrhpn@redhat.com> <8892cce3-b6ac-0a49-5274-4d081666b80f@yahoo.co.uk> Message-ID: <20160603160052.qsg434z2vsh2dy5r@redhat.com> On Fri, 03 Jun 2016, lejeczek wrote: > > >On 03/06/16 15:22, Alexander Bokovoy wrote: >>On Fri, 03 Jun 2016, lejeczek wrote: >>>hi users, >>> >>>I have a samba and sssd trying AD, it's 7.2 Linux. >>> >>>That linux box is via sssd and samba talking to AD DC and win10 >>>clients get to samba shares, getent pass sees AD users, samba can >>>get to DC's shares and win10's clients shares, all good except... >>> >>>smbclient @samba, in other words - to itself - fails >>> >>>session setup failed: NT_STATUS_LOGON_FAILURE >>Do you run winbindd? samba in RHEL 7.2 as of now has a regression >>that >>if you don't run winbindd, current code forbids establishing >>anonymous >>secure channel connections to AD DCs as part of Badlock fixes. The >>regression is fixed upstream and RHEL 7.2 packages are currently >>being >>tested by Red Hat QE team. >> >>If you start winbindd, this should not affect you -- if the machine >>is >>enrolled into Active Directory domain. However, the Kerberos error >>below >>makes me thinking you have some problems on AD side as well. >no winbind, I hope to completely relay on sssd. You cannot -- at least for now. Samba needs translation between SIDs and POSIX IDs. This translation cannot be done by SSSD alone right now because there is no separate mechanism to supply that translation into Samba from the system level. 
SSSD can be used as to imitate SID translation interface of winbindd by providing a libwbclient replacement but this would mean a lot of other functionality winbindd provides will be missing as SSSD does not implement it. Finally, you can run winbindd in parallel to SSSD. You just need to ensure they both have the same understanding how to map usernames and group names to POSIX ID and back. And you don't need to add winbindd to /etc/nsswitch.conf or PAM configuration. >I should mentioned that I'm fiddling with my sssd so it engages two >providers, AD and IPA - and it seems to work, like a I tried to >describe, only that samba smbclient to itself is not working. >thanks! SMB services with Kerberos require use of cifs/ service principal. Your keytab only has host/ keys, and your AD machine account for the does not have 'cifs/' SPN defined. The latter is what causes smbclient -k to fail -- AD DC doesn't know about 'cifs/' and refuses to issue a service ticket even before smbclient contacts Samba server. >>>and with smbclient -k >>> >>>gss_init_sec_context failed with [Unspecified GSS failure. Minor >>>code may provide more information: Server >>>cifs/swir.private.dom at PRIVATE.DOM not found in Kerberos database] >>The statement above says your KDC for PRIVATE.DOM does not know >>anything >>about cifs/swir.private.dom principal. Fix that problem and Kerberos >>authentication will be working. >> >>> >>>SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: >>>NT_STATUS_INTERNAL_ERROR >>>Failed to setup SPNEGO negTokenInit request: >>>NT_STATUS_INTERNAL_ERROR >>>session setup failed: NT_STATUS_INTERNAL_ERROR >>> >>>here is a snippet from smb.conf which I thought has relevance, I >>>set it up following samba sssd wiki. 
>>> >>> security = ads >>> realm = CCNR.DOM >>> workgroup = CCNR >>> >>> kerberos method = secrets and keytab >>> dedicated keytab file = /etc/krb5.swir.ccnr.keytab >>> client signing = auto >>> client use spnego = yes >>> encrypt passwords = yes >>> password server = ccnr-winsrv1.ccnr.dom >>> netbios name = SWIR >>> >>> template shell = /bin/bash >>> template homedir = /home/%D/%U >>> >>> preferred master = no >>> dns proxy = no >>> wins server = ccnr-winsrv1.ccnr.dom >>> wins proxy = no >>> >>> inherit acls = Yes >>> map acl inherit = Yes >>> acl group control = yes >>> >>> >>>and in samba log: >>> >>> domain_client_validate: Domain password server not available. >>> >>>I've tried samba user list, dead silence. >>> >>>many thanks, >>> >>>L. >>> >>>-- >>>Manage your subscription for the Freeipa-users mailing list: >>>https://www.redhat.com/mailman/listinfo/freeipa-users >>>Go to http://freeipa.org for more info on the project >> > -- / Alexander Bokovoy From bret.wortman at damascusgrp.com Fri Jun 3 16:00:54 2016 From: bret.wortman at damascusgrp.com (Bret Wortman) Date: Fri, 3 Jun 2016 12:00:54 -0400 Subject: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates In-Reply-To: <57519BF7.9060301@redhat.com> References: <5750416E.3070408@damascusgrp.com> <5750A599.6020305@redhat.com> <09f4573d-d950-4947-bf06-f6168eabc4ad@Spark> <20160602222419.GH4744@dhcp-40-8.bne.redhat.com> <57516BD5.2040700@damascusgrp.com> <57518AAD.4050304@redhat.com> <57519BF7.9060301@redhat.com> Message-ID: <168cf282-1df9-b8e4-7db5-788c80bc98e6@damascusgrp.com> On 06/03/2016 11:02 AM, Rob Crittenden wrote: > Bret Wortman wrote: >> I'm not sure I'd call what we have "success" just yet. ;-) >> >> You're right -- F21, IPA 4.1.4-1. I'll try the steps you outlined and >> see how we go. >> >> Rob, would you have just used the existing "localhost.key" instead of >> generating a new one? > > No, I think you did the right thing, the default keysize was probably > still 1024 in F21. 
I double-checked the getcert-request man page and > it looks like it will use an existing key if one exists in the key > file passed in so I was wrong about that bit. You just didn't need to > use req to generate a CSR as certmonger will do that for you. > Good to know. I tried the update-ca-trust on both the yum server and on my workstation but nothing changed even after an httpd restart. I did take a peek inside /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt and didn't see my /etc/ipa/ca.crt in there (which may not be a problem, but I confess I'm not sure what should be where at this point). Bret > rob > >> >> >> On 06/03/2016 09:48 AM, Rob Crittenden wrote: >>> Bret Wortman wrote: >>>> So for our internal yum server, I created a new key and cert >>>> request (it >>>> had a localhost key and cert but I wanted to start clean): >>>> >>>> # openssl genrsa 2048 > /etc/pki/tls/private/server.key >>>> # openssl req -new -x509 -nodes -sha1 -days 365 -key >>>> /etc/pki/tls/private/server.key > /etc/pki/tls/certs/server.crt >>>> # ipa-getcert request -f /etc/pki/tls/certs/server.crt -k >>>> /etc/pki/tls/private/server.key -r >>> >>> I try not to argue with success but I'd be curious what is actually >>> going on here. You generate a CSR and call it a certificate. It is >>> probably the case that certmonger is ignoring it altogether and >>> generating its own CSR. >>> >>>> ipa-getcert list shows it approved. I set up SSL in apache to use the >>>> above .key and .crt, but when I try to run yum against this using ssl: >>>> >>>> # yum search ffmpeg >>>> Loaded plugins: langpacks >>>> https://yum.private.net/fedora/releases/21/Everything/x86_64/os/repodata/repomd.xml: >>>> >>>> >>>> [Errno 14] curl#60 - "Peer's certificate issuer has been marked as >>>> not trusted by the user." >>>> : >>>> >>>> Is there a step I need to take on the clients so they'll accept this >>>> cert as trusted? I thought having it be signed by the IPA CA would >>>> have >>>> taken care of that. 
>>>> >>>> # ls -l /etc/ipa/ca.crt >>>> -rw-r--r-- 1 root root 2546 Apr 28 2014 /etc/ipa/ca.crt >>>> # >>> >>> Pretty much only IPA tools know to use this file. >>> >>> My knowledge is a bit stale on adding the IPA CA to the global trust >>> but I'm pretty sure it is done automatically now and I think it was in >>> the 4.2 timeframe. I'm assuming this is Fedora 21 so it doesn't have >>> this code. >>> >>> Look at this, >>> https://fedoraproject.org/wiki/Features/SharedSystemCertificates >>> >>> The idea is to add the IPA CA to that and then all tools using SSL >>> would "just work". >>> >>> Something like: >>> >>> # cp /etc/ipa/ca.crt /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem >>> # update-ca-trust >>> >>> You'd need to remember to manually undo this if you ever redo your IPA >>> install (and get a new CA): >>> >>> # rm /etc/ipa/ca.crt /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem >>> # update-ca-trust >>> >>> Like I said, I'm pretty sure this is all automatic in some more recent >>> versions of IPA. >>> >>> rob >>> >>>> >>>> --- >>>> Bret >>>> >>>> On 06/02/2016 07:25 PM, bret.wortman at damascusgrp.com wrote: >>>>> Cool. I'll give this a go in the morning. >>>>> >>>>> Bret Wortman >>>>> http://wrapbuddies.co/ >>>>> >>>>> On Jun 2, 2016, 6:24 PM -0400, Fraser Tweedale , >>>>> wrote: >>>>>> On Thu, Jun 02, 2016 at 05:35:01PM -0400, >>>>>> bret.wortman at damascusgrp.com wrote: >>>>>>> Sorry, let me back up a step. We need to implement hype >>>>>>> everywhere. All our web services. And clients need to get >>>>>>> keys&certs automatically whether through IPA or Puppet. These >>>>>>> systems use IPA for everything but authentication (to keep most >>>>>>> users off). I'm trying to wuss out the easiest way to make this >>>>>>> happen smoothly. >>>>>>> >>>>>> Hi Bret, >>>>>> >>>>>> You can use the IPA CA to sign service certificates. See >>>>>> http://www.freeipa.org/page/Certmonger#Request_a_new_certificate. 
>>>>>>
>>>>>> IPA-enrolled machines already have the IPA certificate in their
>>>>>> trust store. If the clients are IPA-enrolled, everything should
>>>>>> Just Work, otherwise you can distribute the IPA CA certificate to
>>>>>> clients via Puppet** or whatever means you prefer.
>>>>>>
>>>>>> ** you will have to work out how, because I do not know Puppet :)
>>>>>>
>>>>>> Cheers,
>>>>>> Fraser
>>>>>>
>>>>>>>
>>>>>>> On Jun 2, 2016, 5:31 PM -0400, Rob Crittenden, wrote:
>>>>>>>> Bret Wortman wrote:
>>>>>>>>> Is it possible to use our freeipa CA as a trusted CA to sign our
>>>>>>>>> internal SSL certificates? Our system runs on a private network
>>>>>>>>> and so using the usual trusted sources isn't an option. We've
>>>>>>>>> been using self-signed, but that adds some additional
>>>>>>>>> complications and we thought this might be a good solution.
>>>>>>>>>
>>>>>>>>> Is it possible, and, since most online guides defer to "submit
>>>>>>>>> the CSR to Verisign" or whomever, how would you go about
>>>>>>>>> producing one in this way?
>>>>>>>>
>>>>>>>> Not sure I understand the question. The IPA CA is also
>>>>>>>> self-signed. For enrolled systems though at least the CA is
>>>>>>>> pre-distributed so maybe that will help.
>>>>>>>>
>>>>>>>> rob
>>>>>>>>
>>>>>>> --
>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>> Go to http://freeipa.org for more info on the project

From rcritten at redhat.com Fri Jun 3 17:04:15 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 3 Jun 2016 13:04:15 -0400
Subject: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates
In-Reply-To: <168cf282-1df9-b8e4-7db5-788c80bc98e6@damascusgrp.com>
References: <5750416E.3070408@damascusgrp.com> <5750A599.6020305@redhat.com> <09f4573d-d950-4947-bf06-f6168eabc4ad@Spark> <20160602222419.GH4744@dhcp-40-8.bne.redhat.com> <57516BD5.2040700@damascusgrp.com> <57518AAD.4050304@redhat.com> <57519BF7.9060301@redhat.com> <168cf282-1df9-b8e4-7db5-788c80bc98e6@damascusgrp.com>
Message-ID: <5751B88F.1080105@redhat.com>

Bret Wortman wrote:
>
> On 06/03/2016 11:02 AM, Rob Crittenden wrote:
>> Bret Wortman wrote:
>>> I'm not sure I'd call what we have "success" just yet. ;-)
>>>
>>> You're right -- F21, IPA 4.1.4-1. I'll try the steps you outlined and
>>> see how we go.
>>>
>>> Rob, would you have just used the existing "localhost.key" instead of
>>> generating a new one?
>>
>> No, I think you did the right thing, the default keysize was probably
>> still 1024 in F21. I double-checked the getcert-request man page and
>> it looks like it will use an existing key if one exists in the key
>> file passed in so I was wrong about that bit. You just didn't need to
>> use req to generate a CSR as certmonger will do that for you.
>>
> Good to know.
>
> I tried the update-ca-trust on both the yum server and on my workstation
> but nothing changed even after an httpd restart.
> I did take a peek
> inside /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt and
> didn't see my /etc/ipa/ca.crt in there (which may not be a problem, but
> I confess I'm not sure what should be where at this point).

You'd only need to do this on the machine acting as a client.

I'm pretty sure yum uses /etc/pki/nssdb. Is the IPA CA in there and trusted?

$ certutil -L -d /etc/pki/nssdb

rob

>
> Bret
>
>> rob
From rcritten at redhat.com Fri Jun 3 17:09:10 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 3 Jun 2016 13:09:10 -0400
Subject: [Freeipa-users] Unable to access to web ui
In-Reply-To:
References: <025e4e9e-c387-697a-0cae-94c957d3187e@redhat.com> <576cb80c-a91b-f6e4-f534-ce659afe1df6@redhat.com> <92dac203-1494-463b-de50-16d3e15ea3de@redhat.com> <5751865B.8010808@redhat.com>
Message-ID: <5751B9B6.3000200@redhat.com>

seli irithyl wrote:
> Yes, you're right, I was also surprised by the subject of the error.
> I made changes in the /etc/httpd/conf.d/nss.conf file.
> I changed
> Listen 443 to Listen 8443
> and
> to
> as it was in the /etc/httpd/conf.d/nss.conf file before the update.

You have to change it back. mod_nss must listen on 443.

rob

>
> On Fri, Jun 3, 2016 at 3:30 PM, Rob Crittenden wrote:
>
>> seli irithyl wrote:
>>
>>> # getcert list
>>> returns 9 request ID. All 9 are in status "MONITORING" and
>>> expire after 2017.
>>> So no expired certificate.
>>>
>>> Number of certificates and requests being tracked: 9.
>>>
>>> [snip]
>>>
>>> Request ID '20150313092456':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>         CA: IPA
>>>         issuer: CN=Certificate Authority,O=BIOINF.LOCAL
>>>         subject: CN=lead.bioinf.local,O=BIOINF.LOCAL
>>>         expires: 2017-03-13 09:24:56 UTC
>>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>         track: yes
>>>         auto-renew: yes
>>>
>>> [ more snip ]
>>>
>>> Unfortunately when trying to run any ipa command:
>>>
>>> [root at lead ~]# ipa service-find lead.bioinf.local
>>> ipa: ERROR: cert validation failed for
>>> "E=root at lead.bioinf.local,CN=lead.bioinf.local,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--"
>>> ((SEC_ERROR_CA_CERT_INVALID) Issuer certificate is invalid.)
>>> ipa: ERROR: cannot connect to 'https://lead.bioinf.local/ipa/json':
>>> (SEC_ERROR_CA_CERT_INVALID) Issuer certificate is invalid.
>>
>> Note that the subject of the certmonger-tracked certificate is
>> different from the subject reported in the error. This looks like a
>> default mod_ssl-generated certificate to me. Did you tweak your
>> Apache config?
>>
>> rob
>>

From bret.wortman at damascusgrp.com Fri Jun 3 18:41:08 2016
From: bret.wortman at damascusgrp.com (bret.wortman at damascusgrp.com)
Date: Fri, 3 Jun 2016 14:41:08 -0400
Subject: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates
In-Reply-To: <5751B88F.1080105@redhat.com>
References: <5750416E.3070408@damascusgrp.com> <5750A599.6020305@redhat.com> <09f4573d-d950-4947-bf06-f6168eabc4ad@Spark> <20160602222419.GH4744@dhcp-40-8.bne.redhat.com> <57516BD5.2040700@damascusgrp.com> <57518AAD.4050304@redhat.com> <57519BF7.9060301@redhat.com> <168cf282-1df9-b8e4-7db5-788c80bc98e6@damascusgrp.com> <5751B88F.1080105@redhat.com>
Message-ID: <2e7c0d4d-dd07-4fd9-a8fd-afa1b78384fb@Spark>

I'll check and report back Tuesday.

Bret Wortman
http://wrapbuddies.co/

On Jun 3, 2016, 1:04 PM -0400, Rob Crittenden, wrote:
> Bret Wortman wrote:
> >
> > On 06/03/2016 11:02 AM, Rob Crittenden wrote:
> > > Bret Wortman wrote:
> > > > I'm not sure I'd call what we have "success" just yet. ;-)
> > > >
> > > > You're right -- F21, IPA 4.1.4-1. I'll try the steps you outlined and
> > > > see how we go.
> > > >
> > > > Rob, would you have just used the existing "localhost.key" instead of
> > > > generating a new one?
> > >
> > > No, I think you did the right thing, the default keysize was probably
> > > still 1024 in F21. I double-checked the getcert-request man page and
> > > it looks like it will use an existing key if one exists in the key
> > > file passed in so I was wrong about that bit. You just didn't need to
> > > use req to generate a CSR as certmonger will do that for you.
> > >
> > Good to know.
> >
> > I tried the update-ca-trust on both the yum server and on my workstation
> > but nothing changed even after an httpd restart.
> > I did take a peek
> > inside /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt and
> > didn't see my /etc/ipa/ca.crt in there (which may not be a problem, but
> > I confess I'm not sure what should be where at this point).
>
> You'd only need to do this on the machine acting as a client.
>
> I'm pretty sure yum uses /etc/pki/nssdb. Is the IPA CA in there and trusted?
>
> $ certutil -L -d /etc/pki/nssdb
>
> rob
>
> >
> > Bret
> >
> > > rob
From Dan.Finkelstein at high5games.com Fri Jun 3 20:14:35 2016
From: Dan.Finkelstein at high5games.com (Dan.Finkelstein at high5games.com)
Date: Fri, 3 Jun 2016 20:14:35 +0000
Subject: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master
In-Reply-To:
References: <5e9b561a-c399-a5fb-b59f-d2ccbbd6791e@dlr.de> <0405D135-74A7-4E5C-AF85-41224767BADC@high5games.com> <5750A53F.2040908@redhat.com>
Message-ID:

A further update: when I try to install the CA component, it erroneously says that the CA is installed:

[root at ipa ~]# ipa-ca-install --skip-conncheck --debug
ipa : DEBUG /sbin/ipa-ca-install was invoked with options: {'external_cert_files': None, 'skip_schema_check': False, 'external_ca_type': None, 'unattended': False, 'no_host_dns': False, 'ca_signing_algorithm': None, 'debug': True, 'external_ca': False, 'skip_conncheck': True}
ipa : DEBUG IPA version 4.2.0-15.0.1.el7.centos.6.1
ipa : DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipa : DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa : DEBUG importing all plugin modules in ipalib.plugins...
Directory Manager (existing master) password:
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection context.ldap2_59800272
ipa.ipalib.plugins.config.config_show: DEBUG raw: config_show(version=u'2.156')
ipa.ipalib.plugins.config.config_show: DEBUG config_show(rights=False, all=False, raw=False, version=u'2.156')
ipa.ipapython.ipaldap.SchemaCache: DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket conn=
ipa.ipalib.plugins.cert.ca_is_enabled: DEBUG raw: ca_is_enabled(version=u'2.156')
ipa.ipalib.plugins.cert.ca_is_enabled: DEBUG ca_is_enabled(version=u'2.156')
ipa : DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 732, in run_script
    return_value = main_function()
  File "/sbin/ipa-ca-install", line 204, in main
    install_master(safe_options, options)
  File "/sbin/ipa-ca-install", line 191, in install_master
    ca.install_check(True, None, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 49, in install_check
    sys.exit("CA is already installed.\n")
ipa : DEBUG The ipa-ca-install command failed, exception: SystemExit: CA is already installed.
CA is already installed.

Yet:

[root at ipa ~]# ipa-csreplica-manage list
Directory Manager password:
ipa.example.com: CA not configured

Daniel Alex Finkelstein | Senior Dev Ops Engineer
Dan.Finkelstein at h5g.com | 212.604.3447
From: on behalf of Daniel Finkelstein
Date: Thursday, June 2, 2016 at 17:42
To: "freeipa-users at redhat.com"
Subject: Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

Hi Rob,

There are a few logs in there, I'm not sure which is most informative. Here are some sections from what I think are relevant logs:

/var/log/pki/pki-tomcat/localhost.log:

Jun 01, 2016 12:16:34 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [Resteasy] in context with path [/ca] threw exception
org.jboss.resteasy.spi.UnhandledException: org.jboss.resteasy.core.NoMessageBodyWriterFoundFailure: Could not find MessageBodyWriter for response object of type: com.netscape.certsrv.base.PKIException$Data of media type: application/x-www-form-urlencoded
javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:610) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745) Caused by: 
org.jboss.resteasy.core.NoMessageBodyWriterFoundFailure: Could not find MessageBodyWriter for response object of type: com.netscape.certsrv.base.PKIException$Data of media type: application/x-www-form-urlencoded at org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:67) at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:153) ... 52 more /var/log/pki/pki-tomcat/catalina.out: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property. WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching property. 
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property.

/var/log/pki/pki-tomcat/ca/system:

0.localhost-startStop-1 - [01/Jun/2016:12:15:12 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
0.localhost-startStop-1 - [01/Jun/2016:12:15:12 EDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
0.http-bio-8443-exec-3 - [01/Jun/2016:12:15:55 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
0.Thread-14 - [01/Jun/2016:12:16:17 EDT] [8] [3] Publishing: Could not publish certificate serial number 0x7. Error Failed to publish using rule: No rules enabled
0.Thread-13 - [01/Jun/2016:12:16:45 EDT] [8] [3] Publishing: Could not publish certificate serial number 0x8. Error Failed to publish using rule: No rules enabled
0.Thread-13 - [01/Jun/2016:12:20:22 EDT] [8] [3] Publishing: Could not publish certificate serial number 0x9. Error Failed to publish using rule: No rules enabled
0.Thread-14 - [01/Jun/2016:12:20:23 EDT] [8] [3] Publishing: Could not publish certificate serial number 0xa. Error Failed to publish using rule: No rules enabled
0.profileChangeMonitor - [01/Jun/2016:12:20:28 EDT] [8] [3] In Ldap (bound) connection pool to host ipa.example.com port 636, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
(repeats)
0.RetrieveModificationsTask - [01/Jun/2016:12:21:33 EDT] [8] [3] In Ldap (bound) connection pool to host ipa.h5c.local port 636, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
0.RetrieveModificationsTask - [01/Jun/2016:12:21:33 EDT] [5] [3] Failed to get a connection to the LDAP server. Error Could not connect to LDAP server host ipa.example.com port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
0.profileChangeMonitor - [01/Jun/2016:12:21:33 EDT] [8] [3] In Ldap (bound) connection pool to host ipa.example.com port 636, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)

Thanks,
Dan

Daniel Alex Finkelstein | Senior Dev Ops Engineer
Dan.Finkelstein at h5g.com | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com

This message and any attachments may contain confidential or privileged information and are only for the use of the intended recipient of this message. If you are not the intended recipient, please notify the sender by return email, and delete or destroy this and all copies of this message and all attachments. Any unauthorized disclosure, use, distribution, or reproduction of this message or any attachments is prohibited and may be unlawful.

From: Rob Crittenden
Date: Thursday, June 2, 2016 at 17:29
To: Daniel Finkestein, "freeipa-users at redhat.com"
Subject: Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

Dan.Finkelstein at high5games.com wrote:

Hi Sebastian,

Unfortunately, that doesn't seem to be it and reinstalling the replica with --setup-ca failed again with the same errors.
I've included relevant sections of the logs.

/var/log/ipareplica-install.log:

2016-06-02T10:43:16Z DEBUG Starting external process
2016-06-02T10:43:16Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpl8RqSM'
2016-06-02T10:43:16Z DEBUG Process finished, return code=1
2016-06-02T10:43:16Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160602064316.log
Loading deployment configuration from /tmp/tmpl8RqSM.
2016-06-02T10:43:16Z DEBUG stderr=Traceback (most recent call last):
  File "/usr/sbin/pkispawn", line 717, in <module>
    main(sys.argv)
  File "/usr/sbin/pkispawn", line 523, in main
    parser.compose_pki_master_dictionary()
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py", line 573, in compose_pki_master_dictionary
    instance.load()
  File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 454, in load
    subsystem.load()
  File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 118, in load
    lines = open(self.cs_conf).read().splitlines()
IOError: [Errno 2] No such file or directory: '/var/lib/pki/pki-tomcat/ca/conf/CS.cfg'
2016-06-02T10:43:16Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpl8RqSM'' returned non-zero exit status 1
2016-06-02T10:43:16Z CRITICAL See the installation logs and the following files/directories for more information:
2016-06-02T10:43:16Z CRITICAL /var/log/pki-ca-install.log
2016-06-02T10:43:16Z CRITICAL /var/log/pki/pki-tomcat
2016-06-02T10:43:16Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.
2016-06-02T10:43:16Z DEBUG [error] RuntimeError: CA configuration failed.
2016-06-02T10:43:16Z DEBUG
  File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 281, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 303, in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 524, in _configure
    executor.next()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 879, in main
    install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 295, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 584, in install
    ca.install(False, config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 106, in install
    install_step_0(standalone, replica_config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 130, in install_step_0
    ra_p12=getattr(options, 'ra_p12', None))
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1543, in install_replica_ca
    subject_base=config.subject_base)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 486, in configure_instance
    self.start_creation(runtime=210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
2016-06-02T10:43:16Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: CA configuration failed.
2016-06-02T10:43:16Z ERROR CA configuration failed.

Of note, there is no /var/log/pki-ca-install.log file nor (as the error above shows) is there /var/lib/pki/pki-tomcat/ca/conf/CS.cfg.

Best regards,
Dan

From: Sebastian Schäfer
Date: Thursday, June 2, 2016 at 02:59
To: "freeipa-users at redhat.com", Daniel Finkestein
Subject: Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

Hi Dan,

I had a similar problem when updating my FreeIPA. In my case it turned out that the certificates that get bundled with the replica preparation file were expired.
This is due to the /root/cacert.p12 file not being updated during the preparation process until FreeIPA 3.2.2. The file can be recreated with the commands from step 2 of http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

If that does not solve the problem, it would be good to see (part of) the actual logfiles of your replica installation attempt.

Best regards
--
Sebastian Schäfer, M. A.
-------------------------------
Deutsches Zentrum für Luft- und Raumfahrt e.V. (DLR)
Institute of Space Operations and Astronaut Training
Microgravity User Support Center (MUSC)
Linder Höhe | 51147 Köln
Telefon 02203 601-30 01 | Telefax: 02203 61471 | sebastian.schaefer at dlr.de
www.DLR.de

On 06/01/2016 06:45 PM, Dan.Finkelstein at high5games.com wrote:

Hi folks,

As the subject suggests, we're converting from FreeIPA 3.0.0 on CentOS 6 to 4.2.0 on CentOS 7. The way we're doing it is to create FreeIPA replicas in CentOS 7 and then hope to promote one of them to the CA master. I'm running into two problems:

The first is that when we create a replica in FreeIPA 4.2.0 with the --setup-ca option, that portion fails. Here's a snippet of the output:

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/23]: creating certificate server user
  [2/23]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpqPeYOW'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

You need to find the CA logs. All IPA gets is "the install failed" and no details why. Look in /var/log/pki/pki-tomcat for the relevant logs.

rob

From jpazdziora at redhat.com Fri Jun 3 20:42:59 2016
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Fri, 3 Jun 2016 22:42:59 +0200
Subject: [Freeipa-users] how to setup apache reverse https proxy for freeipa web UI
In-Reply-To:
References:
Message-ID: <20160603204259.GF17518@redhat.com>

On Thu, Jun 02, 2016 at 03:00:36PM +0200, Karl Forner wrote:
>
> My problem is:
> I have an ipa.example.com server on the internal network, with
> self-signed certificates.
> I'd like to be able to connect to the UI from the internet, using
> https with other certificates (e.g. let's encrypt certificates).
>
> So I tried to setup an SNI apache reverse proxy, but I could not make it work.
> I saw this blog
> [https://www.adelton.com/freeipa/freeipa-behind-ssl-proxy] but I can
> not use the same FQDN name for the LAN and the WAN.
>
> I tried many many things, I could have the login form, but never could
> connect. What is the correct way of doing this?

If the hostname of the proxy and the FreeIPA server differ, you will likely need some additional configuration on the proxy, to make sure cookies produced by the FreeIPA server are used by the browser for the subsequent HTTP requests, and also to make the Referer header match FreeIPA's expectations.
Something like

    ProxyPassReverseCookieDomain ipa.example.com ipa.public.company.com
    RequestHeader edit Referer ^https://ipa\.public\.company\.com/ https://ipa.example.com/

Note that you will not be able to use SSO (Kerberos) authentication for the accesses via the ipa.public.company.com proxy but I assume that's not needed.

Hope this helps. I will likely do another writeup about this setup.

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From rcritten at redhat.com Fri Jun 3 21:21:17 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 3 Jun 2016 17:21:17 -0400
Subject: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master
In-Reply-To:
References: <5e9b561a-c399-a5fb-b59f-d2ccbbd6791e@dlr.de> <0405D135-74A7-4E5C-AF85-41224767BADC@high5games.com> <5750A53F.2040908@redhat.com>
Message-ID: <5751F4CD.5040307@redhat.com>

Dan.Finkelstein at high5games.com wrote:
> A further update: when I try to install the CA component, it erroneously
> says that the CA is installed:
>
> [root at ipa ~]# ipa-ca-install --skip-conncheck --debug
> [ snip ]
> ipa : DEBUG The ipa-ca-install command failed, exception:
> SystemExit: CA is already installed.
>
> CA is already installed.
> Try: # pkidestroy -i pki-tomcat -s CA
>
> Yet:
>
> [root at ipa ~]# ipa-csreplica-manage list
> Directory Manager password:
> ipa.example.com: CA not configured

Two different methods are used to determine whether a CA is installed. I'll open a ticket to look into that.
rob

> Daniel Alex Finkelstein | Senior Dev Ops Engineer
> Dan.Finkelstein at h5g.com | 212.604.3447
> One World Trade Center, New York, NY 10007
> www.high5games.com
>
> From: on behalf of Daniel Finkestein
> Date: Thursday, June 2, 2016 at 17:42
> To: "freeipa-users at redhat.com"
> Subject: Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master
>
> Hi Rob,
>
> There are a few logs in there, I'm not sure which is most informative.
> Here are some sections from what I think are relevant logs: > > /var/log/pki/pki-tomcat/localhost.log: > > Jun 01, 2016 12:16:34 PM org.apache.catalina.core.StandardWrapperValve > invoke > > SEVERE: Servlet.service() for servlet [Resteasy] in context with path > [/ca] threw exception > > org.jboss.resteasy.spi.UnhandledException: > org.jboss.resteasy.core.NoMessageBodyWriterFoundFailure: Could not find > MessageBodyWriter for response object of type: > com.netscape.certsrv.base.PKIException$Data of media type: > application/x-www-form-urlencoded > > at > org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:157) > > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372) > > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) > > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) > > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > > at javax.servlet.http.HttpServlet.service(HttpServlet.java:727) > > at sun.reflect.GeneratedMethodAccessor41.invoke(Unknown Source) > > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > > at java.lang.reflect.Method.invoke(Method.java:498) > > at > org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) > > at > org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) > > at java.security.AccessController.doPrivileged(Native Method) > > at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) > > at > org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) > > at > org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169) > > at > 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
>     at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
>     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
>     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>     at sun.reflect.GeneratedMethodAccessor40.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
>     at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
>     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
>     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:610)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
>     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
> ...skipping...
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
>     at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
>     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
>     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>     at sun.reflect.GeneratedMethodAccessor40.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
>     at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
>     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
>     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:610)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
>     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: org.jboss.resteasy.core.NoMessageBodyWriterFoundFailure: Could not find MessageBodyWriter for response object of type: com.netscape.certsrv.base.PKIException$Data of media type: application/x-www-form-urlencoded
>     at org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:67)
>     at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:153)
>     ... 52 more
>
> /var/log/pki/pki-tomcat/catalina.out:
>
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property.
>
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching property.
>
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property.
>
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property.
>
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property.
>
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256' did not find a matching property.
>
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property.
>
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property.
>
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property.
>
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
>
> WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
>
> WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property.
>
> /var/log/pki/pki-tomcat/ca/system:
>
> 0.localhost-startStop-1 - [01/Jun/2016:12:15:12 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
>
> 0.localhost-startStop-1 - [01/Jun/2016:12:15:12 EDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
>
> 0.http-bio-8443-exec-3 - [01/Jun/2016:12:15:55 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
>
> 0.Thread-14 - [01/Jun/2016:12:16:17 EDT] [8] [3] Publishing: Could not publish certificate serial number 0x7. Error Failed to publish using rule: No rules enabled
>
> 0.Thread-13 - [01/Jun/2016:12:16:45 EDT] [8] [3] Publishing: Could not publish certificate serial number 0x8. Error Failed to publish using rule: No rules enabled
>
> 0.Thread-13 - [01/Jun/2016:12:20:22 EDT] [8] [3] Publishing: Could not publish certificate serial number 0x9. Error Failed to publish using rule: No rules enabled
>
> 0.Thread-14 - [01/Jun/2016:12:20:23 EDT] [8] [3] Publishing: Could not publish certificate serial number 0xa. Error Failed to publish using rule: No rules enabled
>
> 0.profileChangeMonitor - [01/Jun/2016:12:20:28 EDT] [8] [3] In Ldap (bound) connection pool to host ipa.example.com port 636, Cannot connect to LDAP server.
> Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
>
> (repeats)
>
> 0.RetrieveModificationsTask - [01/Jun/2016:12:21:33 EDT] [8] [3] In Ldap (bound) connection pool to host ipa.h5c.local port 636, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
>
> 0.RetrieveModificationsTask - [01/Jun/2016:12:21:33 EDT] [5] [3] Failed to get a connection to the LDAP server. Error Could not connect to LDAP server host ipa.example.com port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
>
> 0.profileChangeMonitor - [01/Jun/2016:12:21:33 EDT] [8] [3] In Ldap (bound) connection pool to host ipa.example.com port 636, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
>
> Thanks,
> Dan
>
> Daniel Alex Finkelstein | Senior Dev Ops Engineer
> Dan.Finkelstein at h5g.com | 212.604.3447
> One World Trade Center, New York, NY 10007
> www.high5games.com
> Play High 5 Casino and Shake the Sky
> Follow us on: Facebook, Twitter, YouTube, Linkedin
>
> This message and any attachments may contain confidential or privileged information and are only for the use of the intended recipient of this message. If you are not the intended recipient, please notify the sender by return email, and delete or destroy this and all copies of this message and all attachments. Any unauthorized disclosure, use, distribution, or reproduction of this message or any attachments is prohibited and may be unlawful.
>
> From: Rob Crittenden
> Date: Thursday, June 2, 2016 at 17:29
> To: Daniel Finkestein, "freeipa-users at redhat.com"
> Subject: Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master
>
> Dan.Finkelstein at high5games.com wrote:
> > Hi Sebastian,
> > Unfortunately, that doesn't seem to be it and reinstalling the replica with --setup-ca failed again with the same errors. I've included relevant sections of the logs.
> >
> > /var/log/ipareplica-install.log:
> > 016-06-02T10:43:16Z DEBUG Starting external process
> > 2016-06-02T10:43:16Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpl8RqSM'
> > 2016-06-02T10:43:16Z DEBUG Process finished, return code=1
> > 2016-06-02T10:43:16Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160602064316.log
> > Loading deployment configuration from /tmp/tmpl8RqSM.
> > 2016-06-02T10:43:16Z DEBUG stderr=Traceback (most recent call last):
> >   File "/usr/sbin/pkispawn", line 717, in
> >     main(sys.argv)
> >   File "/usr/sbin/pkispawn", line 523, in main
> >     parser.compose_pki_master_dictionary()
> >   File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py", line 573, in compose_pki_master_dictionary
> >     instance.load()
> >   File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 454, in load
> >     subsystem.load()
> >   File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 118, in load
> >     lines = open(self.cs_conf).read().splitlines()
> > IOError: [Errno 2] No such file or directory: '/var/lib/pki/pki-tomcat/ca/conf/CS.cfg'
> > 2016-06-02T10:43:16Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpl8RqSM'' returned non-zero exit status 1
> > 2016-06-02T10:43:16Z CRITICAL See the installation logs and the following files/directories for more information:
> > 2016-06-02T10:43:16Z CRITICAL /var/log/pki-ca-install.log
> > 2016-06-02T10:43:16Z CRITICAL /var/log/pki/pki-tomcat
> > 2016-06-02T10:43:16Z DEBUG Traceback (most recent call last):
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
> >     run_step(full_msg, method)
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
> >     method()
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance
> >     DogtagInstance.spawn_instance(self, cfg_file)
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
> >     self.handle_setup_error(e)
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
> >     raise RuntimeError("%s configuration failed." % self.subsystem)
> > RuntimeError: CA configuration failed.
> > 2016-06-02T10:43:16Z DEBUG [error] RuntimeError: CA configuration failed.
> > 2016-06-02T10:43:16Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
> >     return_value = self.run()
> >   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, in run
> >     cfgr.run()
> >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 281, in run
> >     self.execute()
> >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 303, in execute
> >     for nothing in self._executor():
> >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
> >     self._handle_exception(exc_info)
> >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
> >     util.raise_exc_info(exc_info)
> >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
> >     step()
> >   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
> >     raise_exc_info(exc_info)
> >   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
> >     value = gen.send(prev_value)
> >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 524, in _configure
> >     executor.next()
> >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
> >     self._handle_exception(exc_info)
> >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in _handle_exception
> >     self.__parent._handle_exception(exc_info)
> >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
> >     util.raise_exc_info(exc_info)
> >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in _handle_exception
> >     super(ComponentBase, self)._handle_exception(exc_info)
> >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
> >     util.raise_exc_info(exc_info)
> >   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
> >     step()
> >   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
> >     raise_exc_info(exc_info)
> >   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
> >     value = gen.send(prev_value)
> >   File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
> >     for nothing in self._installer(self.parent):
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 879, in main
> >     install(self)
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 295, in decorated
> >     func(installer)
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 584, in install
> >     ca.install(False, config, options)
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 106, in install
> >     install_step_0(standalone, replica_config, options)
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 130, in install_step_0
> >     ra_p12=getattr(options, 'ra_p12', None))
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1543, in install_replica_ca
> >     subject_base=config.subject_base)
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 486, in configure_instance
> >     self.start_creation(runtime=210)
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
> >     run_step(full_msg, method)
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
> >     method()
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance
> >     DogtagInstance.spawn_instance(self, cfg_file)
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
> >     self.handle_setup_error(e)
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
> >     raise RuntimeError("%s configuration failed." % self.subsystem)
> > 2016-06-02T10:43:16Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: CA configuration failed.
> > 2016-06-02T10:43:16Z ERROR CA configuration failed.
> >
> > Of note, there is no /var/log/pki-ca-install.log file nor (as the error above shows) is there /var/lib/pki/pki-tomcat/ca/conf/CS.cfg.
> >
> > Best regards,
> > Dan
> >
> > From: Sebastian Schäfer
> > Date: Thursday, June 2, 2016 at 02:59
> > To: "freeipa-users at redhat.com", Daniel Finkestein
> > Subject: Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master
> >
> > Hi Dan,
> >
> > I had a similar problem when updating my FreeIPA. In my case it turned out that the certificates that get bundled with the replica preparation file were expired. This is due to the /root/cacert.p12 file not being updated during the preparation process until FreeIPA 3.2.2
> >
> > The file can be recreated with the commands from step 2 of http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
> >
> > If that does not solve the problem, it would be good to see (part of) the actual logfiles of your replica installation attempt.
> >
> > Best regards
> > --
> > Sebastian Schäfer, M. A.
> > -------------------------------
> > Deutsches Zentrum für Luft- und Raumfahrt e.V. (DLR)
> > Institute of Space Operations and Astronaut Training
> > Microgravity User Support Center (MUSC)
> > Linder Höhe | 51147 Köln
> > Telefon 02203 601-30 01 | Telefax: 02203 61471 | sebastian.schaefer at dlr.de
> > www.DLR.de
> >
> > On 06/01/2016 06:45 PM, Dan.Finkelstein at high5games.com wrote:
> > > Hi folks,
> > >
> > > As the subject suggests, we're converting from FreeIPA 3.0.0 on CentOS 6 to 4.2.0 on CentOS 7. The way we're doing it is to create FreeIPA replicas in CentOS 7 and then hope to promote one of them to the CA master. I'm running into two problems:
> > >
> > > The first is that when we create a replica in FreeIPA 4.2.0 with the --setup-ca option, that portion fails. Here's a snippet of the output:
> > >
> > > Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
> > >   [1/23]: creating certificate server user
> > >   [2/23]: configuring certificate server instance
> > > ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpqPeYOW'' returned non-zero exit status 1
> > > ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
> > > ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
> > > ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
> > >   [error] RuntimeError: CA configuration failed.
> > > Your system may be partly configured.
> > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >
> > You need to find the CA logs. All IPA gets is "the install failed" and no details why. Look in /var/log/pki/pki-tomcat for the relevant logs.
> >
> > rob

From Dan.Finkelstein at high5games.com Fri Jun 3 21:34:08 2016
From: Dan.Finkelstein at high5games.com (Dan.Finkelstein at high5games.com)
Date: Fri, 3 Jun 2016 21:34:08 +0000
Subject: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master
In-Reply-To: <5751F4CD.5040307@redhat.com>
References: <5e9b561a-c399-a5fb-b59f-d2ccbbd6791e@dlr.de> <0405D135-74A7-4E5C-AF85-41224767BADC@high5games.com> <5750A53F.2040908@redhat.com> <5751F4CD.5040307@redhat.com>
Message-ID:

No dice:

root at ipa ~]# pkidestroy -i pki-tomcat -s CA
ERROR: PKI instance '/var/lib/pki/pki-tomcat' does NOT exist!
Daniel Alex Finkelstein | Senior Dev Ops Engineer
Dan.Finkelstein at h5g.com | 212.604.3447

From: Rob Crittenden
Date: Friday, June 3, 2016 at 17:21
To: Daniel Finkestein, "freeipa-users at redhat.com"
Subject: Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

Try:

# pkidestroy -i pki-tomcat -s CA

From rcritten at redhat.com Fri Jun 3 21:47:03 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 3 Jun 2016 17:47:03 -0400
Subject: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master
In-Reply-To:
References: <5e9b561a-c399-a5fb-b59f-d2ccbbd6791e@dlr.de> <0405D135-74A7-4E5C-AF85-41224767BADC@high5games.com> <5750A53F.2040908@redhat.com> <5751F4CD.5040307@redhat.com>
Message-ID: <5751FAD7.6020205@redhat.com>

Dan.Finkelstein at high5games.com wrote:
> No dice:
>
> root at ipa ~]# pkidestroy -i pki-tomcat -s CA
>
> ERROR: PKI instance '/var/lib/pki/pki-tomcat' does NOT exist!

The IPA installer is looking for the existence of /var/lib/pki/pki-tomcat/ca/conf/CS.cfg. At least some things in /var/lib/pki/pki-tomcat are links to /etc, notably alias and conf. You can try manually cleaning those up.

rob

> From: Rob Crittenden
> Date: Friday, June 3, 2016 at 17:21
> To: Daniel Finkestein, "freeipa-users at redhat.com"
> Subject: Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master
>
> Try:
>
> # pkidestroy -i pki-tomcat -s CA

From Dan.Finkelstein at high5games.com Sat Jun 4 02:48:18 2016
From: Dan.Finkelstein at high5games.com (Dan.Finkelstein at high5games.com)
Date: Sat, 4 Jun 2016 02:48:18 +0000
Subject: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master
In-Reply-To: <5751FAD7.6020205@redhat.com>
References: <5e9b561a-c399-a5fb-b59f-d2ccbbd6791e@dlr.de> <0405D135-74A7-4E5C-AF85-41224767BADC@high5games.com> <5750A53F.2040908@redhat.com> <5751F4CD.5040307@redhat.com> <5751FAD7.6020205@redhat.com>
Message-ID: <6B847FD2-8DD0-4640-B6AF-4F8BC0989F42@high5games.com>

I didn't get the chance to clean anything up because there's truly nothing there:

root at ipa pki]# pwd
/var/lib/pki
[root at ipa pki]# ls
[root at ipa pki]#

Daniel Alex Finkelstein | Senior Dev Ops Engineer
Dan.Finkelstein at h5g.com | 212.604.3447

From: Rob Crittenden
Date: Friday, June 3, 2016 at 17:47
To: Daniel Finkestein, "freeipa-users at redhat.com"
Subject: Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

root at ipa ~]# pkidestroy -i pki-tomcat -s CA
ERROR: PKI instance '/var/lib/pki/pki-tomcat' does NOT exist!

The IPA installer is looking for the existence of /var/lib/pki/pki-tomcat/ca/conf/CS.cfg. At least some things in /var/lib/pki/pki-tomcat are links to /etc, notably alias and conf. You can try manually cleaning those up.

rob

From jpazdziora at redhat.com Mon Jun 6 09:13:38 2016
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Mon, 6 Jun 2016 11:13:38 +0200
Subject: [Freeipa-users] how to setup apache reverse https proxy for freeipa web UI
In-Reply-To: <20160603204259.GF17518@redhat.com>
References: <20160603204259.GF17518@redhat.com>
Message-ID: <20160606091338.GF29312@redhat.com>

On Fri, Jun 03, 2016 at 10:42:59PM +0200, Jan Pazdziora wrote:
>
> Hope this helps. I will likely do another writeup about this setup.

https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From peljasz at yahoo.co.uk Mon Jun 6 09:53:27 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Mon, 6 Jun 2016 10:53:27 +0100
Subject: [Freeipa-users] a bit off topic- samba + sssd => AD
In-Reply-To: <20160603160052.qsg434z2vsh2dy5r@redhat.com>
References: <20160603142223.g5evycofxwryrhpn@redhat.com> <8892cce3-b6ac-0a49-5274-4d081666b80f@yahoo.co.uk> <20160603160052.qsg434z2vsh2dy5r@redhat.com>
Message-ID: <4bf2268d-af90-4d0b-54b3-443f9d152f96@yahoo.co.uk>

On 03/06/16 17:00, Alexander Bokovoy wrote:
> On Fri, 03 Jun 2016, lejeczek wrote:
>>
>>
>> On 03/06/16 15:22, Alexander Bokovoy wrote:
>>> On Fri, 03 Jun 2016, lejeczek wrote:
>>>> hi users,
>>>>
>>>> I have a samba and sssd trying AD, it's 7.2 Linux.
>>>>
>>>> That linux box is via sssd and samba talking to AD DC and win10 clients get to samba shares, getent pass sees AD users, samba can get to DC's shares and win10's clients shares, all good except...
>>>>
>>>> smbclient @samba, in other words - to itself - fails
>>>>
>>>> session setup failed: NT_STATUS_LOGON_FAILURE
>>> Do you run winbindd?
samba in RHEL 7.2 as of now has a >>> regression that >>> if you don't run winbindd, current code forbids >>> establishing anonymous >>> secure channel connections to AD DCs as part of Badlock >>> fixes. The >>> regression is fixed upstream and RHEL 7.2 packages are >>> currently being >>> tested by Red Hat QE team. >>> >>> If you start winbindd, this should not affect you -- if >>> the machine is >>> enrolled into Active Directory domain. However, the >>> Kerberos error below >>> makes me thinking you have some problems on AD side as >>> well. >> no winbind, I hope to completely relay on sssd. > You cannot -- at least for now. Samba needs translation > between SIDs and > POSIX IDs. This translation cannot be done by SSSD alone > right now > because there is no separate mechanism to supply that > translation into > Samba from the system level. > > SSSD can be used as to imitate SID translation interface > of winbindd by > providing a libwbclient replacement but this would mean a > lot of other > functionality winbindd provides will be missing as SSSD > does not > implement it. > Finally, you can run winbindd in parallel to SSSD. You > just need to > ensure they both have the same understanding how to map > usernames and > group names to POSIX ID and back. And you don't need to > add winbindd to > /etc/nsswitch.conf or PAM configuration. > >> I should mentioned that I'm fiddling with my sssd so it >> engages two providers, AD and IPA - and it seems to work, >> like a I tried to describe, only that samba smbclient to >> itself is not working. >> thanks! > SMB services with Kerberos require use of cifs/ > service > principal. Your keytab only has host/ keys, and > your AD > machine account for the does not have > 'cifs/' SPN > defined. The latter is what causes smbclient -k to fail -- > AD DC doesn't > know about 'cifs/' and refuses to issue a > service ticket even > before smbclient contacts Samba server. Alexander, thanks! 
yes, cifs needs to be in keytab file, smbclient to itself(on smb server locally) works now with -k. I wonder - should it also work with only passwords? It does not, for me. Users mapping concept (which I do not grasp completely yet) - when an AD client (win10) now gets to samba shares okey it is done with AD user credentials, win client sees share like: user at my.dom which user is not IPA's user (there are no trusts no syncing). Now, when you say mapping - this would be winbind/smb translating/mapping AD's SIDs to match IPA's UIDs - which is/would be different from syncying users from AD => IPA ,correct? Another thing, not having winbind in nsswitch (or not having it at all), but still having sssd using AD - should I be able to access linux+sssd=>AD box with means like ssh? eg. ssh me at my.dom@swir.private.my.dom (I think I had it worked with windbind in nsswitch) L. > >>>> and with smbclient -k >>>> >>>> gss_init_sec_context failed with [Unspecified GSS >>>> failure. Minor code may provide more information: >>>> Server cifs/swir.private.dom at PRIVATE.DOM not found in >>>> Kerberos database] >>> The statement above says your KDC for PRIVATE.DOM does >>> not know anything >>> about cifs/swir.private.dom principal. Fix that problem >>> and Kerberos >>> authentication will be working. >>> >>>> >>>> SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: >>>> NT_STATUS_INTERNAL_ERROR >>>> Failed to setup SPNEGO negTokenInit request: >>>> NT_STATUS_INTERNAL_ERROR >>>> session setup failed: NT_STATUS_INTERNAL_ERROR >>>> >>>> here is a snippet from smb.conf which I thought has >>>> relevance, I set it up following samba sssd wiki. 
>>>>
>>>> security = ads
>>>> realm = CCNR.DOM
>>>> workgroup = CCNR
>>>>
>>>> kerberos method = secrets and keytab
>>>> dedicated keytab file = /etc/krb5.swir.ccnr.keytab
>>>> client signing = auto
>>>> client use spnego = yes
>>>> encrypt passwords = yes
>>>> password server = ccnr-winsrv1.ccnr.dom
>>>> netbios name = SWIR
>>>>
>>>> template shell = /bin/bash
>>>> template homedir = /home/%D/%U
>>>>
>>>> preferred master = no
>>>> dns proxy = no
>>>> wins server = ccnr-winsrv1.ccnr.dom
>>>> wins proxy = no
>>>>
>>>> inherit acls = Yes
>>>> map acl inherit = Yes
>>>> acl group control = yes
>>>>
>>>>
>>>> and in samba log:
>>>>
>>>> domain_client_validate: Domain password server not available.
>>>>
>>>> I've tried samba user list, dead silence.
>>>>
>>>> many thanks,
>>>>
>>>> L.
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>>>
>>
>

From mitra.dehghan at gmail.com Mon Jun 6 10:01:30 2016
From: mitra.dehghan at gmail.com (Mitra Dehghan)
Date: Mon, 6 Jun 2016 14:31:30 +0430
Subject: [Freeipa-users] problem in sudo policy when target commands use local environment variables
Message-ID:

Hello,

I have a problem using sudo policy in FreeIPA when target commands use environment
variables defined on a specific local user's profile.
Here is the problem:
1- There is a client machine with local user called srvusr. This user has permission to run
target_cmd.
2- target_cmd is dependent on environment variables defined in srvusr's profile. Even
before joining FreeIPA, users had to use "su srvusr" command to get permission for
executing the target_cmd.
3- I defined a sudo policy for target_cmd to be executed by external user permissions
(srvusr).
4- when I run sudo -l on client machine it says IPA user has permission to run target_cmd
with srvusr privileges.
5- The command I run with my IPA user is:
$ sudo -H -u srvusr /path/to/target_cmd target_cmd_argument
or
$ sudo -H -u srvusr /path/to/target_cmd
I used -H to inherit target user's environment variables.
The command fails to run and the error is:
"Check environment error! environment not defined or NULL"
I would be glad if someone helps me to find a solution for that!
thanks for your advice in advance
--
m-dehghan

From karl.forner at gmail.com Mon Jun 6 11:29:15 2016
From: karl.forner at gmail.com (Karl Forner)
Date: Mon, 6 Jun 2016 13:29:15 +0200
Subject: [Freeipa-users] how to setup apache reverse https proxy for freeipa web UI
In-Reply-To: <20160606091338.GF29312@redhat.com>
References: <20160603204259.GF17518@redhat.com> <20160606091338.GF29312@redhat.com>
Message-ID:

Thanks a lot Jan. It works perfectly, and it is crystal-clear.
Best,
Karl

On Mon, Jun 6, 2016 at 11:13 AM, Jan Pazdziora wrote:
> On Fri, Jun 03, 2016 at 10:42:59PM +0200, Jan Pazdziora wrote:
>>
>> Hope this helps. I will likely do another writeup about this setup.
>
> https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
>
> --
> Jan Pazdziora
> Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From abokovoy at redhat.com Mon Jun 6 11:42:12 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 6 Jun 2016 14:42:12 +0300
Subject: [Freeipa-users] a bit off topic- samba + sssd => AD
In-Reply-To: <4bf2268d-af90-4d0b-54b3-443f9d152f96@yahoo.co.uk>
References: <20160603142223.g5evycofxwryrhpn@redhat.com> <8892cce3-b6ac-0a49-5274-4d081666b80f@yahoo.co.uk> <20160603160052.qsg434z2vsh2dy5r@redhat.com> <4bf2268d-af90-4d0b-54b3-443f9d152f96@yahoo.co.uk>
Message-ID: <20160606114212.yyfae35tjwqrkdzh@redhat.com>

On Mon, 06 Jun 2016, lejeczek wrote:
>>SMB services with Kerberos require use of cifs/ service
>>principal.
>>Your keytab only has host/ keys, and your AD machine account for the does not have 'cifs/'
>>SPN defined. The latter is what causes smbclient -k to fail -- AD DC doesn't know about
>>'cifs/' and refuses to issue a service ticket even before smbclient contacts Samba server.
>Alexander, thanks!
>yes, cifs needs to be in keytab file, smbclient to itself (on smb server locally) works now
>with -k.
>I wonder - should it also work with only passwords? It does not, for me.
>Users mapping concept (which I do not grasp completely yet) - when an AD client (win10) now
>gets to samba shares okay it is done with AD user credentials, win client sees share like:
>user at my.dom which user is not IPA's user (there are no trusts no syncing).
I don't know details of what you have configured. For IPA with trusts both Kerberos and
passwords should work when Samba is running on IPA master. For IPA client, we have a
procedure defined for SSSD+Samba. For anything else only Kerberos would work.

>Now, when you say mapping - this would be winbind/smb translating/mapping AD's SIDs to
>match IPA's UIDs - which is/would be different from syncing users from AD => IPA, correct?
SIDs to UID/GID on the system. You seem to confuse a lot in your emails -- you are claiming
that there is no IPA trust or sync in place yet you expect somehow things to magically
work, I simply don't understand your situation to comment on it.

>Another thing, not having winbind in nsswitch (or not having it at all), but still having
>sssd using AD - should I be able to access linux+sssd=>AD box with means like ssh? eg. ssh
>me at my.dom@swir.private.my.dom (I think I had it working with winbind in nsswitch)
SSSD client as IPA client will work with passwords in AD but only if trust is established
between IPA and AD.
--
/ Alexander Bokovoy

From gjn at gjn.priv.at Mon Jun 6 12:59:25 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Mon, 06 Jun 2016 14:59:25 +0200
Subject: [Freeipa-users] DNSSEC DANE TLSA
Message-ID: <14509794.Gy9lNml7nr@techz>

Hello,

is it possible with a FreeIPA Certificate to make a DANE entry in IPA DNS?

Thanks for an answer,
--
with kind regards / best regards,
Günther J. Niederwimmer

From pspacek at redhat.com Mon Jun 6 13:50:37 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 6 Jun 2016 15:50:37 +0200
Subject: [Freeipa-users] DNSSEC DANE TLSA
In-Reply-To: <14509794.Gy9lNml7nr@techz>
References: <14509794.Gy9lNml7nr@techz>
Message-ID:

On 6.6.2016 14:59, Günther J. Niederwimmer wrote:
> Hello,
>
> is it possible with a FreeIPA Certificate to make a DANE entry in IPA DNS?

Yes, in recent versions of FreeIPA you can add TLSA records.

You have to generate the TLSA records manually, e.g. using hash-slinger:
https://admin.fedoraproject.org/pkgdb/package/rpms/hash-slinger/

Feel free to open a feature request on https://fedorahosted.org/freeipa/newticket if you
can think of a way to automate this.
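Petr's reply above says the TLSA record has to be generated by hand. As an added example for this thread (it is not hash-slinger or FreeIPA code), the Python below derives the RFC 6698 certificate association data from a DER certificate for the usual "3 1 1" form (DANE-EE, SubjectPublicKeyInfo, SHA-256) as well as the other selector and matching-type values, and prints the matching ipa dnsrecord-add line; the certificate bytes, zone and host names are constructed, and the --tlsa-rec flag spelling is an assumption, not something the thread states.

```python
"""Build a DANE TLSA record (RFC 6698) for an X.509 certificate and the
matching FreeIPA DNS command.

Added example for this thread; not hash-slinger or FreeIPA code. The DER
walker is just enough to reach subjectPublicKeyInfo in a DER certificate,
and the sample certificate at the bottom is constructed (structurally
valid, not signed by any real key)."""
import hashlib


def _der_tlv(data: bytes, offset: int = 0):
    """Decode one DER element at offset; return (tag, value_start, value_end)."""
    tag = data[offset]
    length = data[offset + 1]
    pos = offset + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def _der_children(data: bytes, start: int, end: int):
    """Yield (tag, tlv_start, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = _der_tlv(data, pos)
        yield tag, pos, vstart, vend
        pos = vend


def extract_spki(cert_der: bytes) -> bytes:
    """Return the complete subjectPublicKeyInfo element (tag + length + value).

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cstart, _ = _der_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tbs_tag, tstart, tend = _der_tlv(cert_der, cstart)
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a DER SEQUENCE")
    fields = list(_der_children(cert_der, tstart, tend))
    if fields and fields[0][0] == 0xA0:    # explicit [0] version present (v2/v3 certs)
        fields = fields[1:]
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    _, tlv_start, _, vend = fields[5]
    return cert_der[tlv_start:vend]


def tlsa_association_data(cert_der: bytes, selector: int = 1, matching_type: int = 1) -> str:
    """Hex association data: selector 0 = full certificate, 1 = SPKI;
    matching type 0 = exact bytes, 1 = SHA-256, 2 = SHA-512."""
    if selector not in (0, 1):
        raise ValueError("selector must be 0 or 1")
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if matching_type == 0:
        return data.hex()
    if matching_type == 1:
        return hashlib.sha256(data).hexdigest()
    if matching_type == 2:
        return hashlib.sha512(data).hexdigest()
    raise ValueError("matching type must be 0, 1 or 2")


def tlsa_rdata(cert_der: bytes, usage: int = 3, selector: int = 1, matching_type: int = 1) -> str:
    """Presentation-format RDATA, e.g. '3 1 1 <sha256 hex>' (DANE-EE, SPKI, SHA-256)."""
    if usage not in (0, 1, 2, 3):
        raise ValueError("usage must be 0..3")
    return f"{usage} {selector} {matching_type} {tlsa_association_data(cert_der, selector, matching_type)}"


def ipa_dnsrecord_add(zone: str, host: str, port: int, cert_der: bytes,
                      proto: str = "tcp", **kw) -> str:
    """The ipa dnsrecord-add command for the record. The --tlsa-rec raw-RDATA
    flag form is assumed here; confirm it with `ipa dnsrecord-add --help`."""
    return (f"ipa dnsrecord-add {zone} _{port}._{proto}.{host} "
            f"--tlsa-rec='{tlsa_rdata(cert_der, **kw)}'")


# --- constructed sample certificate (not a real key, never signed) -------
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


_RSA_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
_SHA256_RSA = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
SAMPLE_SPKI = _der(0x30, _RSA_ALG + _der(0x03, b"\x00" + bytes(range(64))))
_TBS = _der(0x30,
            _der(0xA0, _der(0x02, b"\x02"))                                    # version v3
            + _der(0x02, b"\x01")                                              # serialNumber
            + _SHA256_RSA                                                      # signature alg
            + _der(0x30, b"")                                                  # issuer (empty)
            + _der(0x30, _der(0x17, b"160606000000Z") + _der(0x17, b"170606000000Z"))
            + _der(0x30, b"")                                                  # subject (empty)
            + SAMPLE_SPKI)
SAMPLE_CERT_DER = _der(0x30, _TBS + _SHA256_RSA + _der(0x03, b"\x00" + bytes(8)))

if __name__ == "__main__":
    print(tlsa_rdata(SAMPLE_CERT_DER))
    print(ipa_dnsrecord_add("example.test", "ipa", 443, SAMPLE_CERT_DER))
```

For a real certificate, pass its DER bytes (a PEM body base64-decoded) to tlsa_rdata; the record only gives clients any assurance once the zone is DNSSEC-signed, which is why the question pairs DANE with DNSSEC.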
--
Petr^2 Spacek

From rcritten at redhat.com Mon Jun 6 13:51:57 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 6 Jun 2016 09:51:57 -0400
Subject: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master
In-Reply-To: <6B847FD2-8DD0-4640-B6AF-4F8BC0989F42@high5games.com>
References: <5e9b561a-c399-a5fb-b59f-d2ccbbd6791e@dlr.de> <0405D135-74A7-4E5C-AF85-41224767BADC@high5games.com> <5750A53F.2040908@redhat.com> <5751F4CD.5040307@redhat.com> <5751FAD7.6020205@redhat.com> <6B847FD2-8DD0-4640-B6AF-4F8BC0989F42@high5games.com>
Message-ID: <57557FFD.3080600@redhat.com>

Dan.Finkelstein at high5games.com wrote:
> I didn't get the chance to clean anything up because there's truly
> nothing there:
>
> [root at ipa pki]# pwd
> /var/lib/pki
> [root at ipa pki]# ls
> [root at ipa pki]#

I think I figured out what is wrong. It is trying to add a NEW CA, not
creating a replica of the CA on this host. You need to pass in the
replica install file as an argument:

# ipa-replica-install foo.example.com

Not sure skipping the conncheck is a great idea either.

rob

>
> *Daniel Alex Finkelstein* | Senior Dev Ops Engineer
> Dan.Finkelstein at h5g.com | 212.604.3447
> One World Trade Center, New York, NY 10007
> www.high5games.com
> Play High 5 Casino and Shake the Sky
> Follow us on: Facebook, Twitter, YouTube, Linkedin
>
> /This message and any attachments may contain confidential or privileged
> information and are only for the use of the intended recipient of this
> message. If you are not the intended recipient, please notify the sender
> by return email, and delete or destroy this and all copies of this
> message and all attachments.
> Any unauthorized disclosure, use,
> distribution, or reproduction of this message or any attachments is
> prohibited and may be unlawful./
>
> *From: *Rob Crittenden
> *Date: *Friday, June 3, 2016 at 17:47
> *To: *Daniel Finkestein , "freeipa-users at redhat.com"
> *Subject: *Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of
> FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica,
> cannot promote to master
>
> [root at ipa ~]# pkidestroy -i pki-tomcat -s CA
> ERROR: PKI instance '/var/lib/pki/pki-tomcat' does NOT exist!
>
> The IPA installer is looking for the existence of
> /var/lib/pki/pki-tomcat/ca/conf/CS.cfg. At least some things in
> /var/lib/pki/pki-tomcat are links to /etc, notably alias and conf. You
> can try manually cleaning those up.
>
> rob
>

From peljasz at yahoo.co.uk Mon Jun 6 14:47:24 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Mon, 6 Jun 2016 15:47:24 +0100
Subject: [Freeipa-users] a bit off topic- samba + sssd => AD
In-Reply-To: <20160606114212.yyfae35tjwqrkdzh@redhat.com>
References: <20160603142223.g5evycofxwryrhpn@redhat.com> <8892cce3-b6ac-0a49-5274-4d081666b80f@yahoo.co.uk> <20160603160052.qsg434z2vsh2dy5r@redhat.com> <4bf2268d-af90-4d0b-54b3-443f9d152f96@yahoo.co.uk> <20160606114212.yyfae35tjwqrkdzh@redhat.com>
Message-ID:

On 06/06/16 12:42, Alexander Bokovoy wrote:
> On Mon, 06 Jun 2016, lejeczek wrote:
>>> SMB services with Kerberos require use of cifs/ service principal. Your keytab only has
>>> host/ keys, and your AD machine account for the does not have 'cifs/' SPN defined. The
>>> latter is what causes smbclient -k to fail -- AD DC doesn't know about 'cifs/' and
>>> refuses to issue a service ticket even before smbclient contacts Samba server.
>> Alexander, thanks!
>> yes, cifs needs to be in keytab file, smbclient to itself (on smb server locally) works
>> now with -k.
>> I wonder - should it also work with only passwords? It does not, for me.
>> Users mapping concept (which I do not grasp completely yet) - when an AD client (win10)
>> now gets to samba shares okay it is done with AD user credentials, win client sees share
>> like: user at my.dom which user is not IPA's user (there are no trusts no syncing).
> I don't know details of what you have configured. For IPA with trusts both Kerberos and
> passwords should work when Samba is running on IPA master. For IPA client, we have a
> procedure defined for SSSD+Samba. For anything else only Kerberos would work.
I emailed (this thread) most of the configs, if not all, ~two emails ago, last Friday.
>
>> Now, when you say mapping - this would be winbind/smb translating/mapping AD's SIDs to
>> match IPA's UIDs - which is/would be different from syncing users from AD => IPA, correct?
> SIDs to UID/GID on the system. You seem to confuse a lot in your emails -- you are
> claiming that there is no IPA trust or sync in place yet you expect somehow things to
> magically work, I simply don't understand your situation to comment on it.
not magically, no, it's the same one box, IPA server and at the same time samba (non-IPA,
might be why smbclient without kerberos does Not work) + sssd to an AD.
And now after fixing keytabs all seems to work ok, and no winbind yet - thus my only
question now is more about concepts, which - yes - I don't grasp fully.
Yes I confuse, the way I understand it is: my linux box now has two separate user db
backends, two different user catalogs, the first one is IPA's and the second is AD's via
sssd (which samba, being an AD client, also uses) with no winbind at this point.
Last thing I wonder is that SIDs/UIDs mapping - one: do I want/need it? and if one then
two: how to achieve it running a setup like mine?
>
>> Another thing, not having winbind in nsswitch (or not having it at all), but still having
>> sssd using AD - should I be able to access linux+sssd=>AD box with means like ssh? eg.
>> ssh me at my.dom@swir.private.my.dom (I think I had it working with winbind in nsswitch)
> SSSD client as IPA client will work with passwords in AD but only if trust is established
> between IPA and AD.
>

From skrawczenko at gmail.com Mon Jun 6 15:26:43 2016
From: skrawczenko at gmail.com (Serge Krawczenko)
Date: Mon, 6 Jun 2016 18:26:43 +0300
Subject: [Freeipa-users] external ad users in ldap directory is it possible in general?
Message-ID:

Hello,
my apologies if the question is asked too frequently

While implementing an SSO in my environment, I have a need to integrate with existing AD
Win2008R2.
The systems I need to be included into SSO can only authorize via LDAP, many of them have
been already configured and tested against FreeIPA and local users. Those systems are
apache, jira, radius and so on.

However, how is it applicable for external users from windows AD?
Trusted relations have been configured according to manual.

As stated in FreeIPA 4.3 release notes,

"AD users are now shown as members of IPA groups when external group is added to IPA group #4403"

So I expect external users to be visible by ldapsearch etc on FreeIPA upon corresponding
groups mapping. Well, no. Users are not visible.

Please advise is this achievable at all or do I have some fundamental misunderstanding of
the technology or is there some misconfiguration?

Thanks a lot.
From Dan.Finkelstein at high5games.com Mon Jun 6 15:39:37 2016
From: Dan.Finkelstein at high5games.com (Dan.Finkelstein at high5games.com)
Date: Mon, 6 Jun 2016 15:39:37 +0000
Subject: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master
In-Reply-To: <57557FFD.3080600@redhat.com>
References: <5e9b561a-c399-a5fb-b59f-d2ccbbd6791e@dlr.de> <0405D135-74A7-4E5C-AF85-41224767BADC@high5games.com> <5750A53F.2040908@redhat.com> <5751F4CD.5040307@redhat.com> <5751FAD7.6020205@redhat.com> <6B847FD2-8DD0-4640-B6AF-4F8BC0989F42@high5games.com> <57557FFD.3080600@redhat.com>
Message-ID: <81E03624-3BDE-45AB-B476-A568F0082561@high5games.com>

Swing and a miss: when setting up the replicas, we always use the --setup-ca and end the
command with the replica gpg file, but it's the --setup-ca that fails as per the earlier
messages. If we proceed without --setup-ca, it's fine. I'll try it without skipping the
connection check, but I don't think the replica file is the issue.

Thanks,
Dan

Daniel Alex Finkelstein | Senior Dev Ops Engineer
Dan.Finkelstein at h5g.com | 212.604.3447
One World Trade Center, New York, NY 10007
From: Rob Crittenden
Date: Monday, June 6, 2016 at 09:51
To: Daniel Finkestein , "freeipa-users at redhat.com"
Subject: Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

I think I figured out what is wrong. It is trying to add a NEW CA, not creating a replica
of the CA on this host. You need to pass in the replica install file as an argument:

# ipa-replica-install foo.example.com

Not sure skipping the conncheck is a great idea either.

rob

From rcritten at redhat.com Mon Jun 6 15:44:19 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 6 Jun 2016 11:44:19 -0400
Subject: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master
In-Reply-To: <81E03624-3BDE-45AB-B476-A568F0082561@high5games.com>
References: <5e9b561a-c399-a5fb-b59f-d2ccbbd6791e@dlr.de> <0405D135-74A7-4E5C-AF85-41224767BADC@high5games.com> <5750A53F.2040908@redhat.com> <5751F4CD.5040307@redhat.com> <5751FAD7.6020205@redhat.com> <6B847FD2-8DD0-4640-B6AF-4F8BC0989F42@high5games.com> <57557FFD.3080600@redhat.com> <81E03624-3BDE-45AB-B476-A568F0082561@high5games.com>
Message-ID: <57559A53.9020108@redhat.com>

Dan.Finkelstein at high5games.com wrote:
> Swing and a miss: when setting up the replicas, we always use the
> --setup-ca and end the command with the replica gpg file, but it's the
> --setup-ca that fails as per the earlier messages. If we proceed without
> --setup-ca, it's fine. I'll try it without skipping the connection check,
> but I don't think the replica file is the issue.
I meant to say: ipa-ca-install replicafile

When running ipa-ca-install without a replicafile then it assumes you are trying to set up
a brand new CA which isn't allowed if one already exists. The messaging has been improved
upstream.

Skipping the conncheck can mask odd problems and should be used sparingly.

rob

>
> Thanks,
>
> Dan
>
> *Daniel Alex Finkelstein* | Senior Dev Ops Engineer
> Dan.Finkelstein at h5g.com | 212.604.3447
>
> *From: *Rob Crittenden
> *Date: *Monday, June 6, 2016 at 09:51
> *To: *Daniel Finkestein , "freeipa-users at redhat.com"
> *Subject: *Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of
> FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica,
> cannot promote to master
>
> I think I figured out what is wrong. It is trying to add a NEW CA, not
> creating a replica of the CA on this host. You need to pass in the
> replica install file as an argument:
>
> # ipa-replica-install foo.example.com
>
> Not sure skipping the conncheck is a great idea either.
>
> rob
>

From abokovoy at redhat.com Mon Jun 6 15:47:36 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 6 Jun 2016 18:47:36 +0300
Subject: [Freeipa-users] a bit off topic- samba + sssd => AD
In-Reply-To:
References: <20160603142223.g5evycofxwryrhpn@redhat.com> <8892cce3-b6ac-0a49-5274-4d081666b80f@yahoo.co.uk> <20160603160052.qsg434z2vsh2dy5r@redhat.com> <4bf2268d-af90-4d0b-54b3-443f9d152f96@yahoo.co.uk> <20160606114212.yyfae35tjwqrkdzh@redhat.com>
Message-ID: <20160606154736.mtej65cglpnbitnw@redhat.com>

On Mon, 06 Jun 2016, lejeczek wrote:
>>>Users mapping concept (which I do not grasp completely yet) - when an AD client (win10)
>>>now gets to samba shares okay it is done with AD user credentials, win client sees share
>>>like: user at my.dom which user is not IPA's user (there are no trusts no syncing).
>>I don't know details of what you have configured. For IPA with trusts both Kerberos and
>>passwords should work when Samba is running on IPA master. For IPA client, we have a
>>procedure defined for SSSD+Samba. For anything else only Kerberos would work.
>I emailed (this thread) most of the configs, if not all, ~two emails ago, last Friday.
Configs were not really helpful without a bigger picture.

>>>Now, when you say mapping - this would be winbind/smb translating/mapping AD's SIDs to
>>>match IPA's UIDs - which is/would be different from syncing users from AD => IPA, correct?
>>SIDs to UID/GID on the system. You seem to confuse a lot in your emails -- you are
>>claiming that there is no IPA trust or sync in place yet you expect somehow things to
>>magically work, I simply don't understand your situation to comment on it.
>not magically, no, it's the same one box, IPA server and at the same time samba (non-IPA,
>might be why smbclient without kerberos does Not work) + sssd to an AD.
>And now after fixing keytabs all seems to work ok, and no winbind yet - thus my only
>question now is more about concepts, which - yes - I don't grasp fully.
Ok.

>Yes I confuse, the way I understand it is: my linux box now has two separate user db
>backends, two different user catalogs, the first one is IPA's and the second is AD's via
>sssd (which samba, being an AD client, also uses) with no winbind at this point.
Yes, you have two different user db backends, and there is not enough interoperability
between them yet. As you can guess, this is not really supported -- I would rather not
spend time on that myself as there are more urgent issues to fix that scale better.

>Last thing I wonder is that SIDs/UIDs mapping - one: do I want/need it? and if one then
>two: how to achieve it running a setup like mine?
It is not a question of whether you want something. It is required, as the Windows world
is different from POSIX and something needs to map between concepts in both worlds. That
something is called Samba and it requires a proper configuration for SID/ID mapping --
which is done by winbindd.

--
/ Alexander Bokovoy

From Paul.Brennan at itec.suny.edu Mon Jun 6 15:53:41 2016
From: Paul.Brennan at itec.suny.edu (Brennan, Paul J)
Date: Mon, 6 Jun 2016 15:53:41 +0000
Subject: [Freeipa-users] problem in sudo policy when target commands use local environment variables
Message-ID: <6FB2F9495EBCAB469F1F3B0E0FA02107A02CCF3F@itxxmb001.exhosted.itec.suny.edu>

Hi Mitra,

I'm not sure if '-H' is the best option for this. If I'm reading the documentation
correctly, it sounds like that option only sets the value of $HOME to ~srvusr. You may
want to try:

$ sudo -u srvusr -i /path/to/target_cmd

That should run the command using a login shell for srvusr, instantiating that user's
variables.

Good luck,
Paul Brennan

(Apologies if this ends up in the wrong thread or something, I just signed up to this list.)
From sbose at redhat.com Mon Jun 6 16:10:40 2016
From: sbose at redhat.com (Sumit Bose)
Date: Mon, 6 Jun 2016 18:10:40 +0200
Subject: [Freeipa-users] external ad users in ldap directory is it possible in general?
In-Reply-To:
References:
Message-ID: <20160606161040.GV25486@p.Speedport_W_724V_Typ_A_05011603_00_009>

On Mon, Jun 06, 2016 at 06:26:43PM +0300, Serge Krawczenko wrote:
> Hello,
> my apologies if the question is asked too frequently
>
> While implementing an SSO in my environment, I have a need to integrate
> with existing AD Win2008R2.
> The systems I need to be included into SSO can only authorize via LDAP,
> many of them have been already configured and tested against FreeIPA and
> local users. Those systems are apache, jira, radius and so on.
>
> However, how is it applicable for external users from windows AD?
> Trusted relations have been configured according to manual.
>
> As stated in FreeIPA 4.3 release notes,
>
> "AD users are now shown as members of IPA groups when external group is
> added to IPA group #4403"
>
> So I expect external users to be visible by ldapsearch etc on FreeIPA upon
> corresponding groups mapping. Well, no. Users are not visible.

What does your ldapsearch command look like? Are you searching in the compat tree
'cn=compat,dc=your,dc=ipa,dc=domain'? Do you have slapi-nis enabled?

HTH

bye,
Sumit

>
> Please advise is this achievable at all or do I have some fundamental
> misunderstanding of the technology or is there some misconfiguration?
>
> Thanks a lot.

From abokovoy at redhat.com Mon Jun 6 16:27:39 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 6 Jun 2016 19:27:39 +0300
Subject: [Freeipa-users] external ad users in ldap directory is it possible in general?
In-Reply-To:
References:
Message-ID: <20160606162739.llbstc4vqlgqyojy@redhat.com>

On Mon, 06 Jun 2016, Serge Krawczenko wrote:
>Hello,
>my apologies if the question is asked too frequently
>
>While implementing an SSO in my environment, I have a need to integrate
>with existing AD Win2008R2.
>The systems I need to be included into SSO can only authorize via LDAP,
>many of them have been already configured and tested against FreeIPA and
>local users. Those systems are apache, jira, radius and so on.
>
>However, how is it applicable for external users from windows AD?
>Trusted relations have been configured according to manual.
>
>As stated in FreeIPA 4.3 release notes,
>
>"AD users are now shown as members of IPA groups when external group is
>added to IPA group #4403"
>
>So I expect external users to be visible by ldapsearch etc on FreeIPA upon
>corresponding groups mapping. Well, no. Users are not visible.
>
>Please advise is this achievable at all or do I have some fundamental
>misunderstanding of the technology or is there some misconfiguration?
Yes, you have a fundamental misunderstanding.

FreeIPA is not a meta-directory, unlike other solutions that attempt to integrate with
Active Directory. Our approach is different and is more effective, in our view.

FreeIPA presents itself as another Active Directory deployment to some degree. Most
features AD expects don't really work but authentication and basic authorization work just
fine. We rely on this to allow pulling the data from AD DS (and GC) on request but we never
store this information in the FreeIPA directory itself.

SSSD on FreeIPA clients recognizes situations when FreeIPA trusts AD and asks FreeIPA
masters for the information about AD users and groups. This information then can be used
by other applications which authenticate AD users and check permissions based on the group
membership -- in both AD and FreeIPA.
LDAP directory server has a particular structure that is enforced through the use of LDAP
schema -- object classes define which attributes may or may not exist in the objects stored
in the LDAP directory. The schema FreeIPA uses differs from the schema used in Active
Directory. Not only are some fundamental object classes different (including naming of
attributes), but also the internal identifiers assigned to these objectclass and attribute
objects are different between FreeIPA and Active Directory, even to the point that some are
different even for objects that are otherwise the same in their behavior. This is a
fundamental difference of the Active Directory LDAP store from traditional UNIX LDAP stores.

FreeIPA doesn't store complete AD user/group objects in LDAP. However, the schema used by
FreeIPA to represent objects' relationships requires that objects do exist in the LDAP
store and can be addressed by their DNs. When 'external users and groups' are mentioned in
the context of FreeIPA forest trust to Active Directory, these are not real LDAP objects
but instead are references -- strings of data stored as part of a so-called 'external
group' LDAP object. This LDAP object is a real one and can be included as a member into any
other LDAP object in FreeIPA that could have members (POSIX groups, permissions, etc.).

SSSD on FreeIPA clients is capable of resolving these special 'external group' objects by
taking the references (stored in a separate attribute) and resolving them via a different
mechanism than LDAP. Then it combines the resulting data together with IPA
users/groups/etc objects and presents a combined result to the operating system. As you can
guess, it requires SSSD running on the IPA client. And it requires your application to use
the POSIX API to query users/groups and their membership.
For applications that don't do that, we have created a number of integration modules -- for
Apache you can read about them at https://www.freeipa.org/page/Web_App_Authentication and
related resources from Jan P. (https://www.adelton.com). For more complex software,
integration via SAML IdP or OpenID Connect and other mechanisms is provided as well -- see
https://ipsilon-project.org/

For those cases where you cannot really run a recent SSSD that understands IPA-AD trust, we
have something else -- a special read-only virtual tree called the Schema Compatibility
tree. This is a special plugin in the FreeIPA LDAP server that takes data of IPA users and
presents them using an older POSIX schema defined by RFC2307. We extended this plugin to
allow querying for AD users via SSSD on the FreeIPA master. When a request of a special
type (as performed by all POSIX LDAP clients -- nslcd, sssd, nss_ldap, etc) comes in and
this user/group is not found in the IPA database, a request is made to SSSD on the same
FreeIPA master in an attempt to look up an Active Directory user or group.

This work requires a lot of coordination between FreeIPA, SSSD, and the slapi-nis project
(which implements the Schema Compatibility plugin). Very recently (as of February-May 2016)
we fixed a number of important bugs in all three of those to allow full expansion of user
group memberships between IPA and AD. So this code, for example, is in the recent RHEL 7.2.4
or the corresponding update of CentOS 7, but not in Fedora 23 (it is in Fedora 24 though).

Instead of pointing your application directly to LDAP, we recommend using other means which
are more efficient from a performance and caching perspective. For example, for Jira, I'd
recommend using a SAML 2.0 connector and Ipsilon:
https://marketplace.atlassian.com/plugins/com.resolution.atlasplugins.samlsso.Jira/server/overview
should be enough on the Jira side. For Apache -- use modules written by Jan P.
For RADIUS the situation is worse but at least you can point FreeRADIUS to both FreeIPA and
AD DS at the same time.

If nothing works, then Schema Compatibility is the final stop. However, because of the way
it presents the data, all users there are present only with RFC2307 schema and AD users are
inserted on request, and these requests are of a special format as required for POSIX ID
operations. You can read more about it at
https://git.fedorahosted.org/cgit/slapi-nis.git/tree/doc/ipa/sch-ipa.txt

--
/ Alexander Bokovoy

From Dan.Finkelstein at high5games.com Mon Jun 6 18:13:56 2016
From: Dan.Finkelstein at high5games.com (Dan.Finkelstein at high5games.com)
Date: Mon, 6 Jun 2016 18:13:56 +0000
Subject: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master
In-Reply-To: <57559A53.9020108@redhat.com>
References: <5e9b561a-c399-a5fb-b59f-d2ccbbd6791e@dlr.de> <0405D135-74A7-4E5C-AF85-41224767BADC@high5games.com> <5750A53F.2040908@redhat.com> <5751F4CD.5040307@redhat.com> <5751FAD7.6020205@redhat.com> <6B847FD2-8DD0-4640-B6AF-4F8BC0989F42@high5games.com> <57557FFD.3080600@redhat.com> <81E03624-3BDE-45AB-B476-A568F0082561@high5games.com> <57559A53.9020108@redhat.com>
Message-ID: <791A4E84-318B-4AA1-BBAC-776B51415BEC@high5games.com>

Thanks for the clarification. I tried again, but no luck. The stdout/err was:

[root at ipa ~]# ipa-ca-install /var/lib/ipa/replica-info-ipa.example.com.local.gpg
Directory Manager (existing master) password:

Configuring certificate server (pki-tomcatd).
Estimated time: 3 minutes 30 seconds
  [1/21]: creating certificate server user
  [2/21]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpD3cjWu'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

CA configuration failed.

And the ipareplica-ca-install.log is:

[root at ipa log]# cat ipareplica-ca-install.log
2016-06-06T17:59:37Z DEBUG /sbin/ipa-ca-install was invoked with argument "/var/lib/ipa/replica-info-ipa.example.com.local.gpg" and options: {'external_cert_files': None, 'skip_schema_check': False, 'external_ca_type': None, 'unattended': False, 'no_host_dns': False, 'ca_signing_algorithm': None, 'debug': False, 'external_ca': False, 'skip_conncheck': False}
2016-06-06T17:59:37Z DEBUG IPA version 4.2.0-15.0.1.el7.centos.6.1
2016-06-06T17:59:37Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-06-06T17:59:37Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2016-06-06T17:59:37Z DEBUG importing all plugin modules in ipalib.plugins...
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.aci
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.automember
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.automount
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.baseldap
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.baseuser
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.batch
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.caacl
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.cert
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.certprofile
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.config
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.delegation
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.dns
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.domainlevel
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.group
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.hbacrule
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.hbacsvc
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.hbacsvcgroup
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.hbactest
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.host
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.hostgroup
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.idrange
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.idviews
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.internal
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.kerberos
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.krbtpolicy
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.migration
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.misc
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.netgroup
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.otpconfig
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.otptoken
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.otptoken_yubikey
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.passwd
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.permission
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.ping
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.pkinit
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.privilege
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.pwpolicy
2016-06-06T17:59:37Z DEBUG Starting external process
2016-06-06T17:59:37Z DEBUG args='klist' '-V'
2016-06-06T17:59:37Z DEBUG Process finished, return code=0
2016-06-06T17:59:37Z DEBUG stdout=Kerberos 5 version 1.13.2
2016-06-06T17:59:37Z DEBUG stderr=
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.radiusproxy
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.realmdomains
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.role
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.rpcclient
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.selfservice
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.selinuxusermap
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.server
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.service
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.servicedelegation
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.session
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.stageuser
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.sudocmd
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.sudocmdgroup
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.sudorule
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.topology
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.trust
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.user
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.vault
2016-06-06T17:59:37Z DEBUG importing plugin module ipalib.plugins.virtual
2016-06-06T17:59:37Z DEBUG importing all plugin modules in ipaserver.plugins...
2016-06-06T17:59:37Z DEBUG importing plugin module ipaserver.plugins.dogtag
2016-06-06T17:59:37Z DEBUG importing plugin module ipaserver.plugins.join
2016-06-06T17:59:37Z DEBUG importing plugin module ipaserver.plugins.ldap2
2016-06-06T17:59:37Z DEBUG importing plugin module ipaserver.plugins.rabase
2016-06-06T17:59:37Z DEBUG importing plugin module ipaserver.plugins.xmlserver
2016-06-06T17:59:37Z DEBUG SessionAuthManager.register: name=jsonserver_session_42663248
2016-06-06T17:59:37Z DEBUG SessionAuthManager.register: name=xmlserver_session_42686160
2016-06-06T17:59:37Z DEBUG Mounting ipaserver.rpcserver.jsonserver_session() at '/session/json'
2016-06-06T17:59:37Z DEBUG session_auth_duration: 0:20:00
2016-06-06T17:59:37Z DEBUG Mounting ipaserver.rpcserver.jsonserver_kerb() at '/json'
2016-06-06T17:59:37Z DEBUG session_auth_duration: 0:20:00
2016-06-06T17:59:37Z DEBUG Mounting ipaserver.rpcserver.login_password() at '/session/login_password'
2016-06-06T17:59:37Z DEBUG session_auth_duration: 0:20:00
2016-06-06T17:59:37Z DEBUG Mounting ipaserver.rpcserver.change_password() at '/session/change_password'
2016-06-06T17:59:37Z DEBUG Mounting ipaserver.rpcserver.xmlserver_session() at '/session/xml'
2016-06-06T17:59:37Z DEBUG session_auth_duration: 0:20:00
2016-06-06T17:59:37Z DEBUG session_auth_duration: 0:20:00
2016-06-06T17:59:37Z DEBUG Mounting ipaserver.rpcserver.sync_token() at '/session/sync_token'
2016-06-06T17:59:38Z DEBUG Mounting ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos'
2016-06-06T17:59:38Z DEBUG session_auth_duration: 0:20:00
2016-06-06T17:59:38Z DEBUG Mounting ipaserver.rpcserver.xmlserver() at '/xml'
2016-06-06T17:59:38Z DEBUG session_auth_duration: 0:20:00
2016-06-06T17:59:40Z DEBUG Starting external process
2016-06-06T17:59:40Z DEBUG args='/usr/bin/gpg-agent' '--batch' '--homedir' '/tmp/tmpm9cf7Xipa/ipa-cLLKJh/.gnupg' '--daemon' '/usr/bin/gpg' '--batch' '--homedir' '/tmp/tmpm9cf7Xipa/ipa-cLLKJh/.gnupg' '--passphrase-fd' '0' '--yes' '--no-tty' '-o' '/tmp/tmpm9cf7Xipa/files.tar' '-d' '/var/lib/ipa/replica-info-ipa.example.com.gpg'
2016-06-06T17:59:41Z DEBUG Process finished, return code=0
2016-06-06T17:59:41Z DEBUG Starting external process
2016-06-06T17:59:41Z DEBUG args='tar' 'xf' '/tmp/tmpm9cf7Xipa/files.tar' '-C' '/tmp/tmpm9cf7Xipa'
2016-06-06T17:59:41Z DEBUG Process finished, return code=0
2016-06-06T17:59:41Z DEBUG stdout=
2016-06-06T17:59:41Z DEBUG stderr=
2016-06-06T17:59:41Z DEBUG Installing replica file with version 300 (0 means no version in prepared file).
2016-06-06T17:59:41Z DEBUG Check if ipa.example.com is a primary hostname for localhost
2016-06-06T17:59:41Z DEBUG Primary hostname for localhost: ipa.example.com
2016-06-06T17:59:41Z DEBUG Search DNS for ipa.example.com
2016-06-06T17:59:41Z DEBUG Check if ipa.h5c.local is not a CNAME
2016-06-06T17:59:41Z DEBUG Check reverse address of 10.55.10.31
2016-06-06T17:59:41Z DEBUG Found reverse name: ipa.example.com
2016-06-06T17:59:41Z DEBUG Created connection context.ldap2_42662608
2016-06-06T17:59:41Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-06-06T17:59:41Z DEBUG Checking if IPA schema is present in ldap://ipa-replica.example.com:7389
2016-06-06T17:59:41Z DEBUG retrieving schema for SchemaCache url=ldap://ipa-replica.example.com:7389 conn=
2016-06-06T17:59:41Z DEBUG Check OK
2016-06-06T17:59:41Z DEBUG Destroyed connection context.ldap2_42662608
2016-06-06T17:59:41Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-06-06T17:59:41Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-06-06T17:59:41Z DEBUG Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
2016-06-06T17:59:41Z DEBUG   [1/21]: creating certificate server user
2016-06-06T17:59:41Z DEBUG group pkiuser exists
2016-06-06T17:59:41Z DEBUG user pkiuser exists
2016-06-06T17:59:41Z DEBUG   duration: 0 seconds
2016-06-06T17:59:41Z DEBUG   [2/21]: configuring certificate server instance
2016-06-06T17:59:41Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-06-06T17:59:41Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2016-06-06T17:59:41Z DEBUG Contents of pkispawn configuration file (/tmp/tmpD3cjWu):
[CA]
pki_security_domain_name = IPA
pki_enable_proxy = True
pki_restart_configured_instance = False
pki_backup_keys = True
pki_backup_password = XXXXXXXX
pki_profiles_in_ldap = True
pki_client_database_dir = /tmp/tmp-jUfjcK
pki_client_database_password = XXXXXXXX
pki_client_database_purge = False
pki_client_pkcs12_password = XXXXXXXX
pki_admin_name = admin
pki_admin_uid = admin
pki_admin_email = root at localhost
pki_admin_password = XXXXXXXX
pki_admin_nickname = ipa-ca-agent
pki_admin_subject_dn = cn=ipa-ca-agent,O=EXAMPLE.COM
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_ds_ldap_port = 389
pki_ds_password = XXXXXXXX
pki_ds_base_dn = o=ipaca
pki_ds_database = ipaca
pki_subsystem_subject_dn = cn=CA Subsystem,O= EXAMPLE.COM
pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O= EXAMPLE.COM
pki_ssl_server_subject_dn = cn=ipa.example.com,O= EXAMPLE.COM
pki_audit_signing_subject_dn = cn=CA Audit,O= EXAMPLE.COM
pki_ca_signing_subject_dn = cn=Certificate Authority,O= EXAMPLE.COM
pki_subsystem_nickname = subsystemCert cert-pki-ca
pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
pki_ssl_server_nickname = Server-Cert cert-pki-ca
pki_audit_signing_nickname = auditSigningCert cert-pki-ca
pki_ca_signing_nickname = caSigningCert cert-pki-ca
pki_ca_signing_key_algorithm = SHA256withRSA
pki_security_domain_hostname = ipa-replica.example.com
pki_security_domain_https_port = 443
pki_security_domain_user = admin
pki_security_domain_password = XXXXXXXX
pki_clone = True
pki_clone_pkcs12_path = /tmp/ca.p12
pki_clone_pkcs12_password = XXXXXXXX
pki_clone_replication_security = TLS
pki_clone_replication_master_port = 7389
pki_clone_replication_clone_port = 389
pki_clone_replicate_schema = False
pki_clone_uri = https://ipa-replica.example.com:443

2016-06-06T17:59:41Z DEBUG Starting external process
2016-06-06T17:59:41Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpD3cjWu'
2016-06-06T17:59:41Z DEBUG Process finished, return code=1
2016-06-06T17:59:41Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160606135941.log
Loading deployment configuration from /tmp/tmpD3cjWu.

2016-06-06T17:59:41Z DEBUG stderr=Traceback (most recent call last):
  File "/usr/sbin/pkispawn", line 717, in
    main(sys.argv)
  File "/usr/sbin/pkispawn", line 523, in main
    parser.compose_pki_master_dictionary()
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py", line 573, in compose_pki_master_dictionary
    instance.load()
  File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 454, in load
    subsystem.load()
  File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 118, in load
    lines = open(self.cs_conf).read().splitlines()
IOError: [Errno 2] No such file or directory: '/var/lib/pki/pki-tomcat/ca/conf/CS.cfg'

2016-06-06T17:59:41Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpD3cjWu'' returned non-zero exit status 1
2016-06-06T17:59:41Z CRITICAL See the installation logs and the following files/directories for more information:
2016-06-06T17:59:41Z CRITICAL   /var/log/pki-ca-install.log
2016-06-06T17:59:41Z CRITICAL   /var/log/pki/pki-tomcat
2016-06-06T17:59:41Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2016-06-06T17:59:41Z DEBUG   [error] RuntimeError: CA configuration failed.
2016-06-06T17:59:41Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 732, in run_script
    return_value = main_function()
  File "/sbin/ipa-ca-install", line 202, in main
    install_replica(safe_options, options, filename)
  File "/sbin/ipa-ca-install", line 150, in install_replica
    ca.install(True, config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 106, in install
    install_step_0(standalone, replica_config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 130, in install_step_0
    ra_p12=getattr(options, 'ra_p12', None))
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1543, in install_replica_ca
    subject_base=config.subject_base)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 486, in configure_instance
    self.start_creation(runtime=210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)

2016-06-06T17:59:41Z DEBUG The ipa-ca-install command failed, exception: RuntimeError: CA configuration failed.

Daniel Alex Finkelstein | Senior Dev Ops Engineer
Dan.Finkelstein at h5g.com | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com
Play High 5 Casino and Shake the Sky
Follow us on: Facebook, Twitter, YouTube, Linkedin

This message and any attachments may contain confidential or privileged information and are only for the use of the intended recipient of this message. If you are not the intended recipient, please notify the sender by return email, and delete or destroy this and all copies of this message and all attachments. Any unauthorized disclosure, use, distribution, or reproduction of this message or any attachments is prohibited and may be unlawful.

From: Rob Crittenden
Date: Monday, June 6, 2016 at 11:44
To: Daniel Finkestein , "freeipa-users at redhat.com"
Subject: Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

Dan.Finkelstein at high5games.com wrote:
> Swing and a miss: when setting up the replicas, we always use the --setup-ca and end the command with the replica gpg file, but it's the --setup-ca that fails as per the earlier messages. If we proceed without --setup-ca, it's fine. I'll try it without skipping the connection check, but I don't think the replica file is the issue.

I meant to say:

ipa-ca-install replicafile

When running ipa-ca-install without a replicafile then it assumes you are trying to set up a brand new CA which isn't allowed if one already exists.
The messaging has been improved upstream.

Skipping the conncheck can mask odd problems and should be used sparingly.

rob

Thanks,

Dan

From: Rob Crittenden
Date: Monday, June 6, 2016 at 09:51
To: Daniel Finkestein , "freeipa-users at redhat.com"
Subject: Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

I think I figured out what is wrong. It is trying to add a NEW CA, not creating a replica of the CA on this host. You need to pass in the replica install file as an argument:

# ipa-replica-install foo.example.com

Not sure skipping the conncheck is a great idea either.

rob

From michael.rainey.ctr at nrlssc.navy.mil Mon Jun 6 19:13:20 2016
From: michael.rainey.ctr at nrlssc.navy.mil (Michael Rainey (Contractor))
Date: Mon, 6 Jun 2016 14:13:20 -0500
Subject: [Freeipa-users] DNA Ranges
Message-ID:

Greetings Community,

I have a question about restoring the DNA Ranges on my IPA servers.
A couple of weeks ago I took down one of my servers, which involved a few issues I had created for myself, but luckily I managed to recover. Today I noticed that the DNA Ranges on the retired server were not carried over to the new server. After checking my other servers, I also noticed none of the other servers have any ranges set. So, my primary question is: if I reset the range values on the new server to what they were on the retired server, do I run the risk of generating duplicate UIDs and GIDs, or should I set a new range to prevent duplicate values? At this point, I haven't found anything in my research which matches my current scenario.

Thanks in advance.

-- 
Michael Rainey

From Dan.Finkelstein at high5games.com Mon Jun 6 21:31:14 2016
From: Dan.Finkelstein at high5games.com (Dan.Finkelstein at high5games.com)
Date: Mon, 6 Jun 2016 21:31:14 +0000
Subject: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master
In-Reply-To: <57559A53.9020108@redhat.com>
References: <5e9b561a-c399-a5fb-b59f-d2ccbbd6791e@dlr.de> <0405D135-74A7-4E5C-AF85-41224767BADC@high5games.com> <5750A53F.2040908@redhat.com> <5751F4CD.5040307@redhat.com> <5751FAD7.6020205@redhat.com> <6B847FD2-8DD0-4640-B6AF-4F8BC0989F42@high5games.com> <57557FFD.3080600@redhat.com> <81E03624-3BDE-45AB-B476-A568F0082561@high5games.com> <57559A53.9020108@redhat.com>
Message-ID:

By the way, I want to mention the conncheck: if I don't skip it, it tries to ssh into the master IPA instance as 'admin@', rather than the user (root), and fails. All other parts of the connectivity check work, however. Why does it try to access the master as a Kerberos principal instead of the process user?
Thanks,

Dan

From: Rob Crittenden
Date: Monday, June 6, 2016 at 11:44
To: Daniel Finkestein , "freeipa-users at redhat.com"
Subject: Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

Skipping the conncheck can mask odd problems and should be used sparingly.

rob
From rcritten at redhat.com Mon Jun 6 22:08:39 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 6 Jun 2016 18:08:39 -0400
Subject: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master
In-Reply-To:
References: <5e9b561a-c399-a5fb-b59f-d2ccbbd6791e@dlr.de> <0405D135-74A7-4E5C-AF85-41224767BADC@high5games.com> <5750A53F.2040908@redhat.com> <5751F4CD.5040307@redhat.com> <5751FAD7.6020205@redhat.com> <6B847FD2-8DD0-4640-B6AF-4F8BC0989F42@high5games.com> <57557FFD.3080600@redhat.com> <81E03624-3BDE-45AB-B476-A568F0082561@high5games.com> <57559A53.9020108@redhat.com>
Message-ID: <5755F467.2030901@redhat.com>

Dan.Finkelstein at high5games.com wrote:
> By the way, I want to mention the conncheck: if I don't skip it, it
> tries to ssh into the master IPA instance as 'admin@', rather
> than the user (root), and fails. All other parts of the connectivity
> check work, however. Why does it try to access the master as a Kerberos
> principal instead of the process user?

Because the remote master, being an IPA server, should have an admin account, so it's a known. root over ssh is not allowed in some environments. There is a ticket open to be able to set the login to be used, right now admin is hardcoded.

As for the install failure you should now have the appropriate logs to start diagnosing what was going on in /var/log/pki.

rob

> Thanks,
>
> Dan

From bret.wortman at damascusgrp.com Tue Jun 7 10:07:36 2016
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Tue, 7 Jun 2016 06:07:36 -0400
Subject: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates
In-Reply-To: <5751B88F.1080105@redhat.com>
References: <5750416E.3070408@damascusgrp.com> <5750A599.6020305@redhat.com> <09f4573d-d950-4947-bf06-f6168eabc4ad@Spark> <20160602222419.GH4744@dhcp-40-8.bne.redhat.com> <57516BD5.2040700@damascusgrp.com> <57518AAD.4050304@redhat.com> <57519BF7.9060301@redhat.com> <168cf282-1df9-b8e4-7db5-788c80bc98e6@damascusgrp.com> <5751B88F.1080105@redhat.com>
Message-ID: <2bcc8777-e17f-b10b-b590-aea566c7ee54@damascusgrp.com>

On 06/03/2016 01:04 PM, Rob Crittenden wrote:
> Bret Wortman wrote:
>>
>> On 06/03/2016 11:02 AM, Rob Crittenden wrote:
>>> Bret Wortman wrote:
>>>> I'm not sure I'd call what we have "success" just yet. ;-)
>>>>
>>>> You're right -- F21, IPA 4.1.4-1. I'll try the steps you outlined and
>>>> see how we go.
>>>>
>>>> Rob, would you have just used the existing "localhost.key" instead of
>>>> generating a new one?
>>>
>>> No, I think you did the right thing, the default keysize was probably
>>> still 1024 in F21.
>>> I double-checked the getcert-request man page and
>>> it looks like it will use an existing key if one exists in the key
>>> file passed in so I was wrong about that bit. You just didn't need to
>>> use req to generate a CSR as certmonger will do that for you.
>>>
>> Good to know.
>>
>> I tried the update-ca-trust on both the yum server and on my workstation
>> but nothing changed even after an httpd restart. I did take a peek
>> inside /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt and
>> didn't see my /etc/ipa/ca.crt in there (which may not be a problem, but
>> I confess I'm not sure what should be where at this point).
>
> You'd only need to do this on the machine acting as a client.
>
> I'm pretty sure yum uses /etc/pki/nssdb. Is the IPA CA in there and
> trusted?
>
> $ certutil -L -d /etc/pki/nssdb

It's in there on both the server and client.

> rob
>
>> Bret
>>
>>> rob
>>>
>>>> On 06/03/2016 09:48 AM, Rob Crittenden wrote:
>>>>> Bret Wortman wrote:
>>>>>> So for our internal yum server, I created a new key and cert
>>>>>> request (it
>>>>>> had a localhost key and cert but I wanted to start clean):
>>>>>>
>>>>>> # openssl genrsa 2048 > /etc/pki/tls/private/server.key
>>>>>> # openssl req -new -x509 -nodes -sha1 -days 365 -key
>>>>>> /etc/pki/tls/private/server.key > /etc/pki/tls/certs/server.crt
>>>>>> # ipa-getcert request -f /etc/pki/tls/certs/server.crt -k
>>>>>> /etc/pki/tls/private/server.key -r
>>>>>
>>>>> I try not to argue with success but I'd be curious what is actually
>>>>> going on here. You generate a CSR and call it a certificate. It is
>>>>> probably the case that certmonger is ignoring it altogether and
>>>>> generating its own CSR.
>>>>>
>>>>>> ipa-getcert list shows it approved. I set up SSL in apache to use
>>>>>> the
>>>>>> above .key and .crt, but when I try to run yum against this using
>>>>>> ssl:
>>>>>>
>>>>>> # yum search ffmpeg
>>>>>> Loaded plugins: langpacks
>>>>>> https://yum.private.net/fedora/releases/21/Everything/x86_64/os/repodata/repomd.xml:
>>>>>> [Errno 14] curl#60 - "Peer's certificate issuer has been
>>>>>> marked as
>>>>>> not trusted by the user."
>>>>>> :
>>>>>>
>>>>>> Is there a step I need to take on the clients so they'll accept this
>>>>>> cert as trusted? I thought having it be signed by the IPA CA would
>>>>>> have
>>>>>> taken care of that.
>>>>>>
>>>>>> # ls -l /etc/ipa/ca.crt
>>>>>> -rw-r--r-- 1 root root 2546 Apr 28 2014 /etc/ipa/ca.crt
>>>>>> #
>>>>>
>>>>> Pretty much only IPA tools know to use this file.
>>>>>
>>>>> My knowledge is a bit stale on adding the IPA CA to the global trust
>>>>> but I'm pretty sure it is done automatically now and I think it
>>>>> was in
>>>>> the 4.2 timeframe. I'm assuming this is Fedora 21 so it doesn't have
>>>>> this code.
>>>>>
>>>>> Look at this,
>>>>> https://fedoraproject.org/wiki/Features/SharedSystemCertificates
>>>>>
>>>>> The idea is to add the IPA CA to that and then all tools using SSL
>>>>> would "just work".
>>>>>
>>>>> Something like:
>>>>>
>>>>> # cp /etc/ipa/ca.crt
>>>>> /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem
>>>>> # update-ca-trust
>>>>>
>>>>> You'd need to remember to manually undo this if you ever redo your
>>>>> IPA
>>>>> install (and get a new CA):
>>>>>
>>>>> # rm /etc/ipa/ca.crt
>>>>> /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem
>>>>> # update-ca-trust
>>>>>
>>>>> Like I said, I'm pretty sure this is all automatic in some more
>>>>> recent
>>>>> versions of IPA.
>>>>>
>>>>> rob
>>>>>
>>>>>> ---
>>>>>> Bret
>>>>>>
>>>>>> On 06/02/2016 07:25 PM, bret.wortman at damascusgrp.com wrote:
>>>>>>> Cool. I'll give this a go in the morning.
>>>>>>>
>>>>>>> Bret Wortman
>>>>>>> http://wrapbuddies.co/
>>>>>>>
>>>>>>> On Jun 2, 2016, 6:24 PM -0400, Fraser Tweedale
>>>>>>> ,
>>>>>>> wrote:
>>>>>>>> On Thu, Jun 02, 2016 at 05:35:01PM -0400,
>>>>>>>> bret.wortman at damascusgrp.com wrote:
>>>>>>>>> Sorry, let me back up a step. We need to implement https
>>>>>>>>> everywhere. All our web services. And clients need to get
>>>>>>>>> keys&certs automatically whether through IPA or Puppet. These
>>>>>>>>> systems use IPA for everything but authentication (to keep most
>>>>>>>>> users off). I'm trying to suss out the easiest way to make this
>>>>>>>>> happen smoothly.
>>>>>>>>>
>>>>>>>> Hi Bret,
>>>>>>>>
>>>>>>>> You can use the IPA CA to sign service certificates. See
>>>>>>>> http://www.freeipa.org/page/Certmonger#Request_a_new_certificate.
>>>>>>>>
>>>>>>>> IPA-enrolled machines already have the IPA certificate in their
>>>>>>>> trust store. If the clients are IPA-enrolled, everything should
>>>>>>>> Just Work, otherwise you can distribute the IPA CA certificate to
>>>>>>>> clients via Puppet** or whatever means you prefer.
>>>>>>>>
>>>>>>>> ** you will have to work out how, because I do not know Puppet :)
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Fraser
>>>>>>>>
>>>>>>>>> On Jun 2, 2016, 5:31 PM -0400, Rob
>>>>>>>>> Crittenden,
>>>>>>>>> wrote:
>>>>>>>>>> Bret Wortman wrote:
>>>>>>>>>>> Is it possible to use our freeipa CA as a trusted CA to sign
>>>>>>>>>>> our
>>>>>>>>>>> internal SSL certificates? Our system runs on a private network
>>>>>>>>>>> and so
>>>>>>>>>>> using the usual trusted sources isn't an option. We've been
>>>>>>>>>>> using
>>>>>>>>>>> self-signed, but that adds some additional complications and we
>>>>>>>>>>> thought
>>>>>>>>>>> this might be a good solution.
>>>>>>>>>>>
>>>>>>>>>>> Is it possible, and, since most online guides defer to "submit
>>>>>>>>>>> the CSR
>>>>>>>>>>> to Verisign" or whomever, how would you go about producing
>>>>>>>>>>> one in
>>>>>>>>>>> this way?
>>>>>>>>>>
>>>>>>>>>> Not sure I understand the question. The IPA CA is also
>>>>>>>>>> self-signed. For
>>>>>>>>>> enrolled systems though at least the CA is pre-distributed so
>>>>>>>>>> maybe
>>>>>>>>>> that
>>>>>>>>>> will help.
>>>>>>>>>>
>>>>>>>>>> rob
>>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>> Go to http://freeipa.org for more info on the project

From wdh at dds.nl Tue Jun 7 12:47:44 2016
From: wdh at dds.nl (Winfried de Heiden)
Date: Tue, 7 Jun 2016 14:47:44 +0200
Subject: [Freeipa-users] FreeOTP
Message-ID:

An HTML attachment was scrubbed...

From Dan.Finkelstein at high5games.com Tue Jun 7 12:53:28 2016
From: Dan.Finkelstein at high5games.com (Dan.Finkelstein at high5games.com)
Date: Tue, 7 Jun 2016 12:53:28 +0000
Subject: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master
In-Reply-To: <5755F467.2030901@redhat.com>
References: <5e9b561a-c399-a5fb-b59f-d2ccbbd6791e@dlr.de> <0405D135-74A7-4E5C-AF85-41224767BADC@high5games.com> <5750A53F.2040908@redhat.com> <5751F4CD.5040307@redhat.com> <5751FAD7.6020205@redhat.com> <6B847FD2-8DD0-4640-B6AF-4F8BC0989F42@high5games.com> <57557FFD.3080600@redhat.com> <81E03624-3BDE-45AB-B476-A568F0082561@high5games.com> <57559A53.9020108@redhat.com> <5755F467.2030901@redhat.com>
Message-ID: <1936FD85-01A0-45F0-90D5-E7B5A3A79BC2@high5games.com>

This advice has gotten me much further, thanks. We didn't have an HBAC rule for admin and, now with it in place, connection checks and other commands appear to be working that haven't worked before. I'm still getting caught on the CA portion of the replica installation.
Confoundingly, neither the ipa-replica-install nor the ipa-ca-install command will complete (the former with the --setup-ca option), the latter producing this output in the last few lines of ipareplica-ca-install.log:

2016-06-07T12:44:32Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-06-07T12:44:32Z DEBUG Checking if IPA schema is present in ldap://ipa-replica.example.com:7389
2016-06-07T12:44:32Z DEBUG retrieving schema for SchemaCache url=ldap://ipa-replica.example.com:7389 conn=
2016-06-07T12:44:32Z DEBUG Check OK
2016-06-07T12:44:32Z DEBUG Destroyed connection context.ldap2_50387920
2016-06-07T12:44:32Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-06-07T12:44:32Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 732, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-ca-install", line 202, in main
    install_replica(safe_options, options, filename)

  File "/usr/sbin/ipa-ca-install", line 150, in install_replica
    ca.install(True, config, options)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 106, in install
    install_step_0(standalone, replica_config, options)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 130, in install_step_0
    ra_p12=getattr(options, 'ra_p12', None))

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1530, in install_replica_ca
    sys.exit("A CA is already configured on this system.")

2016-06-07T12:44:32Z DEBUG The ipa-ca-install command failed, exception: SystemExit: A CA is already configured on this system.

This occurs when I run either the replica or ca installer commands a second time.

Best regards,
Dan

Daniel Alex Finkelstein | Senior Dev Ops Engineer
Dan.Finkelstein at h5g.com | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com

From: Rob Crittenden
Date: Monday, June 6, 2016 at 18:08
To: Daniel Finkestein, "freeipa-users at redhat.com"
Subject: Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

Dan.Finkelstein at high5games.com wrote:
> By the way, I want to mention the conncheck: if I don't skip it, it tries
> to ssh into the master IPA instance as 'admin@', rather than the user
> (root), and fails. All other parts of the connectivity check work,
> however. Why does it try to access the master as a Kerberos principal
> instead of the process user?

Because the remote master, being an IPA server, should have an admin account, so it's a known. root over ssh is not allowed in some environments. There is a ticket open to be able to set the login to be used, right now admin is hardcoded.

As for the install failure you should now have the appropriate logs to start diagnosing what was going on in /var/log/pki.
rob

Thanks,
Dan

Daniel Alex Finkelstein | Senior Dev Ops Engineer
Dan.Finkelstein at h5g.com | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com

From: Rob Crittenden
Date: Monday, June 6, 2016 at 11:44
To: Daniel Finkestein, "freeipa-users at redhat.com"
Subject: Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

Skipping the conncheck can mask odd problems and should be used sparingly.

rob

From abokovoy at redhat.com Tue Jun 7 13:02:03 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 7 Jun 2016 16:02:03 +0300
Subject: [Freeipa-users] FreeOTP
Message-ID: <20160607130203.zyms26vj3bhztozz@redhat.com>

On Tue, 07 Jun 2016, Winfried de Heiden wrote:
>Hi all,
>
>I am trying to set up FreeIPA with OTP using the FreeOTP app. All looks fine,
>adding the user to the FreeOTP app also works fine. The user looks like:
>ipa user-show otpuser
>  User login: otpuser
>  First name: otp
>  Last name: user
>  Home directory: /home/otpuser
>  Login shell: /bin/bash
>  Email address: otpuser at blabla.bla
>  UID: 10011
>  GID: 10011
>  User authentication types: otp
>  Account disabled: False
>  Password: True
>  Member of groups: ipausers
>  Kerberos keys available: True
>
>However, trying to log in will fail; /var/log/krb5kdc.log will tell:
>
>Jun 07 14:44:37 ipa.blabla.bla krb5kdc[5887](info): AS_REQ (6 etypes {18 17 16
>23 25 26}) 192.168.1.251: NEEDED_PREAUTH: otpuser at BLABLA.BLA for krbtgt/
>BLABLA.BLA at BLABLA.BLA, Additional pre-authentication required
>Jun 07 14:44:37 ipa.blabla.bla krb5kdc[5887](info): closing down fd 12
>Jun 07 14:44:42 ipa.blabla.bla krb5kdc[5888](info): preauth (otp) verify
>failure: Connection timed out
>
>I just cannot figure out what's going wrong. What is trying to connect to
>causing this timeout? (yep, I disabled firewalld for this...)
How did you try to log in?

--
/ Alexander Bokovoy

From arthur at deus.pro Tue Jun 7 13:10:51 2016
From: arthur at deus.pro (Arthur Fayzullin)
Date: Tue, 7 Jun 2016 18:10:51 +0500
Subject: [Freeipa-users] question about automount config
References: <552e1d8a-1e60-26aa-19eb-a0f02fa6b3bf@deus.pro>

I have done as you said. Here is the output:

[root at nfsclient ~]# automount -vvvf
1 Starting automounter version 5.1.1-3.fc23, master map auto.master
2 using kernel protocol version 5.02
3 mounted indirect on /misc with timeout 300, freq 75 seconds
4 mounted indirect on /net with timeout 300, freq 75 seconds
5 mounted indirect on /home with timeout 300, freq 75 seconds
6 lookup_read_map: lookup(sss): getautomntent_r: No such file or directory
7 attempting to mount entry /home/afayzullin
8 >> mount.nfs4: Connection timed out
9 mount(nfs): nfs: mount failure nfserver.ciktrb.ru:/home/afayzullin on /home/afayzullin
10 failed to mount /home/afayzullin
11 re-reading map for /home
12 attempting to mount entry /home/afayzullin

Lines 1 to 6 are the startup output.
I have googled 'getautomntent_r'; it shows some closed threads that should be fixed (lines 3, 4, 5 show that it is ok). From line 7 I try to log in as afayzullin and autofs tries to mount it as I wish, but for some reason it cannot. How can I find out why it cannot do it? Where should I look?

Also I have put debug_level=6 in [autofs] at /etc/sssd/sssd.conf and here is a piece from /var/log/sssd/sssd_autofs.log:

(Tue Jun 7 15:59:58 2016) [sssd[autofs]] [accept_fd_handler] (0x0400): Client connected!
(Tue Jun 7 15:59:58 2016) [sssd[autofs]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Tue Jun 7 15:59:58 2016) [sssd[autofs]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Tue Jun 7 15:59:58 2016) [sssd[autofs]] [sss_autofs_cmd_setautomntent] (0x0400): Got request for automount map named auto.home
(Tue Jun 7 15:59:58 2016) [sssd[autofs]] [sss_parse_name_for_domains] (0x0200): name 'auto.home' matched without domain, user is auto.home
(Tue Jun 7 15:59:58 2016) [sssd[autofs]] [setautomntent_send] (0x0400): Requesting info for automount map [auto.home] from []
(Tue Jun 7 15:59:58 2016) [sssd[autofs]] [lookup_automntmap_step] (0x0400): Requesting info for [auto.home at ciktrb.ru]
(Tue Jun 7 15:59:58 2016) [sssd[autofs]] [sss_dp_issue_request] (0x0400): Issuing request for [0x558ed3ebab90:0:auto.home at ciktrb.ru]
(Tue Jun 7 15:59:58 2016) [sssd[autofs]] [sss_dp_get_autofs_msg] (0x0400): Creating autofs request for [ciktrb.ru][4105][mapname=auto.home]
(Tue Jun 7 15:59:58 2016) [sssd[autofs]] [sss_dp_internal_get_send] (0x0400): Entering request [0x558ed3ebab90:0:auto.home at ciktrb.ru]
(Tue Jun 7 15:59:58 2016) [sssd[autofs]] [lookup_automntmap_step] (0x0400): Requesting info for [auto.home at ciktrb.ru]
(Tue Jun 7 15:59:58 2016) [sssd[autofs]] [sysdb_autofs_entries_by_map] (0x0400): Getting entries for map auto.home
(Tue Jun 7 15:59:58 2016) [sssd[autofs]] [lookup_automntmap_step] (0x0400): setautomntent done for map auto.home
(Tue Jun 7 15:59:58 2016) [sssd[autofs]] [sss_autofs_cmd_setautomntent_done] (0x0400): setautomntent found data
(Tue Jun 7 15:59:58 2016) [sssd[autofs]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x558ed3ebab90:0:auto.home at ciktrb.ru]
(Tue Jun 7 15:59:58 2016) [sssd[autofs]] [sss_autofs_cmd_getautomntbyname] (0x0400): Requested data of map auto.home key afayzullin
(Tue Jun 7 15:59:58 2016) [sssd[autofs]] [getautomntbyname_process] (0x0080): No key named [afayzullin] found
(Tue Jun 7 15:59:58 2016) [sssd[autofs]] [sss_autofs_cmd_getautomntbyname] (0x0400): Requested data of map auto.home key /
(Tue Jun 7 15:59:58 2016) [sssd[autofs]] [getautomntbyname_process] (0x0080): No key named [/] found
(Tue Jun 7 15:59:58 2016) [sssd[autofs]] [sss_autofs_cmd_getautomntbyname] (0x0400): Requested data of map auto.home key *
(Tue Jun 7 15:59:58 2016) [sssd[autofs]] [sss_autofs_cmd_endautomntent] (0x0400): endautomntent called

While manual mount works fine:

# mount -vvv -t nfs4 nfserver.ciktrb.ru:/home/afayzullin /mnt
mount.nfs4: timeout set for Tue Jun 7 17:07:25 2016
mount.nfs4: trying text-based options 'vers=4.2,addr=10.254.1.167,clientaddr=10.254.1.168'
[root at nfsclient ~]# echo $?
0
[root at nfsclient ~]# mount -l
nfserver.ciktrb.ru:/home/afayzullin on /mnt type nfs4 (rw,relatime,seclabel,vers=4.2,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5,clientaddr=10.254.1.168,local_lock=none,addr=10.254.1.167)

$ ssh nfsclient
Creating home directory for afayzullin.
Last login: Tue Jun 7 17:34:14 2016
Could not chdir to home directory /home/afayzullin: No such file or directory
-bash-4.3$ ll /mnt
????? 0
-rw-rw-r--. 1 afayzullin afayzullin 0 ??? 7 17:00 test

but home is empty:

# ll /home/
????? 0

So what steps should I take next?

24.05.2016 18:01, Prasun Gera wrote:
> You can stop the autofs daemon, and run it in foreground with
> automount -fvv. Then try to access the mount point in parallel.
> The logs from the foreground run should shed some light. Also, does your
> autofs setup work without kerberos? As a first step, get it to work with
> non-kerberised nfs.
>
> On Mon, May 23, 2016 at 11:06 AM, Arthur Fayzullin wrote:
>
> Good day, colleagues!
> I am confused about how automount works and how to configure it. I have
> tried to configure it according to
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html
> document (paragraph 9.1.1 and chapter 20).
> I have tried to make it work on 3 servers:
> 1. ipa server;
> 2. nfs server (node00);
> 3. nfs client (postgres).
>
> *** so here is how it is configured on the ipa server:
> $ ipa automountlocation-tofiles amantai
> /etc/auto.master:
> /- /etc/auto.direct
> /home /etc/auto.home
> ---------------------------
> /etc/auto.direct:
> ---------------------------
> /etc/auto.home:
> * -sec=kr5i,rw,fstype=nfs4 node00.glavsn.ab:/home/&
>
> maps not connected to /etc/auto.master:
>
> $ ipa service-find nfs
> ------------------
> 2 services matched
> ------------------
> ????????: nfs/node00.glavsn.ab at GLAVSN.AB
> Keytab: True
> Managed by: node00.glavsn.ab
>
> ????????: nfs/postgres.glavsn.ab at GLAVSN.AB
> Keytab: True
> Managed by: postgres.glavsn.ab
>
> *** here is the nfs server config:
> $ sudo klist -k
> ??????:
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 1 host/node00.glavsn.ab at GLAVSN.AB
> 1 host/node00.glavsn.ab at GLAVSN.AB
> 1 host/node00.glavsn.ab at GLAVSN.AB
> 1 host/node00.glavsn.ab at GLAVSN.AB
> 2 nfs/node00.glavsn.ab at GLAVSN.AB
> 2 nfs/node00.glavsn.ab at GLAVSN.AB
> 2 nfs/node00.glavsn.ab at GLAVSN.AB
> 2 nfs/node00.glavsn.ab at GLAVSN.AB
>
> $ cat /etc/exports
> /home *(rw,sec=sys:krb5:krb5i:krb5p)
>
> $ sudo firewall-cmd --list-all
> public (default, active)
> interfaces: bridge0 enp1s0
> sources:
> services: dhcpv6-client nfs ssh
> ports: 8001/tcp
> masquerade: no
> forward-ports:
> icmp-blocks:
> rich rules:
>
> $ getenforce
> Enforcing
>
> *** here is the nfs client config:
> # klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 1 host/postgres.glavsn.ab at GLAVSN.AB
> 1 host/postgres.glavsn.ab at GLAVSN.AB
> 1 host/postgres.glavsn.ab at GLAVSN.AB
> 1 host/postgres.glavsn.ab at GLAVSN.AB
> 1 nfs/postgres.glavsn.ab at GLAVSN.AB
> 1 nfs/postgres.glavsn.ab at GLAVSN.AB
> 1 nfs/postgres.glavsn.ab at GLAVSN.AB
> 1 nfs/postgres.glavsn.ab at GLAVSN.AB
>
> # firewall-cmd --list-all
> FedoraServer (default, active)
> interfaces: ens3
> sources:
> services: cockpit dhcpv6-client ssh
> ports:
> protocols:
> masquerade: no
> forward-ports:
> icmp-blocks:
> rich rules:
>
> # mount -l (contains the following line)
> auto.home on /home type autofs
> (rw,relatime,fd=25,pgrp=960,timeout=300,minproto=5,maxproto=5,indirect)
>
> # ll /home/afayzullin
> ls says that it cannot access /home/afayzullin: no such file or
> directory
>
> I have run
> # ipa-client-automount --location=amantai
> on the client and it has completed successfully.
>
> I have tried to disable selinux and drop iptables rules. And now I am a
> little confused about what to do next. Maybe someone who has dealt with
> automount config can give me some advice, or if there is any howto on
> configuring automount, or someone can advise how to debug this situation?

From khankin.konstantin at gmail.com Tue Jun 7 13:21:04 2016
From: khankin.konstantin at gmail.com (Konstantin M. Khankin)
Date: Tue, 7 Jun 2016 16:21:04 +0300
Subject: [Freeipa-users] FreeIPA 4.2 on CentOS 7.2 restricts an access to krb* attributes

HI!

I used to run FreeIPA 3.0 on CentOS 6 but recently upgraded this setup to FreeIPA 4.2 on CentOS 7.2. And I got 2 of my applications failing, because they were accessing LDAP fields krb* (one by itself, another through mod_lookup_identity). For the one which makes LDAP requests on its own I created an account and LDAP happily gives access to krb* fields once that app makes a simple bind.

But with the one which relies on mod_lookup_identity I'm having troubles. Even though SSSD is being authenticated through GSSAPI, LDAP does not give access to krb* fields. I tried to create a separate service record for SSSD - no change. And I couldn't make SSSD do simple bind instead of using GSSAPI. I tried to set up FreeIPA so that by default it gives access to krb* fields, but the web interface rejected that change.

Could you please help me with this issue? How can I control this behavior properly, not with ugly hacks?

Thanks!

--
Konstantin Khankin

From abokovoy at redhat.com Tue Jun 7 13:40:29 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 7 Jun 2016 16:40:29 +0300
Subject: [Freeipa-users] FreeIPA 4.2 on CentOS 7.2 restricts an access to krb* attributes
Message-ID: <20160607134029.z6a444tnmk3zwezz@redhat.com>

On Tue, 07 Jun 2016, Konstantin M. Khankin wrote:
>HI!
>
>I used to run FreeIPA 3.0 on CentOS 6 but recently upgraded this setup to
>FreeIPA 4.2 on CentOS 7.2. And I got 2 my applications failing, because
>they were accessing LDAP fields krb* (one by itself, another through
>mod_lookup_identity).
>For the one which makes LDAP requests by its own I
>created an account and LDAP happily gives an access to krb* fields once
>that app makes simple bind
FreeIPA 4.x has enhanced ACIs but it mostly means there are fewer
attributes accessible to non-authenticated (anonymous) connections. Once
you are authenticated, most of the attributes which were accessed by
anonymous connections before are now available.

>But with the one which relies on mod_lookup_identity I'm having troubles.
>Even though SSSD is being authenticated through GSSAPI, LDAP does not give
>an access to krb* fields. I tried to create a separate service record for
>SSSD - no change. And I couldn't make SSSD do simple bind instead of using
>GSSAPI. I tried to setup FreeIPA so that by default it gives an access to
>krb* fields, but web interface rejected that change
>
>Could you please help me with this issue? How can I control this behavior
>properly, not with ugly hacks?
Can you show your SSSD configuration? host/ principals should be just
fine to access krb* attributes.

--
/ Alexander Bokovoy

From anthonyclarka2 at gmail.com Tue Jun 7 13:50:07 2016
From: anthonyclarka2 at gmail.com (Anthony Clark)
Date: Tue, 7 Jun 2016 09:50:07 -0400
Subject: [Freeipa-users] how to setup apache reverse https proxy for freeipa web UI
References: <20160603204259.GF17518@redhat.com> <20160606091338.GF29312@redhat.com>

One thing I noticed was that once I had set up the proxy as per the document from Jan, I was getting access denied to /ipa until I disabled the Kerberos authentication stuff:

# Protect /ipa and everything below it in webspace with Apache Kerberos auth
# AuthType GSSAPI
# AuthName "Kerberos Login"
# GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
# GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
# GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
# GssapiUseS4U2Proxy on
# Require valid-user
# ErrorDocument 401 /ipa/errors/unauthorized.html
WSGIProcessGroup ipa
WSGIApplicationGroup ipa

Once that change was made, the following proxy worked:

Listen 9443
ErrorLog /etc/httpd/logs/password-error_log
TransferLog /etc/httpd/logs/password-access_log
LogLevel debug
NSSEngine on
NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
NSSNickname Server-Cert
NSSCertificateDatabase /etc/httpd/alias
NSSProxyEngine on
NSSProxyCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
ProxyPass / https://ns01.dev.example.net/
ProxyPassReverse / https://ns01.dev.example.net/
ProxyPassReverseCookieDomain ns01.dev.example.net password.example.net
RequestHeader edit Referer ^https://password\.example\.net/ https://ns01.dev.example.net/

I hope this helps someone down the line.

-Anthony Clark

On Mon, Jun 6, 2016 at 7:29 AM, Karl Forner wrote:
> Thanks a lot Jan. It works perfectly, and it is crystal-clear.
> Best,
> Karl
>
> On Mon, Jun 6, 2016 at 11:13 AM, Jan Pazdziora wrote:
> > On Fri, Jun 03, 2016 at 10:42:59PM +0200, Jan Pazdziora wrote:
> >>
> >> Hope this helps. I will likely do another writeup about this setup.
> >
> > https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
> >
> > --
> > Jan Pazdziora
> > Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From khankin.konstantin at gmail.com Tue Jun 7 13:51:24 2016
From: khankin.konstantin at gmail.com (Konstantin M. Khankin)
Date: Tue, 7 Jun 2016 16:51:24 +0300
Subject: [Freeipa-users] FreeIPA 4.2 on CentOS 7.2 restricts an access to krb* attributes
In-Reply-To: <20160607134029.z6a444tnmk3zwezz@redhat.com>
References: <20160607134029.z6a444tnmk3zwezz@redhat.com>

Hi Alexander!

Here's the config (mostly auto-generated by ipa-client-install):
-------------------------------------------------------------------------------------------------------------------------------------
[domain/gsk.loc]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = gsk.loc
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = garage.gsk.loc
chpass_provider = ipa
ipa_server = _srv_, drone.gsk.loc
ldap_tls_cacert = /etc/ipa/ca.crt
#ldap_search_base = cn=accounts,dc=gsk,dc=loc
ldap_user_extra_attrs = uid, krbLastSuccessfulAuth, krbLastFailedAuth

[sssd]
services = nss, sudo, pam, ssh, ifp
config_file_version = 2

domains = gsk.loc
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]
allowed_uids = apache, root
user_attributes = +uid, +krbLastSuccessfulAuth, +krbLastFailedAuth
-------------------------------------------------------------------------------------------------------------------------------------

In the debug logs I can see that sssd establishes a secure connection using the host/ principal:

(Tue Jun 7 18:08:36 2016) [sssd[be[gsk.loc]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/garage.gsk.loc
(Tue Jun 7 18:08:37 2016) [sssd[be[gsk.loc]]] [child_sig_handler] (0x0100): child [2377] finished successfully.
(Tue Jun 7 18:08:37 2016) [sssd[be[gsk.loc]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'drone.gsk.loc' as 'working'
(Tue Jun 7 18:08:37 2016) [sssd[be[gsk.loc]]] [set_server_common_status] (0x0100): Marking server 'drone.gsk.loc' as 'working'
(Tue Jun 7 18:08:37 2016) [sssd[be[gsk.loc]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'drone.gsk.loc' as 'working'

But this is what happens when I query info via dbus:

...
(Tue Jun 7 17:55:32 2016) [sssd[be[gsk.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding uid [hc] to attributes of [hc].
(Tue Jun 7 17:55:32 2016) [sssd[be[gsk.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): krbLastSuccessfulAuth is not available for [hc].
(Tue Jun 7 17:55:32 2016) [sssd[be[gsk.loc]]] [sdap_attrs_add_ldap_attr] (0x2000): krbLastFailedAuth is not available for [hc].
...
(Tue Jun 7 17:55:32 2016) [sssd[be[gsk.loc]]] [sysdb_remove_attrs] (0x2000): Removing attribute [krbLastSuccessfulAuth] from [hc]
(Tue Jun 7 17:55:32 2016) [sssd[be[gsk.loc]]] [sysdb_remove_attrs] (0x2000): Removing attribute [krbLastFailedAuth] from [hc]
...

> FreeIPA 4.x has enhanced ACIs but it mostly means there are less
> attributes accessible to non-authenticated (anonymous) connections. Once
> you are authenticated, most of the attributes which were accessed by
> anonymous connections before are now available.

Where can I see and/or control these ACIs?

Thanks!

2016-06-07 16:40 GMT+03:00 Alexander Bokovoy:
> On Tue, 07 Jun 2016, Konstantin M. Khankin wrote:
>
>> HI!
>>
>> I used to run FreeIPA 3.0 on CentOS 6 but recently upgraded this setup to
>> FreeIPA 4.2 on CentOS 7.2. And I got 2 my applications failing, because
>> they were accessing LDAP fields krb* (one by itself, another through
>> mod_lookup_identity). For the one which makes LDAP requests by its own I
>> created an account and LDAP happily gives an access to krb* fields once
>> that app makes simple bind
>>
> FreeIPA 4.x has enhanced ACIs but it mostly means there are less
> attributes accessible to non-authenticated (anonymous) connections. Once
> you are authenticated, most of the attributes which were accessed by
> anonymous connections before are now available.
>
>> But with the one which relies on mod_lookup_identity I'm having troubles.
>> Even though SSSD is being authenticated through GSSAPI, LDAP does not give
>> an access to krb* fields. I tried to create a separate service record for
>> SSSD - no change. And I couldn't make SSSD do simple bind instead of using
>> GSSAPI. I tried to setup FreeIPA so that by default it gives an access to
>> krb* fields, but web interface rejected that change
>>
>> Could you please help me with this issue? How can I control this behavior
>> properly, not with ugly hacks?
>>
> Can you show your SSSD configuration? host/ principals should be just
> fine to access krb* attributes.
>
> --
> / Alexander Bokovoy

--
Konstantin Khankin

From wdh at dds.nl Tue Jun 7 13:55:36 2016
From: wdh at dds.nl (Winfried de Heiden)
Date: Tue, 7 Jun 2016 15:55:36 +0200
Subject: [Freeipa-users] FreeOTP
In-Reply-To: <20160607130203.zyms26vj3bhztozz@redhat.com>
References: <20160607130203.zyms26vj3bhztozz@redhat.com>
Message-ID: <0c6db22f-6727-b538-e262-c84ecfd96e95@dds.nl>

An HTML attachment was scrubbed...

From abokovoy at redhat.com Tue Jun 7 14:08:53 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 7 Jun 2016 17:08:53 +0300
Subject: [Freeipa-users] FreeIPA 4.2 on CentOS 7.2 restricts an access to krb* attributes
References: <20160607134029.z6a444tnmk3zwezz@redhat.com>
Message-ID: <20160607140853.u4i3744u3srrzieq@redhat.com>

On Tue, 07 Jun 2016, Konstantin M. Khankin wrote:
>Hi Alexander!
>
>Here's the config (mostly auto-generated by ipa-client-install):
>-------------------------------------------------------------------------------------------------------------------------------------
>[domain/gsk.loc]
>cache_credentials = True
>krb5_store_password_if_offline = True
>ipa_domain = gsk.loc
>id_provider = ipa
>auth_provider = ipa
>access_provider = ipa
>ipa_hostname = garage.gsk.loc
>chpass_provider = ipa
>ipa_server = _srv_, drone.gsk.loc
>ldap_tls_cacert = /etc/ipa/ca.crt
>#ldap_search_base = cn=accounts,dc=gsk,dc=loc
>ldap_user_extra_attrs = uid, krbLastSuccessfulAuth, krbLastFailedAuth
>
>[sssd]
>services = nss, sudo, pam, ssh, ifp
>config_file_version = 2
>
>domains = gsk.loc
>[nss]
>homedir_substring = /home
>
>[pam]
>
>[sudo]
>
>[autofs]
>
>[ssh]
>
>[pac]
>
>[ifp]
>allowed_uids = apache, root
>user_attributes = +uid, +krbLastSuccessfulAuth, +krbLastFailedAuth
>-------------------------------------------------------------------------------------------------------------------------------------
Ok, for these there is a separate permission, 'System: Read User Kerberos Login Attributes'.

ipa permission-show 'System: Read User Kerberos Login Attributes'

It is by default assigned to the 'User administrators' role. You can use 'ipa role-add-member' to add others, like hosts:

ipa role-add-member 'User Administrator' --hosts=garage.gsk.loc

--
/ Alexander Bokovoy

From cal-s at blue-bolt.com Tue Jun 7 14:10:12 2016
From: cal-s at blue-bolt.com (Cal Sawyer)
Date: Tue, 7 Jun 2016 15:10:12 +0100
Subject: [Freeipa-users] Replica without CA: implications?
In-Reply-To: <5750A4DE.1090206@redhat.com>
References: <56E0484B.4080006@blue-bolt.com> <1457540024.8257.279.camel@redhat.com> <57504068.5010003@blue-bolt.com> <5750A4DE.1090206@redhat.com>
Message-ID: <5756D5C4.3070407@blue-bolt.com>

For the benefit, or added confusion, of future generations, some observations:

ipa-ca-install, run after successful replica instantiation w/o --setup-ca, fails consistently with the errors in my orig post. Never figured out what the script was finding that needed purging. After a multitude of attempts (thank you, ESXi snapshots) with multiple ipa-server-install --uninstall's, I gave up and rebuilt from the ground up with the latest packages and --setup-ca, which works great.

I found that installing a replica with firewalld enabled would consistently fail during initial replication. Disabling firewalld always allowed replication and later stages to complete:

  [24/38]: setting up initial replication
Starting replication, please wait until this has completed.
[ipa.localdomain.local] reports: Update failed! Status: [-1 - LDAP error: Can't contact LDAP server]

The first master and all replicas are all CentOS Linux release 7.2.1511 (Core) with ipa-server-4.2.0-15.0.1.el7

One other thing. If, during ipa-replica-install, you choose the default answer to the following:

Existing BIND configuration detected, overwrite? [no]:
ipa.ipapython.install.cli.install_tool(Replica): ERROR Aborting installation.

Not sure if that is intended? Which BIND configuration is being detected?

Anyhow, up and running with 4 replicas, 2 of which will be split off to a failover instance of ESXi in the future. When it works, it's a joy.

Now back to getting these Mac clients to play nicely with IPA ...

thanks for the help and advice

- cal

On 02/06/16 22:27, Rob Crittenden wrote:
> Cal Sawyer wrote:
>> Apologies for the lengthy pause in getting back onto this. I ended up
>> destroying the replica and reprovisioning from scratch, but the replica
>> still lists as being CA-less.
>>
>> Is what i'm seeing normal? Would this 2-node setup in this state
>> survive failure of the master?
>
> It will until the certificates start expiring. You want at least 2
> CA's to avoid a single point of failure situation.
>
>> -----------------
>>
>> ON MASTER ipa.localdomain.local
>>
>> # ipa-replica-manage list
>> ipa2.localdomain.local: master
>> ipa.localdomain.local: master
>>
>> # ipa-csreplica-manage list
>> ipa2.localdomain.local: CA not configured
>> ipa.localdomain.local: master
>>
>> ------------------
>>
>> ON REPLICA ipa2.localdomain.local
>>
>> # ipa-ca-install
>> Directory Manager (existing master) password:
>>
>> CA is already installed.
>>
>> ok ....
>>
>> # ipa-ca-install -d
>>
>> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG Created connection context.ldap2_73731152
>> ipa.ipalib.plugins.config.config_show: DEBUG raw: config_show(version=u'2.156')
>> ipa.ipalib.plugins.config.config_show: DEBUG config_show(rights=False, all=False, raw=False, version=u'2.156')
>> ipa.ipapython.ipaldap.SchemaCache: DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-LOCALDOMAIN-LOCAL.socket conn=
>> ipa.ipalib.plugins.cert.ca_is_enabled: DEBUG raw: ca_is_enabled(version=u'2.156')
>> ipa.ipalib.plugins.cert.ca_is_enabled: DEBUG ca_is_enabled(version=u'2.156')
>> ipa : DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 732, in run_script
>>     return_value = main_function()
>>
>>   File "/usr/sbin/ipa-ca-install", line 204, in main
>>     install_master(safe_options, options)
>>
>>   File "/usr/sbin/ipa-ca-install", line 191, in install_master
>>     ca.install_check(True, None, options)
>>
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 49, in install_check
>>     sys.exit("CA is already installed.\n")
>>
>> ipa : DEBUG The ipa-ca-install command failed, exception: SystemExit: CA is already installed.
>>
>> CA is already installed.
> It detects whether a CA is installed by the existence of something
> like /var/lib/pki-tomcat/ca. You can use pkidestroy to remove any
> remnants that might be left over from some previous failed install.
>
> Or it could be that something wasn't updated properly in LDAP and
> there actually is a working CA. You might try manually starting the CA
> to see if it comes up, and/or run ipa-csreplica-manage to see if there
> are any working agreements.
>
> rob
>
>> thanks
>>
>> - cal sawyer
>>
>> On 09/03/16 16:13, Simo Sorce wrote:
>>> On Wed, 2016-03-09 at 15:59 +0000, Cal Sawyer wrote:
>>>> Hi
>>>>
>>>> Somehow I picked the wrong cookbook when I provisioned my first (and
>>>> only) replica and it lacks CA aso, as pointed out in a recent thread,
>>>> creates a single point of failure. Not ready to set up 2 more replicas
>>>> yet and am still in testing. Is it possible to replicate the master's
>>>> CA to the replica without destroying and reprovisioning with --setup-ca
>>>> this time?
>>> Use ipa-ca-install on the replica.
>>>
>>> Simo.

From abokovoy at redhat.com Tue Jun 7 14:13:44 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 7 Jun 2016 17:13:44 +0300
Subject: [Freeipa-users] FreeOTP
In-Reply-To: <0c6db22f-6727-b538-e262-c84ecfd96e95@dds.nl>
References: <20160607130203.zyms26vj3bhztozz@redhat.com> <0c6db22f-6727-b538-e262-c84ecfd96e95@dds.nl>
Message-ID: <20160607141344.a55hvf64n6k3rbht@redhat.com>

On Tue, 07 Jun 2016, Winfried de Heiden wrote:
> Hi all,
> I tried the FreeIPA webUI, ssh and "su - otpuser", all the same result.
Ok.
> Jun 07 14:44:37 ipa.blabla.bla krb5kdc[5887](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.1.251: NEEDED_PREAUTH: otpuser at BLABLA.BLA for krbtgt/BLABLA.BLA at BLABLA.BLA, Additional pre-authentication required
> Jun 07 14:44:37 ipa.blabla.bla krb5kdc[5887](info): closing down fd 12
> Jun 07 14:44:42 ipa.blabla.bla krb5kdc[5888](info): preauth (otp) verify failure: Connection timed out
>
> I just cannot figure out what's going wrong. What is trying to connect to causing this timeout? (yep, I disabled firewalld for this...)

What is the output of systemctl status ipa-otpd.socket ?

if it is disabled, do

systemctl enable ipa-otpd.socket
systemctl start ipa-otpd.socket

--
/ Alexander Bokovoy

From wdh at dds.nl Tue Jun 7 14:17:32 2016
From: wdh at dds.nl (Winfried de Heiden)
Date: Tue, 7 Jun 2016 16:17:32 +0200
Subject: [Freeipa-users] FreeOTP
In-Reply-To: <20160607141344.a55hvf64n6k3rbht@redhat.com>
References: <20160607130203.zyms26vj3bhztozz@redhat.com> <0c6db22f-6727-b538-e262-c84ecfd96e95@dds.nl> <20160607141344.a55hvf64n6k3rbht@redhat.com>
Message-ID:

An HTML attachment was scrubbed...

From prasun.gera at gmail.com Tue Jun 7 14:44:32 2016
From: prasun.gera at gmail.com (Prasun Gera)
Date: Tue, 7 Jun 2016 10:44:32 -0400
Subject: [Freeipa-users] question about automount config
In-Reply-To:
References: <552e1d8a-1e60-26aa-19eb-a0f02fa6b3bf@deus.pro>
Message-ID:

From your errors, it looks like sssd is not able to find the autofs entries. In order to confirm that, you can add the autofs mapping manually to your config file (under /etc/auto.* depending on your config), and test if that works. If you can get that to work, the problem lies in freeipa/sssd configuration. I see that you are using sec=krb5. You may want to disable kerberos too while debugging, both at the nfs server export config, and at the client/automount config.

On Tue, Jun 7, 2016 at 9:10 AM, Arthur Fayzullin wrote:
> I have done like You said.
Here is output: > [root at nfsclient ~]# automount -vvvf > 1 Starting automounter version 5.1.1-3.fc23, master map auto.master > 2 using kernel protocol version 5.02 > 3 mounted indirect on /misc with timeout 300, freq 75 seconds > 4 mounted indirect on /net with timeout 300, freq 75 seconds > 5 mounted indirect on /home with timeout 300, freq 75 seconds > 6 lookup_read_map: lookup(sss): getautomntent_r: No such file or directory > 7 attempting to mount entry /home/afayzullin > 8 >> mount.nfs4: Connection timed out > 9 mount(nfs): nfs: mount failure nfserver.ciktrb.ru:/home/afayzullin on > /home/afayzullin > 10 failed to mount /home/afayzullin > 11 re-reading map for /home > 12 attempting to mount entry /home/afayzullin > > from string 1 till 6 is startup output. I have googled by > 'getautomntent_r', it has shown some closed threads that should be fixed > (line 3, 4, 5 shows that it is ok) > from line 7 I try to login as afayzullin and autofs tries to mount it as I > wish, but for some reason it can not. > How can I know why it can not do it? Where to look for it? > > also I have put debug_level=6 in [autofs] at /etc/sssd/sssd.conf and here > is a piece from /var/log/sssd/sssd_autofs.log > > (Tue Jun 7 15:59:58 2016) [sssd[autofs]] [accept_fd_handler] (0x0400): > Client connected! > (Tue Jun 7 15:59:58 2016) [sssd[autofs]] [sss_cmd_get_version] (0x0200): > Received client version [1]. > (Tue Jun 7 15:59:58 2016) [sssd[autofs]] [sss_cmd_get_version] (0x0200): > Offered version [1]. 
> (Tue Jun 7 15:59:58 2016) [sssd[autofs]] [sss_autofs_cmd_setautomntent] > (0x0400): Got request for automount map named auto.home > (Tue Jun 7 15:59:58 2016) [sssd[autofs]] [sss_parse_name_for_domains] > (0x0200): name 'auto.home' matched without domain, user is auto.home > (Tue Jun 7 15:59:58 2016) [sssd[autofs]] [setautomntent_send] (0x0400): > Requesting info for automount map [auto.home] from [] > (Tue Jun 7 15:59:58 2016) [sssd[autofs]] [lookup_automntmap_step] > (0x0400): Requesting info for [auto.home at ciktrb.ru] > (Tue Jun 7 15:59:58 2016) [sssd[autofs]] [sss_dp_issue_request] (0x0400): > Issuing request for [0x558ed3ebab90:0:auto.home at ciktrb.ru] > (Tue Jun 7 15:59:58 2016) [sssd[autofs]] [sss_dp_get_autofs_msg] > (0x0400): Creating autofs request for [ciktrb.ru][4105][mapname=auto.home] > (Tue Jun 7 15:59:58 2016) [sssd[autofs]] [sss_dp_internal_get_send] > (0x0400): Entering request [0x558ed3ebab90:0:auto.home at ciktrb.ru] > (Tue Jun 7 15:59:58 2016) [sssd[autofs]] [lookup_automntmap_step] > (0x0400): Requesting info for [auto.home at ciktrb.ru] > (Tue Jun 7 15:59:58 2016) [sssd[autofs]] [sysdb_autofs_entries_by_map] > (0x0400): Getting entries for map auto.home > (Tue Jun 7 15:59:58 2016) [sssd[autofs]] [lookup_automntmap_step] > (0x0400): setautomntent done for map auto.home > (Tue Jun 7 15:59:58 2016) [sssd[autofs]] > [sss_autofs_cmd_setautomntent_done] (0x0400): setautomntent found data > (Tue Jun 7 15:59:58 2016) [sssd[autofs]] [sss_dp_req_destructor] > (0x0400): Deleting request: [0x558ed3ebab90:0:auto.home at ciktrb.ru] > (Tue Jun 7 15:59:58 2016) [sssd[autofs]] > [sss_autofs_cmd_getautomntbyname] (0x0400): Requested data of map auto.home > key afayzullin > (Tue Jun 7 15:59:58 2016) [sssd[autofs]] [getautomntbyname_process] > (0x0080): No key named [afayzullin] found > (Tue Jun 7 15:59:58 2016) [sssd[autofs]] > [sss_autofs_cmd_getautomntbyname] (0x0400): Requested data of map auto.home > key / > (Tue Jun 7 15:59:58 2016) [sssd[autofs]] 
[getautomntbyname_process] > (0x0080): No key named [/] found > (Tue Jun 7 15:59:58 2016) [sssd[autofs]] > [sss_autofs_cmd_getautomntbyname] (0x0400): Requested data of map auto.home > key * > (Tue Jun 7 15:59:58 2016) [sssd[autofs]] [sss_autofs_cmd_endautomntent] > (0x0400): endautomntent called > > While manual mount works fine: > # mount -vvv -t nfs4 nfserver.ciktrb.ru:/home/afayzullin /mnt > mount.nfs4: timeout set for Tue Jun 7 17:07:25 2016 > mount.nfs4: trying text-based options > 'vers=4.2,addr=10.254.1.167,clientaddr=10.254.1.168' > [root at nfsclient ~]# echo $? > 0 > [root at nfsclient ~]# mount -l > nfserver.ciktrb.ru:/home/afayzullin on /mnt type nfs4 > (rw,relatime,seclabel,vers=4.2,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5,clientaddr=10.254.1.168,local_lock=none,addr=10.254.1.167) > > $ ssh nfsclient > Creating home directory for afayzullin. > Last login: Tue Jun 7 17:34:14 2016 > Could not chdir to home directory /home/afayzullin: No such file or > directory > -bash-4.3$ ll /mnt > ????? 0 > -rw-rw-r--. 1 afayzullin afayzullin 0 ??? 7 17:00 test > > but home is empty > # ll /home/ > ????? 0 > > So what steps should I take next? > > 24.05.2016 18:01, Prasun Gera ?????: > > You can stop the autofs daemon, and run it in foreground with automount > -fvv. Then try to access the mount point in parallel. The logs from the > foreground run should shed some light. Also, does your autofs setup work > without kerberos ? As a first step it to work with non-kerberised nfs. > > On Mon, May 23, 2016 at 11:06 AM, Arthur Fayzullin < > arthur at deus.pro> wrote: > >> Good day, colleagues! >> I am confused about how automount work and howto configure it. I have >> tried to configure it according to >> >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html >> document (paragraph 9.1.1 and chapter 20). 
>> I have tried to make it work on 3 servers: >> 1. ipa server; >> 2. nfs server (node00); >> 3. nfs client (postgres). >> >> >> *** so here how it configured on ipa server: >> $ ipa automountlocation-tofiles amantai >> /etc/auto.master: >> /- /etc/auto.direct >> /home /etc/auto.home >> --------------------------- >> /etc/auto.direct: >> --------------------------- >> /etc/auto.home: >> * -sec=kr5i,rw,fstype=nfs4 node00.glavsn.ab:/home/& >> >> maps not connected to /etc/auto.master: >> >> $ ipa service-find nfs >> ------------------ >> 2 services matched >> ------------------ >> ????????: nfs/node00.glavsn.ab at GLAVSN.AB >> Keytab: True >> Managed by: node00.glavsn.ab >> >> ????????: nfs/postgres.glavsn.ab at GLAVSN.AB >> Keytab: True >> Managed by: postgres.glavsn.ab >> >> >> *** here is nfs server config: >> $ sudo klist -k >> ??????: >> Keytab name: FILE:/etc/krb5.keytab >> KVNO Principal >> ---- >> -------------------------------------------------------------------------- >> 1 host/node00.glavsn.ab at GLAVSN.AB >> 1 host/node00.glavsn.ab at GLAVSN.AB >> 1 host/node00.glavsn.ab at GLAVSN.AB >> 1 host/node00.glavsn.ab at GLAVSN.AB >> 2 nfs/node00.glavsn.ab at GLAVSN.AB >> 2 nfs/node00.glavsn.ab at GLAVSN.AB >> 2 nfs/node00.glavsn.ab at GLAVSN.AB >> 2 nfs/node00.glavsn.ab at GLAVSN.AB >> >> $ cat /etc/exports >> /home *(rw,sec=sys:krb5:krb5i:krb5p) >> >> $ sudo firewall-cmd --list-all >> public (default, active) >> interfaces: bridge0 enp1s0 >> sources: >> services: dhcpv6-client nfs ssh >> ports: 8001/tcp >> masquerade: no >> forward-ports: >> icmp-blocks: >> rich rules: >> >> $ getenforce >> Enforcing >> >> >> *** here nfs client config: >> # klist -k >> Keytab name: FILE:/etc/krb5.keytab >> KVNO Principal >> ---- >> -------------------------------------------------------------------------- >> 1 host/postgres.glavsn.ab at GLAVSN.AB >> 1 host/postgres.glavsn.ab at GLAVSN.AB >> 1 host/postgres.glavsn.ab at GLAVSN.AB >> 1 host/postgres.glavsn.ab at GLAVSN.AB >> 1 
nfs/postgres.glavsn.ab at GLAVSN.AB
>> 1 nfs/postgres.glavsn.ab at GLAVSN.AB
>> 1 nfs/postgres.glavsn.ab at GLAVSN.AB
>> 1 nfs/postgres.glavsn.ab at GLAVSN.AB
>>
>> # firewall-cmd --list-all
>> FedoraServer (default, active)
>> interfaces: ens3
>> sources:
>> services: cockpit dhcpv6-client ssh
>> ports:
>> protocols:
>> masquerade: no
>> forward-ports:
>> icmp-blocks:
>> rich rules:
>>
>> # mount -l (contains next string)
>> auto.home on /home type autofs
>> (rw,relatime,fd=25,pgrp=960,timeout=300,minproto=5,maxproto=5,indirect)
>>
>> # ll /home/afayzullin
>> ls says that it cannot access /home/afayzullin: no such file or directory
>>
>> I have run
>> # ipa-client-automount --location=amantai
>> on client and it has completed successfully.
>>
>> I have tried to disable selinux, drop iptables rules. And now I am a
>> little confused about what to do next. Maybe someone who has dealt with
>> automount config can give me some advice, or point me to a howto for
>> configuring automount, or advise how to debug this situation?
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project

From prashant at apigee.com Tue Jun 7 14:56:34 2016
From: prashant at apigee.com (Prashant Bapat)
Date: Tue, 7 Jun 2016 20:26:34 +0530
Subject: [Freeipa-users] FreeOTP
In-Reply-To: <20160607141344.a55hvf64n6k3rbht@redhat.com>
References: <20160607130203.zyms26vj3bhztozz@redhat.com> <0c6db22f-6727-b538-e262-c84ecfd96e95@dds.nl> <20160607141344.a55hvf64n6k3rbht@redhat.com>
Message-ID:

If this is TOTP (time based) you want to double check the time is properly set in both the server (NTP) and the device that is generating the OTP tokens. I have had issues with this with my users a couple of times.
On 7 June 2016 at 19:43, Alexander Bokovoy wrote:
> On Tue, 07 Jun 2016, Winfried de Heiden wrote:
>
>> Hi all,
>> I tried the FreeIPA webUI, ssh and "su - otpuser", all the same result.
>>
> Ok.
>
>> Jun 07 14:44:37 ipa.blabla.bla krb5kdc[5887](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.1.251: NEEDED_PREAUTH: otpuser at BLABLA.BLA for krbtgt/BLABLA.BLA at BLABLA.BLA, Additional pre-authentication required
>> Jun 07 14:44:37 ipa.blabla.bla krb5kdc[5887](info): closing down fd 12
>> Jun 07 14:44:42 ipa.blabla.bla krb5kdc[5888](info): preauth (otp) verify failure: Connection timed out
>>
>> I just cannot figure out what's going wrong. What is trying to connect to causing this timeout? (yep, I disabled firewalld for this...)
>>
> What is the output of systemctl status ipa-otpd.socket ?
>
> if it is disabled, do
>
> systemctl enable ipa-otpd.socket
> systemctl start ipa-otpd.socket
>
> --
> / Alexander Bokovoy
From anthonyclarka2 at gmail.com Tue Jun 7 15:01:12 2016
From: anthonyclarka2 at gmail.com (Anthony Clark)
Date: Tue, 7 Jun 2016 11:01:12 -0400
Subject: [Freeipa-users] how to setup apache reverse https proxy for freeipa web UI
In-Reply-To:
References: <20160603204259.GF17518@redhat.com> <20160606091338.GF29312@redhat.com>
Message-ID:

Apparently removing the GSSAPI AuthType breaks foreman-proxy, so I had to do this:

AuthType GSSAPI
AuthName "Kerberos Login"
GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
GssapiUseS4U2Proxy on
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html
WSGIProcessGroup ipa
WSGIApplicationGroup ipa

Apologies for the post spam.

On Tue, Jun 7, 2016 at 9:50 AM, Anthony Clark wrote:
> One thing I noticed was that once I had set up the proxy as per the
> document from Jan, I was getting access denied to /ipa until I disabled the
> Kerberos authentication stuff:
>
> # Protect /ipa and everything below it in webspace with Apache Kerberos auth
>
> # AuthType GSSAPI
> # AuthName "Kerberos Login"
> # GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
> # GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
> # GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
> # GssapiUseS4U2Proxy on
> # Require valid-user
> # ErrorDocument 401 /ipa/errors/unauthorized.html
> WSGIProcessGroup ipa
> WSGIApplicationGroup ipa
>
> Once that change was made, the following proxy worked:
>
> Listen 9443
>
> ErrorLog /etc/httpd/logs/password-error_log
> TransferLog /etc/httpd/logs/password-access_log
> LogLevel debug
>
> NSSEngine on
>
> NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
>
> NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>
> NSSNickname Server-Cert
>
> NSSCertificateDatabase /etc/httpd/alias
>
> NSSProxyEngine on
> NSSProxyCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
>
> ProxyPass / https://ns01.dev.example.net/
> ProxyPassReverse / https://ns01.dev.example.net/
> ProxyPassReverseCookieDomain ns01.dev.example.net password.example.net
> RequestHeader edit Referer ^https://password\.example\.net/ https://ns01.dev.example.net/
>
> I hope this helps someone down the line.
>
> -Anthony Clark
>
> On Mon, Jun 6, 2016 at 7:29 AM, Karl Forner wrote:
>
>> Thanks a lot Jan. It works perfectly, and it is crystal-clear.
>> Best,
>> Karl
>>
>> On Mon, Jun 6, 2016 at 11:13 AM, Jan Pazdziora wrote:
>> > On Fri, Jun 03, 2016 at 10:42:59PM +0200, Jan Pazdziora wrote:
>> >>
>> >> Hope this helps. I will likely do another writeup about this setup.
>> >
>> > https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
>> >
>> > --
>> > Jan Pazdziora
>> > Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From wdh at dds.nl Tue Jun 7 15:07:08 2016
From: wdh at dds.nl (Winfried de Heiden)
Date: Tue, 7 Jun 2016 17:07:08 +0200
Subject: [Freeipa-users] FreeOTP
In-Reply-To:
References: <20160607130203.zyms26vj3bhztozz@redhat.com> <0c6db22f-6727-b538-e262-c84ecfd96e95@dds.nl> <20160607141344.a55hvf64n6k3rbht@redhat.com>
Message-ID: <3752f7e7-2d1e-0473-735a-041c45d71f71@dds.nl>

An HTML attachment was scrubbed...
From prashant at apigee.com Tue Jun 7 15:09:44 2016
From: prashant at apigee.com (Prashant Bapat)
Date: Tue, 7 Jun 2016 20:39:44 +0530
Subject: [Freeipa-users] FreeOTP
In-Reply-To: <3752f7e7-2d1e-0473-735a-041c45d71f71@dds.nl>
References: <20160607130203.zyms26vj3bhztozz@redhat.com> <0c6db22f-6727-b538-e262-c84ecfd96e95@dds.nl> <20160607141344.a55hvf64n6k3rbht@redhat.com> <3752f7e7-2d1e-0473-735a-041c45d71f71@dds.nl>
Message-ID:

Do HOTP tokens work fine ?

On 7 June 2016 at 20:37, Winfried de Heiden wrote:
> Hi all,
>
> Yes I checked that one also. The IPA-server is running ntp and is in sync.
> The FreeOTP app is running on my phone which is synced by network, all
> looks fine....
>
> Forgot to mention; this IPA-server is running on Fedora ARM on a Bananapi.
> non-otp logins go well.
>
> Winny
>
> On 07-06-16 at 16:56, Prashant Bapat wrote:
>
> If this is TOTP (time based) you want to double check the time is
> properly set in both the server (NTP) and the device that is generating the
> OTP tokens. I have had issues with this with my users a couple of times.
>
> On 7 June 2016 at 19:43, Alexander Bokovoy wrote:
>
>> On Tue, 07 Jun 2016, Winfried de Heiden wrote:
>>
>>> Hi all,
>>> I tried the FreeIPA webUI, ssh and "su - otpuser", all the same result.
>>>
>> Ok.
>>
>>> Jun 07 14:44:37 ipa.blabla.bla krb5kdc[5887](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.1.251: NEEDED_PREAUTH: otpuser at BLABLA.BLA for krbtgt/BLABLA.BLA at BLABLA.BLA, Additional pre-authentication required
>>> Jun 07 14:44:37 ipa.blabla.bla krb5kdc[5887](info): closing down fd 12
>>> Jun 07 14:44:42 ipa.blabla.bla krb5kdc[5888](info): preauth (otp) verify failure: Connection timed out
>>>
>>> I just cannot figure out what's going wrong. What is trying to connect to causing this timeout? (yep, I disabled firewalld for this...)
>>>
>> What is the output of systemctl status ipa-otpd.socket ?
>>
>> if it is disabled, do
>>
>> systemctl enable ipa-otpd.socket
>> systemctl start ipa-otpd.socket
>>
>> --
>> / Alexander Bokovoy

From rcritten at redhat.com Tue Jun 7 15:17:07 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 7 Jun 2016 11:17:07 -0400
Subject: [Freeipa-users] DNA Ranges
In-Reply-To:
References:
Message-ID: <5756E573.7000203@redhat.com>

Michael Rainey (Contractor) wrote:
> Greetings Community,
>
> I have a question about restoring the DNA Ranges on my IPA servers. A
> couple of weeks ago I took down one of my servers which involved a few
> issues I had created for myself, but luckily I managed to recover.
> Today I noticed that the DNA Ranges on the retired server were not
> carried over to the new server. After checking my other servers, I also
> noticed none of the other servers have any ranges set. So, my primary
> question is: if I set the range values on the new server to what they
> were on the retired server, do I run the risk of generating duplicate
> UIDs and GIDs, or should I set a new range to prevent duplicate values?
>
> At this point, I haven't found anything in my research which matches my
> current scenario.

You don't mention which version of IPA you have. If you have 4.x+ then you can use ipa-replica-manage to manage the DNA ranges.

You shouldn't have any problems setting a new range. Being careful about overlap is good but I'm pretty sure the uniqueness plugin will prevent duplicate UID/GID but I haven't experimented with it. I typically recommend ensuring that there is no overlap when setting a new range.

Re-using the range from another server should carry no risk as long as only one master is offering that range.
rob

From peljasz at yahoo.co.uk Tue Jun 7 15:20:33 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Tue, 7 Jun 2016 16:20:33 +0100
Subject: [Freeipa-users] IPA to supply radius with a special user name - how?
Message-ID: <8cc99dff-7f91-bbbe-c239-19ed67926c6c@yahoo.co.uk>

hi users,

some network devices need and look up a special type of user; in my case it's a Dell PowerConnect switch which, when it uses radius, needs, eg: $enable5$.
Is this something that IPA will be ok with? Will it have no problems if I create such a user?
I don't suppose IPA has full support for radius attributes, right? Or is --addattr=STR something for that?
How does one create a radius-typical user?

many thanks,
L.

From cal-s at blue-bolt.com Tue Jun 7 15:22:17 2016
From: cal-s at blue-bolt.com (Cal Sawyer)
Date: Tue, 7 Jun 2016 16:22:17 +0100
Subject: [Freeipa-users] How to get FreeIPA feature requests ack'd?
Message-ID: <5756E6A9.2030808@blue-bolt.com>

Hello

The RH Bugzilla is pretty much unnavigable by anyone who doesn't know the magic words, so I'm asking here. Apologies in advance if misdirected.

The Web UI has a couple of fairly annoying (sorry) deficiencies:

- unable to sort on columns, eg: In DNS Zones, the sort is on hostname, making it difficult to locate holes in a network range. This is easy in BIND flat zone files, which by convention are usually organised by IP address - of course, sorting on IP address needs to be done like mySQL's ORDER BY INET_ATON(ip) to prevent what I like to call "Mac-style" ordering of IP addresses (1, 10, 100, 2)

- record and subtree cloning would be a terrific feature when working with automount maps and sudo objects that are fiddly to edit in the UI.
Essentially, what phpldapadmin allows

thank you,

- cal sawyer

From wdh at dds.nl Tue Jun 7 15:23:04 2016
From: wdh at dds.nl (Winfried de Heiden)
Date: Tue, 7 Jun 2016 17:23:04 +0200
Subject: [Freeipa-users] FreeOTP
In-Reply-To:
References: <20160607130203.zyms26vj3bhztozz@redhat.com> <0c6db22f-6727-b538-e262-c84ecfd96e95@dds.nl> <20160607141344.a55hvf64n6k3rbht@redhat.com> <3752f7e7-2d1e-0473-735a-041c45d71f71@dds.nl>
Message-ID: <144ff64a-c3b0-acb1-c74e-6aa853ddef17@dds.nl>

An HTML attachment was scrubbed...

From rcritten at redhat.com Tue Jun 7 15:28:23 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 7 Jun 2016 11:28:23 -0400
Subject: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates
In-Reply-To: <2bcc8777-e17f-b10b-b590-aea566c7ee54@damascusgrp.com>
References: <5750416E.3070408@damascusgrp.com> <5750A599.6020305@redhat.com> <09f4573d-d950-4947-bf06-f6168eabc4ad@Spark> <20160602222419.GH4744@dhcp-40-8.bne.redhat.com> <57516BD5.2040700@damascusgrp.com> <57518AAD.4050304@redhat.com> <57519BF7.9060301@redhat.com> <168cf282-1df9-b8e4-7db5-788c80bc98e6@damascusgrp.com> <5751B88F.1080105@redhat.com> <2bcc8777-e17f-b10b-b590-aea566c7ee54@damascusgrp.com>
Message-ID: <5756E817.1050804@redhat.com>

Bret Wortman wrote:
>
> On 06/03/2016 01:04 PM, Rob Crittenden wrote:
>> Bret Wortman wrote:
>>>
>>> On 06/03/2016 11:02 AM, Rob Crittenden wrote:
>>>> Bret Wortman wrote:
>>>>> I'm not sure I'd call what we have "success" just yet. ;-)
>>>>>
>>>>> You're right -- F21, IPA 4.1.4-1. I'll try the steps you outlined and
>>>>> see how we go.
>>>>>
>>>>> Rob, would you have just used the existing "localhost.key" instead of
>>>>> generating a new one?
>>>>
>>>> No, I think you did the right thing, the default keysize was probably
>>>> still 1024 in F21. I double-checked the getcert-request man page and
>>>> it looks like it will use an existing key if one exists in the key
>>>> file passed in so I was wrong about that bit.
You just didn't need to >>>> use req to generate a CSR as certmonger will do that for you. >>>> >>> Good to know. >>> >>> I tried the update-ca-trust on both the yum server and on my workstation >>> but nothing changed even after an httpd restart. I did take a peek >>> inside /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt and >>> didn't see my /etc/ipa/ca.crt in there (which may not be a problem, but >>> I confess I'm not sure what should be where at this point). >> >> You'd only need to do this on the machine acting as a client. >> >> I'm pretty sure yum uses /etc/pki/nssdb. Is the IPA CA in there and >> trusted? >> >> $ certutil -L -d /etc/pki/nssdb > > It's in there on both the server and client. Hmm, this works for me on an F-21 system. I created an empty repo, added a yum config and was able to fetch it ok. yum uses libcurl under the hood, you might try the same certutil command using sql:/etc/pki/nssdb as the NSS database and add in the IPA CA to see if that helps. Again, it is only needed on the client. rob > >> rob >> >>> >>> >>> Bret >>> >>>> rob >>>> >>>>> >>>>> >>>>> On 06/03/2016 09:48 AM, Rob Crittenden wrote: >>>>>> Bret Wortman wrote: >>>>>>> So for our internal yum server, I created a new key and cert >>>>>>> request (it >>>>>>> had a localhost key and cert but I wanted to start clean): >>>>>>> >>>>>>> # openssl genrsa 2048 > /etc/pki/tls/private/server.key >>>>>>> # openssl req -new -x509 -nodes -sha1 -days 365 -key >>>>>>> /etc/pki/tls/private/server.key > /etc/pki/tls/certs/server.crt >>>>>>> # ipa-getcert request -f /etc/pki/tls/certs/server.crt -k >>>>>>> /etc/pki/tls/private/server.key -r >>>>>> >>>>>> I try not to argue with success but I'd be curious what is actually >>>>>> going on here. You generate a CSR and call it a certificate. It is >>>>>> probably the case that certmonger is ignoring it altogether and >>>>>> generating its own CSR. >>>>>> >>>>>>> ipa-getcert list shows it approved. 
I set up SSL in apache to use >>>>>>> the >>>>>>> above .key and .crt, but when I try to run yum against this using >>>>>>> ssl: >>>>>>> >>>>>>> # yum search ffmpeg >>>>>>> Loaded plugins: langpacks >>>>>>> https://yum.private.net/fedora/releases/21/Everything/x86_64/os/repodata/repomd.xml: >>>>>>> >>>>>>> >>>>>>> >>>>>>> [Errno 14] curl#60 - "Peer's certificate issuer has been >>>>>>> marked as >>>>>>> not trusted by the user." >>>>>>> : >>>>>>> >>>>>>> Is there a step I need to take on the clients so they'll accept this >>>>>>> cert as trusted? I thought having it be signed by the IPA CA would >>>>>>> have >>>>>>> taken care of that. >>>>>>> >>>>>>> # ls -l /etc/ipa/ca.crt >>>>>>> -rw-r--r-- 1 root root 2546 Apr 28 2014 /etc/ipa/ca.crt >>>>>>> # >>>>>> >>>>>> Pretty much only IPA tools know to use this file. >>>>>> >>>>>> My knowledge is a bit stale on adding the IPA CA to the global trust >>>>>> but I'm pretty sure it is done automatically now and I think it >>>>>> was in >>>>>> the 4.2 timeframe. I'm assuming this is Fedora 21 so it doesn't have >>>>>> this code. >>>>>> >>>>>> Look at this, >>>>>> https://fedoraproject.org/wiki/Features/SharedSystemCertificates >>>>>> >>>>>> The idea is to add the IPA CA to that and then all tools using SSL >>>>>> would "just work". >>>>>> >>>>>> Something like: >>>>>> >>>>>> # cp /etc/ipa/ca.crt >>>>>> /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem >>>>>> # update-ca-trust >>>>>> >>>>>> You'd need to remember to manually undo this if you ever redo your >>>>>> IPA >>>>>> install (and get a new CA): >>>>>> >>>>>> # rm /etc/ipa/ca.crt >>>>>> /usr/share/pki/ca-trust-source/anchors/ipa-ca.pem >>>>>> # update-ca-trust >>>>>> >>>>>> Like I said, I'm pretty sure this is all automatic in some more >>>>>> recent >>>>>> versions of IPA. >>>>>> >>>>>> rob >>>>>> >>>>>>> >>>>>>> --- >>>>>>> Bret >>>>>>> >>>>>>> On 06/02/2016 07:25 PM, bret.wortman at damascusgrp.com wrote: >>>>>>>> Cool. I'll give this a go in the morning. 
>>>>>>>> >>>>>>>> Bret Wortman >>>>>>>> http://wrapbuddies.co/ >>>>>>>> >>>>>>>> On Jun 2, 2016, 6:24 PM -0400, Fraser Tweedale >>>>>>>> , >>>>>>>> wrote: >>>>>>>>> On Thu, Jun 02, 2016 at 05:35:01PM -0400, >>>>>>>>> bret.wortman at damascusgrp.com wrote: >>>>>>>>>> Sorry, let me back up a step. We need to implement hype >>>>>>>>>> everywhere. All our web services. And clients need to get >>>>>>>>>> keys&certs automatically whether through IPA or Puppet. These >>>>>>>>>> systems use IPA for everything but authentication (to keep most >>>>>>>>>> users off). I'm trying to wuss out the easiest way to make this >>>>>>>>>> happen smoothly. >>>>>>>>>> >>>>>>>>> Hi Bret, >>>>>>>>> >>>>>>>>> You can use the IPA CA to sign service certificates. See >>>>>>>>> http://www.freeipa.org/page/Certmonger#Request_a_new_certificate. >>>>>>>>> >>>>>>>>> IPA-enrolled machines already have the IPA certificate in their >>>>>>>>> trust store. If the clients are IPA-enrolled, everything should >>>>>>>>> Just Work, otherwise you can distribute the IPA CA certificate to >>>>>>>>> clients via Puppet** or whatever means you prefer. >>>>>>>>> >>>>>>>>> ** you will have to work out how, because I do not know Puppet :) >>>>>>>>> >>>>>>>>> Cheers, >>>>>>>>> Fraser >>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On Jun 2, 2016, 5:31 PM -0400, Rob >>>>>>>>>> Crittenden, >>>>>>>>>> wrote: >>>>>>>>>>> Bret Wortman wrote: >>>>>>>>>>>> Is it possible to use our freeipa CA as a trusted CA to sign >>>>>>>>>>>> our >>>>>>>>>>>> internal SSL certificates? Our system runs on a private network >>>>>>>>>>>> and so >>>>>>>>>>>> using the usual trusted sources isn't an option. We've been >>>>>>>>>>>> using >>>>>>>>>>>> self-signed, but that adds some additional complications and we >>>>>>>>>>>> thought >>>>>>>>>>>> this might be a good solution. 
>>>>>>>>>>>> >>>>>>>>>>>> Is it possible, and, since most online guides defer to "submit >>>>>>>>>>>> the CSR >>>>>>>>>>>> to Verisign" or whomever, how would you go about producing >>>>>>>>>>>> one in >>>>>>>>>>>> this way? >>>>>>>>>>> >>>>>>>>>>> Not sure I understand the question. The IPA CA is also >>>>>>>>>>> self-signed. For >>>>>>>>>>> enrolled systems though at least the CA is pre-distributed so >>>>>>>>>>> maybe >>>>>>>>>>> that >>>>>>>>>>> will help. >>>>>>>>>>> >>>>>>>>>>> rob >>>>>>>>>>> >>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Manage your subscription for the Freeipa-users mailing list: >>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>>>>>> Go to http://freeipa.org for more info on the project >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >> > From rcritten at redhat.com Tue Jun 7 15:29:27 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 7 Jun 2016 11:29:27 -0400 Subject: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master In-Reply-To: <1936FD85-01A0-45F0-90D5-E7B5A3A79BC2@high5games.com> References: <5e9b561a-c399-a5fb-b59f-d2ccbbd6791e@dlr.de> <0405D135-74A7-4E5C-AF85-41224767BADC@high5games.com> <5750A53F.2040908@redhat.com> <5751F4CD.5040307@redhat.com> <5751FAD7.6020205@redhat.com> <6B847FD2-8DD0-4640-B6AF-4F8BC0989F42@high5games.com> <57557FFD.3080600@redhat.com> <81E03624-3BDE-45AB-B476-A568F0082561@high5games.com> <57559A53.9020108@redhat.com> <5755F467.2030901@redhat.com> <1936FD85-01A0-45F0-90D5-E7B5A3A79BC2@high5games.com> Message-ID: <5756E857.4070005@redhat.com> Dan.Finkelstein at high5games.com wrote: > This advice has gotten me much further, thanks. We didn't have an HBAC > rule for admin and, now with it in place, connection checks and other > commands appear to be working that haven't worked before. I'm still > getting caught on the CA portion of the replica installation. 
> Confoundingly, neither the ipa-replica-install or ipa-ca-install commands will complete (the former with the --setup-ca option), the latter producing this output in the last few lines of ipareplica-ca-install.log:
>
> 2016-06-07T12:44:32Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
> 2016-06-07T12:44:32Z DEBUG Checking if IPA schema is present in ldap://ipa-replica.example.com:7389
> 2016-06-07T12:44:32Z DEBUG retrieving schema for SchemaCache url=ldap://ipa-replica.example.com:7389 conn=
> 2016-06-07T12:44:32Z DEBUG Check OK
> 2016-06-07T12:44:32Z DEBUG Destroyed connection context.ldap2_50387920
> 2016-06-07T12:44:32Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
> 2016-06-07T12:44:32Z DEBUG File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 732, in run_script
>     return_value = main_function()
>   File "/usr/sbin/ipa-ca-install", line 202, in main
>     install_replica(safe_options, options, filename)
>   File "/usr/sbin/ipa-ca-install", line 150, in install_replica
>     ca.install(True, config, options)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 106, in install
>     install_step_0(standalone, replica_config, options)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 130, in install_step_0
>     ra_p12=getattr(options, 'ra_p12', None))
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1530, in install_replica_ca
>     sys.exit("A CA is already configured on this system.")
>
> 2016-06-07T12:44:32Z DEBUG The ipa-ca-install command failed, exception: SystemExit: A CA is already configured on this system.
>
> This occurs when I run either the replica or ca installer commands a second time.

A second time how? Are you running ipa-server-install --uninstall in between?

In any case, when the CA install fails 99 times out of 100 the ipa* install logs will contain nothing useful. You need to dig into the CA logs to see why the install failed.

rob

>
> Best regards,
>
> Dan
>
> *Daniel Alex Finkelstein* | Senior Dev Ops Engineer
> _Dan.Finkelstein at h5g.com_ | 212.604.3447
> One World Trade Center, New York, NY 10007
> www.high5games.com
> Play High 5 Casino and Shake the Sky
> Follow us on: Facebook, Twitter, YouTube, Linkedin
>
> /This message and any attachments may contain confidential or privileged information and are only for the use of the intended recipient of this message. If you are not the intended recipient, please notify the sender by return email, and delete or destroy this and all copies of this message and all attachments. Any unauthorized disclosure, use, distribution, or reproduction of this message or any attachments is prohibited and may be unlawful./
>
> *From: *Rob Crittenden
> *Date: *Monday, June 6, 2016 at 18:08
> *To: *Daniel Finkestein, "freeipa-users at redhat.com"
> *Subject: *Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master
>
> Dan.Finkelstein at high5games.com wrote:
> > By the way, I want to mention the conncheck: if I don't skip it, it tries to ssh into the master IPA instance as 'admin@', rather than the user (root), and fails. All other parts of the connectivity check work, however. Why does it try to access the master as a Kerberos principal instead of the process user?
> >
> > Because the remote master, being an IPA server, should have an admin account, so it's a known. root over ssh is not allowed in some environments.
> >
> > There is a ticket open to be able to set the login to be used, right now admin is hardcoded.
> >
> > As for the install failure you should now have the appropriate logs to start diagnosing what was going on in /var/log/pki.
> >
> > rob
> >
> > Thanks,
> > Dan
> >
> > *From: *Rob Crittenden
> > *Date: *Monday, June 6, 2016 at 11:44
> > *To: *Daniel Finkestein, "freeipa-users at redhat.com"
> > *Subject: *Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master
> >
> > Skipping the conncheck can mask odd problems and should be used sparingly.
> >
> > rob

From jstormshak at cccis.com Tue Jun 7 15:37:11 2016
From: jstormshak at cccis.com (Jeffrey Stormshak)
Date: Tue, 7 Jun 2016 15:37:11 +0000
Subject: [Freeipa-users] AD one-way trust error ---
Message-ID: <6FB63BF8-E5FF-4582-BCC1-370EC515C238@cccis.com>

Greetings all -

I'm trying to pinpoint a problem when creating the AD trust using the following command below. The error message and related details are provided below. There is a Bugzilla on it, however, I cannot locate any updated versions from RHEL/Oracle Linux channels. That gives me the impression that I'm stuck without a fix or other possible resolution. Thoughts?
Creating AD Trust Error Message:

[root at ma-ipa-server-p1 ~]# ipa trust-add DOMAIN.COM --admin Administrator --password
Active Directory domain administrator's password:
ipa: ERROR: CIFS server configuration does not allow access to \\pipe\lsarpc

Software Versions reporting error:

ipa-server-trust-ad-4.2.0-15.0.1.el7.x86_64
ipa-server-4.2.0-15.0.1.el7.x86_64

# ipa --version
VERSION: 4.2.0, API_VERSION: 2.156

# rpm -qa samba
samba-4.2.3-10.el7.x86_64

BugZilla Reported: https://bugzilla.redhat.com/show_bug.cgi?id=1249455

Jeffrey Stormshak, RHCSA | Sr. Linux Engineer
Platform Systems | IT Operations Infrastructure
CCC Information Services, Inc.
Phone: (312) 229-2552

From abrittingham at monetra.com Tue Jun 7 16:17:11 2016
From: abrittingham at monetra.com (Andy Brittingham)
Date: Tue, 7 Jun 2016 12:17:11 -0400
Subject: [Freeipa-users] replication - ruv errors
Message-ID: <9efd42e2-c817-842c-0ff4-9109ac3f9a1b@monetra.com>

Hello,

I'm having issues with freeipa replication. Currently we have 4 Freeipa servers, in a master - master relationship with replication agreements between all servers.

I noticed the replication failure messages in the logs late last week and upon investigation found stale replication agreements for ipa servers that had been replaced. Eventually I rebuilt 3 of the 4 servers and re-initialized from the good server.

This morning my main ipa server had the directory service crash. After we restarted it, ipa-manage-replica --list-ruv showed entries like these:

unable to decode: {replica 6} 55e49440000000060000 55e49440000000060000
unable to decode: {replica 4} 550b2d9e000200040000 550b2d9e000200040000

Which a cleanallruv.pl was able to remove.

We also noticed these log errors:

[07/Jun/2016:07:40:12 -0400] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 1080 ldap://ipa1.p10jax.auth.monetra.com:389} 57506ee6000004380000 57506f06001604380000] which is present in RUV [database RUV]
[07/Jun/2016:07:40:12 -0400] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 1285 ldap://ipa1.gnv.auth.monetra.com:389} 5734e473000005050000 57361df0000005050000] which is present in RUV [database RUV]
[07/Jun/2016:07:40:12 -0400] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 1085 ldap://ipa1.p10jax.auth.monetra.com:389} 56d0aa270000043d0000 57489fdd0003043d0000] which is present in RUV [database RUV]
[07/Jun/2016:07:40:12 -0400] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element

The cleanallruv script had no effect on these errors.

What is the proper procedure to clean up these stale entries? Is there something that I may be doing that causes this situation?

Thanks,
Andy

From khankin.konstantin at gmail.com Tue Jun 7 17:06:14 2016
From: khankin.konstantin at gmail.com (Konstantin M. Khankin)
Date: Tue, 7 Jun 2016 20:06:14 +0300
Subject: [Freeipa-users] FreeIPA 4.2 on CentOS 7.2 restricts an access to krb* attributes
In-Reply-To: <20160607140853.u4i3744u3srrzieq@redhat.com>
References: <20160607134029.z6a444tnmk3zwezz@redhat.com> <20160607140853.u4i3744u3srrzieq@redhat.com>
Message-ID:

Thanks a ton Alexander, this permission fixed everything :)

2016-06-07 17:08 GMT+03:00 Alexander Bokovoy:
> On Tue, 07 Jun 2016, Konstantin M. Khankin wrote:
>
>> Hi Alexander!
>>
>> Here's the config (mostly auto-generated by ipa-client-install):
>>
>> -------------------------------------------------------------------
>> [domain/gsk.loc]
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = gsk.loc
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = garage.gsk.loc
>> chpass_provider = ipa
>> ipa_server = _srv_, drone.gsk.loc
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> #ldap_search_base = cn=accounts,dc=gsk,dc=loc
>> ldap_user_extra_attrs = uid, krbLastSuccessfulAuth, krbLastFailedAuth
>>
>> [sssd]
>> services = nss, sudo, pam, ssh, ifp
>> config_file_version = 2
>>
>> domains = gsk.loc
>> [nss]
>> homedir_substring = /home
>>
>> [pam]
>>
>> [sudo]
>>
>> [autofs]
>>
>> [ssh]
>>
>> [pac]
>>
>> [ifp]
>> allowed_uids = apache, root
>> user_attributes = +uid, +krbLastSuccessfulAuth, +krbLastFailedAuth
>>
>> -------------------------------------------------------------------
>>
> Ok, for these there is a separate permission, 'System: Read User Kerberos Login Attributes'.
>
> ipa permission-show 'System: Read User Kerberos Login Attributes'
>
> It is by default assigned to 'User administrators' role. You can use 'ipa role-add-member' to add others, like hosts:
>
> ipa role-add-member 'User Administrator' --hosts=garage.gsk.loc
>
> --
> / Alexander Bokovoy

--
From rcritten at redhat.com Tue Jun 7 18:43:10 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 7 Jun 2016 14:43:10 -0400
Subject: [Freeipa-users] IPA 2.2 Certificate Renewal issue
In-Reply-To:
References: <57486A9E.2050909@redhat.com> <574DA955.2030004@redhat.com> <574E5CD4.1020108@redhat.com> <574EF307.3090301@redhat.com> <5750A64D.7090807@redhat.com>
Message-ID: <575715BE.2050601@redhat.com>

Kay Zhou Y wrote:
> Hi Rob,
>
> Actually the certmonger service has failed after restarting it, but without it active the two 389-ds and apache certs could be renewed as well.. it's weird..
>
> root at ecnshlx3039-test2(SH):~ #systemctl status certmonger
> certmonger.service - Certificate monitoring and PKI enrollment
> Loaded: loaded (/usr/lib/systemd/system/certmonger.service; disabled)
> Active: failed (Result: exit-code) since Mon, 23 Jun 2014 00:31:11 +0200; 5s ago
> Process: 2198 ExecStart=/usr/sbin/certmonger -S -p /var/run/certmonger.pid -n $OPTS (code=exited, status=1/FAILURE)
> CGroup: name=systemd:/system/certmonger.service
>
> Jun 23 00:31:11 ecnshlx3039-test2.sh.cn.ao.ericsson.se certmonger[2198]: 2014-06-23 00:31:11 [2198] Unable to set well-known bus name "org.fedorahosted.certmonger": (2).
> Jun 23 00:31:11 ecnshlx3039-test2.sh.cn.ao.ericsson.se certmonger[2198]: Error connecting to D-Bus.

I'm not sure why it can't connect to dbus. Is the messagebus service running?

> I have already renewed the two 389-ds and apache certs to 20160622, however, since there is not enough time for us before expiration, we try to seek other workarounds, and one solution for us is to disable the expired certificate according to https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/troubleshooting-servers-and-replicas.html#expired-certs
> After testing, it could work, but the IPA command could not be used. But it seems we can still get data from LDAP.
>
> Is there any other way we could use to disable such expired certs without impact, from your side?

It's possible but it's hacky and it trains people to disregard bad certificates.

rob

>
> Thanks for your great support again :)
>
> BR//Kay
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Friday, June 03, 2016 5:34 AM
> To: Kay Zhou Y; freeipa-users at redhat.com
> Cc: Doris Hongmei; Xionglin Gu
> Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue
>
> Kay Zhou Y wrote:
>> Hi Rob,
>>
>> We are using fedora 17.
>> And as you said, when I roll back time to when the CA subsystem and ipaCert are valid, then restart ipactl, "pki-cad at pki-ca.service" is active as normal.
>> But these five certs could not be renewed as before. (actually I always restart the ipa world after I roll back time, this "pki-cad at pki-ca.service" should be active but I just ignored it before... )
>
> With the time rolled back what I'd do is restart certmonger then run in a loop with a 1 second sleep ipa-getcert list and ensure that the statuses are changing to SUBMITTING, etc., and see what the final state is. certmonger logs to syslog so that might give some clues what is happening, and you can watch the dogtag logs to ensure the requests are being received, etc.
>
> rob
>
>>
>> Thanks,
>> BR//Kay
>>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcritten at redhat.com]
>> Sent: Wednesday, June 01, 2016 10:37 PM
>> To: Kay Zhou Y; freeipa-users at redhat.com
>> Cc: Doris Hongmei; Xionglin Gu
>> Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue
>>
>> Kay Zhou Y wrote:
>>> Hi Rob,
>>>
>>> 1. I have made snapshots of this system for testing, so the NSS databases have been backed up.
>>>
>>> 2. For the pki-cad service, I can't find it in my system, it shows there is no such service.
>>> but there is one service failed as below:
>>>
>>> root at ecnshlx3039-test2(SH):requests #systemctl status pki-cad at pki-ca.service
>>> pki-cad at pki-ca.service - PKI Certificate Authority Server pki-ca
>>> Loaded: loaded (/lib/systemd/system/pki-cad at .service; enabled)
>>> Active: failed (Result: exit-code) since Wed, 01 Jun 2016 06:28:53 +0200; 23min ago
>>> Process: 2675 ExecStop=/usr/bin/pkicontrol stop ca %i (code=exited, status=1/FAILURE)
>>> Process: 2525 ExecStart=/usr/bin/pkicontrol start ca %i (code=exited, status=0/SUCCESS)
>>> Main PID: 2593 (code=exited, status=0/SUCCESS)
>>> CGroup: name=systemd:/system/pki-cad at .service/pki-ca
>>>
>>> Jun 01 06:28:49 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2549]: pam_unix(runuser-l:session): session opened for user pkius...d=0)
>>> Jun 01 06:28:49 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2549]: pam_unix(runuser-l:session): session closed for user pkiuser
>>> Jun 01 06:28:52 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2694]: pam_unix(runuser-l:session): session opened for user pkius...d=0)
>>> Jun 01 06:28:53 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2694]: pam_unix(runuser-l:session): session closed for user pkiuser
>>>
>>> I can't start it normally, even the log just said:
>>> Jun 1 06:54:39 ecnshlx3039-test2 systemd[1]: pki-cad at pki-ca.service: control process exited, code=exited status=1
>>> Jun 1 06:54:39 ecnshlx3039-test2 systemd[1]: Unit pki-cad at pki-ca.service entered failed state.
>>>
>>> I will google more to try to start it firstly.
>>
>> Ok, this is very confusing to me. What distribution are you running? I have the feeling you are running an extremely outdated version of Fedora.
>>
>> Yes, you need the CA up in order to get the certificates renewed. Look at catalina.out, the log "debug" and the selftests log for clues on why it won't start. You also need the PKI-IPA 389-ds instance running.
>>
>> And I guess you were just showing me the service name and such, but of course it won't start today with expired certs.
>>
>>>
>>> 3. About the source of the output for getcert list:
>>>
>>> root at ecnshlx3039-test2(SH):requests #ll
>>> total 64
>>> -rw-------. 1 root root 5698 Jun 1 06:06 20120704140859
>>> -rw-------. 1 root root 5695 Jun 1 06:06 20120704140922
>>> -rw-------. 1 root root 5654 Jun 1 06:06 20120704141150
>>> -rw-------. 1 root root 5107 Jun 1 06:39 20140605220249
>>> -rw-------. 1 root root 4982 Jun 1 06:39 20160601043748
>>> -rw-------. 1 root root 5144 Jun 1 06:39 20160601043749
>>> -rw-------. 1 root root 5186 Jun 1 06:39 20160601043750
>>> -rw-------. 1 root root 5126 Jun 1 06:39 20160601043751
>>> root at ecnshlx3039-test2(SH):requests #
>>> root at ecnshlx3039-test2(SH):requests #grep post_certsave_command *
>>> 20120704140859:post_certsave_command=/usr/lib64/ipa/certmonger/restart_dirsrv DRUTT-COM
>>> 20120704141150:post_certsave_command=/usr/lib64/ipa/certmonger/restart_httpd
>>> root at ecnshlx3039-test2(SH):requests #grep pre_certsave_command *
>>> root at ecnshlx3039-test2(SH):requests #
>>>
>>> there are just two statements.
>>
>> Ok, that is fine then I think.
>>
>> rob
>>
>

From rcritten at redhat.com Tue Jun 7 18:44:26 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 7 Jun 2016 14:44:26 -0400
Subject: [Freeipa-users] replica +dns +ca -> ERROR Unable to retrieve CA chain
In-Reply-To:
References: <9c909796-257c-0caa-0c76-5c2c8cf31d80@yahoo.co.uk> <5745A648.8020704@redhat.com>
Message-ID: <5757160A.8080903@redhat.com>

lejeczek wrote:
>
> On 25/05/16 14:19, Rob Crittenden wrote:
>> lejeczek wrote:
>>> hi there,
>>>
>>> I'm trying to set up a replica with: --setup-dns --no-forwarders --setup-ca
>>>
>>> installer fails at:
>>>
>>> [10/23]: importing CA chain to RA certificate database
>>> [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>
>>> more from log:
>>>
>>> 2016-05-25T12:38:31Z DEBUG [10/23]: importing CA chain to RA certificate database
>>> 2016-05-25T12:38:31Z DEBUG Traceback (most recent call last):
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
>>>     run_step(full_msg, method)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
>>>     method()
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1015, in __import_ca_chain
>>>     chain = self.__get_ca_chain()
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 997, in __get_ca_chain
>>>     raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
>>> RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
>>>
>>> 2016-05-25T12:38:31Z DEBUG [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
>>> 2016-05-25T12:38:31Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>>
>>> what might be the problem?
>>
>> It is failing getting the CA chain from dogtag. It uses port 8080 by default. I'd check your firewall and that the remote CA is up.
>>
> is 8080 needed only @installation time or all the time?
> many thanks,

I think it's just needed during install but I didn't pore over the code. Once up the data replicates, depending on version, on 389 or 7389 and all other access should be proxied through 443.

rob

From Nathan.Peters at globalrelay.net Tue Jun 7 19:08:10 2016
From: Nathan.Peters at globalrelay.net (Nathan Peters)
Date: Tue, 7 Jun 2016 19:08:10 +0000
Subject: [Freeipa-users] [FreeIPA 4.3.0] Limits exceeded for this query
Message-ID:

I get this when doing almost anything on only one of my Fedora 23 FreeIPA 4.3.0 servers. The rest work fine.

This server also tends to crash quite a bit and the others do not.

Any tips on what I should be looking for or how to fix that ?

Some operations failed.
Hide details
* limits exceeded for this query

Nathan Peters

From rcritten at redhat.com Tue Jun 7 19:21:42 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 7 Jun 2016 15:21:42 -0400
Subject: [Freeipa-users] [FreeIPA 4.3.0] Limits exceeded for this query
In-Reply-To:
References:
Message-ID: <57571EC6.7080009@redhat.com>

Nathan Peters wrote:
> I get this when doing almost anything on only one of my Fedora 23 FreeIPA 4.3.0 servers. The rest work fine.
>
> This server also tends to crash quite a bit and the others do not.

What crashes?

> Any tips on what I should be looking for or how to fix that ?

I'd look in the 389-ds access log for err=3 or 4 and see what limits were exceeded and potentially why.

rob

>
> Some operations failed.
> Hide details
> * limits exceeded for this query
>
> Nathan Peters

From Nathan.Peters at globalrelay.net Tue Jun 7 20:21:21 2016
From: Nathan.Peters at globalrelay.net (Nathan Peters)
Date: Tue, 7 Jun 2016 20:21:21 +0000
Subject: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails
Message-ID:

I have a fresh installation of CentOS 6.8 joined to a FreeIPA 4.3.0 domain on Fedora 23.

When I try to sudo on this host, it fails. Here are the log entries from /var/log/secure. Note that we have several hundred CentOS 6.5-6.7 machines where this works fine.

Is this a new bug in CentOS 6.8?

Jun 7 20:14:48 cass1 sudo: pam_unix(sudo:auth): authentication failure; logname=nathan.peters uid=756600344 euid=0 tty=/dev/pts/0 ruser=nathan.peters rhost= user=nathan.peters
Jun 7 20:14:48 cass1 sudo: pam_sss(sudo:auth): authentication success; logname=nathan.peters uid=756600344 euid=0 tty=/dev/pts/0 ruser=nathan.peters rhost= user=nathan.peters
Jun 7 20:14:48 cass1 sudo: nathan.peters : user NOT authorized on host ; TTY=pts/0 ; PWD=/home/nathan.peters ; USER=root ; COMMAND=/bin/su -
Jun 7 20:15:22 cass1 sudo: pam_unix(sudo-i:auth): conversation failed
Jun 7 20:15:22 cass1 sudo: pam_unix(sudo-i:auth): auth could not identify password for [nathan.peters]
Jun 7 20:15:22 cass1 sudo: pam_sss(sudo-i:auth): authentication failure; logname=nathan.peters uid=756600344 euid=0 tty=/dev/pts/0 ruser=nathan.peters rhost= user=nathan.peters
Jun 7 20:15:22 cass1 sudo: pam_sss(sudo-i:auth): received for user nathan.peters: 7 (Authentication failure)
Jun 7 20:15:22 cass1 sudo: nathan.peters : user NOT authorized on host ; TTY=pts/0 ; PWD=/home/nathan.peters ; USER=root ; COMMAND=/bin/bash
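The two attempts in the excerpt above fail at different stages: at 20:14:48 pam_sss reports authentication success and sudo still logs "user NOT authorized on host", while at 20:15:22 pam_sss itself reports authentication failure, and each stage points at a different log to read. The following is an added example, not code from the thread or from SSSD: a small Python triage script that groups the sudo lines of /var/log/secure into attempts and labels each one as an authentication or an authorization failure; the sample lines are constructed from the excerpt, with a third (allowed) attempt by "alice" added for contrast.

```python
import re
from collections import OrderedDict

# Constructed sample modelled on the /var/log/secure excerpt in the thread;
# the 20:16:05 attempt by "alice" is added for contrast and is not from the post.
SAMPLE_SECURE = """\
Jun  7 20:14:48 cass1 sudo: pam_unix(sudo:auth): authentication failure; logname=nathan.peters uid=756600344 euid=0 tty=/dev/pts/0 ruser=nathan.peters rhost= user=nathan.peters
Jun  7 20:14:48 cass1 sudo: pam_sss(sudo:auth): authentication success; logname=nathan.peters uid=756600344 euid=0 tty=/dev/pts/0 ruser=nathan.peters rhost= user=nathan.peters
Jun  7 20:14:48 cass1 sudo: nathan.peters : user NOT authorized on host ; TTY=pts/0 ; PWD=/home/nathan.peters ; USER=root ; COMMAND=/bin/su -
Jun  7 20:15:22 cass1 sudo: pam_unix(sudo-i:auth): conversation failed
Jun  7 20:15:22 cass1 sudo: pam_unix(sudo-i:auth): auth could not identify password for [nathan.peters]
Jun  7 20:15:22 cass1 sudo: pam_sss(sudo-i:auth): authentication failure; logname=nathan.peters uid=756600344 euid=0 tty=/dev/pts/0 ruser=nathan.peters rhost= user=nathan.peters
Jun  7 20:15:22 cass1 sudo: pam_sss(sudo-i:auth): received for user nathan.peters: 7 (Authentication failure)
Jun  7 20:15:22 cass1 sudo: nathan.peters : user NOT authorized on host ; TTY=pts/0 ; PWD=/home/nathan.peters ; USER=root ; COMMAND=/bin/bash
Jun  7 20:16:05 cass1 sudo: pam_sss(sudo:auth): authentication success; logname=alice uid=1001 euid=0 tty=/dev/pts/1 ruser=alice rhost= user=alice
Jun  7 20:16:05 cass1 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
"""

# syslog prefix shared by every sudo line: "Jun  7 20:14:48 cass1 sudo: "
_PREFIX = r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
PAM_RE = re.compile(_PREFIX + r"(?P<module>pam_\w+)\((?P<service>[\w-]+):auth\): (?P<msg>.*)$")
DECISION_RE = re.compile(_PREFIX + r"(?P<user>\S+) : (?P<rest>.*)$")
COMMAND_RE = re.compile(r"COMMAND=(?P<cmd>.*)$")

VERDICT_HINT = {
    "allowed": "sudo rule matched",
    "authn": "pam_sss rejected the password: check the SSSD domain log and krb5_child.log",
    "authz": "pam_sss accepted the password but no sudo rule matched: check the SSSD sudo "
             "responder log and the IPA sudo rules / host groups",
    "unknown": "denied without any pam_sss result: check the sudo PAM stack on the host",
    "incomplete": "PAM lines without a sudo decision line",
}


def _new_record(ts, host):
    return {"ts": ts, "host": host, "user": None, "sss_auth": None,
            "decision": None, "command": None}


def _verdict(rec):
    if rec["decision"] is None:
        return "incomplete"
    if rec["decision"] == "allowed":
        return "allowed"
    if rec["sss_auth"] == "success":
        return "authz"
    if rec["sss_auth"] == "failure":
        return "authn"
    return "unknown"


def analyze(secure_text):
    """Group sudo lines into attempts and say which stage rejected each one.

    An attempt is keyed by (timestamp, host): sudo writes its PAM lines and
    its decision line within the same second. Attempts come back in log order.
    """
    attempts = OrderedDict()
    for line in secure_text.splitlines():
        pam = PAM_RE.match(line)
        if pam:
            key = (pam.group("ts"), pam.group("host"))
            rec = attempts.setdefault(key, _new_record(*key))
            msg = pam.group("msg")
            # pam_unix failing is expected for IPA users (no local password);
            # only the pam_sss result reflects what SSSD/Kerberos decided.
            if pam.group("module") == "pam_sss":
                if msg.startswith("authentication success"):
                    rec["sss_auth"] = "success"
                elif msg.startswith("authentication failure"):
                    rec["sss_auth"] = "failure"
            um = re.search(r"\buser=(\S+)", msg)   # \b keeps "ruser=" out
            if um and rec["user"] is None:
                rec["user"] = um.group(1)
            continue
        dec = DECISION_RE.match(line)
        if dec:
            key = (dec.group("ts"), dec.group("host"))
            rec = attempts.setdefault(key, _new_record(*key))
            rec["user"] = dec.group("user")
            rest = dec.group("rest")
            rec["decision"] = "denied" if rest.startswith("user NOT authorized") else "allowed"
            cm = COMMAND_RE.search(rest)
            rec["command"] = cm.group("cmd") if cm else None
    results = []
    for rec in attempts.values():
        rec["verdict"] = _verdict(rec)
        rec["hint"] = VERDICT_HINT[rec["verdict"]]
        results.append(rec)
    return results


if __name__ == "__main__":
    for r in analyze(SAMPLE_SECURE):
        print("%s %s user=%s command=%r: %s (%s)"
              % (r["ts"], r["host"], r["user"], r["command"], r["verdict"], r["hint"]))
```

Run against a real /var/log/secure the grouping key is a simplification: two users issuing sudo on the same host in the same second would be merged into one attempt.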
From jhrozek at redhat.com Tue Jun 7 20:43:27 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 7 Jun 2016 22:43:27 +0200
Subject: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails
In-Reply-To:
References:
Message-ID: <20160607204327.GA6308@hendrix>

On Tue, Jun 07, 2016 at 08:21:21PM +0000, Nathan Peters wrote:
> I have a fresh installation of CentOS 6.8 joined to a FreeIPA 4.3.0 domain on Fedora 23.
>
> When I try to sudo on this host, it fails. Here are the log entries from /var/log/secure. Note that we have several hundred CentOS 6.5-6.7 machines where this works fine.
>
> Is this a new bug in CentOS 6.8?

It's true that in 6.8, the sudo part was changed quite a bit, but we haven't heard about any bugs so far. Could you please follow:
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
and also:
https://fedorahosted.org/sssd/wiki/Troubleshooting
to inspect SSSD logs? For authentication failed you'll probably want to take a look at the domain logs and maybe the krb5_child.log

From peljasz at yahoo.co.uk Wed Jun 8 06:19:37 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Wed, 8 Jun 2016 07:19:37 +0100
Subject: [Freeipa-users] IPA to supply radius with a special user name - how?
In-Reply-To: <8cc99dff-7f91-bbbe-c239-19ed67926c6c@yahoo.co.uk>
References: <8cc99dff-7f91-bbbe-c239-19ed67926c6c@yahoo.co.uk>
Message-ID:

hi users,

some network devices need and look up a special type of a user, in my case it's a dell powerconnect switch which - when it uses radius - needs, eg: $enable5$. Is this something that IPA will be ok with? Will it have no problems if I create such a user? I don't suppose IPA has full support for radius attributes, right? Or is --addattr=STR something for that? How does one create a radius-typical user?

many thanks,
L.
From wdh at dds.nl Wed Jun 8 06:34:37 2016
From: wdh at dds.nl (Winfried de Heiden)
Date: Wed, 8 Jun 2016 08:34:37 +0200
Subject: [Freeipa-users] FreeOTP
In-Reply-To: <1465319719.2595.7.camel@redhat.com>
References: <20160607130203.zyms26vj3bhztozz@redhat.com> <0c6db22f-6727-b538-e262-c84ecfd96e95@dds.nl> <20160607141344.a55hvf64n6k3rbht@redhat.com> <68740fdb-859d-9cfe-4943-8b27a1ae5e49@dds.nl> <20160607164212.wh2idbbkniabdzdy@redhat.com> <1465319719.2595.7.camel@redhat.com>
Message-ID:

From jpazdziora at redhat.com Wed Jun 8 07:15:33 2016
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Wed, 8 Jun 2016 09:15:33 +0200
Subject: [Freeipa-users] how to setup apache reverse https proxy for freeipa web UI
In-Reply-To:
References: <20160603204259.GF17518@redhat.com> <20160606091338.GF29312@redhat.com>
Message-ID: <20160608071533.GA13838@redhat.com>

On Tue, Jun 07, 2016 at 09:50:07AM -0400, Anthony Clark wrote:
> One thing I noticed was that once I had set up the proxy as per the document from Jan, I was getting access denied to /ipa until I disabled the Kerberos authentication stuff:
>
> # Protect /ipa and everything below it in webspace with Apache Kerberos auth
>
> # AuthType GSSAPI
> # AuthName "Kerberos Login"
> # GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
> # GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
> # GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
> # GssapiUseS4U2Proxy on
> # Require valid-user
> # ErrorDocument 401 /ipa/errors/unauthorized.html
> WSGIProcessGroup ipa
> WSGIApplicationGroup ipa
>

Could you be more specific about the issue? What actions were you doing and at what point did you see the access denied, perhaps also increase the LogLevel to debug in the FreeIPA's Apache configuration and check the error_log and ssl_error_log. I did not observe the access denied before or after logging in and I'd like to get to the root of this.

Thank you,

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From lkrispen at redhat.com Wed Jun 8 07:23:04 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 08 Jun 2016 09:23:04 +0200
Subject: [Freeipa-users] replication - ruv errors
In-Reply-To: <9efd42e2-c817-842c-0ff4-9109ac3f9a1b@monetra.com>
References: <9efd42e2-c817-842c-0ff4-9109ac3f9a1b@monetra.com>
Message-ID: <5757C7D8.3040007@redhat.com>

On 06/07/2016 06:17 PM, Andy Brittingham wrote:
> Hello,
>
> I'm having issues with freeipa replication. Currently we have 4 Freeipa servers, in a master - master relationship with replication agreements between all servers.
>
> I noticed the replication failure messages in the logs late last week and upon investigation found stale replication agreements for ipa servers that had been replaced. Eventually I rebuilt 3 of the 4 servers and re-initialized from the good server.
>
> This morning my main ipa server had the directory service crash. After we restarted it, ipa-manage-replica --list-ruv showed entries like these:
>
> unable to decode: {replica 6} 55e49440000000060000 55e49440000000060000
> unable to decode: {replica 4} 550b2d9e000200040000 550b2d9e000200040000

this happened when the ruv was recreated after a crash and the changelog contained references to cleaned RIDs. This is fixed in recent DS releases, the cleanallruv task now also cleans the changelog.

>
> Which a cleanallruv.pl was able to remove.
>
> We also noticed these log errors:
>
> [07/Jun/2016:07:40:12 -0400] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 1080 ldap://ipa1.p10jax.auth.monetra.com:389} 57506ee6000004380000 57506f06001604380000] which is present in RUV [database RUV]
> [07/Jun/2016:07:40:12 -0400] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 1285 ldap://ipa1.gnv.auth.monetra.com:389} 5734e473000005050000 57361df0000005050000] which is present in RUV [database RUV]
> [07/Jun/2016:07:40:12 -0400] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 1085 ldap://ipa1.p10jax.auth.monetra.com:389} 56d0aa270000043d0000 57489fdd0003043d0000] which is present in RUV [database RUV]
> [07/Jun/2016:07:40:12 -0400] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element
>
> The cleanallruv script had no effect on these errors.

These are not really errors, it only indicates that the changelog does not (yet) contain changes for specific RIDs; this could happen if the changelog was recreated, eg if after a crash it no longer matched the database. They should go away once the server has received changes for these RIDs.

>
> What is the proper procedure to clean up these stale entries? Is there something that I may be doing that causes this situation?
>
> Thanks,
>
> Andy
>

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander

From mkosek at redhat.com Wed Jun 8 07:29:09 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 8 Jun 2016 09:29:09 +0200
Subject: [Freeipa-users] sessions failing when using different hostname
In-Reply-To:
References:
Message-ID: <7e4e1e47-d14c-fa0a-ef05-1c7101017568@redhat.com>

On 06/01/2016 07:48 PM, Anthony Clark wrote:
> Hello All,
>
> I've been asked to allow access to our FreeIPA web UI from a more user friendly url than I'm currently using. So I've set up a CNAME password.example.com for ns01.example.com
>
> At the moment, if I go to the real hostname of the FreeIPA server (ns01.example.com), everything works.
>
> If I go to the new "friendly" url (password.example.com) then upon login I get a "your session has expired please re-login" message.
>
> Setting debug to true in /etc/ipa/server.conf shows me that the server keeps using new session IDs.
> (Host and user names changed to protect the innocent)
>
> ----- /var/log/httpd/error_log -----
> [Wed Jun 01 17:11:06.237363 2016] [:error] [pid 31491] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
> [Wed Jun 01 17:11:06.237533 2016] [:error] [pid 31491] ipa: DEBUG: WSGI jsonserver_session.__call__:
> [Wed Jun 01 17:11:06.237944 2016] [:error] [pid 31491] ipa: DEBUG: no session cookie found
> [Wed Jun 01 17:11:06.239009 2016] [:error] [pid 31491] ipa: DEBUG: no session id in request, generating empty session data with id=d5bc1c4cab8d3bfaee63b84805147995
> [Wed Jun 01 17:11:06.239466 2016] [:error] [pid 31491] ipa: DEBUG: store session: session_id=d5bc1c4cab8d3bfaee63b84805147995 start_timestamp=2016-06-01T17:11:06 access_timestamp=2016-06-01T17:11:06 expiration_timestamp=1970-01-01T00:00:00
> [Wed Jun 01 17:11:06.241052 2016] [:error] [pid 31491] ipa: DEBUG: jsonserver_session.__call__: session_id=d5bc1c4cab8d3bfaee63b84805147995 start_timestamp=2016-06-01T17:11:06 access_timestamp=2016-06-01T17:11:06 expiration_timestamp=1970-01-01T00:00:00
> [Wed Jun 01 17:11:06.241186 2016] [:error] [pid 31491] ipa: DEBUG: no ccache, need login
> [Wed Jun 01 17:11:06.241294 2016] [:error] [pid 31491] ipa: DEBUG: jsonserver_session: 401 Unauthorized need login
> [Wed Jun 01 17:11:24.956791 2016] [:error] [pid 31492] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
> [Wed Jun 01 17:11:24.956992 2016] [:error] [pid 31492] ipa: DEBUG: WSGI login_password.__call__:
> [Wed Jun 01 17:11:24.957381 2016] [:error] [pid 31492] ipa: DEBUG: Obtaining armor ccache: principal=HTTP/ns01.example.com at EXAMPLE.COM keytab=/etc/httpd/conf/ipa.keytab ccache=/var/run/ipa_memcached/krbcc_A_aclark
> [Wed Jun 01 17:11:24.957519 2016] [:error] [pid 31492] ipa: DEBUG: Initializing principal HTTP/ns01.example.com at EXAMPLE.COM using keytab /etc/httpd/conf/ipa.keytab
> [Wed Jun 01 17:11:24.957633 2016] [:error] [pid 31492] ipa: DEBUG: using ccache /var/run/ipa_memcached/krbcc_A_aclark
> [Wed Jun 01 17:11:24.998328 2016] [:error] [pid 31492] ipa: DEBUG: Attempt 1/1: success
> [Wed Jun 01 17:11:24.998531 2016] [:error] [pid 31492] ipa: DEBUG: Initializing principal aclark at EXAMPLE.COM using password
> [Wed Jun 01 17:11:24.998684 2016] [:error] [pid 31492] ipa: DEBUG: Using armor ccache /var/run/ipa_memcached/krbcc_A_aclark for FAST webauth
> [Wed Jun 01 17:11:24.998865 2016] [:error] [pid 31492] ipa: DEBUG: Starting external process
> [Wed Jun 01 17:11:24.998984 2016] [:error] [pid 31492] ipa: DEBUG: args='/usr/bin/kinit' 'aclark at EXAMPLE.COM' '-c' 'FILE:/var/run/ipa_memcached/krbcc_31492' '-T' '/var/run/ipa_memcached/krbcc_A_aclark'
> [Wed Jun 01 17:11:26.079200 2016] [:error] [pid 31492] ipa: DEBUG: Process finished, return code=0
> [Wed Jun 01 17:11:26.079384 2016] [:error] [pid 31492] ipa: DEBUG: stdout=Password for aclark at EXAMPLE.COM:
> [Wed Jun 01 17:11:26.079399 2016] [:error] [pid 31492]
> [Wed Jun 01 17:11:26.079483 2016] [:error] [pid 31492] ipa: DEBUG: stderr=
> [Wed Jun 01 17:11:26.079680 2016] [:error] [pid 31492] ipa: DEBUG: Cleanup the armor ccache
> [Wed Jun 01 17:11:26.079871 2016] [:error] [pid 31492] ipa: DEBUG: Starting external process
> [Wed Jun 01 17:11:26.079983 2016] [:error] [pid 31492] ipa: DEBUG: args='/usr/bin/kdestroy' '-A' '-c' '/var/run/ipa_memcached/krbcc_A_aclark'
> [Wed Jun 01 17:11:26.093954 2016] [:error] [pid 31492] ipa: DEBUG: Process finished, return code=0
> [Wed Jun 01 17:11:26.094113 2016] [:error] [pid 31492] ipa: DEBUG: stdout=
> [Wed Jun 01 17:11:26.094210 2016] [:error] [pid 31492] ipa: DEBUG: stderr=
> [Wed Jun 01 17:11:26.094809 2016] [:error] [pid 31492] ipa: DEBUG: no session cookie found
> [Wed Jun 01 17:11:26.095877 2016] [:error] [pid 31492] ipa: DEBUG: no session id in request, generating empty session data with id=7ab08ba17d30883cff480af9e923cf82
> [Wed Jun 01 17:11:26.096132 2016] [:error] [pid 31492] ipa: DEBUG: store session: session_id=7ab08ba17d30883cff480af9e923cf82 start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26 expiration_timestamp=1970-01-01T00:00:00
> [Wed Jun 01 17:11:26.096596 2016] [:error] [pid 31492] ipa: DEBUG: finalize_kerberos_acquisition: login_password ccache_name="FILE:/var/run/ipa_memcached/krbcc_31492" session_id="7ab08ba17d30883cff480af9e923cf82"
> [Wed Jun 01 17:11:26.096774 2016] [:error] [pid 31492] ipa: DEBUG: reading ccache data from file "/var/run/ipa_memcached/krbcc_31492"
> [Wed Jun 01 17:11:26.097937 2016] [:error] [pid 31492] ipa: DEBUG: get_credential_times: principal=krbtgt/EXAMPLE.COM at EXAMPLE.COM, authtime=06/01/16 17:11:26, starttime=06/01/16 17:11:26, endtime=06/02/16 17:11:26, renew_till=01/01/70 00:00:00
> [Wed Jun 01 17:11:26.098111 2016] [:error] [pid 31492] ipa: DEBUG: KRB5_CCache FILE:/var/run/ipa_memcached/krbcc_31492 endtime=1464887486 (06/02/16 17:11:26)
> [Wed Jun 01 17:11:26.098361 2016] [:error] [pid 31492] ipa: DEBUG: set_session_expiration_time: duration_type=inactivity_timeout duration=3600 max_age=1464887186 expiration=1464804686.1 (2016-06-01T18:11:26)
> [Wed Jun 01 17:11:26.098526 2016] [:error] [pid 31492] ipa: DEBUG: store session: session_id=7ab08ba17d30883cff480af9e923cf82 start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26 expiration_timestamp=2016-06-01T18:11:26
> [Wed Jun 01 17:11:26.099871 2016] [:error] [pid 31492] ipa: ERROR: release_ipa_ccache: ccache_name (FILE:/var/run/ipa_memcached/krbcc_31492) != KRB5CCNAME environment variable (/var/run/httpd/ipa/krbcache/krb5ccache)
> [Wed Jun 01 17:11:26.163524 2016] [:error] [pid 31491] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
> [Wed Jun 01 17:11:26.163708 2016] [:error] [pid 31491] ipa: DEBUG: WSGI jsonserver_session.__call__:
> [Wed Jun 01 17:11:26.163974 2016] [:error] [pid 31491] ipa: DEBUG: no session cookie found
> [Wed Jun 01 17:11:26.164464 2016] [:error] [pid 31491]
ipa: DEBUG: no session id > in request, generating empty session data with id=433125db49c7ca9eb286c3ecf605d55d > [Wed Jun 01 17:11:26.164713 2016] [:error] [pid 31491] ipa: DEBUG: store > session: session_id=433125db49c7ca9eb286c3ecf605d55d > start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26 > expiration_timestamp=1970-01-01T00:00:00 > [Wed Jun 01 17:11:26.165181 2016] [:error] [pid 31491] ipa: DEBUG: > jsonserver_session.__call__: session_id=433125db49c7ca9eb286c3ecf605d55d > start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26 > expiration_timestamp=1970-01-01T00:00:00 > [Wed Jun 01 17:11:26.165301 2016] [:error] [pid 31491] ipa: DEBUG: no ccache, > need login > [Wed Jun 01 17:11:26.165401 2016] [:error] [pid 31491] ipa: DEBUG: > jsonserver_session: 401 Unauthorized need login > ----- /var/log/httpd/error_log ----- > > I'm somewhat at a loss to debug this further. I was wondering if the session > storage is somehow bound to the original host name. Is there a way to check > and/or configure this? > > Alternatively is there a guide out there for enabling additional host names for > the web UI in FreeIPA? Good question. I see there was no reply for this thread (note that most of the developers are finishing FreeIPA 4.4 release) yet, CCing Petr to advise. Martin From wdh at dds.nl Wed Jun 8 07:35:27 2016 From: wdh at dds.nl (Winfried de Heiden) Date: Wed, 8 Jun 2016 09:35:27 +0200 Subject: [Freeipa-users] FreeOTP In-Reply-To: References: <20160607130203.zyms26vj3bhztozz@redhat.com> <0c6db22f-6727-b538-e262-c84ecfd96e95@dds.nl> <20160607141344.a55hvf64n6k3rbht@redhat.com> <68740fdb-859d-9cfe-4943-8b27a1ae5e49@dds.nl> <20160607164212.wh2idbbkniabdzdy@redhat.com> <1465319719.2595.7.camel@redhat.com> Message-ID: An HTML attachment was scrubbed... 
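The error_log excerpt Anthony quoted shows the pattern the thread is chasing: every request arrives with no session cookie, the server mints a fresh session id, and the one session that did complete login is never presented again. The following Python script is an added example (not code from FreeIPA or from anyone in the thread) that scans lines in this log format and reports exactly that. The sample lines are constructed from the quoted log, with a second, constructed "healthy" sample for contrast; the regular expressions assume the message wording shown in the excerpt.

```python
"""Spot FreeIPA web-UI sessions that were authenticated but never presented back.

Added example (not FreeIPA code): parses ipa DEBUG lines in the format quoted
in this thread. Three events matter:
  - "no session cookie found"                     -> request carried no cookie
  - "generating empty session data with id=..."   -> a fresh session was minted
  - "store session: session_id=... expiration_timestamp=<real time>"
                                                  -> login completed for that id
An authenticated session id that never appears in any later line is one the
browser never sent back, which is what a cookie-domain/hostname mismatch
looks like from the server side.
"""
import re

# Sample input constructed from the error_log excerpt quoted in the thread
# (same session ids, other lines trimmed to what the parser needs).
SAMPLE_LOG = """\
[Wed Jun 01 17:11:06.237944 2016] [:error] [pid 31491] ipa: DEBUG: no session cookie found
[Wed Jun 01 17:11:06.239009 2016] [:error] [pid 31491] ipa: DEBUG: no session id in request, generating empty session data with id=d5bc1c4cab8d3bfaee63b84805147995
[Wed Jun 01 17:11:06.239466 2016] [:error] [pid 31491] ipa: DEBUG: store session: session_id=d5bc1c4cab8d3bfaee63b84805147995 start_timestamp=2016-06-01T17:11:06 access_timestamp=2016-06-01T17:11:06 expiration_timestamp=1970-01-01T00:00:00
[Wed Jun 01 17:11:26.094809 2016] [:error] [pid 31492] ipa: DEBUG: no session cookie found
[Wed Jun 01 17:11:26.095877 2016] [:error] [pid 31492] ipa: DEBUG: no session id in request, generating empty session data with id=7ab08ba17d30883cff480af9e923cf82
[Wed Jun 01 17:11:26.096596 2016] [:error] [pid 31492] ipa: DEBUG: finalize_kerberos_acquisition: login_password ccache_name="FILE:/var/run/ipa_memcached/krbcc_31492" session_id="7ab08ba17d30883cff480af9e923cf82"
[Wed Jun 01 17:11:26.098526 2016] [:error] [pid 31492] ipa: DEBUG: store session: session_id=7ab08ba17d30883cff480af9e923cf82 start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26 expiration_timestamp=2016-06-01T18:11:26
[Wed Jun 01 17:11:26.163974 2016] [:error] [pid 31491] ipa: DEBUG: no session cookie found
[Wed Jun 01 17:11:26.164464 2016] [:error] [pid 31491] ipa: DEBUG: no session id in request, generating empty session data with id=433125db49c7ca9eb286c3ecf605d55d
"""

# Constructed "healthy" sample: same login flow, but the next request presents
# the cookie, so the stored session id is seen again on a later line.
HEALTHY_LOG = """\
[Wed Jun 01 17:20:00.000000 2016] [:error] [pid 31493] ipa: DEBUG: no session cookie found
[Wed Jun 01 17:20:00.000100 2016] [:error] [pid 31493] ipa: DEBUG: no session id in request, generating empty session data with id=0123456789abcdef0123456789abcdef
[Wed Jun 01 17:20:01.000000 2016] [:error] [pid 31493] ipa: DEBUG: store session: session_id=0123456789abcdef0123456789abcdef start_timestamp=2016-06-01T17:20:00 access_timestamp=2016-06-01T17:20:01 expiration_timestamp=2016-06-01T18:20:01
[Wed Jun 01 17:20:02.000000 2016] [:error] [pid 31494] ipa: DEBUG: jsonserver_session.__call__: session_id=0123456789abcdef0123456789abcdef start_timestamp=2016-06-01T17:20:00 access_timestamp=2016-06-01T17:20:02 expiration_timestamp=2016-06-01T18:20:02
"""

EPOCH = "1970-01-01T00:00:00"  # placeholder expiry used before login completes
NO_COOKIE = "no session cookie found"
GEN_RE = re.compile(r"generating empty session data with id=(?P<sid>[0-9a-f]{32})")
STORE_RE = re.compile(
    r"store session: session_id=(?P<sid>[0-9a-f]{32}) .*?expiration_timestamp=(?P<exp>\S+)"
)
# Any mention of a session id, quoted or not, under either field name.
SID_RE = re.compile(r'(?:session_id="?|id=)(?P<sid>[0-9a-f]{32})')


def analyze(log_text):
    """Return request/session counts and the authenticated-but-orphaned ids."""
    authenticated_at = {}  # sid -> index of the line where login completed
    seen_later = set()
    generated = []
    no_cookie = 0
    for i, line in enumerate(log_text.splitlines()):
        if NO_COOKIE in line:
            no_cookie += 1
        m = GEN_RE.search(line)
        if m:
            generated.append(m.group("sid"))
        m = STORE_RE.search(line)
        if m and m.group("exp") != EPOCH:
            authenticated_at[m.group("sid")] = i
            continue  # the authenticating store itself is not a reuse
        for sid in SID_RE.findall(line):
            if sid in authenticated_at and i > authenticated_at[sid]:
                seen_later.add(sid)
    orphaned = [sid for sid in authenticated_at if sid not in seen_later]
    return {
        "requests_without_cookie": no_cookie,
        "sessions_generated": generated,
        "authenticated_but_never_presented": orphaned,
    }


def verdict(report):
    """One-line reading of the report for the operator."""
    if report["authenticated_but_never_presented"]:
        return ("login succeeded but the browser never returned the session cookie; "
                "check the cookie domain against the hostname the UI is served from")
    return "sessions are being presented back; the cookie round-trips"


if __name__ == "__main__":
    for name, text in (("broken", SAMPLE_LOG), ("healthy", HEALTHY_LOG)):
        rep = analyze(text)
        print(name, rep, "->", verdict(rep))
```

Run it against a real `/var/log/httpd/error_log` with `debug = True` set, as Anthony did, by reading the file into `analyze()`; a non-empty `authenticated_but_never_presented` list points at the cookie not surviving the round trip (hostname or domain mismatch) rather than at the server-side session store.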
URL:

From jpazdziora at redhat.com Wed Jun 8 07:42:42 2016
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Wed, 8 Jun 2016 09:42:42 +0200
Subject: [Freeipa-users] sessions failing when using different hostname
In-Reply-To: <7e4e1e47-d14c-fa0a-ef05-1c7101017568@redhat.com>
References: <7e4e1e47-d14c-fa0a-ef05-1c7101017568@redhat.com>
Message-ID: <20160608074242.GA14558@redhat.com>

On Wed, Jun 08, 2016 at 09:29:09AM +0200, Martin Kosek wrote:
> On 06/01/2016 07:48 PM, Anthony Clark wrote:
> >
> > I'm somewhat at a loss to debug this further. I was wondering if the session
> > storage is somehow bound to the original host name. Is there a way to check
> > and/or configure this?
> >
> > Alternatively is there a guide out there for enabling additional host names for
> > the web UI in FreeIPA?
>
> Good question. I see there was no reply for this thread (note that most of the
> developers are finishing FreeIPA 4.4 release) yet, CCing Petr to advise.

Karl F. asked similar question a day later and I've provided description
for this requirement at

https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name

The setup does not work all that well for Anthony as mentioned in the
other thread but we will debug it from here.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From jpazdziora at redhat.com Wed Jun 8 08:01:44 2016
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Wed, 8 Jun 2016 10:01:44 +0200
Subject: [Freeipa-users] how to setup apache reverse https proxy for freeipa web UI
In-Reply-To:
References: <20160603204259.GF17518@redhat.com> <20160606091338.GF29312@redhat.com>
Message-ID: <20160608080144.GB14558@redhat.com>

On Tue, Jun 07, 2016 at 11:01:12AM -0400, Anthony Clark wrote:
> Apparently removing the GSSAPI AuthType breaks foreman-proxy, so I had to
> do this:
>
>
>
> AuthType GSSAPI

This feels strange. The %{HTTP_HOST} is the value of the Host: header
of the HTTP request. And on my setup, with httpd-2.4.18-1.fc23.x86_64
on the proxy, the Host: header is the hostname to which the request is
forwarded to (it would be ns01.dev.example.net in your case). After
all, the HTTP proxy is creating completely new HTTP request.

Could you try to minimize the setup (outside of IPA) to figure out
why your Host: request header seems strange?

> > Once that change was made, the following proxy worked:
> >
> > Listen 9443
> >
> > [...]
> > ProxyPass / https://ns01.dev.example.net/
> > ProxyPassReverse / https://ns01.dev.example.net/
> > ProxyPassReverseCookieDomain ns01.dev.example.net password.example.net
> > RequestHeader edit Referer ^https://password\.example\.net/
> > https://ns01.dev.example.net/

I would have expected this needs to be

RequestHeader edit Referer ^https://password\.example\.net:9443/ https://ns01.dev.example.net/

-- with the nonstandard port specified.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From mkosek at redhat.com Wed Jun 8 08:23:09 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 8 Jun 2016 10:23:09 +0200
Subject: [Freeipa-users] Replica without CA: implications?
In-Reply-To: <5756D5C4.3070407@blue-bolt.com>
References: <56E0484B.4080006@blue-bolt.com> <1457540024.8257.279.camel@redhat.com> <57504068.5010003@blue-bolt.com> <5750A4DE.1090206@redhat.com> <5756D5C4.3070407@blue-bolt.com>
Message-ID: <7286a785-ee93-0ef3-cd55-bdc782ec7064@redhat.com>

On 06/07/2016 04:10 PM, Cal Sawyer wrote:
...
> I found that installing a replica with firewalld enabled would consistently fail
> during initial replication. Disabling firewalld always allowed replication and
> later stages to complete
>
> [24/38]: setting up initial replication
> Starting replication, please wait until this has completed.
>
> [ipa.localdomain.local] reports: Update failed! Status: [-1 - LDAP error:
> Can't contact LDAP server]

This is strange.
ipa-replica-install should have run the conncheck to exactly
prevent issues like this. Did you by any chance run ipa-replica-install with
--skip-conncheck option?

> The first master and all replicas are all CentOS Linux release 7.2.1511 (Core)
> with ipa-server-4.2.0-15.0.1.el7
>
>
> One other thing. If, during ipa-replica-install, you choose the default answer
> to the following:
>
> Existing BIND configuration detected, overwrite? [no]:
> ipa.ipapython.install.cli.install_tool(Replica): ERROR Aborting installation.
>
> Not sure if that is intended? Which BIND configuration is being detected?

This should be only triggered if you install replica with DNS (--setup-dns)

> Anyhow, up and running with 4 replicas, 2 of which will be split off to a
> failover instance of ESXi in the future. When it works, it's a joy
>
> Now back to getting these Mac clients to play nicely with IPA ...
>
> thanks for the help and advice

Thanks for sharing the results.
Martin

From abokovoy at redhat.com Wed Jun 8 08:23:55 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 8 Jun 2016 11:23:55 +0300
Subject: [Freeipa-users] samba kerberized with autofs
In-Reply-To: <9135101baa1e2f086a863261e31f1a77@ville-kourou.fr>
References: <9135101baa1e2f086a863261e31f1a77@ville-kourou.fr>
Message-ID: <20160608082355.z73g5hdo55tdfzpe@redhat.com>

On Thu, 02 Jun 2016, Bello Florent wrote:
>
>Hi,
>
>I configured a samba with freeipa in kerberized mode. It works
>fine for normal mounting, but with autofs it works only if root has a
>kerberos ticket (example: kinit admin).
>
>When root hasn't a ticket, other users can't go into the automount
>folder, but when root has a ticket, it works fine for every user.
>
>Is there a workaround for this?
>
>This is my mount information in the freeipa automount map:
>
>-fstype=cifs,sec=krb5,username=$USER ://smb.example.com

If you have multiple users, with cifs.ko you should use 'multiuser'
option. See man for mount.cifs for details.
-- 
/ Alexander Bokovoy

From jpazdziora at redhat.com Wed Jun 8 08:38:54 2016
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Wed, 8 Jun 2016 10:38:54 +0200
Subject: [Freeipa-users] how to setup apache reverse https proxy for freeipa web UI
In-Reply-To: <20160608080144.GB14558@redhat.com>
References: <20160603204259.GF17518@redhat.com> <20160606091338.GF29312@redhat.com> <20160608080144.GB14558@redhat.com>
Message-ID: <20160608083854.GL25104@redhat.com>

On Wed, Jun 08, 2016 at 10:01:44AM +0200, Jan Pazdziora wrote:
> On Tue, Jun 07, 2016 at 11:01:12AM -0400, Anthony Clark wrote:
> > Apparently removing the GSSAPI AuthType breaks foreman-proxy, so I had to
> > do this:
> >
> >
> >
> > AuthType GSSAPI
>
> This feels strange. The %{HTTP_HOST} is the value of the Host: header
> of the HTTP request. And on my setup, with httpd-2.4.18-1.fc23.x86_64
> on the proxy, the Host: header is the hostname to which the request is
> forwarded to (it would be ns01.dev.example.net in your case). After
> all, the HTTP proxy is creating completely new HTTP request.
>
> Could you try to minimize the setup (outside of IPA) to figure out
> why your Host: request header seems strange?

Seeing you use mod_nss on the proxy instead of mod_ssl, I've also
verified the setup with mod_nss-1.0.12-4.fc23.x86_64 on the proxy.
Still, the HTTP_HOST as seen on the FreeIPA server is the FreeIPA
server's hostname, not the proxy hostname.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From mkosek at redhat.com Wed Jun 8 08:43:04 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 8 Jun 2016 10:43:04 +0200
Subject: [Freeipa-users] How to get FreeIPA feature requests ack'd?
In-Reply-To: <5756E6A9.2030808@blue-bolt.com> References: <5756E6A9.2030808@blue-bolt.com> Message-ID: <57e7e77e-4fe2-93e9-07da-1ac73d06f97b@redhat.com> On 06/07/2016 05:22 PM, Cal Sawyer wrote: > Hello > > The RH Bugzilla is pretty much unnavigable by anyone who doesn't know the magic > words, so i'm asking here. Apologies in advance if misdirected. Hi Cal, I updated FreeIPA Trac front page, to help you (and others) more with filing bugs against FreeIPA, whether it is about downstream (RHEL, Fedora) bugs or upstream tickets: https://fedorahosted.org/freeipa/wiki Bugzilla links already contain direct links with product a component specified to make your job easier. But if you do not have RHEL subscription or bug is Fedora specific, filing Trac ticket is the best first step to do. > The Web UI has a couple of fairly annoying (sorry) deficiencies: > > - unable to sort on columns, eg: In DNS Zones, the sort is on hostname, making > it difficult to locate holes in a network range. This is easy in BIND flat zone > files, which by convention are usually organised by IP address > - of course, sorting on IP address needs to be done like mySQL's ORDER BY > INET_ATON(ip) to prevent what i like to call "Mac-style" ordering of IP > addresses (1, 10 100, 2) > - record and subtree cloning would be a terrific feature when working with > automount maps and sudo objects that are fiddly to edit in the UI. Essentially, > what phpldapadmin allows Please file upstream ticket(s) for these. If you want to speed up resolution of the feature requests or bug reports, the most effective way is to provide patches or other help as there are thousands of requests filed against FreeIPA, but only limited number of developers working on them. 
Thanks,
Martin

From mkosek at redhat.com Wed Jun 8 08:45:41 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 8 Jun 2016 10:45:41 +0200
Subject: [Freeipa-users] [FreeIPA 4.3.0] Limits exceeded for this query
In-Reply-To:
References:
Message-ID:

On 06/07/2016 09:08 PM, Nathan Peters wrote:
> I get this when doing almost anything on only one of my Fedora 23 FreeIPA 4.3.0
> servers. The rest work fine.
>
> This server also tends to crash quite a bit and the others do not.
>
> Any tips on what I should be looking for or how to fix that ?
>
> Some operations failed.
>
> Hide details
>
> limits exceeded for this query
>
> Nathan Peters

CCing Petr. I wonder if this is related to
https://fedorahosted.org/freeipa/ticket/5833

Martin

From mkosek at redhat.com Wed Jun 8 08:49:38 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 8 Jun 2016 10:49:38 +0200
Subject: [Freeipa-users] sessions failing when using different hostname
In-Reply-To: <20160608074242.GA14558@redhat.com>
References: <7e4e1e47-d14c-fa0a-ef05-1c7101017568@redhat.com> <20160608074242.GA14558@redhat.com>
Message-ID: <3bcbe3df-6c20-4115-7c73-54b45477df39@redhat.com>

On 06/08/2016 09:42 AM, Jan Pazdziora wrote:
> On Wed, Jun 08, 2016 at 09:29:09AM +0200, Martin Kosek wrote:
>> On 06/01/2016 07:48 PM, Anthony Clark wrote:
>>>
>>> I'm somewhat at a loss to debug this further. I was wondering if the session
>>> storage is somehow bound to the original host name. Is there a way to check
>>> and/or configure this?
>>>
>>> Alternatively is there a guide out there for enabling additional host names for
>>> the web UI in FreeIPA?
>>
>> Good question. I see there was no reply for this thread (note that most of the
>> developers are finishing FreeIPA 4.4 release) yet, CCing Petr to advise.
>
> Karl F.
asked similar question a day later and I've provided description
> for this requirement at
>
> https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
>
> The setup does not work all that well for Anthony as mentioned in the
> other thread but we will debug it from here.

Great, thanks! Added the links to
http://www.freeipa.org/page/HowTos#Web_Infrastructure

Martin

From pvoborni at redhat.com Wed Jun 8 08:51:39 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 8 Jun 2016 10:51:39 +0200
Subject: [Freeipa-users] [FreeIPA 4.3.0] Limits exceeded for this query
In-Reply-To:
References:
Message-ID: <5757DC9B.6000700@redhat.com>

On 8.6.2016 10:45, Martin Kosek wrote:
> On 06/07/2016 09:08 PM, Nathan Peters wrote:
>> I get this when doing almost anything on only one of my Fedora 23 FreeIPA 4.3.0
>> servers. The rest work fine.
>>
>> This server also tends to crash quite a bit and the others do not.
>>
>> Any tips on what I should be looking for or how to fix that ?
>>
>> Some operations failed.
>>
>> Hide details
>>
>> limits exceeded for this query
>>
>> Nathan Peters
>
> CCing Petr. I wonder if this is related to
> https://fedorahosted.org/freeipa/ticket/5833
>

It is most likely something else. #5833 happens after 30s.

Limits Exceeded error indicates that some query hit LDAP size or time
limit. More info will be visible on the server in httpd/error_log and
dirsrv/$instance/access log.

We need to know:
- which operation fails
- does it internally query bigger number of data
- what is the size and time limit configured

-- 
Petr Vobornik

From cal-s at blue-bolt.com Wed Jun 8 09:05:52 2016
From: cal-s at blue-bolt.com (Cal Sawyer)
Date: Wed, 8 Jun 2016 10:05:52 +0100
Subject: [Freeipa-users] Replica without CA: implications?
In-Reply-To: <7286a785-ee93-0ef3-cd55-bdc782ec7064@redhat.com> References: <56E0484B.4080006@blue-bolt.com> <1457540024.8257.279.camel@redhat.com> <57504068.5010003@blue-bolt.com> <5750A4DE.1090206@redhat.com> <5756D5C4.3070407@blue-bolt.com> <7286a785-ee93-0ef3-cd55-bdc782ec7064@redhat.com> Message-ID: <5757DFF0.1050005@blue-bolt.com> On 08/06/16 09:23, Martin Kosek wrote: > On 06/07/2016 04:10 PM, Cal Sawyer wrote: > ... >> I found that installing a replica with firewalld enabled would consistently fail >> during initial replication. Disabling firewalld always allowed replication and >> later stages to complete >> >> [24/38]: setting up initial replication >> Starting replication, please wait until this has completed. >> >> [ipa.localdomain.local] reports: Update failed! Status: [-1 - LDAP error: >> Can't contact LDAP server] > This is strange. ipa-replica-install should have run the conncheck to exactly > prevent issues like this. Did you by any chance run ipa-replica-install with > --skip-conncheck option? > Yes, i did. Why i can't recall now but i just started using it. Once i'd discovered firewalld was causing the connection problem, i neglected to stop using it Of course, once a replica is installed and working, there's little cause to want to redo it to test conncheck's effectiveness. Might throw together another, though, just to put my mind at ease >> The first master and all replicas are all CentOS Linux release 7.2.1511 (Core) >> with ipa-server-4.2.0-15.0.1.el7 >> >> >> One other thing. if, during ipa-replica-install,+ you choose the default answer >> to the following: >> >> Existing BIND configuration detected, overwrite? [no]: >> ipa.ipapython.install.cli.install_tool(Replica): ERROR Aborting installation. >> >> Not sure if that is intended? Which BIND configuration is being detected? > This should be only trigged if you install replica with DNS (--setup-dns) > Sorry - yes, i did use --setup-dns . 
I might have bothered to include the ipa-replica-install command line i used.
Still, that is what i got if i answered No to the question.
Seems like it's the wrong default answer to the question in a --setup-dns
scenario?

>> Anyhow, up and running with 4 replicas, 2 of which will be split off to a
>> failover instance of ESXi in the future. When it works, it's a joy
>>
>> Now back to getting these Mac clients to play nicely with IPA ...
>>
>> thanks for the help and advice
> Thanks for sharing the results.
> Martin
>

From cal-s at blue-bolt.com Wed Jun 8 09:15:25 2016
From: cal-s at blue-bolt.com (Cal Sawyer)
Date: Wed, 8 Jun 2016 10:15:25 +0100
Subject: [Freeipa-users] Replica without CA: implications?
In-Reply-To: <5757DFF0.1050005@blue-bolt.com>
References: <56E0484B.4080006@blue-bolt.com> <1457540024.8257.279.camel@redhat.com> <57504068.5010003@blue-bolt.com> <5750A4DE.1090206@redhat.com> <5756D5C4.3070407@blue-bolt.com> <7286a785-ee93-0ef3-cd55-bdc782ec7064@redhat.com> <5757DFF0.1050005@blue-bolt.com>
Message-ID: <5757E22D.4060003@blue-bolt.com>

In /var/log/dirsrv/slapd-LOCALDOMAIN-LOCAL/errors on all IPA
master/replicas, there's a multitude of these messages. There are no
other error messages and replication, from viewing access log, appears
to be working

[08/Jun/2016:10:06:08 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa.localdomain.local:389/dc%3Dlocaldomain%2Cdc%3Dlocal) failed.

> ipa-replica-manage list-ruv

ipa.localdomain.local:389: 4
ipa4.localdomain.local:389: 28
ipa2.localdomain.local:389: 17
ipa3.localdomain.local:389: 29
ipa2.localdomain.local:389: 8

This is correct, yes?

- c sawyer

From mkosek at redhat.com Wed Jun 8 10:07:24 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 8 Jun 2016 12:07:24 +0200
Subject: [Freeipa-users] Replica without CA: implications?
In-Reply-To: <5757DFF0.1050005@blue-bolt.com> References: <56E0484B.4080006@blue-bolt.com> <1457540024.8257.279.camel@redhat.com> <57504068.5010003@blue-bolt.com> <5750A4DE.1090206@redhat.com> <5756D5C4.3070407@blue-bolt.com> <7286a785-ee93-0ef3-cd55-bdc782ec7064@redhat.com> <5757DFF0.1050005@blue-bolt.com> Message-ID: On 06/08/2016 11:05 AM, Cal Sawyer wrote: > > On 08/06/16 09:23, Martin Kosek wrote: >> On 06/07/2016 04:10 PM, Cal Sawyer wrote: >> ... >>> I found that installing a replica with firewalld enabled would consistently >>> fail >>> during initial replication. Disabling firewalld always allowed replication and >>> later stages to complete >>> >>> [24/38]: setting up initial replication >>> Starting replication, please wait until this has completed. >>> >>> [ipa.localdomain.local] reports: Update failed! Status: [-1 - LDAP error: >>> Can't contact LDAP server] >> This is strange. ipa-replica-install should have run the conncheck to exactly >> prevent issues like this. Did you by any chance run ipa-replica-install with >> --skip-conncheck option? >> > Yes, i did. There you go - pure PEBKAC :-) > Why i can't recall now but i just started using it. Once i'd > discovered firewalld was causing the connection problem, i neglected to stop > using it > Of course, once a replica is installed and working, there's little cause to > want to redo it to test conncheck's effectiveness. Might throw together > another, though, just to put my mind at ease For the record, you can also run ipa-replica-conncheck outside ipa-replica-install. > >>> The first master and all replicas are all CentOS Linux release 7.2.1511 (Core) >>> with ipa-server-4.2.0-15.0.1.el7 >>> >>> >>> One other thing. if, during ipa-replica-install,+ you choose the default >>> answer >>> to the following: >>> >>> Existing BIND configuration detected, overwrite? [no]: >>> ipa.ipapython.install.cli.install_tool(Replica): ERROR Aborting >>> installation. >>> >>> Not sure if that is intended? 
Which BIND configuration is being detected? >> This should be only trigged if you install replica with DNS (--setup-dns) >> > Sorry - yes, i did use --setup-dns . I might have bothered to include the > ipa-replica-install command line i used. Still, that is what i got if i > answered No to the question. > Seems like it's the wrong default answer to the question in a --setup-dns > scenario? Yes. This means you do not want installer to modify and update named.conf for FreeIPA, i.e. it cannot install FreeIPA DNS module and has to abort. >>> Anyhow, up and running with 4 replicas, 2 of which will be split off to a >>> failover instance of ESXi in the future. When it works, it's a joy >>> >>> Now back to getting these Mac clients to play nicely with IPA ... >>> >>> thanks for the help and advice >> Thanks for sharing the results. >> Martin >> > From wdh at dds.nl Wed Jun 8 10:18:50 2016 From: wdh at dds.nl (Winfried de Heiden) Date: Wed, 8 Jun 2016 12:18:50 +0200 Subject: [Freeipa-users] FreeIPA 4.4 In-Reply-To: References: <20160607130203.zyms26vj3bhztozz@redhat.com> <0c6db22f-6727-b538-e262-c84ecfd96e95@dds.nl> <20160607141344.a55hvf64n6k3rbht@redhat.com> <68740fdb-859d-9cfe-4943-8b27a1ae5e49@dds.nl> <20160607164212.wh2idbbkniabdzdy@redhat.com> <1465319719.2595.7.camel@redhat.com> Message-ID: An HTML attachment was scrubbed... URL: From krnrdb at gmail.com Wed Jun 8 10:28:07 2016 From: krnrdb at gmail.com (krnrd b) Date: Wed, 8 Jun 2016 15:58:07 +0530 Subject: [Freeipa-users] how to integrate freeipa (LDAP) with sonatype nexus Message-ID: Hi All, I am not able to login to sonatype nexus gui after configuring ldap details on nexus. can any one provide me nexus ldap configuration details. Please find the attached screen shot which i have configured. [image: Inline image 1] [image: Inline image 2] [image: Inline image 3] Thanks and Regards, Kiran -------------- next part -------------- An HTML attachment was scrubbed... 
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 29882 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 33006 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 37633 bytes
Desc: not available
URL:

From pvoborni at redhat.com Wed Jun 8 10:55:09 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 8 Jun 2016 12:55:09 +0200
Subject: [Freeipa-users] Replica without CA: implications?
In-Reply-To: <5757E22D.4060003@blue-bolt.com>
References: <56E0484B.4080006@blue-bolt.com> <1457540024.8257.279.camel@redhat.com> <57504068.5010003@blue-bolt.com> <5750A4DE.1090206@redhat.com> <5756D5C4.3070407@blue-bolt.com> <7286a785-ee93-0ef3-cd55-bdc782ec7064@redhat.com> <5757DFF0.1050005@blue-bolt.com> <5757E22D.4060003@blue-bolt.com>
Message-ID: <0d383250-0cc2-29fe-d7ce-9cfa90ca74b0@redhat.com>

On 06/08/2016 11:15 AM, Cal Sawyer wrote:
> In /var/log/dirsrv/slapd-LOCALDOMAIN-LOCAL/errors on all IPA
> master/replicas, there's a multitude of these messages. There are no
> other error messages and replication, from viewing access log, appears
> to be working
>
> [08/Jun/2016:10:06:08 +0100] attrlist_replace - attr_replace
> (nsslapd-referral,
> ldap://ipa.localdomain.local:389/dc%3Dlocaldomain%2Cdc%3Dlocal) failed.
>
>> ipa-replica-manage list-ruv
>
> ipa.localdomain.local:389: 4
> ipa4.localdomain.local:389: 28
> ipa2.localdomain.local:389: 17
> ipa3.localdomain.local:389: 29
> ipa2.localdomain.local:389: 8
>
> This is correct, yes?
>
> - c sawyer
>

One of (probably 8):

ipa2.localdomain.local:389: 17
ipa2.localdomain.local:389: 8

is incorrect.

https://www.freeipa.org/page/Troubleshooting#Obsolete_RUV_records

You need to identify which one is INCORRECT and then run
ipa-replica-manage clean-ruv $incorrect command.

The CORRECT one can be identified with:

ldapsearch -ZZ -h ipa2.localdomain.local -D "cn=Directory Manager" -W -b "dc=localdomain,dc=local" "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))" | grep "nsDS5ReplicaId"

-- 
Petr Vobornik

From detlev.habicht at ims.uni-hannover.de Wed Jun 8 11:00:20 2016
From: detlev.habicht at ims.uni-hannover.de (Detlev Habicht)
Date: Wed, 8 Jun 2016 13:00:20 +0200
Subject: [Freeipa-users] Dynamic DNS Questions
Message-ID:

Hi all,

well, I am really a beginner with IPA and just trying to setup some
test systems. In the moment one IPA server, one NFS/Samba server and a
fedora client. I am running IPA 4.2, Scientific Linux 7.2 and Fedora 23.

The most important things are running now.

But I have a problem with DNS entries left. Maybe while installing
IPA I made mistakes with the NFS Server. On this NFS server I have 5
interfaces, 4 of them now as bond interface. So I am running two IPs now:
nn.16 and nn.33.

But while installing IPA (with DNS) it takes the wrong one (16):

2016-05-26T14:08:12Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt:
2016-05-26T14:08:12Z DEBUG debug
update delete nnnix.nnn.intern. IN A
show
send
update delete nnnix.nnn.intern. IN AAAA
show
send
update add nnnix.nnn.intern. 1200 IN A nnn.nn.nn.16
show
send
2016-05-26T14:08:12Z DEBUG Starting external process
2016-05-26T14:08:12Z DEBUG args='/usr/bin/nsupdate' '-g' '/etc/ipa/.dns_update.txt'

I can change the DNS entry on the IPA server to nn.33 at runtime. Then
everything is ok. But when I boot the NFS server, it is changing the DNS
entry on the IPA Server to nn.16.

What can I do so the IPA client (here my NFS Server) is using the right IP?
I don't find any conf-File. Is there any point where I can change this IP?

Thanx for any help!
Detlev -- Detlev | Institut fuer Mikroelektronische Systeme Habicht | D-30167 Hannover +49 511 76219662 habicht at ims.uni-hannover.de --------+-------- Handy +49 172 5415752 --------------------------- -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Wed Jun 8 11:23:45 2016 From: mbasti at redhat.com (Martin Basti) Date: Wed, 8 Jun 2016 13:23:45 +0200 Subject: [Freeipa-users] Dynamic DNS Questions In-Reply-To: References: Message-ID: <01ac9e93-b53d-7cb1-6d8a-5b96fceba2df@redhat.com> On 08.06.2016 13:00, Detlev Habicht wrote: > Hi all, > > well, i am really a beginner with IPA and just trying to setup some > test systems. In the moment one IPA server, one NFS/Samba server and a > fedora CLient. I am running IPA 4.2, Scientific Linux 7.2 and Fedora 23. > > The most important things are running now. > > But i have a problem with DNS entries left. Maybe while installing > IPA i make mistakes with the NFS Server. On this NFS server i have 5 > interfaces. 4 > of them now as bond interface. So i am running two IPs now: nn.16 and > nn.33. > > But while installing IPA (with DNS) it takes the wrong one (16): > > 2016-05-26T14:08:12Z DEBUG Writing nsupdate commands to > /etc/ipa/.dns_update.txt: > 2016-05-26T14:08:12Z DEBUG debug > update delete nnnix.nnn.intern. IN A > show > send > update delete nnnix.nnn.intern. IN AAAA > show > send > update add nnnix.nnn.intern. 1200 IN A nnn.nn.nn.16 > show > send > 2016-05-26T14:08:12Z DEBUG Starting external process > 2016-05-26T14:08:12Z DEBUG args='/usr/bin/nsupdate' '-g' > '/etc/ipa/.dns_update.txt' > > > I can change the DNS entry on the IPA server to nn.33 at runtime. Then > everything > is ok. But when i boot the NFS server, it is changing the DNS entry on > the IPA Server to nn.16. > > What can i do so the IPA client (here my NFS Server) is using the > right IP? > I don?t find any conf-File ? Is there any point where i can change > this IP? > > Thanx for any help! 
> > Detlev > > > -- > Detlev | Institut fuer Mikroelektronische Systeme > Habicht | D-30167 Hannover +49 511 76219662 > habicht at ims.uni-hannover.de > --------+-------- Handy +49 172 5415752 --------------------------- > > > > > Hello, DNS updates are done by the sssd daemon on the client; you may want to disable dynamic updates or set the interfaces which should be used. See man sssd-ipa, look for dyndns_update and dyndns_iface. Martin -------------- next part -------------- An HTML attachment was scrubbed... URL: From martin at stefany.eu Wed Jun 8 11:17:55 2016 From: martin at stefany.eu (Martin Štefany) Date: Wed, 8 Jun 2016 13:17:55 +0200 Subject: [Freeipa-users] Dynamic DNS Questions In-Reply-To: References: Message-ID: <47fa5379-cdfb-2c26-2278-ac6dec6116f7@stefany.eu> Hello Detlev, The FreeIPA/SSSD client uses the IP address of the interface/vlan/subnet which is used to communicate (LDAP) with the FreeIPA server. However, if you have dyndns_update set to True in sssd.conf, you can also set dyndns_iface to point to the correct interface whose IP addresses will be dynamically updated in DNS, see: $ man sssd-ipa [stripped] dyndns_iface (string) Optional. Applicable only when dyndns_update is true. Choose the interface or a list of interfaces whose IP addresses should be used for dynamic DNS updates. Special value '*' implies that IPs from all interfaces should be used. NOTE: While it is still possible to use the old ipa_dyndns_iface option, users should migrate to using dyndns_iface in their config file. Default: Use the IP addresses of the interface which is used for IPA LDAP connection Example: dyndns_iface = em1, vnet1, vnet2 [stripped] Kind regards, Martin On 6/8/2016 1:00 PM, Detlev Habicht wrote: > Hi all, > > well, i am really a beginner with IPA and just trying to setup some > test systems. In the moment one IPA server, one NFS/Samba server and a > fedora Client. I am running IPA 4.2, Scientific Linux 7.2 and Fedora 23. > > The most important things are running now.
> > But i have a problem with DNS entries left. Maybe while installing > IPA i make mistakes with the NFS Server. On this NFS server i have 5 > interfaces. 4 > of them now as bond interface. So i am running two IPs now: nn.16 and > nn.33. > > But while installing IPA (with DNS) it takes the wrong one (16): > > 2016-05-26T14:08:12Z DEBUG Writing nsupdate commands to > /etc/ipa/.dns_update.txt: > 2016-05-26T14:08:12Z DEBUG debug > update delete nnnix.nnn.intern. IN A > show > send > update delete nnnix.nnn.intern. IN AAAA > show > send > update add nnnix.nnn.intern. 1200 IN A nnn.nn.nn.16 > show > send > 2016-05-26T14:08:12Z DEBUG Starting external process > 2016-05-26T14:08:12Z DEBUG args='/usr/bin/nsupdate' '-g' > '/etc/ipa/.dns_update.txt' > > > I can change the DNS entry on the IPA server to nn.33 at runtime. Then > everything > is ok. But when i boot the NFS server, it is changing the DNS entry on > the IPA Server to nn.16. > > What can i do so the IPA client (here my NFS Server) is using the right IP? > I don't find any conf-File ... Is there any point where i can change this IP? > > Thanx for any help! > > Detlev > > > -- > Detlev | Institut fuer Mikroelektronische Systeme > Habicht | D-30167 Hannover +49 511 > 76219662 habicht at ims.uni-hannover.de > --------+-------- Handy +49 172 5415752 --------------------------- > > > > > -- -- Martin From cal-s at blue-bolt.com Wed Jun 8 11:36:53 2016 From: cal-s at blue-bolt.com (Cal Sawyer) Date: Wed, 8 Jun 2016 12:36:53 +0100 Subject: [Freeipa-users] Replica without CA: implications?
In-Reply-To: <0d383250-0cc2-29fe-d7ce-9cfa90ca74b0@redhat.com> References: <56E0484B.4080006@blue-bolt.com> <1457540024.8257.279.camel@redhat.com> <57504068.5010003@blue-bolt.com> <5750A4DE.1090206@redhat.com> <5756D5C4.3070407@blue-bolt.com> <7286a785-ee93-0ef3-cd55-bdc782ec7064@redhat.com> <5757DFF0.1050005@blue-bolt.com> <5757E22D.4060003@blue-bolt.com> <0d383250-0cc2-29fe-d7ce-9cfa90ca74b0@redhat.com> Message-ID: <57580355.8050002@blue-bolt.com> Thanks very much for this, Petr. [08/Jun/2016:12:28:42 +0100] NSMMReplicationPlugin - CleanAllRUV Task (rid 8): Successfully cleaned rid(8). on master and all replicas. Voila - all error logs are now quiet Cal Sawyer | Systems Engineer | BlueBolt Ltd 15-16 Margaret Street | London W1W 8RW +44 (0)20 7637 5575 | www.blue-bolt.com On 08/06/16 11:55, Petr Vobornik wrote: > On 06/08/2016 11:15 AM, Cal Sawyer wrote: >> In /var/log/dirsrv/slapd-LOCALDOMAIN-LOCAL/errors on all IPA >> master/replicas:, there's a multitude of these messages. There are no >> other error messages and replication, from viewing access log, appears >> to be working >> >> [08/Jun/2016:10:06:08 +0100] attrlist_replace - attr_replace >> (nsslapd-referral, >> ldap://ipa.localdomain.local:389/dc%3Dlocaldomain%2Cdc%3Dlocal) failed. >> >>> ipa-replica-manage list-ruv >> ipa.localdomain.local:389: 4 >> ipa4.localdomain.local:389: 28 >> ipa2.localdomain.local:389: 17 >> ipa3.localdomain.local:389: 29 >> ipa2.localdomain.local:389: 8 >> >> This is correct, yes? >> >> - c sawyer >> > one of(probably 8): > ipa2.localdomain.local:389: 17 > ipa2.localdomain.local:389: 8 > > is incorrect. > > https://www.freeipa.org/page/Troubleshooting#Obsolete_RUV_records > > You need to identify which one is INCORRECT and then run > ipa-replica-manage clean-ruv $incorrect command. 
> > The CORRECT one can be identified with: > > ldapsearch -ZZ -h ipa2.localdomain.local -D "cn=Directory Manager" -W -b > "dc=localdomain,dc=local" > "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))" > | grep "nsDS5ReplicaId" > > From eivind at aminor.no Wed Jun 8 11:34:48 2016 From: eivind at aminor.no (Eivind Olsen) Date: Wed, 08 Jun 2016 13:34:48 +0200 Subject: [Freeipa-users] How to implement password expiration notifications? Message-ID: <91441e8e8d388a702ed4dc825ed36d6a@aminor.no> We have previously used a script to send "password expiration" reminders to our users. The script did this by doing an LDAP search and checking krbLastPwdChange and krbPasswordExpiration. This seems to have stopped working, possibly a while ago. It now looks like the script is unable to match anything with the following filter: "(&(!(nsAccountLock=TRUE))(krbLastPwdChange<=$(date +%Y%m%d --date='-1 week')000000Z)(krbPasswordExpiration<=$(date +%Y%m%d --date='+1 week')000000Z))" ...that is, unless I run it manually and tell ldapsearch I want to use GSSAPI. What's the best / proper way of implementing something like this on a more recent IPA (say, running on RHEL 7.2 with IPA 4.2.0)? I see some possible methods but none of these feel "right": * I can hardcode an admin user + password in the script, and have it run "kinit" * I can create a keytab file for a user and use that * I can modify ACL/ACIs in 389ds Am I overlooking a nice and obvious solution? :) Regards Eivind Olsen From abokovoy at redhat.com Wed Jun 8 12:00:14 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 8 Jun 2016 15:00:14 +0300 Subject: [Freeipa-users] How to implement password expiration notifications?
In-Reply-To: <91441e8e8d388a702ed4dc825ed36d6a@aminor.no> References: <91441e8e8d388a702ed4dc825ed36d6a@aminor.no> Message-ID: <20160608120014.sz742mvppmmsvzdu@redhat.com> On Wed, 08 Jun 2016, Eivind Olsen wrote: >We have previously used a script to send "password expiration" >reminders to our users. The script did this by doing an LDAP search and >checking krbLastPwdChange and krbPasswordExpiration. >This seems to have stopped working, possibly a while ago. It now looks >like the script is unable to match anything with the following filter: > >"(&(!(nsAccountLock=TRUE))(krbLastPwdChange<=$(date +%Y%m%d --date='-1 >week')000000Z)(krbPasswordExpiration<=$(date +%Y%m%d --date='+1 >week')000000Z))" > >...that is, unless I run it manually and tell ldapsearch I want to use >GSSAPI. No, you need to be authenticated, no matter how. Anonymous connections don't have access to the majority of attributes in FreeIPA 4.x+. >What's the best / proper way of implementing something like this on a >more recent IPA (say, running on RHEL 7.2 with IPA 4.2.0)? I see some >possible methods but none of these feel "right": Make a service (ipa service-add), download a keytab with the key for this service and use gss-proxy to provide refreshing credentials based on the keytab to a script that runs periodically. > >* I can hardcode an admin user + password in the script, and have it >run "kinit" >* I can create a keytab file for a user and use that >* I can modify ACL/ACIs in 389ds > >Am I overlooking a nice and obvious solution? :) Your 'keytab' solution should be OK, but I strongly suggest you use a service, not a user, here.
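Editor's added example, not part of Eivind's or Alexander's messages and not FreeIPA code: the reminder selection written in Python. It builds the filter from Eivind's message with explicit GeneralizedTime values instead of shell date substitution, reads the LDIF that ldapsearch returns, and runs the search with GSSAPI under a ticket obtained from a service keytab as Alexander suggests. The service principal, keytab path, base DN and the sample LDIF are assumptions made up for this example.

```python
# Added example (not from any message in this thread, nor FreeIPA code):
# password-expiry reminder selection for FreeIPA. Assumes the script holds
# a ticket from a service keytab (kinit -kt, as Alexander suggests); the
# principal, keytab path, base DN and LDIF below are made up for this example.
import base64
import subprocess
from datetime import datetime, timedelta, timezone

GT = "%Y%m%d%H%M%SZ"   # LDAP GeneralizedTime in UTC, as FreeIPA stores it

def to_gt(dt): return dt.astimezone(timezone.utc).strftime(GT)
def from_gt(value): return datetime.strptime(value, GT).replace(tzinfo=timezone.utc)

def build_filter(now, warn_days=7, quiet_days=7):
    """The filter from the thread with the timestamps computed here: active
    users whose password expires within warn_days and who did not change it
    during the last quiet_days."""
    expires_before = to_gt(now + timedelta(days=warn_days))
    changed_before = to_gt(now - timedelta(days=quiet_days))
    return ("(&(!(nsAccountLock=TRUE))"
            f"(krbLastPwdChange<={changed_before})"
            f"(krbPasswordExpiration<={expires_before}))")

def parse_ldif(text):
    """Minimal LDIF reader: one dict (attribute -> [values]) per entry,
    unfolding continuation lines and decoding 'attr:: <base64>' values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:       # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line.strip():                    # blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):               # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries

def expiring_users(ldif_text, now, warn_days=7, quiet_days=7):
    """[(uid, days_left)] for users who should get a reminder; days_left is
    negative once the password has expired. The server-side filter already
    selects these; this is a second check in case of a broader search."""
    horizon = now + timedelta(days=warn_days)
    quiet_since = now - timedelta(days=quiet_days)
    due = []
    for e in parse_ldif(ldif_text):
        if "uid" not in e or "krbPasswordExpiration" not in e:
            continue                            # no expiry set: nothing to warn about
        if any(v.upper() == "TRUE" for v in e.get("nsAccountLock", [])):
            continue                            # disabled account
        changed = e.get("krbLastPwdChange")
        if changed and from_gt(changed[0]) > quiet_since:
            continue                            # changed recently, don't nag
        expires = from_gt(e["krbPasswordExpiration"][0])
        if expires <= horizon:
            due.append((e["uid"][0], int((expires - now).total_seconds() // 86400)))
    return due

def fetch_ldif(base_dn, ldap_filter):
    """ldapsearch with GSSAPI under the service ticket (needs a real IPA
    server, so it is not exercised by the sample run below)."""
    cmd = ["ldapsearch", "-LLL", "-Y", "GSSAPI", "-b", base_dn, ldap_filter,
           "uid", "krbPasswordExpiration", "krbLastPwdChange", "nsAccountLock"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

# Constructed sample search result, not real directory data.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
krbLastPwdChange: 20160501120000Z
krbPasswordExpiration: 20160611120000Z

dn: uid=dave,cn=users,cn=accounts,dc=example,dc=test
uid: dave
krbLastPwdChange: 20160301120000Z
krbPasswordExpiration: 20160606120000Z

dn: uid=erin,cn=users,cn=accounts,dc=example,dc=test
uid: erin
krbLastPwdChange: 20160607120000Z
krbPasswordExpiration: 20160612120000Z
"""
NOW = datetime(2016, 6, 8, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    # Live use (hypothetical principal/keytab/base DN):
    #   subprocess.run(["kinit", "-kt", "/etc/gssproxy/pwdremind.keytab",
    #                   "PWDREMIND/script.host.fqdn"], check=True)
    #   due = expiring_users(fetch_ldif("dc=example,dc=test", build_filter(NOW)), NOW)
    print(build_filter(NOW))
    for uid, days in expiring_users(SAMPLE_LDIF, NOW):
        print(f"{uid}: password expires in {days} day(s)")
```

With the constructed sample, alice (3 days left) and dave (expired 2 days ago) are selected; erin is skipped because she changed her password inside the quiet window, which is what the krbLastPwdChange clause in Eivind's filter does on the server side. Running ldapsearch with -Y GSSAPI is what makes the difference Eivind observed: an anonymous bind cannot read krbPasswordExpiration, so the same filter matches nothing.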
-- / Alexander Bokovoy From detlev.habicht at ims.uni-hannover.de Wed Jun 8 13:07:03 2016 From: detlev.habicht at ims.uni-hannover.de (Detlev Habicht) Date: Wed, 8 Jun 2016 15:07:03 +0200 Subject: [Freeipa-users] Dynamic DNS Questions In-Reply-To: <47fa5379-cdfb-2c26-2278-ac6dec6116f7@stefany.eu> References: <47fa5379-cdfb-2c26-2278-ac6dec6116f7@stefany.eu> Message-ID: <6434B43C-B0A7-4C41-8252-F5A0637DCA8A@ims.uni-hannover.de> Thank you, this is it. This entry was already in sssd.conf (with the wrong interface). But i was looking for an IP number ... ignoring interfaces. Stupid, my fault. Thank you again Detlev -- Detlev | Institut fuer Mikroelektronische Systeme Habicht | D-30167 Hannover +49 511 76219662 habicht at ims.uni-hannover.de --------+-------- Handy +49 172 5415752 --------------------------- On 08.06.2016 at 13:17, Martin Štefany wrote: > Hello Detlev, > > The FreeIPA/SSSD client uses the IP address of the interface/vlan/subnet which is used to communicate (LDAP) with the FreeIPA server. > > However, if you have dyndns_update set to True in sssd.conf, you can also set dyndns_iface to point to the correct interface whose IP addresses will be dynamically updated in DNS, see: > > $ man sssd-ipa > [stripped] > dyndns_iface (string) > Optional. Applicable only when dyndns_update is true. Choose the interface or a list of interfaces whose IP addresses should be used for dynamic DNS updates. Special value '*' implies that IPs from all interfaces > should be used. > > NOTE: While it is still possible to use the old ipa_dyndns_iface option, users should migrate to using dyndns_iface in their config file. > > Default: Use the IP addresses of the interface which is used for IPA LDAP connection > > Example: dyndns_iface = em1, vnet1, vnet2 > [stripped] > > Kind regards, > Martin > > > > On 6/8/2016 1:00 PM, Detlev Habicht wrote: >> Hi all, >> >> well, i am really a beginner with IPA and just trying to setup some >> test systems.
In the moment one IPA server, one NFS/Samba server and a >> fedora Client. I am running IPA 4.2, Scientific Linux 7.2 and Fedora 23. >> >> The most important things are running now. >> >> But i have a problem with DNS entries left. Maybe while installing >> IPA i make mistakes with the NFS Server. On this NFS server i have 5 >> interfaces. 4 >> of them now as bond interface. So i am running two IPs now: nn.16 and >> nn.33. >> >> But while installing IPA (with DNS) it takes the wrong one (16): >> >> 2016-05-26T14:08:12Z DEBUG Writing nsupdate commands to >> /etc/ipa/.dns_update.txt: >> 2016-05-26T14:08:12Z DEBUG debug >> update delete nnnix.nnn.intern. IN A >> show >> send >> update delete nnnix.nnn.intern. IN AAAA >> show >> send >> update add nnnix.nnn.intern. 1200 IN A nnn.nn.nn.16 >> show >> send >> 2016-05-26T14:08:12Z DEBUG Starting external process >> 2016-05-26T14:08:12Z DEBUG args='/usr/bin/nsupdate' '-g' >> '/etc/ipa/.dns_update.txt' >> >> >> I can change the DNS entry on the IPA server to nn.33 at runtime. Then >> everything >> is ok. But when i boot the NFS server, it is changing the DNS entry on >> the IPA Server to nn.16. >> >> What can i do so the IPA client (here my NFS Server) is using the right IP? >> I don't find any conf-File ... Is there any point where i can change this IP? >> >> Thanx for any help! >> >> Detlev >> >> >> -- >> Detlev | Institut fuer Mikroelektronische Systeme >> Habicht | D-30167 Hannover +49 511 >> 76219662 habicht at ims.uni-hannover.de >> --------+-------- Handy +49 172 5415752 --------------------------- >> >> >> >> >> > > -- > -- > Martin -------------- next part -------------- An HTML attachment was scrubbed... URL: From eivind at aminor.no Wed Jun 8 13:17:28 2016 From: eivind at aminor.no (Eivind Olsen) Date: Wed, 08 Jun 2016 15:17:28 +0200 Subject: [Freeipa-users] How to implement password expiration notifications?
In-Reply-To: <20160608120014.sz742mvppmmsvzdu@redhat.com> References: <91441e8e8d388a702ed4dc825ed36d6a@aminor.no> <20160608120014.sz742mvppmmsvzdu@redhat.com> Message-ID: Den 2016-06-08 14:00, skrev Alexander Bokovoy: > Make a service (ipa service-add), download a keytab with the key for > this service and use gss-proxy to provide refreshing credentials based > on the keytab to a script that runs periodically. Hm. I like that idea, now I just need to actually make it work here :) I have done: ipa service-add PWDREMIND/script.host.fqdn ipa-getkeytab -s script.host.fqdn -k /etc/gssproxy/pwdremind.keytab -p PWDREMIND/script.host.fqdn ...and I have a file /etc/gssproxy/pwdremind.keytab I added a section to /etc/gssproxy/gssproxy.conf : [service/PWDREMIND] mechs = krb5 cred_store = keytab:/etc/gssproxy/pwdremind.keytab cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U euid = 0 I guess I could run the password reminder script as another user in cron and change the euid line above accordingly. Now I guess the next step is figuring out how to tell "ldapsearch" to work with gssproxy (unless I've made some other glaring mistake already). Regards Eivind Olsen From npmccallum at redhat.com Wed Jun 8 13:53:37 2016 From: npmccallum at redhat.com (Nathaniel McCallum) Date: Wed, 08 Jun 2016 09:53:37 -0400 Subject: [Freeipa-users] FreeOTP In-Reply-To: References: <20160607130203.zyms26vj3bhztozz@redhat.com> <0c6db22f-6727-b538-e262-c84ecfd96e95@dds.nl> <20160607141344.a55hvf64n6k3rbht@redhat.com> <68740fdb-859d-9cfe-4943-8b27a1ae5e49@dds.nl> <20160607164212.wh2idbbkniabdzdy@redhat.com> <1465319719.2595.7.camel@redhat.com> Message-ID: <1465394017.2599.3.camel@redhat.com> No, we need to know what libverto *backend* you are using. 
Please provide the output from this command: rpm -qa 'libverto*' 'krb5*' On Wed, 2016-06-08 at 08:34 +0200, Winfried de Heiden wrote: > Hi all, > > > Well, the libverto is there some time already (yep, it's running on > a Bananapi!), doesn't feel like a recent update, so a... > > > Name : libverto > Version : 0.2.6 > Release : 5.fc23 > Architecture: armv7hl > Install Date: Thu Jan 1 01:08:24 1970 > Group : Unspecified > Size : 21896 > License : MIT > Signature : RSA/SHA256, Sun Jun 21 06:24:46 2015, Key ID > 32474cf834ec9cba > Source RPM : libverto-0.2.6-5.fc23.src.rpm > Build Date : Wed Jun 17 20:37:05 2015 > Build Host : arm04-builder19.arm.fedoraproject.org > > No, no previous build available... > > [root at ipa boot]# dnf downgrade libverto > Last metadata expiration check: 0:10:21 ago on Wed Jun 8 08:19:53 > 2016. > Package libverto of lowest version already installed, cannot > downgrade it. > Error: Nothing to do. > > > My first guess is that you are hitting this bug: https://github.com/k > rb5/krb5/commit/051a31aac553defb2ef0ed4354b799090899904e > > What to do about it...? From rcritten at redhat.com Wed Jun 8 14:04:41 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 8 Jun 2016 10:04:41 -0400 Subject: [Freeipa-users] how to integrate freeipa (LDAP) with sonatype nexus In-Reply-To: References: Message-ID: <575825F9.1010300@redhat.com> krnrd b wrote: > Hi All, > > I am not able to login to sonatype nexus gui after configuring ldap > details on nexus. > > can any one provide me nexus ldap configuration details. > > Please find the attached screen shot which i have configured. > > Inline image 1 > > Inline image 2 > > Inline image 3 > > Thanks and Regards, > Kiran I don't know if your app will combine the search base with the base DN for users and groups. You'd have to check the 389-ds access logs to see for sure.
But in either case, users are in cn=users,cn=accounts[,$BASE] and groups are in cn=groups,cn=accounts[,$BASE]. I don't know what the user/group subtree checkbox means. For user objectclass I'd use posixAccount. If you want only the POSIX groups I'd use posixGroup for the objectclass, otherwise use groupofnames. Also change the group member attribute to member. Watching the 389-ds access log will help determine what is being asked for (vs what is available). Note that this log is buffered by default for 30 seconds so patience is needed. rob From przemek.orzechowski at makolab.pl Wed Jun 8 14:54:44 2016 From: przemek.orzechowski at makolab.pl (Przemysław Orzechowski) Date: Wed, 8 Jun 2016 16:54:44 +0200 Subject: [Freeipa-users] after a server reboot no more login for korora users Message-ID: <575831B4.7000003@makolab.pl> Hi, I enrolled a Centos 7 box into IPA (also a stock Centos 7 server). For some time everything was working ok, but now I can't ssh to the client after a client reboot. On every ssh login attempt I get such lines in sshd.log on the client: (Wed Jun 8 14:05:03 2016) [sssd[be[korora.mydomain]]] [krb5_auth_store_creds] (0x0010): unsupported PAM command [249]. (Wed Jun 8 14:05:03 2016) [sssd[be[korora.mydomain]]] [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work.
Any suggestion on how to debug this problem would be greatly appreciated. From sbose at redhat.com Wed Jun 8 15:05:24 2016 From: sbose at redhat.com (Sumit Bose) Date: Wed, 8 Jun 2016 17:05:24 +0200 Subject: [Freeipa-users] after a server reboot no more login for korora users In-Reply-To: <575831B4.7000003@makolab.pl> References: <575831B4.7000003@makolab.pl> Message-ID: <20160608150524.GP24380@p.Speedport_W_724V_Typ_A_05011603_00_009> On Wed, Jun 08, 2016 at 04:54:44PM +0200, Przemysław Orzechowski wrote: > Hi, I enrolled a > Centos 7 box into IPA (also a stock Centos 7 server). > For some time everything was working ok, but now I can't ssh to the client > after a client reboot. > On every ssh login attempt I get such lines in sshd.log on the client: > > (Wed Jun 8 14:05:03 2016) [sssd[be[korora.mydomain]]] [krb5_auth_store_creds] (0x0010): unsupported PAM command [249]. > (Wed Jun 8 14:05:03 2016) [sssd[be[korora.mydomain]]] [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work. This message does not indicate an error and is already fixed in the latest version. > > Any suggestion on how to debug this problem would be greatly appreciated. Maybe the krb5_client.log has some details why the authentication failed? HTH bye, Sumit > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project From Dan.Finkelstein at high5games.com Wed Jun 8 15:09:50 2016 From: Dan.Finkelstein at high5games.com (Dan.Finkelstein at high5games.com) Date: Wed, 8 Jun 2016 15:09:50 +0000 Subject: [Freeipa-users] Replica without CA: implications?
In-Reply-To: <0d383250-0cc2-29fe-d7ce-9cfa90ca74b0@redhat.com> References: <56E0484B.4080006@blue-bolt.com> <1457540024.8257.279.camel@redhat.com> <57504068.5010003@blue-bolt.com> <5750A4DE.1090206@redhat.com> <5756D5C4.3070407@blue-bolt.com> <7286a785-ee93-0ef3-cd55-bdc782ec7064@redhat.com> <5757DFF0.1050005@blue-bolt.com> <5757E22D.4060003@blue-bolt.com> <0d383250-0cc2-29fe-d7ce-9cfa90ca74b0@redhat.com> Message-ID: <3DB6A5AA-1CC7-48CD-8A00-28586932A27E@high5games.com> If, after identifying the dangling RUVs and attempting to clean them, you see this: [root at ipa-replica ~]# ipa-replica-manage clean-ruv 104 Clean the Replication Update Vector for ipa.example.com:389 Cleaning the wrong replica ID will cause that server to no longer replicate so it may miss updates while the process is running. It would need to be re-initialized to maintain consistency. Be very careful. Continue to clean? [no]: yes CLEANALLRUV task for replica id 104 already exists. This may be safely interrupted with Ctrl+C Does one have to use ldapmodify instead? Thanks, Dan [cid:image001.jpg at 01D1C176.45C64B20] Daniel Alex Finkelstein| Senior Dev Ops Engineer Dan.Finkelstein at h5g.com | 212.604.3447 One World Trade Center, New York, NY 10007 www.high5games.com Play High 5 Casino and Shake the Sky Follow us on: Facebook, Twitter, YouTube, Linkedin This message and any attachments may contain confidential or privileged information and are only for the use of the intended recipient of this message. If you are not the intended recipient, please notify the sender by return email, and delete or destroy this and all copies of this message and all attachments. Any unauthorized disclosure, use, distribution, or reproduction of this message or any attachments is prohibited and may be unlawful. From: on behalf of Petr Vobornik Date: Wednesday, June 8, 2016 at 06:55 To: Cal Sawyer , "freeipa-users at redhat.com" Subject: Re: [Freeipa-users] Replica without CA: implications? 
You need to identify which one is INCORRECT and then run ipa-replica-manage clean-ruv $incorrect command. The CORRECT one can be identified with: ldapsearch -ZZ -h ipa2.localdomain.local -D "cn=Directory Manager" -W -b "dc=localdomain,dc=local" "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))" | grep "nsDS5ReplicaId" -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.jpg Type: image/jpeg Size: 4331 bytes Desc: image001.jpg URL: From peljasz at yahoo.co.uk Wed Jun 8 16:07:10 2016 From: peljasz at yahoo.co.uk (lejeczek) Date: Wed, 8 Jun 2016 17:07:10 +0100 Subject: [Freeipa-users] IPA stack startup time - expected values? Message-ID: hi users I wonder if on a very minimal installation, still fresh with only ~20 test users and no other app/services using IPA we have a time in mind that IPA stack should take no longer than, to start? I know it varies and may depend on quite a few variables. Reason I wonder is because I have three replicas run on a similar, modern hardware and on one of them freeRadius fails (unless I tell it to start after IPA) whereas on the others there is no problem. In other words one IPA takes longer, so it appears - unless it's freeRadius that should have no problem starting even if one of its backends is not available? many thanks, L From wdh at dds.nl Wed Jun 8 16:30:12 2016 From: wdh at dds.nl (Winfried de Heiden) Date: Wed, 8 Jun 2016 18:30:12 +0200 Subject: [Freeipa-users] FreeOTP In-Reply-To: <1465394017.2599.3.camel@redhat.com> References: <20160607130203.zyms26vj3bhztozz@redhat.com> <0c6db22f-6727-b538-e262-c84ecfd96e95@dds.nl> <20160607141344.a55hvf64n6k3rbht@redhat.com> <68740fdb-859d-9cfe-4943-8b27a1ae5e49@dds.nl> <20160607164212.wh2idbbkniabdzdy@redhat.com> <1465319719.2595.7.camel@redhat.com> <1465394017.2599.3.camel@redhat.com> Message-ID: An HTML attachment was scrubbed...
URL: From npmccallum at redhat.com Wed Jun 8 17:15:13 2016 From: npmccallum at redhat.com (Nathaniel McCallum) Date: Wed, 08 Jun 2016 13:15:13 -0400 Subject: [Freeipa-users] FreeOTP In-Reply-To: References: <20160607130203.zyms26vj3bhztozz@redhat.com> <0c6db22f-6727-b538-e262-c84ecfd96e95@dds.nl> <20160607141344.a55hvf64n6k3rbht@redhat.com> <68740fdb-859d-9cfe-4943-8b27a1ae5e49@dds.nl> <20160607164212.wh2idbbkniabdzdy@redhat.com> <1465319719.2595.7.camel@redhat.com> <1465394017.2599.3.camel@redhat.com> Message-ID: <1465406113.2599.25.camel@redhat.com> Can you please try: # dnf install libverto-libev # dnf remove libverto-tevent # ipactl restart On Wed, 2016-06-08 at 18:30 +0200, Winfried de Heiden wrote: > Well, here you are: > rpm -qa 'libverto*' 'krb5*' > krb5-pkinit-1.14.1-6.fc23.armv7hl > libverto-tevent-0.2.6-5.fc23.armv7hl > krb5-libs-1.14.1-6.fc23.armv7hl > krb5-workstation-1.14.1-6.fc23.armv7hl > libverto-0.2.6-5.fc23.armv7hl > krb5-server-1.14.1-6.fc23.armv7hlfedora > I'm wondering if this is a Fedora ARM issue, I can't reproduce it on > Fedora x86_64... > > Winny > > > On 08-06-16 at 15:53, Nathaniel McCallum wrote: > > No, we need to know what libverto *backend* you are using. Please > > provide the output from this command: rpm -qa 'libverto*' 'krb5*' > > > > On Wed, 2016-06-08 at 08:34 +0200, Winfried de Heiden wrote: > > > Hi all, > > > > > > > > > Well, the libverto is there some time already (yep, it's running > > > on > > > a Bananapi!), doesn't feel like a recent update, so a... > > > > > > > > > Name : libverto > > > Version : 0.2.6 > > > Release : 5.fc23 > > > Architecture: armv7hl > > > Install Date: Thu Jan 1 01:08:24 1970 > > > Group : Unspecified > > > Size : 21896 > > > License : MIT > > > Signature : RSA/SHA256, Sun Jun 21 06:24:46 2015, Key ID > > > 32474cf834ec9cba > > > Source RPM : libverto-0.2.6-5.fc23.src.rpm > > > Build Date : Wed Jun 17 20:37:05 2015 > > > Build Host
: arm04-builder19.arm.fedoraproject.org > > > > > > No, no previous build available... > > > > > > [root at ipa boot]# dnf downgrade libverto > > > Last metadata expiration check: 0:10:21 ago on Wed Jun 8 > > > 08:19:53 > > > 2016. > > > Package libverto of lowest version already installed, cannot > > > downgrade it. > > > Error: Nothing to do. > > > > > > > > > My first guess is that you are hitting this bug: https://github.c > > > om/k > > > rb5/krb5/commit/051a31aac553defb2ef0ed4354b799090899904e > > > > > > What to do about it...? > From Nathan.Peters at globalrelay.net Wed Jun 8 18:14:04 2016 From: Nathan.Peters at globalrelay.net (Nathan Peters) Date: Wed, 8 Jun 2016 18:14:04 +0000 Subject: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails In-Reply-To: <20160607204327.GA6308@hendrix> References: <20160607204327.GA6308@hendrix> Message-ID: I'm pretty lost here. I tried following the directions on that page but the results still make no sense to me. From what I can see, the account is successfully authorized, and the groups that I am part of are found and some sudo rules are found, but then I am denied access for no reason. This is not working on any CentOS 6.8 server, and working properly on all previous versions of CentOS. I have tried several steps including deleting and re-creating the 6.8 hosts, and unjoining them and re-joining them to the domain.
Nothing helps ========== /var/log/sudo_debug ====================== Jun 8 16:56:01 sudo[7277] <- sudo_pam_verify @ ./auth/pam.c:138 := 0 Jun 8 16:56:01 sudo[7277] <- verify_user @ ./auth/sudo_auth.c:282 := 1 Jun 8 16:56:01 sudo[7277] -> sudo_auth_cleanup @ ./auth/sudo_auth.c:160 Jun 8 16:56:01 sudo[7277] -> sudo_pam_cleanup @ ./auth/pam.c:185 Jun 8 16:56:01 sudo[7277] <- sudo_pam_cleanup @ ./auth/pam.c:189 := 0 Jun 8 16:56:01 sudo[7277] <- sudo_auth_cleanup @ ./auth/sudo_auth.c:177 := 0 Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref @ ./pwutil.c:249 Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238 Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243 Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref @ ./pwutil.c:251 Jun 8 16:56:01 sudo[7277] <- check_user @ ./check.c:189 := true Jun 8 16:56:01 sudo[7277] -> log_failure @ ./logging.c:318 Jun 8 16:56:01 sudo[7277] -> log_denial @ ./logging.c:256 Jun 8 16:56:01 sudo[7277] -> audit_failure @ ./audit.c:68 Jun 8 16:56:01 sudo[7277] -> linux_audit_command @ ./linux_audit.c:70 Jun 8 16:56:01 sudo[7277] -> linux_audit_open @ ./linux_audit.c:49 Jun 8 16:56:01 sudo[7277] <- linux_audit_open @ ./linux_audit.c:61 := 15 Jun 8 16:56:01 sudo[7277] <- linux_audit_command @ ./linux_audit.c:97 := 3 Jun 8 16:56:01 sudo[7277] <- audit_failure @ ./audit.c:81 Jun 8 16:56:01 sudo[7277] -> new_logline @ ./logging.c:746 Jun 8 16:56:01 sudo[7277] <- new_logline @ ./logging.c:867 := user NOT authorized on host ; TTY=pts/1 ; PWD=/home/nathan.peters ; USER=root ; COMMAND=/bin/su - Jun 8 16:56:01 sudo[7277] -> should_mail @ ./logging.c:712 Jun 8 16:56:01 sudo[7277] <- should_mail @ ./logging.c:717 := false Jun 8 16:56:01 sudo[7277] -> do_syslog @ ./logging.c:138 Jun 8 16:56:01 sudo[7277] -> mysyslog @ ./logging.c:96 Jun 8 16:56:01 sudo[7277] <- mysyslog @ ./logging.c:119 Jun 8 16:56:01 sudo[7277] <- do_syslog @ ./logging.c:185 Jun 8 16:56:01 sudo[7277] <- log_denial @ ./logging.c:309 Jun 8 16:56:01 sudo[7277] <- log_failure @ 
./logging.c:341 Jun 8 16:56:01 sudo[7277] -> rewind_perms @ ./set_perms.c:90 Jun 8 16:56:01 sudo[7277] -> restore_perms @ ./set_perms.c:363 Jun 8 16:56:01 sudo[7277] restore_perms: uid: [756600344, 0, 0] -> [756600344, 0, 0] Jun 8 16:56:01 sudo[7277] restore_perms: gid: [756600344, 756600344, 756600344] -> [756600344, 756600344, 756600344] Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref @ ./pwutil.c:816 Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805 Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810 Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref @ ./pwutil.c:818 Jun 8 16:56:01 sudo[7277] <- restore_perms @ ./set_perms.c:407 Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref @ ./pwutil.c:816 Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805 Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810 Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref @ ./pwutil.c:818 Jun 8 16:56:01 sudo[7277] <- rewind_perms @ ./set_perms.c:96 Jun 8 16:56:01 sudo[7277] -> sudo_endpwent @ ./pwutil.c:443 Jun 8 16:56:01 sudo[7277] -> sudo_freepwcache @ ./pwutil.c:426 Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238 Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362 Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> 
_rbdestroy @ ./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238 Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362 Jun 8 16:56:01 sudo[7277] <- sudo_freepwcache @ ./pwutil.c:437 Jun 8 16:56:01 sudo[7277] <- sudo_endpwent @ ./pwutil.c:448 Jun 8 16:56:01 sudo[7277] -> sudo_endgrent @ ./pwutil.c:861 Jun 8 16:56:01 sudo[7277] -> sudo_freegrcache @ ./pwutil.c:840 Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362 Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ ./pwutil.c:657 Jun 8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ ./pwutil.c:662 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ ./pwutil.c:657 Jun 8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ ./pwutil.c:662 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362 Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- 
_rbdestroy @ ./redblack.c:349
Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
Jun 8 16:56:01 sudo[7277] <- sudo_freegrcache @ ./pwutil.c:855
Jun 8 16:56:01 sudo[7277] <- sudo_endgrent @ ./pwutil.c:866
Jun 8 16:56:01 sudo[7277] <- sudoers_policy_main @ ./sudoers.c:753 := false
Jun 8 16:56:01 sudo[7277] <- sudoers_policy_check @ ./sudoers.c:766 := false
Jun 8 16:56:01 sudo[7277] <- policy_check @ ./sudo.c:1204 := false
Jun 8 16:56:01 sudo[7277] policy plugin returns 0

============== /var/log/sssd/sssd_sudo.log =====================
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [nathan.peters] from []
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/dev-mydomain.net/nathan.peters]
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [nathan.peters at dev-mydomain.net]
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [nathan.peters at dev-mydomain.net]
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [nathan.peters] from [dev-mydomain.net]
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))]
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@dev-mydomain.net]
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [nathan.peters] from []
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/dev-mydomain.net/nathan.peters]
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [nathan.peters at dev-mydomain.net]
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [nathan.peters at dev-mydomain.net]
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [nathan.peters] from [dev-mydomain.net]
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))]
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))]
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 2 rules for [nathan.peters at dev-mydomain.net]
(Wed Jun 8 17:39:16 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Wed Jun 8 17:39:16 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jun 8 17:39:17 2016) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
(Wed Jun 8 17:39:17 2016) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x1091360][17]
(Wed Jun 8 17:39:26 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Wed Jun 8 17:39:26 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit

============= /var/log/sssd/sssd_mydomain.log ==============
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=deployment_engineer]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_req_set_domain] (0x0400): Changing request domain from [dev-mydomain.net] to [dev-mydomain.net]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=dev-mydomain,dc=net]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_print_server] (0x2000): Searching 10.178.0.98
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net].
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 14
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 14 timeout 6
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xebb690], ldap[0xea8500]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 14 finished
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] (0x0400): No such entry
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=sysadmins]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_req_set_domain] (0x0400): Changing request domain from [dev-mydomain.net] to [dev-mydomain.net]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=dev-mydomain,dc=net]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_print_server] (0x2000): Searching 10.178.0.98
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net].
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 15 timeout 6
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xeaaf30], ldap[0xea8500]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 15 finished
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] (0x0400): No such entry
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!

===== output of ldap query manually copied from the sssd_sudo.log; first search returns nothing, second search returns 2 rules ==================
[root at cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))'
asq: Unable to register control with rootdse!
# returned 0 records
# 0 entries
# 0 referrals
[root at cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))'
asq: Unable to register control with rootdse!
# record 1
dn: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
cn: s_allow_deployment_engineer_to_all
dataExpireTimestamp: 1465412946
name: s_allow_deployment_engineer_to_all
objectClass: sudoRule
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoRunAsGroup: ALL
sudoRunAsUser: ALL
sudoUser: %deployment_engineer
distinguishedName: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb

# record 2
dn: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
cn: s_allow_sysadmins_to_all
dataExpireTimestamp: 1465412946
name: s_allow_sysadmins_to_all
objectClass: sudoRule
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoRunAsGroup: ALL
sudoRunAsUser: ALL
sudoUser: %sysadmins
distinguishedName: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb

# returned 2 records
# 2 entries
# 0 referrals

====== output of ldap query against directory for search used in the sssd_domain.log ===========
[root at cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))'
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
[root at cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))'
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jakub Hrozek
Sent: Tuesday, June 7, 2016 1:43 PM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

On Tue, Jun 07, 2016 at 08:21:21PM +0000, Nathan Peters wrote:
> I have a fresh installation of CentOS 6.8 joined to a FreeIPA 4.3.0 domain on Fedora 23.
>
> When I try to sudo on this host, it fails. Here are the log entries from /var/log/secure. Note that we have several hundred CentOS 6.5-6.7 machines where this works fine.
>
> Is this a new bug in CentOS 6.8?

It's true that in 6.8, the sudo part was changed quite a bit, but we haven't heard about any bugs so far.

Could you please follow:
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
and also:
https://fedorahosted.org/sssd/wiki/Troubleshooting
to inspect SSSD logs?

For authentication failed you'll probably want to take a look at the domain logs and maybe the krb5_child.log

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

From anthonyclarka2 at gmail.com Wed Jun 8 18:35:45 2016
From: anthonyclarka2 at gmail.com (Anthony Clark)
Date: Wed, 8 Jun 2016 14:35:45 -0400
Subject: [Freeipa-users] sessions failing when using different hostname
In-Reply-To: <7e4e1e47-d14c-fa0a-ef05-1c7101017568@redhat.com>
References: <7e4e1e47-d14c-fa0a-ef05-1c7101017568@redhat.com>
Message-ID:

I think I introduced a red herring by accident, I'm deeply embarrassed to say.

Our new FreeIPA instance lives in ns01.dev.example.net. The alternative hostname is password.example.net. I think that the different domain there was causing some of the problems. I removed mention of the different domain by accident as part of a search and replace to remove the company name.
However, by following Jan's directions I've been able to get this to work using an Apache proxy that rewrites the cookie and referer hostnames.

On Wed, Jun 8, 2016 at 3:29 AM, Martin Kosek wrote:
> On 06/01/2016 07:48 PM, Anthony Clark wrote:
> > Hello All,
> >
> > I've been asked to allow access to our FreeIPA web UI from a more user friendly url than I'm currently using. So I've set up a CNAME password.example.com for ns01.example.com <http://ns01.example.com>
> >
> > At the moment, if I go to the real hostname of the FreeIPA server (ns01.example.com), everything works.
> >
> > If I go to the new "friendly" url (password.example.com) then upon login I get a "your session has expired please re-login" message.
> >
> > Setting debug to true in /etc/ipa/server.conf shows me that the server keeps using new session IDs. (Host and user names changed to protect the innocent)
> >
> > ----- /var/log/httpd/error_log -----
> > [Wed Jun 01 17:11:06.237363 2016] [:error] [pid 31491] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
> > [Wed Jun 01 17:11:06.237533 2016] [:error] [pid 31491] ipa: DEBUG: WSGI jsonserver_session.__call__:
> > [Wed Jun 01 17:11:06.237944 2016] [:error] [pid 31491] ipa: DEBUG: no session cookie found
> > [Wed Jun 01 17:11:06.239009 2016] [:error] [pid 31491] ipa: DEBUG: no session id in request, generating empty session data with id=d5bc1c4cab8d3bfaee63b84805147995
> > [Wed Jun 01 17:11:06.239466 2016] [:error] [pid 31491] ipa: DEBUG: store session: session_id=d5bc1c4cab8d3bfaee63b84805147995 start_timestamp=2016-06-01T17:11:06 access_timestamp=2016-06-01T17:11:06 expiration_timestamp=1970-01-01T00:00:00
> > [Wed Jun 01 17:11:06.241052 2016] [:error] [pid 31491] ipa: DEBUG: jsonserver_session.__call__: session_id=d5bc1c4cab8d3bfaee63b84805147995 start_timestamp=2016-06-01T17:11:06 access_timestamp=2016-06-01T17:11:06 expiration_timestamp=1970-01-01T00:00:00
> > [Wed Jun 01 17:11:06.241186 2016] [:error] [pid 31491] ipa: DEBUG: no ccache, need login
> > [Wed Jun 01 17:11:06.241294 2016] [:error] [pid 31491] ipa: DEBUG: jsonserver_session: 401 Unauthorized need login
> > [Wed Jun 01 17:11:24.956791 2016] [:error] [pid 31492] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
> > [Wed Jun 01 17:11:24.956992 2016] [:error] [pid 31492] ipa: DEBUG: WSGI login_password.__call__:
> > [Wed Jun 01 17:11:24.957381 2016] [:error] [pid 31492] ipa: DEBUG: Obtaining armor ccache: principal=HTTP/ns01.example.com at EXAMPLE.COM keytab=/etc/httpd/conf/ipa.keytab ccache=/var/run/ipa_memcached/krbcc_A_aclark
> > [Wed Jun 01 17:11:24.957519 2016] [:error] [pid 31492] ipa: DEBUG: Initializing principal HTTP/ns01.example.com at EXAMPLE.COM using keytab /etc/httpd/conf/ipa.keytab
> > [Wed Jun 01 17:11:24.957633 2016] [:error] [pid 31492] ipa: DEBUG: using ccache /var/run/ipa_memcached/krbcc_A_aclark
> > [Wed Jun 01 17:11:24.998328 2016] [:error] [pid 31492] ipa: DEBUG: Attempt 1/1: success
> > [Wed Jun 01 17:11:24.998531 2016] [:error] [pid 31492] ipa: DEBUG: Initializing principal aclark at EXAMPLE.COM using password
> > [Wed Jun 01 17:11:24.998684 2016] [:error] [pid 31492] ipa: DEBUG: Using armor ccache /var/run/ipa_memcached/krbcc_A_aclark for FAST webauth
> > [Wed Jun 01 17:11:24.998865 2016] [:error] [pid 31492] ipa: DEBUG: Starting external process
> > [Wed Jun 01 17:11:24.998984 2016] [:error] [pid 31492] ipa: DEBUG: args='/usr/bin/kinit' 'aclark at EXAMPLE.COM' '-c' 'FILE:/var/run/ipa_memcached/krbcc_31492' '-T' '/var/run/ipa_memcached/krbcc_A_aclark'
> > [Wed Jun 01 17:11:26.079200 2016] [:error] [pid 31492] ipa: DEBUG: Process finished, return code=0
> > [Wed Jun 01 17:11:26.079384 2016] [:error] [pid 31492] ipa: DEBUG: stdout=Password for aclark at EXAMPLE.COM:
> > [Wed Jun 01 17:11:26.079399 2016] [:error] [pid 31492]
> > [Wed Jun 01 17:11:26.079483 2016] [:error] [pid 31492] ipa: DEBUG: stderr=
> > [Wed Jun 01 17:11:26.079680 2016] [:error] [pid 31492] ipa: DEBUG: Cleanup the armor ccache
> > [Wed Jun 01 17:11:26.079871 2016] [:error] [pid 31492] ipa: DEBUG: Starting external process
> > [Wed Jun 01 17:11:26.079983 2016] [:error] [pid 31492] ipa: DEBUG: args='/usr/bin/kdestroy' '-A' '-c' '/var/run/ipa_memcached/krbcc_A_aclark'
> > [Wed Jun 01 17:11:26.093954 2016] [:error] [pid 31492] ipa: DEBUG: Process finished, return code=0
> > [Wed Jun 01 17:11:26.094113 2016] [:error] [pid 31492] ipa: DEBUG: stdout=
> > [Wed Jun 01 17:11:26.094210 2016] [:error] [pid 31492] ipa: DEBUG: stderr=
> > [Wed Jun 01 17:11:26.094809 2016] [:error] [pid 31492] ipa: DEBUG: no session cookie found
> > [Wed Jun 01 17:11:26.095877 2016] [:error] [pid 31492] ipa: DEBUG: no session id in request, generating empty session data with id=7ab08ba17d30883cff480af9e923cf82
> > [Wed Jun 01 17:11:26.096132 2016] [:error] [pid 31492] ipa: DEBUG: store session: session_id=7ab08ba17d30883cff480af9e923cf82 start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26 expiration_timestamp=1970-01-01T00:00:00
> > [Wed Jun 01 17:11:26.096596 2016] [:error] [pid 31492] ipa: DEBUG: finalize_kerberos_acquisition: login_password ccache_name="FILE:/var/run/ipa_memcached/krbcc_31492" session_id="7ab08ba17d30883cff480af9e923cf82"
> > [Wed Jun 01 17:11:26.096774 2016] [:error] [pid 31492] ipa: DEBUG: reading ccache data from file "/var/run/ipa_memcached/krbcc_31492"
> > [Wed Jun 01 17:11:26.097937 2016] [:error] [pid 31492] ipa: DEBUG: get_credential_times: principal=krbtgt/EXAMPLE.COM at EXAMPLE.COM, authtime=06/01/16 17:11:26, starttime=06/01/16 17:11:26, endtime=06/02/16 17:11:26, renew_till=01/01/70 00:00:00
> > [Wed Jun 01 17:11:26.098111 2016] [:error] [pid 31492] ipa: DEBUG: KRB5_CCache FILE:/var/run/ipa_memcached/krbcc_31492 endtime=1464887486 (06/02/16 17:11:26)
> > [Wed Jun 01 17:11:26.098361 2016] [:error] [pid 31492] ipa: DEBUG: set_session_expiration_time: duration_type=inactivity_timeout duration=3600 max_age=1464887186 expiration=1464804686.1 (2016-06-01T18:11:26)
> > [Wed Jun 01 17:11:26.098526 2016] [:error] [pid 31492] ipa: DEBUG: store session: session_id=7ab08ba17d30883cff480af9e923cf82 start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26 expiration_timestamp=2016-06-01T18:11:26
> > [Wed Jun 01 17:11:26.099871 2016] [:error] [pid 31492] ipa: ERROR: release_ipa_ccache: ccache_name (FILE:/var/run/ipa_memcached/krbcc_31492) != KRB5CCNAME environment variable (/var/run/httpd/ipa/krbcache/krb5ccache)
> > [Wed Jun 01 17:11:26.163524 2016] [:error] [pid 31491] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
> > [Wed Jun 01 17:11:26.163708 2016] [:error] [pid 31491] ipa: DEBUG: WSGI jsonserver_session.__call__:
> > [Wed Jun 01 17:11:26.163974 2016] [:error] [pid 31491] ipa: DEBUG: no session cookie found
> > [Wed Jun 01 17:11:26.164464 2016] [:error] [pid 31491] ipa: DEBUG: no session id in request, generating empty session data with id=433125db49c7ca9eb286c3ecf605d55d
> > [Wed Jun 01 17:11:26.164713 2016] [:error] [pid 31491] ipa: DEBUG: store session: session_id=433125db49c7ca9eb286c3ecf605d55d start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26 expiration_timestamp=1970-01-01T00:00:00
> > [Wed Jun 01 17:11:26.165181 2016] [:error] [pid 31491] ipa: DEBUG: jsonserver_session.__call__: session_id=433125db49c7ca9eb286c3ecf605d55d start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26 expiration_timestamp=1970-01-01T00:00:00
> > [Wed Jun 01 17:11:26.165301 2016] [:error] [pid 31491] ipa: DEBUG: no ccache, need login
> > [Wed Jun 01 17:11:26.165401 2016] [:error] [pid 31491] ipa: DEBUG: jsonserver_session: 401 Unauthorized need login
> > ----- /var/log/httpd/error_log -----
> >
> > I'm somewhat at a loss to debug this further. I was wondering if the session storage is somehow bound to the original host name. Is there a way to check and/or configure this?
> >
> > Alternatively is there a guide out there for enabling additional host names for the web UI in FreeIPA?
>
> Good question. I see there was no reply for this thread (note that most of the developers are finishing FreeIPA 4.4 release) yet, CCing Petr to advise.
>
> Martin
>

From Dan.Finkelstein at high5games.com Wed Jun 8 21:11:11 2016
From: Dan.Finkelstein at high5games.com (Dan.Finkelstein at high5games.com)
Date: Wed, 8 Jun 2016 21:11:11 +0000
Subject: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)
Message-ID: <8776E3A1-A1DE-42FA-9C11-B32BDFC88D48@high5games.com>

I have a promoted CA master/FreeIPA 4.2.0 instance on CentOS 7 that emits this error in the httpd logs whenever the WebUI tries to see the certificates page:

[Wed Jun 08 16:56:27.052106 2016] [:error] [pid 2863] ipa: ERROR: ipaserver.plugins.dogtag.ra.find(): Unable to communicate with CMS ([Errno 111] Connection refused)
[Wed Jun 08 16:56:27.052401 2016] [:error] [pid 2863] ipa: INFO: [jsonserver_session] dfinkelstein at EXAMPLE.COM: cert_find(version=u'2.156'): CertificateOperationError

The certificates appear as follows:

[root at ipa httpd]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
auditSigningCert cert-pki-ca                                 u,u,u
EXAMPLE.COM IPA CA                                           CTu,u,Cu
ipaCert                                                      u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u

Upon reboot, httpd fails to start with the error: Failed to start Identity, Policy, Audit. But it can be started later with `ipactl restart`.
Finally, the two last IPA services don't appear to start:

[root at ipa]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: STOPPED
ipa-dnskeysyncd Service: STOPPED
ipa: INFO: The ipactl command was successful

I'd appreciate any guidance or suggestions.

Thanks,
Dan

Daniel Alex Finkelstein | Senior Dev Ops Engineer
Dan.Finkelstein at h5g.com | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com

From michael.rainey.ctr at nrlssc.navy.mil Wed Jun 8 21:47:48 2016
From: michael.rainey.ctr at nrlssc.navy.mil (Michael Rainey (Contractor))
Date: Wed, 8 Jun 2016 16:47:48 -0500
Subject: [Freeipa-users] Yet another question about smartcard login... this time Ubuntu.
Message-ID: <3VuMJ0QWWelEwbVLpm2p6ZKBsHAtTTrhRxoraQT8H1ibGpzxeLrl9t-UpfBYPza1o0lyvjO-uVY@cipher.nrlssc.navy.mil>

Hello,

I have a system running Ubuntu 16.04 running the ipa client 4.3. I am trying to enable smartcard logins through lightdm. I have implemented some of my previous configurations on my Centos 7.2 systems.
Obviously, there are differences between the two distros, so the big question is what are these differences. Has anyone had success using a smartcard to log into an Ubuntu system using freeIPA IdM. I have verified the cert_auth is set to true in the sssd.conf file. My certificates are installed, and the machine does recognize my card while inserted into the reader. Thanks in advance. -- *Michael* -------------- next part -------------- An HTML attachment was scrubbed... URL: From wdh at dds.nl Thu Jun 9 06:16:13 2016 From: wdh at dds.nl (Winfried de Heiden) Date: Thu, 9 Jun 2016 08:16:13 +0200 Subject: [Freeipa-users] FreeOTP In-Reply-To: <1465406113.2599.25.camel@redhat.com> References: <20160607130203.zyms26vj3bhztozz@redhat.com> <0c6db22f-6727-b538-e262-c84ecfd96e95@dds.nl> <20160607141344.a55hvf64n6k3rbht@redhat.com> <68740fdb-859d-9cfe-4943-8b27a1ae5e49@dds.nl> <20160607164212.wh2idbbkniabdzdy@redhat.com> <1465319719.2595.7.camel@redhat.com> <1465394017.2599.3.camel@redhat.com> <1465406113.2599.25.camel@redhat.com> Message-ID: <6fc25458-745c-51a5-0d1a-c28d3e18331b@dds.nl> An HTML attachment was scrubbed... URL: From sbose at redhat.com Thu Jun 9 08:46:45 2016 From: sbose at redhat.com (Sumit Bose) Date: Thu, 9 Jun 2016 10:46:45 +0200 Subject: [Freeipa-users] FreeOTP In-Reply-To: <6fc25458-745c-51a5-0d1a-c28d3e18331b@dds.nl> References: <0c6db22f-6727-b538-e262-c84ecfd96e95@dds.nl> <20160607141344.a55hvf64n6k3rbht@redhat.com> <68740fdb-859d-9cfe-4943-8b27a1ae5e49@dds.nl> <20160607164212.wh2idbbkniabdzdy@redhat.com> <1465319719.2595.7.camel@redhat.com> <1465394017.2599.3.camel@redhat.com> <1465406113.2599.25.camel@redhat.com> <6fc25458-745c-51a5-0d1a-c28d3e18331b@dds.nl> Message-ID: <20160609084645.GB15524@p.Speedport_W_724V_Typ_A_05011603_00_009> On Thu, Jun 09, 2016 at 08:16:13AM +0200, Winfried de Heiden wrote: > Hi all, > > I can install libvert-libev but removing libverto-tevent will remove 123 > dependencies also. (wget, tomcat and much more...) 
>
> Hence, I installed libverto-libev, but did not remove libverto-tevent to give
> it a try. After ipactl restart still the same problem:

fyi, I think I can reproduce the issue on 32bit Fedora. I tried
libverto-libev as well but I removed libverto-tevent after installing
libverto-libev with 'rpm -e --nodeps ....' to make sure libverto has no
other chance.

So it looks a bit like a libverto 32bit issue. I used
libverto-0.2.6-4.fc22. Since I knew that it was working before on 32bits
I tried libverto-0.2.5 and libverto-0.2.4 as well with no luck.

Nathaniel, do you have any suggestions what to check with gdb?

bye,
Sumit

>
> root at ipa ~]# systemctl --failed; journalctl -l -u ipa-otpd at 5-2998-0.service -xe
>   UNIT                      LOAD   ACTIVE SUB    DESCRIPTION
> * ipa-otpd at 5-2998-0.service loaded failed failed ipa-otpd service (PID 2998/UID 0)
>
> LOAD   = Reflects whether the unit definition was properly loaded.
> ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
> SUB    = The low-level unit activation state, values depend on unit type.
>
> 1 loaded units listed. Pass --all to see loaded but inactive units, too.
> ~Unit ipa-otpd at 5-2998-0.service has begun starting up.
> Jun 09 08:12:40 ipa.blabla.bla ipa-otpd[3558]: LDAP: ldapi://%2fvar%2frun%2fslapd-BLABLA-BLA.socket
> Jun 09 08:12:41 ipa.blabla.bla ipa-otpd[3558]: otpuser at BLABLA.BLA: request received
> Jun 09 08:12:41 ipa.blabla.bla ipa-otpd[3558]: otpuser at BLABLA.BLA: user query start
> Jun 09 08:12:41 ipa.blabla.bla ipa-otpd[3558]: otpuser at BLABLA.BLA: user query end: uid=otpuser,cn=users,cn=accounts,dc=blabla,dc=bla
> Jun 09 08:12:41 ipa.blabla.bla ipa-otpd[3558]: otpuser at BLABLA.BLA: bind start: uid=otpuser,cn=users,cn=accounts,dc=blabla,dc=bla
> Jun 09 08:12:41 ipa.blabla.bla ipa-otpd[3558]: otpuser at BLABLA.BLA: bind end: success
> Jun 09 08:12:41 ipa.blabla.bla ipa-otpd[3558]: otpuser at BLABLA.BLA: response sent: Access-Accept
> Jun 09 08:12:41 ipa.blabla.bla ipa-otpd[3558]: stdio.c:073: Connection reset by peer: Error receiving packet
> Jun 09 08:12:41 ipa.blabla.bla systemd[1]: ipa-otpd at 5-2998-0.service: Main process exited, code=exited, status=1/FAILURE
> Jun 09 08:12:41 ipa.blabla.bla systemd[1]: ipa-otpd at 5-2998-0.service: Unit entered failed state.
> Jun 09 08:12:41 ipa.blabla.bla systemd[1]: ipa-otpd at 5-2998-0.service: Failed with result 'exit-code'.
>
> :(
>
> Winny
>
> On 08-06-16 at 19:15, Nathaniel McCallum wrote:
>
> Can you please try:
>   # dnf install libverto-libev
>   # dnf remove libverto-tevent
>   # ipactl restart
>
> On Wed, 2016-06-08 at 18:30 +0200, Winfried de Heiden wrote:
>
> Well, here you are:
> rpm -qa 'libverto*' 'krb5*'
> krb5-pkinit-1.14.1-6.fc23.armv7hl
> libverto-tevent-0.2.6-5.fc23.armv7hl
> krb5-libs-1.14.1-6.fc23.armv7hl
> krb5-workstation-1.14.1-6.fc23.armv7hl
> libverto-0.2.6-5.fc23.armv7hl
> krb5-server-1.14.1-6.fc23.armv7hl
> fedora
>
> I'm wondering if this is a Fedora ARM issue, I can't reproduce it on
> Fedora x86_64...
>
> Winny
>
> On 08-06-16 at 15:53, Nathaniel McCallum wrote:
>
> No, we need to know what libverto *backend* you are using.
> Please provide the output from this command: rpm -qa 'libverto*' 'krb5*'
>
> On Wed, 2016-06-08 at 08:34 +0200, Winfried de Heiden wrote:
>
> Hi all,
>
> Well, the libverto has been there for some time already (yep, it's running
> on a Bananapi!), doesn't feel like a recent update, so a
>
> Name        : libverto
> Version     : 0.2.6
> Release     : 5.fc23
> Architecture: armv7hl
> Install Date: Thu Jan  1 01:08:24 1970
> Group       : Unspecified
> Size        : 21896
> License     : MIT
> Signature   : RSA/SHA256, Sun Jun 21 06:24:46 2015, Key ID 32474cf834ec9cba
> Source RPM  : libverto-0.2.6-5.fc23.src.rpm
> Build Date  : Wed Jun 17 20:37:05 2015
> Build Host  : arm04-builder19.arm.fedoraproject.org
>
> No, no previous build available...
>
> [root at ipa boot]# dnf downgrade libverto
> Last metadata expiration check: 0:10:21 ago on Wed Jun  8 08:19:53 2016.
> Package libverto of lowest version already installed, cannot downgrade it.
> Error: Nothing to do.
>
> My first guess is that you are hitting this bug:
> https://github.com/krb5/krb5/commit/051a31aac553defb2ef0ed4354b799090899904e
>
> What to do about it...?
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From ppicka at redhat.com Thu Jun 9 11:18:19 2016
From: ppicka at redhat.com (Pavel Picka)
Date: Thu, 9 Jun 2016 07:18:19 -0400 (EDT)
Subject: [Freeipa-users] SSH login to client
In-Reply-To: <1140477001.49992677.1465470916702.JavaMail.zimbra@redhat.com>
Message-ID: <1206790841.49995630.1465471099689.JavaMail.zimbra@redhat.com>

Hi,

Has anyone experienced this: when I create a user on the ipa-server and want to log in on a client with this user, I get:

Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
(with kinit [1st time change] the password was changed to a new one)
even with another change with ipa user-mod --password I am getting the same result

and on the client in /var/log/messages I found:

Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed

--
Pavel Picka

From jhrozek at redhat.com Thu Jun 9 11:40:53 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 9 Jun 2016 13:40:53 +0200
Subject: [Freeipa-users] SSH login to client
In-Reply-To: <1206790841.49995630.1465471099689.JavaMail.zimbra@redhat.com>
References: <1140477001.49992677.1465470916702.JavaMail.zimbra@redhat.com> <1206790841.49995630.1465471099689.JavaMail.zimbra@redhat.com>
Message-ID: <20160609114053.GE3271@hendrix>

On Thu, Jun 09, 2016 at 07:18:19AM -0400, Pavel Picka wrote:
> Hi,
>
> Has anyone experienced this: when I create a user on the ipa-server and want to log in on a client with this user, I get:
>
> Permission denied, please try again.
> Permission denied, please try again.
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
>
> (with kinit [1st time change] the password was changed to a new one)
> even with another change with ipa user-mod --password I am getting the same result
>
> and on the client in /var/log/messages I found:
>
> Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
> Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
> Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
> Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
> Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
> Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed

This normally means wrong password. Does this happen only with the initial expired password or even after you reset the password and kinit? Can you send a more verbose krb5_child.log?

From sbose at redhat.com Thu Jun 9 11:42:32 2016
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 9 Jun 2016 13:42:32 +0200
Subject: [Freeipa-users] SSH login to client
In-Reply-To: <1206790841.49995630.1465471099689.JavaMail.zimbra@redhat.com>
References: <1140477001.49992677.1465470916702.JavaMail.zimbra@redhat.com> <1206790841.49995630.1465471099689.JavaMail.zimbra@redhat.com>
Message-ID: <20160609114232.GI3302@p.Speedport_W_724V_Typ_A_05011603_00_009>

On Thu, Jun 09, 2016 at 07:18:19AM -0400, Pavel Picka wrote:
> Hi,
>
> Has anyone experienced this: when I create a user on the ipa-server and want to log in on a client with this user, I get:
>
> Permission denied, please try again.
> Permission denied, please try again.
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
>
> (with kinit [1st time change] the password was changed to a new one)
> even with another change with ipa user-mod --password I am getting the same result
>
> and on the client in /var/log/messages I found:
>
> Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
> Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
> Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
> Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
> Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
> Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed

Can you send the full debug_level=10 content of krb5_child.log for a single attempt (same pid in [sssd[krb5_child[xxxx]]])? The error might not be related to the user password but e.g. to an old keytab, and krb5_child fails to establish the FAST tunnel.

bye,
Sumit

>
> --
> Pavel Picka

From dkupka at redhat.com Thu Jun 9 11:45:26 2016
From: dkupka at redhat.com (David Kupka)
Date: Thu, 9 Jun 2016 13:45:26 +0200
Subject: [Freeipa-users] SSH login to client
In-Reply-To: <1206790841.49995630.1465471099689.JavaMail.zimbra@redhat.com>
References: <1206790841.49995630.1465471099689.JavaMail.zimbra@redhat.com>
Message-ID: 

On 09/06/16 13:18, Pavel Picka wrote:
> Hi,
>
> Has anyone experienced this: when I create a user on the ipa-server and want to log in on a client with this user, I get:
>
> Permission denied, please try again.
> Permission denied, please try again.
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
>
> (with kinit [1st time change] the password was changed to a new one)
> even with another change with ipa user-mod --password I am getting the same result
>
> and on the client in /var/log/messages I found:
>
> Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
> Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
> Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
> Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
> Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
> Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
>
> --
> Pavel Picka
>

Hi Pavel!

I have a few questions that may help locating the issue:

Are you able to kinit as the user on server and client?
Are you able to ssh to the client as the admin?
What is the output of "id user" on the client?

--
David Kupka

From npmccallum at redhat.com Thu Jun 9 12:42:59 2016
From: npmccallum at redhat.com (Nathaniel McCallum)
Date: Thu, 09 Jun 2016 08:42:59 -0400
Subject: [Freeipa-users] FreeOTP
In-Reply-To: <20160609084645.GB15524@p.Speedport_W_724V_Typ_A_05011603_00_009>
References: <0c6db22f-6727-b538-e262-c84ecfd96e95@dds.nl> <20160607141344.a55hvf64n6k3rbht@redhat.com> <68740fdb-859d-9cfe-4943-8b27a1ae5e49@dds.nl> <20160607164212.wh2idbbkniabdzdy@redhat.com> <1465319719.2595.7.camel@redhat.com> <1465394017.2599.3.camel@redhat.com> <1465406113.2599.25.camel@redhat.com> <6fc25458-745c-51a5-0d1a-c28d3e18331b@dds.nl> <20160609084645.GB15524@p.Speedport_W_724V_Typ_A_05011603_00_009>
Message-ID: <1465476179.2969.8.camel@redhat.com>

On Thu, 2016-06-09 at 10:46 +0200, Sumit Bose wrote:
> On Thu, Jun 09, 2016 at 08:16:13AM +0200, Winfried de Heiden wrote:
> > Hi all,
> >
> > I can install libverto-libev but removing libverto-tevent will
> > remove 123
> > dependencies also. (wget, tomcat and much more...)
> >
> > Hence, I installed libverto-libev, but did not remove libverto-
> > tevent to give
> > it a try. After ipactl restart still the same problem:
>
> fyi, I think I can reproduce the issue on 32bit Fedora. I tried
> libverto-libev as well but I removed libverto-tevent after installing
> libverto-libev with 'rpm -e --nodeps ....' to make sure libverto has
> no
> other chance.
>
> So it looks a bit like a libverto 32bit issue. I used
> libverto-0.2.6-4.fc22. Since I knew that it was working before on
> 32bits
> I tried libverto-0.2.5 and libverto-0.2.4 as well with no luck.
>
> Nathaniel, do you have any suggestions what to check with gdb?

It may not be a libverto issue at all. Just to summarize, krb5kdc sends
the otp request to ipa-otpd using RADIUS-over-UNIX-socket.

It appears that ipa-otpd receives the request and sends the appropriate
response. However, krb5kdc never appears to receive the request and
times out. Once it times out, it closes the socket and ipa-otpd exits.

The question is: why?

This could be a bug in krb5kdc, libkrad or libverto. Does the event
actually fire from libverto? Does libkrad process it correctly? Does
krb5kdc process it correctly?

There are lots of places to attach gdb.
I would probably start here:
https://github.com/krb5/krb5/blob/master/src/lib/krad/client.c#L193

From ppicka at redhat.com Thu Jun 9 12:43:57 2016
From: ppicka at redhat.com (Pavel Picka)
Date: Thu, 9 Jun 2016 08:43:57 -0400 (EDT)
Subject: [Freeipa-users] SSH login to client
In-Reply-To: 
References: <1206790841.49995630.1465471099689.JavaMail.zimbra@redhat.com>
Message-ID: <1515677548.50055048.1465476237570.JavaMail.zimbra@redhat.com>

----- Original Message -----
From: "David Kupka"
To: "Pavel Picka" , freeipa-users at redhat.com
Sent: Thursday, June 9, 2016 1:45:26 PM
Subject: Re: [Freeipa-users] SSH login to client

On 09/06/16 13:18, Pavel Picka wrote:
> Hi,
>
> Has anyone experienced this: when I create a user on the ipa-server and want to log in on a client with this user, I get:
>
> Permission denied, please try again.
> Permission denied, please try again.
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
>
> (with kinit [1st time change] the password was changed to a new one)
> even with another change with ipa user-mod --password I am getting the same result
>
> and on the client in /var/log/messages I found:
>
> Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
> Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
> Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
> Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
> Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
> Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
>
> --
> Pavel Picka
>

Hi Pavel!

I have a few questions that may help locating the issue:

Are you able to kinit as the user on server and client?
- kinit is ok on both
Are you able to ssh to the client as the admin?
- no, I am not able to use 'admin' to ssh to the client
What is the output of "id user" on the client?
[root at rhel04 ~]# id tuser
uid=418200001(tuser) gid=418200001(tuser) groups=418200001(tuser)

I have noticed I am able to ssh when 'kinit user' is active

For detailed logs here is ssh -vvv

http://pastebin.test.redhat.com/382140

@Sumit

I found /var/log/sssd/krb5_child.log empty, but didn't set log level to 10, is it done by krb5.conf or else?

--
David Kupka

From lslebodn at redhat.com Thu Jun 9 12:59:46 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Thu, 9 Jun 2016 14:59:46 +0200
Subject: [Freeipa-users] SSH login to client
In-Reply-To: <1515677548.50055048.1465476237570.JavaMail.zimbra@redhat.com>
References: <1206790841.49995630.1465471099689.JavaMail.zimbra@redhat.com> <1515677548.50055048.1465476237570.JavaMail.zimbra@redhat.com>
Message-ID: <20160609125946.GA29980@10.4.128.1>

On (09/06/16 08:43), Pavel Picka wrote:
>
>
>----- Original Message -----
>From: "David Kupka"
>To: "Pavel Picka" , freeipa-users at redhat.com
>Sent: Thursday, June 9, 2016 1:45:26 PM
>Subject: Re: [Freeipa-users] SSH login to client
>
>On 09/06/16 13:18, Pavel Picka wrote:
>> Hi,
>>
>> Has anyone experienced this: when I create a user on the ipa-server and want to log in on a client with this user, I get:
>>
>> Permission denied, please try again.
>> Permission denied, please try again.
>> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
>>
>> (with kinit [1st time change] the password was changed to a new one)
>> even with another change with ipa user-mod --password I am getting the same result
>>
>> and on the client in /var/log/messages I found:
>>
>> Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
>> Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
>> Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
>> Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
>> Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
>> Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
>>
>> --
>> Pavel Picka
>>
>Hi Pavel!
>
>I have a few questions that may help locating the issue:
>
>Are you able to kinit as the user on server and client?
>- kinit is ok on both
>Are you able to ssh to the client as the admin?
>- no, I am not able to use 'admin' to ssh to the client
>What is the output of "id user" on the client?
>[root at rhel04 ~]# id tuser
>uid=418200001(tuser) gid=418200001(tuser) groups=418200001(tuser)
>
>
>I have noticed I am able to ssh when 'kinit user' is active
>
>For detailed logs here is ssh -vvv
>
>http://pastebin.test.redhat.com/382140
>
>@Sumit
>
>I found /var/log/sssd/krb5_child.log empty, but didn't set log level to 10, is it done by krb5.conf or else?

/etc/sssd/sssd.conf and the domain section.

You might find the following wiki useful.
https://fedorahosted.org/sssd/wiki/Troubleshooting

LS

From harald.dunkel at aixigo.de Thu Jun 9 13:16:11 2016
From: harald.dunkel at aixigo.de (Harald Dunkel)
Date: Thu, 9 Jun 2016 15:16:11 +0200
Subject: [Freeipa-users] ldapsearch in cron job woes about no credentials
Message-ID: <5c3574d0-a2a8-b792-bf82-5476d700b0f2@aixigo.de>

Hi folks,

Platform: freeipa 4.2 (Centos7)
Problem: My cron job needs a ticket to run ldapsearch.
The error message is:

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available)

Google pointed me to this solution

http://www.cmf.nrl.navy.mil/krb/kerberos-faq.html#kerbcron

I wonder what is the "freeipa way" to handle this scenario, esp. how to generate the additional kerberos entry without confusing FreeIPA? Maybe I am too blind to see, but I haven't found this problem in the FAQs.

Every helpful comment is highly appreciated.

Harri

From sbose at redhat.com Thu Jun 9 13:29:03 2016
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 9 Jun 2016 15:29:03 +0200
Subject: [Freeipa-users] SSH login to client
In-Reply-To: <1515677548.50055048.1465476237570.JavaMail.zimbra@redhat.com>
References: <1206790841.49995630.1465471099689.JavaMail.zimbra@redhat.com> <1515677548.50055048.1465476237570.JavaMail.zimbra@redhat.com>
Message-ID: <20160609132903.GK3302@p.Speedport_W_724V_Typ_A_05011603_00_009>

On Thu, Jun 09, 2016 at 08:43:57AM -0400, Pavel Picka wrote:
>
>
> ----- Original Message -----
> From: "David Kupka"
> To: "Pavel Picka" , freeipa-users at redhat.com
> Sent: Thursday, June 9, 2016 1:45:26 PM
> Subject: Re: [Freeipa-users] SSH login to client
>
> On 09/06/16 13:18, Pavel Picka wrote:
> > Hi,
> >
> > Has anyone experienced this: when I create a user on the ipa-server and want to log in on a client with this user, I get:
> >
> > Permission denied, please try again.
> > Permission denied, please try again.
> > Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
> >
> > (with kinit [1st time change] the password was changed to a new one)
> > even with another change with ipa user-mod --password I am getting the same result
> >
> > and on the client in /var/log/messages I found:
> >
> > Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
> > Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
> > Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
> > Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
> > Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
> > Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
> >
> > --
> > Pavel Picka
> >
> Hi Pavel!
>
> I have a few questions that may help locating the issue:
>
> Are you able to kinit as the user on server and client?
> - kinit is ok on both
> Are you able to ssh to the client as the admin?
> - no, I am not able to use 'admin' to ssh to the client
> What is the output of "id user" on the client?
> [root at rhel04 ~]# id tuser
> uid=418200001(tuser) gid=418200001(tuser) groups=418200001(tuser)
>
>
> I have noticed I am able to ssh when 'kinit user' is active
>
> For detailed logs here is ssh -vvv
>
> http://pastebin.test.redhat.com/382140

This makes sense, GSSAPI authentication would be used in this case and SSSD is not involved in the authentication at all. But your paste ends with 'Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).' Are you sure you pasted the right test?

>
> @Sumit
>
> I found /var/log/sssd/krb5_child.log empty, but didn't set log level to 10, is it done by krb5.conf or else?

Please add 'debug_level=10' to the [domain/....] section of /etc/sssd/sssd.conf.
bye,
Sumit

>
> --
> David Kupka

From mkosek at redhat.com Thu Jun 9 14:41:33 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 9 Jun 2016 16:41:33 +0200
Subject: [Freeipa-users] FreeIPA 4.4
In-Reply-To: 
References: <20160607130203.zyms26vj3bhztozz@redhat.com> <0c6db22f-6727-b538-e262-c84ecfd96e95@dds.nl> <20160607141344.a55hvf64n6k3rbht@redhat.com> <68740fdb-859d-9cfe-4943-8b27a1ae5e49@dds.nl> <20160607164212.wh2idbbkniabdzdy@redhat.com> <1465319719.2595.7.camel@redhat.com>
Message-ID: <0a508b48-3282-9c37-a7f6-d29ac03a5934@redhat.com>

On 06/08/2016 12:18 PM, Winfried de Heiden wrote:
> Hi all,
>
> Any news/progress about FreeIPA 4.4?
>
> On http://www.freeipa.org/page/Roadmap: *FreeIPA 4.4*: feature release. Release
> planned for end of May 2016.
>
> Any updated release date...?

The new estimate is rather June, there was more development needed than expected to deliver some of the planned features like the FreeIPA Thin Client refactoring (required for API versioning). I updated the Roadmap page to reflect the state better.

Thanks!
Martin

From sbose at redhat.com Thu Jun 9 16:51:09 2016
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 9 Jun 2016 18:51:09 +0200
Subject: [Freeipa-users] FreeOTP
In-Reply-To: <1465476179.2969.8.camel@redhat.com>
References: <68740fdb-859d-9cfe-4943-8b27a1ae5e49@dds.nl> <20160607164212.wh2idbbkniabdzdy@redhat.com> <1465319719.2595.7.camel@redhat.com> <1465394017.2599.3.camel@redhat.com> <1465406113.2599.25.camel@redhat.com> <6fc25458-745c-51a5-0d1a-c28d3e18331b@dds.nl> <20160609084645.GB15524@p.Speedport_W_724V_Typ_A_05011603_00_009> <1465476179.2969.8.camel@redhat.com>
Message-ID: <20160609165109.GN3302@p.Speedport_W_724V_Typ_A_05011603_00_009>

On Thu, Jun 09, 2016 at 08:42:59AM -0400, Nathaniel McCallum wrote:
> On Thu, 2016-06-09 at 10:46 +0200, Sumit Bose wrote:
> > On Thu, Jun 09, 2016 at 08:16:13AM +0200, Winfried de Heiden wrote:
> > > Hi all,
> > >
> > > I can install libverto-libev but removing libverto-tevent will
> > > remove 123
> > > dependencies also. (wget, tomcat and much more...)
> > >
> > > Hence, I installed libverto-libev, but did not remove libverto-
> > > tevent to give
> > > it a try. After ipactl restart still the same problem:
> >
> > fyi, I think I can reproduce the issue on 32bit Fedora. I tried
> > libverto-libev as well but I removed libverto-tevent after installing
> > libverto-libev with 'rpm -e --nodeps ....' to make sure libverto has
> > no
> > other chance.
> >
> > So it looks a bit like a libverto 32bit issue. I used
> > libverto-0.2.6-4.fc22. Since I knew that it was working before on
> > 32bits
> > I tried libverto-0.2.5 and libverto-0.2.4 as well with no luck.
> >
> > Nathaniel, do you have any suggestions what to check with gdb?
>
> It may not be a libverto issue at all. Just to summarize, krb5kdc sends
> the otp request to ipa-otpd using RADIUS-over-UNIX-socket.
>
> It appears that ipa-otpd receives the request and sends the appropriate
> response. However, krb5kdc never appears to receive the request and
> times out.
> Once it times out, it closes the socket and ipa-otpd exits.
>
> The question is: why?
>
> This could be a bug in krb5kdc, libkrad or libverto. Does the event
> actually fire from libverto? Does libkrad process it correctly? Does
> krb5kdc process it correctly?
>
> There are lots of places to attach gdb. I would probably start here:
> https://github.com/krb5/krb5/blob/master/src/lib/krad/client.c#L193

It looks like the 3rd argument of recv(), the buffer length, becomes
negative aka very big in on_io_read()

    i = recv(verto_get_fd(rr->io), rr->buffer.data + rr->buffer.length,
             pktlen - rr->buffer.length, 0);

because pktlen is 4 and rr->buffer.length is 16 on my 32bit system.

I wonder if pktlen isn't sufficient here because it already is the
result of 'len - buffer->length' which is calculated in
krad_packet_bytes_needed() ?

bye,
Sumit

From pgb205 at yahoo.com Thu Jun 9 20:22:49 2016
From: pgb205 at yahoo.com (pgb205)
Date: Thu, 9 Jun 2016 20:22:49 +0000 (UTC)
Subject: [Freeipa-users] Can't establish trust with 2008 AD
References: <1404603960.350204.1465503770002.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <1404603960.350204.1465503770002.JavaMail.yahoo@mail.yahoo.com>

The setup is:
AD 2008 domain,
Latest version of FreeIpa with integrated DNS,
As the AD domain is not known to any DNS servers on the network I have created a stub zone in the FreeIpa integrated DNS server addomain.com, and created an A-record for DC.addomain.com as well as _ldap.tcp.addomain.com and _kerberos.udp.addomain.com and checked with dig that they resolve correctly,
138/139/145/389 are opened between the servers on both tcp and udp ports
ipv6 enabled on the FreeIpa server.
I am using a pre-shared secret to establish the trust

Run:
ipa trust-add --type=ad addomain.com --trust-secret

and receive:
ipa: ERROR: CIFS server communication error: code "None",
message "NT_STATUS_IO_TIMEOUT" (both may be "None")

I've enabled the logs as described in the debugging section (I would be glad to forward the whole thing if needed). However, the relevant error that I see is:

finddcs: DNS SRV response 0 at ''
finddcs: performing CLDAP query on
s4_tevent: Added timed event "tevent_req_timedout": 0x7f21302a8b10
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f2130025090
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f2130025090
s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
s4_tevent: Running timer event 0x7f213025cb90 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f2130045b50
s4_tevent: Ending timer event 0x7f213025cb90 "tevent_req_timedout"
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f2130045b50
s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
s4_tevent: Running timer event 0x7f213025cb90 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f213001d230
s4_tevent: Ending timer event 0x7f213025cb90 "tevent_req_timedout"
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f213001d230
s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
s4_tevent: Running timer event 0x7f21302a8b10 "tevent_req_timedout"
s4_tevent: Destroying timer event 0x7f213025cb90 "tevent_req_timedout"
finddcs: No matching CLDAP server found
s4_tevent: Ending timer event 0x7f21302a8b10 "tevent_req_timedout"
[Thu Jun 09 20:39:38.703506 2016] [:error] [pid 2503] ipa: INFO: [jsonserver_session] admin@: trust_add(u'addomain.com', trust_type=u'ad', trust_secret=u'********', all=False, raw=False, version=u'2.156'): RemoteRetrieveError

Once again I would be glad to provide entire logs if needed. But I would be grateful for suggestions on how to resolve the above error.
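Sumit's observation in the FreeOTP thread above, that on_io_read() hands recv() the value `pktlen - rr->buffer.length` while pktlen (4) is already a "bytes still needed" count smaller than the buffered length (16), is worth seeing in isolation, because the same unsigned-subtraction mistake turns up wherever a length helper's result is subtracted a second time. The block below is an added example and not krb5/libkrad code: the `rxbuf` struct, the constants and all function names are assumptions made here, the RADIUS header layout (1-byte code, 1-byte id, 2-byte big-endian length, 16-byte authenticator, 4096-byte maximum) is from RFC 2865, and the inputs are constructed. It shows that a `bytes_needed()`-style helper returns a remaining count, that subtracting the buffered length from it again wraps to `SIZE_MAX - 11` (4294967284 on a 32-bit size_t, which is what recv() would then be told the destination can hold), and a guarded form that clamps to the buffer and refuses to subtract past zero.

```c
/*
 * Added example, not krb5/libkrad code. Models the length arithmetic
 * around a "bytes still needed" helper feeding recv(). Struct, constants
 * and function names are assumptions; header layout is RFC 2865.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RADIUS_HDR_LEN  20      /* code + id + length + authenticator   */
#define OFFSET_LENGTH   2       /* where the 16-bit length field starts */
#define MAX_PACKET_SIZE 4096    /* RFC 2865 maximum RADIUS packet size  */

struct rxbuf {
    unsigned char data[MAX_PACKET_SIZE];
    size_t length;              /* bytes received so far */
};

/* Remaining bytes needed to complete the packet in b. This is a
 * "remaining" count, not a total length: 0 means complete or malformed. */
size_t bytes_needed(const struct rxbuf *b)
{
    size_t total;

    if (b->length < RADIUS_HDR_LEN)
        return RADIUS_HDR_LEN - b->length;      /* header not in yet */

    total = ((size_t)b->data[OFFSET_LENGTH] << 8) | b->data[OFFSET_LENGTH + 1];
    if (total < RADIUS_HDR_LEN || total > MAX_PACKET_SIZE)
        return 0;                               /* bogus length field */

    return b->length >= total ? 0 : total - b->length;
}

/* Constructed scenario: `length` bytes already buffered for a packet whose
 * header announces `total` bytes; returns what bytes_needed() reports. */
size_t needed_for(size_t length, unsigned total)
{
    struct rxbuf b;

    memset(&b, 0, sizeof(b));
    b.length = length;
    b.data[0] = 2;                              /* Access-Accept, cosmetic */
    b.data[OFFSET_LENGTH] = (unsigned char)(total >> 8);
    b.data[OFFSET_LENGTH + 1] = (unsigned char)(total & 0xff);
    return bytes_needed(&b);
}

/* The subtraction from the quoted recv() call. If pktlen is already a
 * remaining count (4) and length is what is buffered (16), size_t wraps:
 * recv() is asked for SIZE_MAX - 11 bytes into a 4096-byte array. */
size_t naive_recv_len(size_t pktlen, size_t length)
{
    return pktlen - length;
}

/* Guarded form: clamp to the buffer and never subtract past zero. */
size_t safe_recv_len(size_t pktlen, size_t length)
{
    if (pktlen > MAX_PACKET_SIZE)
        pktlen = MAX_PACKET_SIZE;               /* never read past data[] */
    if (pktlen <= length)
        return 0;                               /* nothing sane to read  */
    return pktlen - length;
}

/* The wrapped value as a 32-bit size_t would hold it (Sumit's 32-bit box). */
uint32_t naive_recv_len_32(size_t pktlen, size_t length)
{
    return (uint32_t)(pktlen - length);
}

int main(void)
{
    size_t need = needed_for(16, 0);            /* 16 of 20 header bytes */

    printf("bytes_needed with 16 buffered : %zu\n", need);
    printf("naive pktlen - length         : %zu\n", naive_recv_len(need, 16));
    printf("same on a 32-bit size_t       : %u\n", naive_recv_len_32(need, 16));
    printf("guarded                       : %zu\n", safe_recv_len(need, 16));
    return 0;
}
```

The point for review of any such receive loop: decide once whether the helper returns a total or a remainder, and pass a remainder straight to recv() instead of subtracting the buffered length again; the guarded form above is the belt-and-braces version for the case where the caller cannot be sure.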
From abokovoy at redhat.com Thu Jun 9 20:30:48 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 9 Jun 2016 23:30:48 +0300
Subject: [Freeipa-users] Can't establish trust with 2008 AD
In-Reply-To: <1404603960.350204.1465503770002.JavaMail.yahoo@mail.yahoo.com>
References: <1404603960.350204.1465503770002.JavaMail.yahoo.ref@mail.yahoo.com> <1404603960.350204.1465503770002.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <20160609203048.bn3fvbjk5ctifvyy@redhat.com>

On Thu, 09 Jun 2016, pgb205 wrote:
>The setup is:
>AD 2008 domain,
>Latest version of FreeIpa with integrated DNS,
>As the AD domain is not known to any DNS servers on the network I
>have created a stub zone in the FreeIpa integrated DNS server
>addomain.com, and created an A-record for DC.addomain.com as well as
>_ldap.tcp.addomain.com and _kerberos.udp.addomain.com and checked with
>dig that they resolve correctly,
>138/139/145/389 are opened between the servers on both tcp and udp ports
>ipv6 enabled on the FreeIpa server.
>I am using a pre-shared secret to establish the trust
>
>Run:
>ipa trust-add --type=ad addomain.com --trust-secret
>
>and receive:
>ipa: ERROR: CIFS server communication error: code "None",
>message "NT_STATUS_IO_TIMEOUT" (both may be "None")
>
>I've enabled the logs as described in the debugging section (I would be glad to forward the whole thing if needed). However, the relevant error that I see is:
>
>finddcs: DNS SRV response 0 at ''
>finddcs: performing CLDAP query on
>s4_tevent: Added timed event "tevent_req_timedout": 0x7f21302a8b10
>s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f2130025090
>s4_tevent: Run immediate event "tevent_req_trigger": 0x7f2130025090
>s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
>s4_tevent: Running timer event 0x7f213025cb90 "tevent_req_timedout"
>s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f2130045b50
>s4_tevent: Ending timer event 0x7f213025cb90 "tevent_req_timedout"
>s4_tevent: Run immediate event "tevent_req_trigger": 0x7f2130045b50
>s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
>s4_tevent: Running timer event 0x7f213025cb90 "tevent_req_timedout"
>s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f213001d230
>s4_tevent: Ending timer event 0x7f213025cb90 "tevent_req_timedout"
>s4_tevent: Run immediate event "tevent_req_trigger": 0x7f213001d230
>s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
>s4_tevent: Running timer event 0x7f21302a8b10 "tevent_req_timedout"
>s4_tevent: Destroying timer event 0x7f213025cb90 "tevent_req_timedout"
>finddcs: No matching CLDAP server found
>s4_tevent: Ending timer event 0x7f21302a8b10 "tevent_req_timedout"
>[Thu Jun 09 20:39:38.703506 2016] [:error] [pid 2503] ipa: INFO: [jsonserver_session] admin@: trust_add(u'addomain.com', trust_type=u'ad', trust_secret=u'********', all=False, raw=False, version=u'2.156'): RemoteRetrieveError
>
>Once again I would be glad to provide entire logs if needed. But I would be grateful
>for suggestions on how to resolve the above error.

Do you have IPv6 disabled?
www.freeipa.org/page/Active_Directory_trust_setup#IPv6_stack_usage

--
/ Alexander Bokovoy

From david at cazena.com Thu Jun 9 20:36:38 2016
From: david at cazena.com (David Zabner)
Date: Thu, 9 Jun 2016 20:36:38 +0000
Subject: [Freeipa-users] ipa-client-install
Message-ID: <083E242B-C77A-47E3-ADF4-3A0CAD3D6443@cazena.com>

Occasionally in our system we will see a failure in the ipa-client-install script and the cleanup will leave the host around in ipa. This means that all future client installs fail because the host already exists. Is there any way to make sure that failures cause the host to be cleaned up? Is there a command I can run that will delete the host that does not require the client to be installed?

Thanks for the assistance,
David

From joshua at azariah.com Thu Jun 9 23:59:52 2016
From: joshua at azariah.com (Joshua J. Kugler)
Date: Thu, 09 Jun 2016 15:59:52 -0800
Subject: [Freeipa-users] Password sync settings not working
Message-ID: <1711638.VYOPI54qdq@hosanna>

Howdy!

We are trying to set up password sync. I have read this:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#password-sync

I have added that attribute:

echo -e 'dn: cn=ipa_pwd_extop,cn=plugins,cn=config\nchangetype: modify\nadd: passSyncManagersDNs\npassSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=example,dc=com' | ldapmodify -x -D 'cn=Directory Manager' -w {{ ipaserver_dir_admin_password }} -h localhost -p 389

However, when I reset a password as the 'admin' user, the user's password is still set to expired.

This is CentOS 7 with the latest FreeIPA there.

What might I be missing?

Thanks!

j

--
Joshua J.
Kugler - Fairbanks, Alaska
Azariah Enterprises - Programming and Website Design
joshua at azariah.com - Jabber: pedahzur at gmail.com
PGP Key: http://pgp.mit.edu/ ID 0x73B13B6A

From amessina at messinet.com Fri Jun 10 00:27:16 2016
From: amessina at messinet.com (Anthony Messina)
Date: Thu, 09 Jun 2016 19:27:16 -0500
Subject: [Freeipa-users] How to implement password expiration notifications?
In-Reply-To:
References: <91441e8e8d388a702ed4dc825ed36d6a@aminor.no> <20160608120014.sz742mvppmmsvzdu@redhat.com>
Message-ID: <2317923.6uX5L16XZg@linux-ws1.messinet.com>

On Wednesday, June 08, 2016 03:17:28 PM Eivind Olsen wrote:
> Now I guess the next step is figuring out how to tell "ldapsearch" to
> work with gssproxy (unless I've made some other glaring mistake

In your script...

export GSS_USE_PROXY="yes"
ldapsearch -Y GSSAPI ...

--
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
F9B6 560E 68EA 037D 8C3D D1C9 FF31 3BDB D9D8 99B6

From abokovoy at redhat.com Fri Jun 10 03:34:01 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 10 Jun 2016 06:34:01 +0300
Subject: [Freeipa-users] How to implement password expiration notifications?
In-Reply-To: <2317923.6uX5L16XZg@linux-ws1.messinet.com>
References: <91441e8e8d388a702ed4dc825ed36d6a@aminor.no> <20160608120014.sz742mvppmmsvzdu@redhat.com> <2317923.6uX5L16XZg@linux-ws1.messinet.com>
Message-ID: <20160610033401.q7b775zka3spdgfq@redhat.com>

On Thu, 09 Jun 2016, Anthony Messina wrote:
>On Wednesday, June 08, 2016 03:17:28 PM Eivind Olsen wrote:
>
>
>
>> Now I guess the next step is figuring out how to tell "ldapsearch" to
>> work with gssproxy (unless I've made some other glaring mistake
>
>In your script...
>export GSS_USE_PROXY="yes"
>ldapsearch -Y GSSAPI ...
And it should be client_keytab, not just keytab in gssproxy config, I think.
--
/ Alexander Bokovoy

From abokovoy at redhat.com Fri Jun 10 04:14:28 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 10 Jun 2016 07:14:28 +0300
Subject: [Freeipa-users] Can't establish trust with 2008 AD
In-Reply-To: <1893386531.399624.1465508657306.JavaMail.yahoo@mail.yahoo.com>
References: <1404603960.350204.1465503770002.JavaMail.yahoo.ref@mail.yahoo.com> <1404603960.350204.1465503770002.JavaMail.yahoo@mail.yahoo.com> <20160609203048.bn3fvbjk5ctifvyy@redhat.com> <1893386531.399624.1465508657306.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <20160610041428.gdumaw6cvp2yonzx@redhat.com>

Please don't answer directly, use mailing list.

On Thu, 09 Jun 2016, pgb205 wrote:
>Alexander,
>
>As far as I can say ipv6 is enabled in the kernel, as the tutorial
>suggests, although none of the interfaces have ipv6 addresses.
>
>For example,
>ip a | grep inet6
>    inet6 ::1/128 scope host
>
>and
>ip -6 address show
> 1: lo: mtu 65536
>    inet6 ::1/128 scope host
>
>root@:~# cat /proc/sys/net/ipv6/conf/all/disable_ipv6
>0
>root@:~# cat /proc/sys/net/ipv6/conf/default/disable_ipv6
>0

Do any of your DNS servers respond with IPv6 addresses for AD DCs? glibc DNS resolver prefers IPv6 over IPv4 in the default configuration and if that happens, without IPv6 routes it becomes unreachable.

You can control how DNS resolver works with /etc/gai.conf (does not exist by default, see man page gai.conf for details) and can set IPv4 preference over IPv6 there, either globally or per host.
>
>
> From: Alexander Bokovoy
> To: pgb205
>Cc: "Freeipa-users at redhat.com"
> Sent: Thursday, June 9, 2016 4:30 PM
> Subject: Re: [Freeipa-users] Can't establish trust with 2008 AD
>
>On Thu, 09 Jun 2016, pgb205 wrote:
>>The setup is:
>>AD 2008 domain,
>>Latest version of FreeIpa with integrated DNS,
>>As the AD domain is not known to any DNS servers on the network I have created a stub zone in Freeipa integrated dns server addomain.com,
>>and created A-record for DC.addomain.com
>>as well as _ldap.tcp.addomain.com and _kerberos.udp.addomain.com
>>and checked with dig that they resolve correctly,
>>138/139/145/389 are opened between the servers on both tcp and udp ports
>>ipv6 enabled on the FreeIpa server.
>>I am using pre-shared secret to establish the trust
>>Run:
>>ipa trust-add --type=ad addomain.com --trust-secret
>>and receive:
>>ipa: ERROR: CIFS server communication error: code "None", message "NT_STATUS_IO_TIMEOUT" (both may be "None")
>>
>>I've enabled the logs as described in debugging section (I would be glad to forward the whole thing if needed). However, relevant error that I see is:
>>finddcs: DNS SRV response 0 at ''
>>finddcs: performing CLDAP query on
>>s4_tevent: Added timed event "tevent_req_timedout": 0x7f21302a8b10
>>s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f2130025090
>>s4_tevent: Run immediate event "tevent_req_trigger": 0x7f2130025090
>>s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
>>s4_tevent: Running timer event 0x7f213025cb90 "tevent_req_timedout"
>>s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f2130045b50
>>s4_tevent: Ending timer event 0x7f213025cb90 "tevent_req_timedout"
>>s4_tevent: Run immediate event "tevent_req_trigger": 0x7f2130045b50
>>s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
>>s4_tevent: Running timer event 0x7f213025cb90 "tevent_req_timedout"
>>s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f213001d230
>>s4_tevent: Ending timer event
>>0x7f213025cb90 "tevent_req_timedout"
>>s4_tevent: Run immediate event "tevent_req_trigger": 0x7f213001d230
>>s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
>>s4_tevent: Running timer event 0x7f21302a8b10 "tevent_req_timedout"
>>s4_tevent: Destroying timer event 0x7f213025cb90 "tevent_req_timedout"
>>finddcs: No matching CLDAP server found
>>s4_tevent: Ending timer event 0x7f21302a8b10 "tevent_req_timedout"
>>[Thu Jun 09 20:39:38.703506 2016] [:error] [pid 2503] ipa: INFO: [jsonserver_session] admin@: trust_add(u'addomain.com', trust_type=u'ad', trust_secret=u'********', all=False, raw=False, version=u'2.156'): RemoteRetrieveError
>>
>>Once again I would be glad to provide entire logs if needed. But would be grateful for suggestions on how to resolve the above error.
>Do you have IPv6 disabled?
>www.freeipa.org/page/Active_Directory_trust_setup#IPv6_stack_usage
>--
>/ Alexander Bokovoy
>
>
>
--
/ Alexander Bokovoy

From pgb205 at yahoo.com Fri Jun 10 04:35:56 2016
From: pgb205 at yahoo.com (pgb205)
Date: Fri, 10 Jun 2016 04:35:56 +0000 (UTC)
Subject: [Freeipa-users] Can't establish trust with 2008 AD
In-Reply-To: <20160610041428.gdumaw6cvp2yonzx@redhat.com>
References: <1404603960.350204.1465503770002.JavaMail.yahoo.ref@mail.yahoo.com> <1404603960.350204.1465503770002.JavaMail.yahoo@mail.yahoo.com> <20160609203048.bn3fvbjk5ctifvyy@redhat.com> <1893386531.399624.1465508657306.JavaMail.yahoo@mail.yahoo.com> <20160610041428.gdumaw6cvp2yonzx@redhat.com>
Message-ID: <459591492.524111.1465533356241.JavaMail.yahoo@mail.yahoo.com>

Sorry about replying privately.

dig provides ipv4 addresses as expected. For example:

root at ipaserver.ipadomain.com:~# dig SRV _ldap._tcp.addomain.com
# this is run on the FreeIPA where idm is installed as well as integrated DNS with the addomain.com stub zone that points to
# dc.addomain.com

;; QUESTION SECTION:
;_ldap._tcp.addomain.com.        IN      SRV

;; ANSWER SECTION:
_ldap._tcp.addomain.com. 86400  IN      SRV
0 100 389 dc.addomain.com.

;; AUTHORITY SECTION:
addomain.com.           86400   IN      NS      ipadomain.com

But just in case I have edited /etc/gai.conf with the following

label       ::1/128        0
label       ::/0           1
label       2002::/16      2
label       ::/96          3
label       ::ffff:0:0/96  4
precedence  ::1/128        50
precedence  ::/0           40
precedence  2002::/16      30
precedence  ::/96          20
precedence  ::ffff:0:0/96  100

and restarted ipa and dns
ipactl stop/start and rndc reload

The trust setup still results in

Shared secret for the trust::
ERROR: CIFS server communication error: code "None", message "NT_STATUS_IO_TIMEOUT" (both may be "None")

If you want I can provide with logs.

thanks for the help

From: Alexander Bokovoy
To: pgb205
Cc: freeipa-users at redhat.com
Sent: Friday, June 10, 2016 12:14 AM
Subject: Re: [Freeipa-users] Can't establish trust with 2008 AD

Please don't answer directly, use mailing list.

On Thu, 09 Jun 2016, pgb205 wrote:
>Alexander,
>
>As far as I can say ipv6 is enabled in the kernel, as the tutorial
>suggests, although none of the interfaces have ipv6 addresses.
>
>For example,
>ip a | grep inet6
>    inet6 ::1/128 scope host
>
>and
>ip -6 address show
> 1: lo: mtu 65536
>    inet6 ::1/128 scope host
>
>root@:~# cat /proc/sys/net/ipv6/conf/all/disable_ipv6
>0
>root@:~# cat /proc/sys/net/ipv6/conf/default/disable_ipv6
>0

Do any of your DNS servers respond with IPv6 addresses for AD DCs? glibc DNS resolver prefers IPv6 over IPv4 in the default configuration and if that happens, without IPv6 routes it becomes unreachable.

You can control how DNS resolver works with /etc/gai.conf (does not exist by default, see man page gai.conf for details) and can set IPv4 preference over IPv6 there, either globally or per host.

>
>
>
> From: Alexander Bokovoy
> To: pgb205
>Cc: "Freeipa-users at redhat.com"
> Sent: Thursday, June 9, 2016 4:30 PM
> Subject: Re: [Freeipa-users] Can't establish trust with 2008 AD
>
>On Thu, 09 Jun 2016, pgb205 wrote:
>>The setup is:
>>AD 2008 domain,
>>Latest version of FreeIpa with integrated DNS,
>>As the AD domain is not known to any DNS servers on the network I have created a stub zone in Freeipa integrated dns server addomain.com,
>>and created A-record for DC.addomain.com
>>as well as _ldap.tcp.addomain.com and _kerberos.udp.addomain.com
>>and checked with dig that they resolve correctly,
>>138/139/145/389 are opened between the servers on both tcp and udp ports
>>ipv6 enabled on the FreeIpa server.
>>I am using pre-shared secret to establish the trust
>>Run:
>>ipa trust-add --type=ad addomain.com --trust-secret
>>and receive:
>>ipa: ERROR: CIFS server communication error: code "None", message "NT_STATUS_IO_TIMEOUT" (both may be "None")
>>
>>I've enabled the logs as described in debugging section (I would be glad to forward the whole thing if needed). However, relevant error that I see is:
>>finddcs: DNS SRV response 0 at ''
>>finddcs: performing CLDAP query on
>>s4_tevent: Added timed event "tevent_req_timedout": 0x7f21302a8b10
>>s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f2130025090
>>s4_tevent: Run immediate event "tevent_req_trigger": 0x7f2130025090
>>s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
>>s4_tevent: Running timer event 0x7f213025cb90 "tevent_req_timedout"
>>s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f2130045b50
>>s4_tevent: Ending timer event 0x7f213025cb90 "tevent_req_timedout"
>>s4_tevent: Run immediate event "tevent_req_trigger": 0x7f2130045b50
>>s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
>>s4_tevent: Running timer event 0x7f213025cb90 "tevent_req_timedout"
>>s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f213001d230
>>s4_tevent: Ending timer event
>>0x7f213025cb90 "tevent_req_timedout"
>>s4_tevent: Run immediate event "tevent_req_trigger": 0x7f213001d230
>>s4_tevent: Added timed event "tevent_req_timedout": 0x7f213025cb90
>>s4_tevent: Running timer event 0x7f21302a8b10 "tevent_req_timedout"
>>s4_tevent: Destroying timer event 0x7f213025cb90 "tevent_req_timedout"
>>finddcs: No matching CLDAP server found
>>s4_tevent: Ending timer event 0x7f21302a8b10 "tevent_req_timedout"
>>[Thu Jun 09 20:39:38.703506 2016] [:error] [pid 2503] ipa: INFO: [jsonserver_session] admin@: trust_add(u'addomain.com', trust_type=u'ad', trust_secret=u'********', all=False, raw=False, version=u'2.156'): RemoteRetrieveError
>>
>>Once again I would be glad to provide entire logs if needed. But would be grateful for suggestions on how to resolve the above error.
>Do you have IPv6 disabled?
>www.freeipa.org/page/Active_Directory_trust_setup#IPv6_stack_usage
>--
>/ Alexander Bokovoy
>
>
>
--
/ Alexander Bokovoy

From abokovoy at redhat.com Fri Jun 10 05:58:25 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 10 Jun 2016 08:58:25 +0300
Subject: [Freeipa-users] Can't establish trust with 2008 AD
In-Reply-To: <459591492.524111.1465533356241.JavaMail.yahoo@mail.yahoo.com>
References: <1404603960.350204.1465503770002.JavaMail.yahoo.ref@mail.yahoo.com> <1404603960.350204.1465503770002.JavaMail.yahoo@mail.yahoo.com> <20160609203048.bn3fvbjk5ctifvyy@redhat.com> <1893386531.399624.1465508657306.JavaMail.yahoo@mail.yahoo.com> <20160610041428.gdumaw6cvp2yonzx@redhat.com> <459591492.524111.1465533356241.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <20160610055825.kfovvvuc7j6kzgq7@redhat.com>

On Fri, 10 Jun 2016, pgb205 wrote:
>The trust setup still results in
>Shared secret for the trust:: ERROR: CIFS server communication error: code "None", message "NT_STATUS_IO_TIMEOUT" (both may be "None")
>If you want I can provide with logs.
Can you show output of

net ads lookup -d 10 -S dc.addomain.com

--
/ Alexander Bokovoy

From gjn at gjn.priv.at Fri Jun 10 07:09:53 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Fri, 10 Jun 2016 09:09:53 +0200
Subject: [Freeipa-users] DNSSEC A, AAAA Records
Message-ID: <2449798.RXz9XgO01f@techz>

Hello,

can anyone help me to clear a question for DNSSEC, NSEC3

I have a domain created with bind and DNSSEC and NSEC3. I test this Domain and other, not my Domain with

http://dnsviz.net/d/esslmaier.at/dnssec/

This site from Verisign tells me I have all Secure and also the A, AAAA Records

FreeIPA 4.3.1 Centos 7.2

But when I test my IPA created domain
http://dnsviz.net/d/4gjn.com/dnssec/

I miss the A, AAAA Records

can this be correct?

Thanks for an answer
--
mit freundlichen Grüßen / best regards,

Günther J. Niederwimmer

From mbasti at redhat.com Fri Jun 10 08:12:50 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 10 Jun 2016 10:12:50 +0200
Subject: [Freeipa-users] DNSSEC A, AAAA Records
In-Reply-To: <2449798.RXz9XgO01f@techz>
References: <2449798.RXz9XgO01f@techz>
Message-ID: <646abc30-5ac4-1349-411a-a84c755ef9ff@redhat.com>

On 10.06.2016 09:09, Günther J. Niederwimmer wrote:
> Hello,
>
> can anyone help me to clear a question for DNSSEC, NSEC3
>
> I have a domain created with bind and DNSSEC and NSEC3. I test this Domain and
> other, not my Domain with
>
> http://dnsviz.net/d/esslmaier.at/dnssec/
>
> This site from Verisign tells me I have all Secure and also the A, AAAA
> Records
>
> FreeIPA 4.3.1 Centos 7.2
>
> But when I test my IPA created domain
> http://dnsviz.net/d/4gjn.com/dnssec/
>
> I miss the A, AAAA Records
>
> can this be correct?
>
> Thanks for an answer

Hello,
do you have configured A and AAAA records in zone apex of '4gjn.com'?

I can `dig +dnssec ipa.4gjn.com. A` with DNSSEC results but for `dig +dnssec 4gjn.com. A`, it looks like there is no A/AAAA records.

Can you provide output of the `ipa dnsrecord-show 4gjn.com.
@` ?

Martin

From mbasti at redhat.com Fri Jun 10 08:15:54 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 10 Jun 2016 10:15:54 +0200
Subject: [Freeipa-users] DNSSEC A, AAAA Records
In-Reply-To: <646abc30-5ac4-1349-411a-a84c755ef9ff@redhat.com>
References: <2449798.RXz9XgO01f@techz> <646abc30-5ac4-1349-411a-a84c755ef9ff@redhat.com>
Message-ID: <3e0e503d-8d5b-c736-2152-2d4d41a5ec61@redhat.com>

On 10.06.2016 10:12, Martin Basti wrote:
>
>
> On 10.06.2016 09:09, Günther J. Niederwimmer wrote:
>> Hello,
>>
>> can anyone help me to clear a question for DNSSEC, NSEC3
>>
>> I have a domain created with bind and DNSSEC and NSEC3. I test this
>> Domain and
>> other, not my Domain with
>>
>> http://dnsviz.net/d/esslmaier.at/dnssec/
>>
>> This site from Verisign tells me I have all Secure and also the A, AAAA
>> Records
>>
>> FreeIPA 4.3.1 Centos 7.2
>>
>> But when I test my IPA created domain
>> http://dnsviz.net/d/4gjn.com/dnssec/
>>
>> I miss the A, AAAA Records
>>
>> can this be correct?
>>
>> Thanks for an answer
>
> Hello,
> do you have configured A and AAAA records in zone apex of '4gjn.com'?
>
> I can `dig +dnssec ipa.4gjn.com. A` with DNSSEC results but for `dig
> +dnssec 4gjn.com. A`, it looks like there is no A/AAAA records.
>
> Can you provide output of the `ipa dnsrecord-show 4gjn.com. @` ?
>
> Martin
>

http://dnsviz.net/d/ipa.4gjn.com/dnssec/

Visualized here, thank you for page I didn't know about it before, I like it :) .

Martin

From mbasti at redhat.com Fri Jun 10 08:53:12 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 10 Jun 2016 10:53:12 +0200
Subject: [Freeipa-users] ipa-client-install
In-Reply-To: <083E242B-C77A-47E3-ADF4-3A0CAD3D6443@cazena.com>
References: <083E242B-C77A-47E3-ADF4-3A0CAD3D6443@cazena.com>
Message-ID: <1cc2fb50-02b9-4cd7-9431-ff63218f446b@redhat.com>

On 09.06.2016 22:36, David Zabner wrote:
> Occasionally in our system we will see a failure in ipa-client-install script and the cleanup will leave around the host in ipa.
> This means that all future client installs fail because the host already exists.
> Is there any way to make sure that failures cause the host to be cleaned up?
> Is there a command I can run that will delete the host that does not require the client to be installed?
>
> Thanks for the assistance,
> David
>

Hello,

you can use ipa host-del to remove client that failed to do cleanup properly.

or you can use ipa-client-install --force-join

Martin

From peljasz at yahoo.co.uk Fri Jun 10 08:54:19 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Fri, 10 Jun 2016 09:54:19 +0100
Subject: [Freeipa-users] it's a weird one - how AD users get into IPA ?
Message-ID:

hi everyone

there is a master IPA which in some weird way puts AD users into its ldap catalog. I say weird cause there is no trust nor other sync established, there was a trust agreement, one way type, but now 'trust-find' shows nothing, that trust was removed.

but still when I create a user @AD DS a second later I see it in IPA's ldap, eg.

dn: uid=ccnrtest@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom

how to trace the culprit config responsible for this?

and funny(?) thing is that these users do not get replicated to IPA replicas.

many thanks,

L

From jhrozek at redhat.com Fri Jun 10 09:01:42 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 10 Jun 2016 11:01:42 +0200
Subject: [Freeipa-users] it's a weird one - how AD users get into IPA ?
In-Reply-To:
References:
Message-ID: <20160610090142.GS3271@hendrix>

On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> hi everyone
>
> there is a master IPA which in some weird way puts AD users into its ldap
> catalog. I say weird cause there is no trust nor other sync established,
> there was a trust agreement, one way type, but now 'trust-find' shows
> nothing, that trust was removed.
>
> but still when I create a user @AD DS a second later I see it in IPA's ldap,
> eg.
>
> dn: uid=ccnrtest@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
>
> how to trace the culprit config responsible for this?

Check the DN, this is not the IPA tree (cn=account), but the compat tree (cn=compat) populated by the slapi-nis plugin. The intent is to make the AD users available to non-SSSD clients that can only use LDAP as an interface.

From sbose at redhat.com Fri Jun 10 09:08:06 2016
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 10 Jun 2016 11:08:06 +0200
Subject: [Freeipa-users] it's a weird one - how AD users get into IPA ?
In-Reply-To:
References:
Message-ID: <20160610090806.GR3302@p.Speedport_W_724V_Typ_A_05011603_00_009>

On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> hi everyone
>
> there is a master IPA which in some weird way puts AD users into its ldap
> catalog. I say weird cause there is no trust nor other sync established,
> there was a trust agreement, one way type, but now 'trust-find' shows
> nothing, that trust was removed.
>
> but still when I create a user @AD DS a second later I see it in IPA's ldap,
> eg.
>
> dn: uid=ccnrtest@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
>
> how to trace the culprit config responsible for this?
>
> and funny(?) thing is that these users do not get replicated to IPA
> replicas.

Did you remove the trust on the AD side as well? If not, SSSD running on the IPA server might still have valid credentials in a keytab in /var/lib/sss/db and is able to read the user data from AD.
HTH

bye,
Sumit

>
> many thanks,
>
> L
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From wdh at dds.nl Fri Jun 10 09:08:33 2016
From: wdh at dds.nl (Winfried de Heiden)
Date: Fri, 10 Jun 2016 11:08:33 +0200
Subject: [Freeipa-users] FreeOTP
In-Reply-To: <20160609165109.GN3302@p.Speedport_W_724V_Typ_A_05011603_00_009>
References: <68740fdb-859d-9cfe-4943-8b27a1ae5e49@dds.nl> <20160607164212.wh2idbbkniabdzdy@redhat.com> <1465319719.2595.7.camel@redhat.com> <1465394017.2599.3.camel@redhat.com> <1465406113.2599.25.camel@redhat.com> <6fc25458-745c-51a5-0d1a-c28d3e18331b@dds.nl> <20160609084645.GB15524@p.Speedport_W_724V_Typ_A_05011603_00_009> <1465476179.2969.8.camel@redhat.com> <20160609165109.GN3302@p.Speedport_W_724V_Typ_A_05011603_00_009>
Message-ID: <7c71fb2b-a651-78e8-153f-5ece7a786b5c@dds.nl>

An HTML attachment was scrubbed...

From abokovoy at redhat.com Fri Jun 10 09:12:46 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 10 Jun 2016 12:12:46 +0300
Subject: [Freeipa-users] it's a weird one - how AD users get into IPA ?
In-Reply-To: <20160610090142.GS3271@hendrix>
References: <20160610090142.GS3271@hendrix>
Message-ID: <20160610091246.npcsba6fx3ufdplc@redhat.com>

On Fri, 10 Jun 2016, Jakub Hrozek wrote:
>On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
>> hi everyone
>>
>> there is a master IPA which in some weird way puts AD users into its ldap
>> catalog. I say weird cause there is no trust nor other sync established,
>> there was a trust agreement, one way type, but now 'trust-find' shows
>> nothing, that trust was removed.
>>
>> but still when I create a user @AD DS a second later I see it in IPA's ldap,
>> eg.
>>
>> dn: uid=ccnrtest@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
>>
>> how to trace the culprit config responsible for this?
>
>Check the DN, this is not the IPA tree (cn=account), but the compat tree
>(cn=compat) populated by the slapi-nis plugin. The intent is to make the
>AD users available to non-SSSD clients that can only use LDAP as an
>interface.

Yes. If you enabled slapi-nis on IPA master but didn't establish actual trust to AD and instead added an SSSD configuration to lookup AD users directly, then slapi-nis will happily ask SSSD for whatever users with @ in the name were requested by the LDAP clients and SSSD would look them up in AD.

Not sure how useful is that at all but yes, this is a side-effect of slapi-nis features.
--
/ Alexander Bokovoy

From peljasz at yahoo.co.uk Fri Jun 10 09:51:41 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Fri, 10 Jun 2016 10:51:41 +0100
Subject: [Freeipa-users] it's a weird one - how AD users get into IPA ?
In-Reply-To: <20160610090142.GS3271@hendrix>
References: <20160610090142.GS3271@hendrix>
Message-ID: <1465552301.19234.2.camel@yahoo.co.uk>

On Fri, 2016-06-10 at 11:01 +0200, Jakub Hrozek wrote:
> On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> > hi everyone
> >
> > there is a master IPA which in some weird way puts AD users into its ldap
> > catalog. I say weird cause there is no trust nor other sync established,
> > there was a trust agreement, one way type, but now 'trust-find' shows
> > nothing, that trust was removed.
> >
> > but still when I create a user @AD DS a second later I see it in IPA's ldap,
> > eg.
> >
> > dn: uid=ccnrtest@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
> >
> > how to trace the culprit config responsible for this?
>
> Check the DN, this is not the IPA tree (cn=account), but the compat tree
> (cn=compat) populated by the slapi-nis plugin. The intent is to make the
> AD users available to non-SSSD clients that can only use LDAP as an
> interface.
>
any chance this plugin gets included without user/admin intention, eg.
during migrate-ds ?

is ipa toolkit or I have to go directly to ldap to de/activate plugin(s) ?

From peljasz at yahoo.co.uk Fri Jun 10 09:53:45 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Fri, 10 Jun 2016 10:53:45 +0100
Subject: [Freeipa-users] it's a weird one - how AD users get into IPA ?
In-Reply-To: <20160610091246.npcsba6fx3ufdplc@redhat.com>
References: <20160610090142.GS3271@hendrix> <20160610091246.npcsba6fx3ufdplc@redhat.com>
Message-ID: <1465552425.19234.4.camel@yahoo.co.uk>

On Fri, 2016-06-10 at 12:12 +0300, Alexander Bokovoy wrote:
> On Fri, 10 Jun 2016, Jakub Hrozek wrote:
> > On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> > > hi everyone
> > >
> > > there is a master IPA which in some weird way puts AD users into its ldap
> > > catalog. I say weird cause there is no trust nor other sync established,
> > > there was a trust agreement, one way type, but now 'trust-find' shows
> > > nothing, that trust was removed.
> > >
> > > but still when I create a user @AD DS a second later I see it in IPA's ldap,
> > > eg.
> > >
> > > dn: uid=ccnrtest@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
> > >
> > > how to trace the culprit config responsible for this?
> >
> > Check the DN, this is not the IPA tree (cn=account), but the compat tree
> > (cn=compat) populated by the slapi-nis plugin. The intent is to make the
> > AD users available to non-SSSD clients that can only use LDAP as an
> > interface.
>
> Yes. If you enabled slapi-nis on IPA master but didn't establish actual
> trust to AD and instead added an SSSD configuration to lookup AD users
> directly, then slapi-nis will happily ask SSSD for whatever users with @
> in the name were requested by the LDAP clients and SSSD would look them
> up in AD.
>
> Not sure how useful is that at all but yes, this is a side-effect of
> slapi-nis features.
>
this is very freaking useful :) I was wondering how to get my radius there... and, ups, just like that, it was there, so thanks!

> --
> / Alexander Bokovoy
>

From abokovoy at redhat.com Fri Jun 10 10:23:46 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 10 Jun 2016 13:23:46 +0300
Subject: [Freeipa-users] it's a weird one - how AD users get into IPA ?
In-Reply-To: <1465552301.19234.2.camel@yahoo.co.uk>
References: <20160610090142.GS3271@hendrix> <1465552301.19234.2.camel@yahoo.co.uk>
Message-ID: <20160610102346.6hr2caf5mh6x7d3w@redhat.com>

On Fri, 10 Jun 2016, lejeczek wrote:
>On Fri, 2016-06-10 at 11:01 +0200, Jakub Hrozek wrote:
>> On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
>> > hi everyone
>> >
>> > there is a master IPA which in some weird way puts AD users into its ldap
>> > catalog. I say weird cause there is no trust nor other sync established,
>> > there was a trust agreement, one way type, but now 'trust-find' shows
>> > nothing, that trust was removed.
>> >
>> > but still when I create a user @AD DS a second later I see it in IPA's ldap,
>> > eg.
>> >
>> > dn: uid=ccnrtest@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
>> >
>> > how to trace the culprit config responsible for this?
>>
>> Check the DN, this is not the IPA tree (cn=account), but the compat tree
>> (cn=compat) populated by the slapi-nis plugin. The intent is to make the
>> AD users available to non-SSSD clients that can only use LDAP as an
>> interface.
>>
>any chance this plugin gets included without user/admin intention, eg.
>during migrate-ds ?

The slapi-nis plugin is enabled by default when IPA is installed because ou=sudoers tree is emulated by the slapi-nis.
>is ipa toolkit or I have to go directly to ldap to de/activate
>plugin(s) ?

See ipa-compat-manage
--
/ Alexander Bokovoy

From abokovoy at redhat.com Fri Jun 10 10:24:09 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 10 Jun 2016 13:24:09 +0300
Subject: [Freeipa-users] it's a weird one - how AD users get into IPA ?
In-Reply-To: <1465552425.19234.4.camel@yahoo.co.uk>
References: <20160610090142.GS3271@hendrix> <20160610091246.npcsba6fx3ufdplc@redhat.com> <1465552425.19234.4.camel@yahoo.co.uk>
Message-ID: <20160610102409.cj5x6oxm4aotk42f@redhat.com>

On Fri, 10 Jun 2016, lejeczek wrote:
>On Fri, 2016-06-10 at 12:12 +0300, Alexander Bokovoy wrote:
>> On Fri, 10 Jun 2016, Jakub Hrozek wrote:
>> > On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
>> > > hi everyone
>> > >
>> > > there is a master IPA which in some weird way puts AD users into its ldap
>> > > catalog. I say weird cause there is no trust nor other sync established,
>> > > there was a trust agreement, one way type, but now 'trust-find' shows
>> > > nothing, that trust was removed.
>> > >
>> > > but still when I create a user @AD DS a second later I see it in IPA's ldap,
>> > > eg.
>> > >
>> > > dn: uid=ccnrtest@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
>> > >
>> > > how to trace the culprit config responsible for this?
>> >
>> > Check the DN, this is not the IPA tree (cn=account), but the compat tree
>> > (cn=compat) populated by the slapi-nis plugin. The intent is to make the
>> > AD users available to non-SSSD clients that can only use LDAP as an
>> > interface.
>>
>> Yes.
>> If you enabled slapi-nis on IPA master but didn't establish actual
>> trust to AD and instead added an SSSD configuration to lookup AD users
>> directly, then slapi-nis will happily ask SSSD for whatever users with @
>> in the name were requested by the LDAP clients and SSSD would look them
>> up in AD.
>>
>> Not sure how useful is that at all but yes, this is a side-effect of
>> slapi-nis features.
>>
>this is very freaking useful :) I was wondering how to get my radius
>there... and, ups, just like that, it was there, so thanks!

There are no passwords in that tree.
--
/ Alexander Bokovoy

From peljasz at yahoo.co.uk Fri Jun 10 11:05:50 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Fri, 10 Jun 2016 12:05:50 +0100
Subject: [Freeipa-users] it's a weird one - how AD users get into IPA ?
In-Reply-To: <20160610102409.cj5x6oxm4aotk42f@redhat.com>
References: <20160610090142.GS3271@hendrix> <20160610091246.npcsba6fx3ufdplc@redhat.com> <1465552425.19234.4.camel@yahoo.co.uk> <20160610102409.cj5x6oxm4aotk42f@redhat.com>
Message-ID: <1465556750.19234.14.camel@yahoo.co.uk>

On Fri, 2016-06-10 at 13:24 +0300, Alexander Bokovoy wrote:
> On Fri, 10 Jun 2016, lejeczek wrote:
> > On Fri, 2016-06-10 at 12:12 +0300, Alexander Bokovoy wrote:
> > > On Fri, 10 Jun 2016, Jakub Hrozek wrote:
> > > > On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> > > > > hi everyone
> > > > >
> > > > > there is a master IPA which in some weird way puts AD users into its ldap
> > > > > catalog. I say weird cause there is no trust nor other sync established,
> > > > > there was a trust agreement, one way type, but now 'trust-find' shows
> > > > > nothing, that trust was removed.
> > > > >
> > > > > but still when I create a user @AD DS a second later I see it in IPA's ldap,
> > > > > eg.
> > > > > > > > > > dn: uid=ccnrtest at ccnr.aaa.private.dom,cn=users,cn=compat,dc=p > > > > > riva > > > > > te,dc=c > > > > > ?cnr,dc=aaa,dc=private,dc=dom > > > > > > > > > > how to trace the culprit config responsible for this? > > > > > > > > Check the DN, this is not the IPA tree (cn=account), but the > > > > compat > > > > tree > > > > (cn=compat) populated by the slapi-nis plugin. The intent is to > > > > make the > > > > AD users available to non-SSSD clients that can only use LDAP > > > > as an > > > > interface. > > > > > > Yes. If you enabled slapi-nis on IPA master but didn't establish > > > actual > > > trust to AD and instead added an SSSD configuration to lookup AD > > > users > > > directly, then slapi-nis will happily ask SSSD for whatever users > > > with @ > > > in the name were requested by the LDAP clients and SSSD would > > > look > > > them > > > up in AD. > > > > > > Not sure how useful is that at all but yes, this is a side-effect > > > of > > > slapi-nis features. > > > > > this is very freaking useful :) I was wondering how to get my > > radius > > there... and, ups, just like that, it was there, so thanks! > There are no passwords in that tree. maybe it's not slapi-nis then? radius definitely works and checks/validates passwords. I'm looking at?https://docs.fedoraproject.org/en-US/Fedora/17/html/Free IPA_Guide/migrating-from-nis.html?trying to have this working on a replica now and I think it could have not been nis plugin. Having it enabled first IPA fails to start for 587 is already in use and master IPA also uses that port, also master does not show ypserv in rpcinfo. How to be 100% sure it's slapi-nis ? And if it is not then what else gets those AD users? many thanks. -------------- next part -------------- An HTML attachment was scrubbed... 
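An added check for the question above (how to be sure the slapi-nis compat tree is really what is serving those entries); this is example code written for this page, not something posted in the thread or shipped by FreeIPA. It reads the Schema Compatibility and NIS Server plugin entries under cn=config (the standard slapi-nis plugin DNs), and classifies a DN as a virtual cn=compat entry versus a real cn=accounts entry. The ldapi socket name and the sample LDIF are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added diagnostic helper, not part of the thread. It answers "is slapi-nis
# actually on?" by reading the plugin entries under cn=config, and shows how
# to recognise compat-tree DNs. Assumptions: standard slapi-nis plugin DNs;
# the ldapi socket follows IPA's slapd-<INSTANCE>.socket naming.

COMPAT_DN='cn=Schema Compatibility,cn=plugins,cn=config'   # the cn=compat tree
NIS_DN='cn=NIS Server,cn=plugins,cn=config'                # the ypserv side

# Constructed sample of what `ldapsearch -LLL` returns for the compat plugin.
SAMPLE_LDIF='dn: cn=Schema Compatibility,cn=plugins,cn=config
cn: Schema Compatibility
nsslapd-pluginEnabled: on'

# plugin_state_from_ldif: read LDIF on stdin, print on|off|absent.
plugin_state_from_ldif() {
    awk -F': ' '
        tolower($1) == "nsslapd-pluginenabled" {
            v = tolower($2); sub(/[ \t\r]+$/, "", v); found = 1
        }
        END { print (found ? v : "absent") }'
}

# live_plugin_state DN [instance]: query the running directory server over
# its local ldapi socket as Directory Manager (password is prompted for).
live_plugin_state() {
    dn=$1
    inst=${2:-EXAMPLE-TEST}   # assumption: replace with your slapd instance name
    ldapsearch -LLL -x -W -D 'cn=Directory Manager' \
        -H "ldapi://%2fvar%2frun%2fslapd-$inst.socket" \
        -b "$dn" -s base nsslapd-pluginEnabled | plugin_state_from_ldif
}

# dn_tree DN: where does an entry live? cn=compat is the virtual,
# non-replicated view served by slapi-nis; cn=accounts is the real IPA tree.
dn_tree() {
    lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$lower" in
        *,cn=compat,dc=*)   echo compat ;;
        *,cn=accounts,dc=*) echo accounts ;;
        *)                  echo other ;;
    esac
}

# ad_style_uid DN: is the RDN a trusted-domain user (uid=user@domain)?
# These are the names slapi-nis hands to SSSD; they are never stored in IPA.
ad_style_uid() {
    case "$1" in
        uid=*@*,*) return 0 ;;
        *)         return 1 ;;
    esac
}

# describe_entry DN: one-line verdict for an entry seen in an LDAP search.
describe_entry() {
    tree=$(dn_tree "$1")
    if [ "$tree" = compat ] && ad_style_uid "$1"; then
        echo "virtual compat entry resolved via SSSD (not in the IPA database)"
    elif [ "$tree" = compat ]; then
        echo "virtual compat view of a native IPA entry"
    elif [ "$tree" = accounts ]; then
        echo "real, replicated IPA entry"
    else
        echo "outside the IPA user trees"
    fi
}

# demo_state: run the parser over the constructed sample (no server needed).
demo_state() {
    printf '%s\n' "$SAMPLE_LDIF" | plugin_state_from_ldif
}

if [ "${1:-}" = "--live" ]; then
    # Against a real master: ./compat-check.sh --live <INSTANCE>
    for dn in "$COMPAT_DN" "$NIS_DN"; do
        printf '%s: %s\n' "$dn" "$(live_plugin_state "$dn" "${2:-}")"
    done
else
    printf 'sample plugin state: %s\n' "$(demo_state)"
    describe_entry 'uid=ccnrtest@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom'
fi
```

The ipa-compat-manage tool named earlier in the thread toggles the same nsslapd-pluginEnabled attribute; the NIS Server entry is a separate plugin, which is why port 587 / ypserv in rpcinfo says nothing about the compat tree.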
From peljasz at yahoo.co.uk  Fri Jun 10 12:15:45 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Fri, 10 Jun 2016 13:15:45 +0100
Subject: [Freeipa-users] it's a weird one - how AD users get into IPA ?
In-Reply-To: <20160610091246.npcsba6fx3ufdplc@redhat.com>
References: <20160610090142.GS3271@hendrix>
 <20160610091246.npcsba6fx3ufdplc@redhat.com>
Message-ID: <1465560945.19234.18.camel@yahoo.co.uk>

On Fri, 2016-06-10 at 12:12 +0300, Alexander Bokovoy wrote:
> On Fri, 10 Jun 2016, Jakub Hrozek wrote:
> > On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> > > hi everyone
> > >
> > > there is a master IPA which in some weird way puts AD users into its ldap
> > > catalog. I say weird cause there is no trust nor other sync established,
> > > there was a trust agreement, one way type, but now 'trust-find' shows
> > > nothing, that trust was removed.
> > >
> > > but still when I create a user @AD DS a second later I see it in IPA's ldap,
> > > eg.
> > >
> > > dn: uid=ccnrtest at ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
> > >
> > > how to trace the culprit config responsible for this?
> >
> > Check the DN, this is not the IPA tree (cn=account), but the compat tree
> > (cn=compat) populated by the slapi-nis plugin. The intent is to make the
> > AD users available to non-SSSD clients that can only use LDAP as an
> > interface.
>
> Yes. If you enabled slapi-nis on IPA master but didn't establish actual
> trust to AD and instead added an SSSD configuration to lookup AD users
> directly, then slapi-nis will happily ask SSSD for whatever users with @
> in the name were requested by the LDAP clients and SSSD would look them
> up in AD.

but would entries from AD wound up in IPA's ldap?
I'm poking around and still am puzzled, I believe I've enabled nis on a replica but it's not doing it there, those AD users are not in IPA replica ldap whereas they exist on the master.

> Not sure how useful is that at all but yes, this is a side-effect of
> slapi-nis features.
>
> -- 
> / Alexander Bokovoy
>

From gjn at gjn.priv.at  Fri Jun 10 12:21:07 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Fri, 10 Jun 2016 14:21:07 +0200
Subject: [Freeipa-users] DNSSEC A, AAAA Records
In-Reply-To: <646abc30-5ac4-1349-411a-a84c755ef9ff@redhat.com>
References: <2449798.RXz9XgO01f@techz>
 <646abc30-5ac4-1349-411a-a84c755ef9ff@redhat.com>
Message-ID: <1515597.fHlFGLGvaR@techz>

Hello,

On Friday, 10 June 2016 at 10:12:50 CEST, Martin Basti wrote:
> On 10.06.2016 09:09, Günther J. Niederwimmer wrote:
> > Hello,
> >
> > can anyone help me to clear a question for DNSSEC, NSEC3
> >
> > I have a domain created with bind and DNSSEC and NSEC3 I test this Domain
> > and other, not my Domain with
> >
> > http://dnsviz.net/d/esslmaier.at/dnssec/
> >
> > This site from Verisign tell me, I have all Secure and also the A, AAAA
> > Records
> >
> > FreeIPA 4.3.1 Centos 7.2

I mean with the FreeIPA 4.2 I have A or AAAA Records but one from the list tell me 4.3.1 is the better version for DNSSEC ?

> > But when I test my IPA created domain
> > http://dnsviz.net/d/4gjn.com/dnssec/
> >
> > I miss the A, AAAA Records
> >
> > can this be correct ?
> >
> > Thanks for an answer
>
> Hello,
> do you have configured A and AAAA records in zone apex of '4gjn.com'?

Yes I have configured A AAAA Records, but something is wrong with the Zone File ? when I look on my secondary DNS this is a PDNS then I found total different entry for esslmaier.at and my 4gjn.com.

> I can `dig +dnssec ipa.4gjn.com. A` with DNSSEC results but for `dig
> +dnssec 4gjn.com. A` , it looks like there is no A/AAAA records.

Yes I wrote this before but I have no answer, what I can do :-(.

> Can you provide output of the `ipa dnsrecord-show 4gjn.com. @` ?

this is all !!!

[root at ipa ~]# ipa dnsrecord-show 4gjn.com. @
  Datensatzname: @
  MX record: 10 smtp.4gjn.com.
  NS record: dns.esslmaier.at., ipa.4gjn.com., ns1.ns71.net., ns1.gratisdns.dk.
  TXT record: "v=spf1 mx ip4:89.26.108.213 ip4:89.26.108.0/28 ip6:2001:470:6f:8f1::223 ip6:2001:470:6f:8f1::/64 include:gjn.priv.at -all"

ipa dnsrecord-show 4gjn.com. AAAA
ipa: ERROR: AAAA: DNS resource record nicht gefunden

Is this an LDAP Problem ?

-- 
with kind regards / best regards,
Günther J. Niederwimmer

From abokovoy at redhat.com  Fri Jun 10 12:34:17 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 10 Jun 2016 15:34:17 +0300
Subject: [Freeipa-users] it's a weird one - how AD users get into IPA ?
In-Reply-To: <1465560945.19234.18.camel@yahoo.co.uk>
References: <20160610090142.GS3271@hendrix>
 <20160610091246.npcsba6fx3ufdplc@redhat.com>
 <1465560945.19234.18.camel@yahoo.co.uk>
Message-ID: <20160610123417.wnzenrhlhcdubmol@redhat.com>

On Fri, 10 Jun 2016, lejeczek wrote:
>On Fri, 2016-06-10 at 12:12 +0300, Alexander Bokovoy wrote:
>> On Fri, 10 Jun 2016, Jakub Hrozek wrote:
>> > On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
>> > > hi everyone
>> > >
>> > > there is a master IPA which in some weird way puts AD users into its ldap
>> > > catalog. I say weird cause there is no trust nor other sync established,
>> > > there was a trust agreement, one way type, but now 'trust-find' shows
>> > > nothing, that trust was removed.
>> > >
>> > > but still when I create a user @AD DS a second later I see it in IPA's ldap,
>> > > eg.
>> > >
>> > > dn: uid=ccnrtest at ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
>> > >
>> > > how to trace the culprit config responsible for this?
>> >
>> > Check the DN, this is not the IPA tree (cn=account), but the compat tree
>> > (cn=compat) populated by the slapi-nis plugin. The intent is to make the
>> > AD users available to non-SSSD clients that can only use LDAP as an
>> > interface.
>>
>> Yes. If you enabled slapi-nis on IPA master but didn't establish actual
>> trust to AD and instead added an SSSD configuration to lookup AD users
>> directly, then slapi-nis will happily ask SSSD for whatever users with @
>> in the name were requested by the LDAP clients and SSSD would look them
>> up in AD.
>but would entries from AD wound up in IPA's ldap?
>I'm poking around and still am puzzled, I believe I've enabled nis on a
>replica but it's not doing it there, those AD users are not in IPA
>replica ldap whereas they exist on the master.
They wouldn't be in LDAP tree.

cn=compat is purely virtual and is not replicated. The tree is populated
on demand and if your replica is configured differently to the master
w.r.t. AD trust or SSSD, you'll get different results.

-- 
/ Alexander Bokovoy

From jan.karasek at elostech.cz  Fri Jun 10 13:02:02 2016
From: jan.karasek at elostech.cz (Jan Karásek)
Date: Fri, 10 Jun 2016 15:02:02 +0200 (CEST)
Subject: [Freeipa-users] IPA trust external DNS Default-First-Site-Name records
Message-ID: <805028398.419851.1465563722543.JavaMail.zimbra@elostech.cz>

Hi,

I am trying to setup external DNS for IPA with AD trust.
I have set all records in DNS according doc but in the internal IPA DNS I can see 3 more DNS records which are not mentioned in doc. They were set automatically during ipa trust-add command I guess:

_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs

Could you please explain what they are good for and if they should be added to the external DNS as well ?

Thanks,
Jan
From abokovoy at redhat.com  Fri Jun 10 13:20:59 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 10 Jun 2016 16:20:59 +0300
Subject: [Freeipa-users] IPA trust external DNS Default-First-Site-Name records
In-Reply-To: <805028398.419851.1465563722543.JavaMail.zimbra@elostech.cz>
References: <805028398.419851.1465563722543.JavaMail.zimbra@elostech.cz>
Message-ID: <20160610132059.l7lazmznk7voxoy2@redhat.com>

On Fri, 10 Jun 2016, Jan Karásek wrote:
>Hi,
>
>I am trying to setup external DNS for IPA with AD trust.
>I have set all records in DNS according doc but in the internal IPA DNS I can see 3 more DNS records which are not mentioned in doc. They were set automatically during ipa trust-add command I guess:
>
>_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs
>_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs
>_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs
>
>Could you please explain what they are good for and if they should be added to the external DNS as well ?
Active Directory uses them to discover default site of IPA. This is
standard behavior of Active Directory regarding any Active Directory.

-- 
/ Alexander Bokovoy

From pspacek at redhat.com  Fri Jun 10 13:26:39 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 10 Jun 2016 15:26:39 +0200
Subject: [Freeipa-users] DNSSEC A, AAAA Records
In-Reply-To: <1515597.fHlFGLGvaR@techz>
References: <2449798.RXz9XgO01f@techz>
 <646abc30-5ac4-1349-411a-a84c755ef9ff@redhat.com>
 <1515597.fHlFGLGvaR@techz>

On 10.6.2016 14:21, Günther J. Niederwimmer wrote:
> Hello,
>
> On Friday, 10 June 2016 at 10:12:50 CEST, Martin Basti wrote:
>> On 10.06.2016 09:09, Günther J. Niederwimmer wrote:
>>> Hello,
>>>
>>> can anyone help me to clear a question for DNSSEC, NSEC3
>>>
>>> I have a domain created with bind and DNSSEC and NSEC3 I test this Domain
>>> and other, not my Domain with
>>>
>>> http://dnsviz.net/d/esslmaier.at/dnssec/
>>>
>>> This site from Verisign tell me, I have all Secure and also the A, AAAA
>>> Records
>>>
>>> FreeIPA 4.3.1 Centos 7.2
>
> I mean with the FreeIPA 4.2 I have A or AAAA Records but one from the list
> tell me 4.3.1 is the better version for DNSSEC ?
>
>>> But when I test my IPA created domain
>>> http://dnsviz.net/d/4gjn.com/dnssec/
>>>
>>> I miss the A, AAAA Records
>>>
>>> can this be correct ?
>>>
>>> Thanks for an answer
>>
>> Hello,
>> do you have configured A and AAAA records in zone apex of '4gjn.com'?
>
> Yes I have configured A AAAA Records, but something is wrong with the Zone File
> ? when I look on my secondary DNS this is a PDNS then I found total different
> entry for esslmaier.at and my 4gjn.com.
>
>
>> I can `dig +dnssec ipa.4gjn.com. A` with DNSSEC results but for `dig
>> +dnssec 4gjn.com. A` , it looks like there is no A/AAAA records.
> Yes I wrote this before but I have no answer, what I can do :-(.
>
>> Can you provide output of the `ipa dnsrecord-show 4gjn.com. @` ?
>
> this is all !!!
>
> [root at ipa ~]# ipa dnsrecord-show 4gjn.com. @
>   Datensatzname: @
>   MX record: 10 smtp.4gjn.com.
>   NS record: dns.esslmaier.at., ipa.4gjn.com., ns1.ns71.net., ns1.gratisdns.dk.
>   TXT record: "v=spf1 mx ip4:89.26.108.213 ip4:89.26.108.0/28 ip6:2001:470:6f:8f1::223 ip6:2001:470:6f:8f1::/64 include:gjn.priv.at -all"
>
> ipa dnsrecord-show 4gjn.com. AAAA
> ipa: ERROR: AAAA: DNS resource record nicht gefunden
>
> Is this an LDAP Problem ?

Apparently you do not have any A/AAAA records defined in IPA. Add some and
you will see :-)

Speaking of IPA versions, yes, latest IPA 4.3.2 is the best you can get for
DNSSEC. There are many bugs in older versions.

-- 
Petr^2 Spacek

From peljasz at yahoo.co.uk  Fri Jun 10 14:15:08 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Fri, 10 Jun 2016 15:15:08 +0100
Subject: [Freeipa-users] it's a weird one - how AD users get into IPA ?
In-Reply-To: <20160610123417.wnzenrhlhcdubmol@redhat.com>
References: <20160610090142.GS3271@hendrix>
 <20160610091246.npcsba6fx3ufdplc@redhat.com>
 <1465560945.19234.18.camel@yahoo.co.uk>
 <20160610123417.wnzenrhlhcdubmol@redhat.com>
Message-ID: <1465568108.19234.27.camel@yahoo.co.uk>

On Fri, 2016-06-10 at 15:34 +0300, Alexander Bokovoy wrote:
> On Fri, 10 Jun 2016, lejeczek wrote:
> > On Fri, 2016-06-10 at 12:12 +0300, Alexander Bokovoy wrote:
> > > On Fri, 10 Jun 2016, Jakub Hrozek wrote:
> > > > On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> > > > > hi everyone
> > > > >
> > > > > there is a master IPA which in some weird way puts AD users into its ldap
> > > > > catalog. I say weird cause there is no trust nor other sync established,
> > > > > there was a trust agreement, one way type, but now 'trust-find' shows
> > > > > nothing, that trust was removed.
> > > > >
> > > > > but still when I create a user @AD DS a second later I see it in IPA's ldap,
> > > > > eg.
> > > > >
> > > > > dn: uid=ccnrtest at ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
> > > > >
> > > > > how to trace the culprit config responsible for this?
> > > >
> > > > Check the DN, this is not the IPA tree (cn=account), but the compat tree
> > > > (cn=compat) populated by the slapi-nis plugin. The intent is to make the
> > > > AD users available to non-SSSD clients that can only use LDAP as an
> > > > interface.
> > >
> > > Yes. If you enabled slapi-nis on IPA master but didn't establish actual
> > > trust to AD and instead added an SSSD configuration to lookup AD users
> > > directly, then slapi-nis will happily ask SSSD for whatever users with @
> > > in the name were requested by the LDAP clients and SSSD would look them
> > > up in AD.
> > but would entries from AD wound up in IPA's ldap?
> > I'm poking around and still am puzzled, I believe I've enabled nis on a
> > replica but it's not doing it there, those AD users are not in IPA
> > replica ldap whereas they exist on the master.
> They wouldn't be in LDAP tree.
>
> cn=compat is purely virtual and is not replicated. The tree is populated
> on demand and if your replica is configured differently to the master
> w.r.t. AD trust or SSSD, you'll get different results.

so it's a square one then, I forget IPA replicas for now, only master, while I'm looking at https://git.fedorahosted.org/cgit/slapi-nis.git/plain/doc/nis-getting-started.txt before I use ipa-compat-manage (to disable to test) - where in ldap config (or anywhere) it says this plugin is on & working so I can be sure?
And flat configs for sssd & krb are virtually identical on both IPA master & replica, I just copied those manually to be sure, replica still has no AD users entries.

From peljasz at yahoo.co.uk  Fri Jun 10 14:41:47 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Fri, 10 Jun 2016 15:41:47 +0100
Subject: [Freeipa-users] it's a weird one - how AD users get into IPA ?
In-Reply-To: <20160610090806.GR3302@p.Speedport_W_724V_Typ_A_05011603_00_009>
References: <20160610090806.GR3302@p.Speedport_W_724V_Typ_A_05011603_00_009>
Message-ID: <1465569707.19234.30.camel@yahoo.co.uk>

On Fri, 2016-06-10 at 11:08 +0200, Sumit Bose wrote:
> On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> > hi everyone
> >
> > there is a master IPA which in some weird way puts AD users into its ldap
> > catalog. I say weird cause there is no trust nor other sync established,
> > there was a trust agreement, one way type, but now 'trust-find' shows
> > nothing, that trust was removed.
> >
> > but still when I create a user @AD DS a second later I see it in IPA's ldap,
> > eg.
> >
> > dn: uid=ccnrtest at ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
> >
> > how to trace the culprit config responsible for this?
> >
> > and funny(?) thing is that these users do not get replicated to IPA
> > replicas.
>
> Did you remove the trust on the AD side as well. If not SSSD running on
> the IPA server might still have valid credentials in a keytab in
> /var/lib/sss/db and is able to read the user data from AD.

nope, not agreements left @AD, I tried: $ sss_cache -E -d ad.domain
but it segfaulted:

[1316003.857780] sss_cache[31028]: segfault at 0 ip 00007fab730f434c sp 00007fffbf576c10 error 4 in libsss_util.so[7fab730c8000+68000]

so that would be sssd actually pulling and inserting these entries in IPA's ldap?

many thanks,
L

> HTH
>
> bye,
> Sumit
>
> > many thanks,
> >
> > L
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> >
> > Go to http://freeipa.org for more info on the project

From Dan.Finkelstein at high5games.com  Fri Jun 10 15:24:48 2016
From: Dan.Finkelstein at high5games.com (Dan.Finkelstein at high5games.com)
Date: Fri, 10 Jun 2016 15:24:48 +0000
Subject: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)
In-Reply-To: <8776E3A1-A1DE-42FA-9C11-B32BDFC88D48@high5games.com>
References: <8776E3A1-A1DE-42FA-9C11-B32BDFC88D48@high5games.com>
Message-ID: <11A7EF75-24E7-4F02-9BB7-B128EF8005E9@high5games.com>

An update: The journalctl command has some really interesting output:

Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: WARNING: Symbolic link '/var/lib/pki/pki-tomcat/alias' does NOT exist!
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: INFO: Attempting to create '/var/lib/pki/pki-tomcat/alias' -> '/etc/pki/pki-tomcat/alias' . . .
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ln: failed to create symbolic link '/var/lib/pki/pki-tomcat/alias': Permission denied
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ERROR: Failed to create '/var/lib/pki/pki-tomcat/alias' -> '/etc/pki/pki-tomcat/alias'!
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: WARNING: Symbolic link '/var/lib/pki/pki-tomcat/logs' does NOT exist!
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: INFO: Attempting to create '/var/lib/pki/pki-tomcat/logs' -> '/var/log/pki/pki-tomcat' . . .
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ln: failed to create symbolic link '/var/lib/pki/pki-tomcat/logs': Permission denied
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ERROR: Failed to create '/var/lib/pki/pki-tomcat/logs' -> '/var/log/pki/pki-tomcat'!
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: WARNING: Symbolic link '/var/lib/pki/pki-tomcat/bin' does NOT exist!
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: INFO: Attempting to create '/var/lib/pki/pki-tomcat/bin' -> '/usr/share/tomcat/bin' . . .
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ln: failed to create symbolic link '/var/lib/pki/pki-tomcat/bin': Permission denied
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ERROR: Failed to create '/var/lib/pki/pki-tomcat/bin' -> '/usr/share/tomcat/bin'!
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: WARNING: Symbolic link '/var/lib/pki/pki-tomcat/conf' does NOT exist!
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: INFO: Attempting to create '/var/lib/pki/pki-tomcat/conf' -> '/etc/pki/pki-tomcat' . . .
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ln: failed to create symbolic link '/var/lib/pki/pki-tomcat/conf': Permission denied
Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ERROR: Failed to create '/var/lib/pki/pki-tomcat/conf' -> '/etc/pki/pki-tomcat'!
Jun 10 11:16:23 ipa.example.com systemd[1]: pki-tomcatd at pki-tomcat.service: control process exited, code=exited status=1
Jun 10 11:16:23 ipa.example.com systemd[1]: Failed to start PKI Tomcat Server pki-tomcat.

Which makes me think all we have to do is create the right directory structures/links and/or change the file permissions? But which ones and to whom?

- Dan

Daniel Alex Finkelstein | Lead Dev Ops Engineer
Dan.Finkelstein at h5g.com | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com
Play High 5 Casino and Shake the Sky
Follow us on: Facebook, Twitter, YouTube, Linkedin

This message and any attachments may contain confidential or privileged information and are only for the use of the intended recipient of this message. If you are not the intended recipient, please notify the sender by return email, and delete or destroy this and all copies of this message and all attachments. Any unauthorized disclosure, use, distribution, or reproduction of this message or any attachments is prohibited and may be unlawful.
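An added read-only check for the "which ones and to whom?" question above; it is example code written for this page, not something from the thread or from Dogtag/FreeIPA. The four link -> target pairs are exactly the ones pkidaemon reported in the journal output; the expected owner "pkiuser" and the optional root prefix (so the check can run against a copied or test tree) are assumptions.

```shell
#!/bin/sh
# Added diagnostic helper, not from the thread. It re-checks the four symlinks
# pkidaemon complained about (link -> target pairs taken from the journal
# lines above) and reports who owns the instance directory, which is what
# decides whether pkidaemon may create them. Assumption: the service account
# is "pkiuser"; pass a different name as the second argument if yours differs.

PKI_HOME=/var/lib/pki/pki-tomcat

# check_pki_links [root-prefix] [expected-owner]
# root-prefix lets the check run against a test tree instead of "/".
# Prints one line per link and one for the directory owner; returns 0 only
# when every link exists, points at the expected target and the owner matches.
check_pki_links() {
    prefix=${1:-}
    owner=${2:-pkiuser}
    rc=0
    set -- alias /etc/pki/pki-tomcat/alias \
           logs  /var/log/pki/pki-tomcat \
           bin   /usr/share/tomcat/bin \
           conf  /etc/pki/pki-tomcat
    while [ $# -ge 2 ]; do
        name=$1; target=$2; shift 2
        link="$prefix$PKI_HOME/$name"
        if [ -L "$link" ]; then
            actual=$(readlink "$link")
            if [ "$actual" = "$prefix$target" ]; then
                echo "$name ok"
            else
                echo "$name wrong-target ($actual)"; rc=1
            fi
        elif [ -e "$link" ]; then
            # A real file or directory sitting where the link belongs also
            # makes "ln -s" fail; pkidaemon would not report it as EACCES.
            echo "$name not-a-link (a real file or directory is in the way)"; rc=1
        else
            echo "$name missing"; rc=1
        fi
    done
    dir="$prefix$PKI_HOME"
    if [ -d "$dir" ]; then
        have=$(ls -ld "$dir" | awk '{print $3}')
        if [ "$have" = "$owner" ]; then
            echo "owner ok ($have)"
        else
            # "Permission denied" on ln inside this directory means the
            # account pkidaemon runs as cannot write here.
            echo "owner mismatch ($have, expected $owner)"; rc=1
        fi
    else
        echo "owner unknown ($dir does not exist)"; rc=1
    fi
    return $rc
}

# Report only; nothing is changed on the host.
if [ "${1:-}" = "--live" ]; then
    check_pki_links "" "${2:-pkiuser}"
fi
```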
From: on behalf of Daniel Finkestein
Date: Wednesday, June 8, 2016 at 17:11
To: "freeipa-users at redhat.com"
Subject: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)

I have a promoted CA master/FreeIPA 4.2.0 instance on CentOS 7 that emits this error in the httpd logs whenever the WebUI tries to see the certificates page:

[Wed Jun 08 16:56:27.052106 2016] [:error] [pid 2863] ipa: ERROR: ipaserver.plugins.dogtag.ra.find(): Unable to communicate with CMS ([Errno 111] Connection refused)
[Wed Jun 08 16:56:27.052401 2016] [:error] [pid 2863] ipa: INFO: [jsonserver_session] dfinkelstein at EXAMPLE.COM: cert_find(version=u'2.156'): CertificateOperationError

The certificates appear as follows:

[root at ipa httpd]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
auditSigningCert cert-pki-ca                                 u,u,u
EXAMPLE.COM IPA CA                                           CTu,u,Cu
ipaCert                                                      u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u

Upon reboot, httpd fails to start with the error: Failed to start Identity, Policy, Audit. But it can be started later with `ipactl restart`.

Finally, the two last IPA services don't appear to start:

[root at ipa]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: STOPPED
ipa-dnskeysyncd Service: STOPPED
ipa: INFO: The ipactl command was successful

I'd appreciate any guidance or suggestions.

Thanks,
Dan

Daniel Alex Finkelstein | Senior Dev Ops Engineer
Dan.Finkelstein at h5g.com | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com

From gjn at gjn.priv.at  Fri Jun 10 15:33:30 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Fri, 10 Jun 2016 17:33:30 +0200
Subject: [Freeipa-users] DNSSEC A, AAAA Records
References: <2449798.RXz9XgO01f@techz>
 <1515597.fHlFGLGvaR@techz>
Message-ID: <1520306.ntx6C1O0cR@techz>

On Friday, 10 June 2016 at 15:26:39 CEST, Petr Spacek wrote:
> On 10.6.2016 14:21, Günther J. Niederwimmer wrote:
> > Hello,
> >
> > On Friday, 10 June 2016 at 10:12:50 CEST, Martin Basti wrote:
> >> On 10.06.2016 09:09, Günther J. Niederwimmer wrote:
> >>> Hello,
> >>>
> >>> can anyone help me to clear a question for DNSSEC, NSEC3
> >>>
> >>> I have a domain created with bind and DNSSEC and NSEC3 I test this
> >>> Domain and other, not my Domain with
> >>>
> >>> http://dnsviz.net/d/esslmaier.at/dnssec/
> >>>
> >>> This site from Verisign tell me, I have all Secure and also the A, AAAA
> >>> Records
> >>>
> >>> FreeIPA 4.3.1 Centos 7.2
> >
> > I mean with the FreeIPA 4.2 I have A or AAAA Records but one from the list
> > tell me 4.3.1 is the better version for DNSSEC ?
> >
> >>> But when I test my IPA created domain
> >>> http://dnsviz.net/d/4gjn.com/dnssec/
> >>>
> >>> I miss the A, AAAA Records
> >>>
> >>> can this be correct ?
> >>>
> >>> Thanks for an answer
> >>
> >> Hello,
> >> do you have configured A and AAAA records in zone apex of '4gjn.com'?
> >
> > Yes I have configured A AAAA Records, but something is wrong with the Zone
> > File ? when I look on my secondary DNS this is a PDNS then I found total
> > different entry for esslmaier.at and my 4gjn.com.
> >
> >> I can `dig +dnssec ipa.4gjn.com. A` with DNSSEC results but for `dig
> >> +dnssec 4gjn.com. A` , it looks like there is no A/AAAA records.
> >
> > Yes I wrote this before but I have no answer, what I can do :-(.
> >
> >> Can you provide output of the `ipa dnsrecord-show 4gjn.com. @` ?
> >
> > this is all !!!
> >
> > [root at ipa ~]# ipa dnsrecord-show 4gjn.com. @
> >   Datensatzname: @
> >   MX record: 10 smtp.4gjn.com.
> >   NS record: dns.esslmaier.at., ipa.4gjn.com., ns1.ns71.net., ns1.gratisdns.dk.
> >   TXT record: "v=spf1 mx ip4:89.26.108.213 ip4:89.26.108.0/28 ip6:2001:470:6f:8f1::223 ip6:2001:470:6f:8f1::/64 include:gjn.priv.at -all"
> >
> > ipa dnsrecord-show 4gjn.com. AAAA
> > ipa: ERROR: AAAA: DNS resource record nicht gefunden
> >
> > Is this an LDAP Problem ?
>
> Apparently you do not have any A/AAAA records defined in IPA. Add some and
> you will see :-)

NO ;-( I have configured all my server with A and AAAA Records ?

> Speaking of IPA versions, yes, latest IPA 4.3.2 is the best you can get for
> DNSSEC. There are many bugs in older versions.

I have IPA 4.3.1, I mean you tell me this with the Bugs, but I can't find 4.3.2
I have this Repo group_freeipa-freeipa-4-3-centos-7-epel-7.repo

-- 
with kind regards / best regards,
Günther J. Niederwimmer

From pgb205 at yahoo.com  Fri Jun 10 15:36:43 2016
From: pgb205 at yahoo.com (pgb205)
Date: Fri, 10 Jun 2016 15:36:43 +0000 (UTC)
Subject: [Freeipa-users] Can't establish trust with 2008 AD
In-Reply-To: <20160610055825.kfovvvuc7j6kzgq7@redhat.com>
References: <1404603960.350204.1465503770002.JavaMail.yahoo.ref@mail.yahoo.com>
 <1404603960.350204.1465503770002.JavaMail.yahoo@mail.yahoo.com>
 <20160609203048.bn3fvbjk5ctifvyy@redhat.com>
 <1893386531.399624.1465508657306.JavaMail.yahoo@mail.yahoo.com>
 <20160610041428.gdumaw6cvp2yonzx@redhat.com>
 <459591492.524111.1465533356241.JavaMail.yahoo@mail.yahoo.com>
 <20160610055825.kfovvvuc7j6kzgq7@redhat.com>
Message-ID: <1593556923.713788.1465573003082.JavaMail.yahoo@mail.yahoo.com>

Alexander, here you go.
One thing that came to mind that might be a problem. My Active Directory is adserver.addomain.com while IPA is ipax1.ipadomain; there is no suffix. Not sure if that would matter.
Anyway here is the log as requested.
Thank you.

 net ads lookup -d 10 -S dc.addomain.com
(null))name dc.addomain.com#20 found.remove_duplicate_addrs2: looking for duplicate address/port pairsads_try_connect: sending CLDAP request to 172.19.1.10 (realm: (null))ads_cldap_netlogon: did not get a replyads_try_connect: CLDAP request 172.19.1.10 failed.sitename_fetch: No stored sitename for IPADOMAINads_find_dc: (cldap) looking for domain 'IPADOMAIN'get_sorted_dc_list: attempting lookup for name IPADOMAIN (sitename NULL)saf_fetch: failed to find server for "IPADOMAIN" domainget_dc_list: preferred server list: ", *"internal_resolve_name: looking up IPADOMAIN#1c (sitename (null))no entry for IPADOMAIN#1C found.resolve_lmhosts: Attempting lmhosts lookup for name IPADOMAIN<0x1c>resolve_lmhosts: Attempting lmhosts lookup for name IPADOMAIN<0x1c>getlmhostsent: lmhost entry: 127.0.0.1 localhostresolve_wins: WINS server resolution selected and no WINS servers listed.resolve_hosts: not appropriate for name type <0x1c>name_resolve_bcast: Attempting broadcast lookup for name IPADOMAIN<0x1c>tstream_unix_connect failed: No such file or directorynmbd not aroundAdding 0 DC's from auto lookupget_dc_list: no servers foundads_connect: No logon serverssitename_fetch: No stored sitename for IPADOMAINinternal_resolve_name: looking up dc.addomain.com#20 (sitename (null))name dc.addomain.com#20 found.remove_duplicate_addrs2: looking for duplicate address/port pairsads_try_connect: sending CLDAP request to 172.19.1.10 (realm: (null))ads_cldap_netlogon: did not get a replyads_try_connect: CLDAP request 172.19.1.10 failed.sitename_fetch: No stored sitename for IPADOMAINads_find_dc: (cldap) looking for domain 'IPADOMAIN'get_sorted_dc_list: attempting lookup for name IPADOMAIN (sitename NULL)saf_fetch: failed to find server for "IPADOMAIN" domainget_dc_list: preferred server list: ", *"internal_resolve_name: looking up IPADOMAIN#1c (sitename (null))no entry for IPADOMAIN#1C found.resolve_lmhosts: Attempting lmhosts lookup for name IPADOMAIN<0x1c>resolve_lmhosts: Attempting lmhosts 
lookup for name IPADOMAIN<0x1c>getlmhostsent: lmhost entry: 127.0.0.1 localhostresolve_wins: WINS server resolution selected and no WINS servers listed.resolve_hosts: not appropriate for name type <0x1c>name_resolve_bcast: Attempting broadcast lookup for name IPADOMAIN<0x1c>tstream_unix_connect failed: No such file or directorynmbd not aroundAdding 0 DC's from auto lookupget_dc_list: no servers foundads_connect: No logon serversDidn't find the cldap server!return code = -1 From: Alexander Bokovoy To: pgb205 Cc: "freeipa-users at redhat.com" Sent: Friday, June 10, 2016 1:58 AM Subject: Re: [Freeipa-users] Can't establish trust with 2008 AD On Fri, 10 Jun 2016, pgb205 wrote: >The trust setup still results in >Shared secret for the trust:: ERROR: CIFS server communication error: code "None",? ? ? ? ? ? ? ? ? message "NT_STATUS_IO_TIMEOUT" (both may be "None") >If you want I can provide with logs. Can you show output of net ads lookup -d 10 -S dc.addomain.com -- / Alexander Bokovoy -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Fri Jun 10 16:01:32 2016 From: mbasti at redhat.com (Martin Basti) Date: Fri, 10 Jun 2016 18:01:32 +0200 Subject: [Freeipa-users] DNSSEC A, AAAA Records In-Reply-To: <1520306.ntx6C1O0cR@techz> References: <2449798.RXz9XgO01f@techz> <1515597.fHlFGLGvaR@techz> <1520306.ntx6C1O0cR@techz> Message-ID: On 10.06.2016 17:33, G?nther J. Niederwimmer wrote: > Am Freitag, 10. Juni 2016, 15:26:39 CEST schrieb Petr Spacek: >> On 10.6.2016 14:21, G?nther J. Niederwimmer wrote: >>> Hello, >>> >>> Am Freitag, 10. Juni 2016, 10:12:50 CEST schrieb Martin Basti: >>>> On 10.06.2016 09:09, G?nther J. 
Niederwimmer wrote:
>>>>> Hello,
>>>>>
>>>>> can anyone help me to clear a question for DNSSEC, NSEC3
>>>>>
>>>>> I have a domain created with bind and DNSSEC and NSEC3 I test this
>>>>> Domain
>>>>> and other, not my Domain with
>>>>>
>>>>> http://dnsviz.net/d/esslmaier.at/dnssec/
>>>>>
>>>>> This site from Verisign tell me, I have all Secure and also the A, AAAA
>>>>> Records
>>>>>
>>>>> FreeIPA 4.3.1 Centos 7.2
>>> I mean with the FreeIPA 4.2 I have A or AAAA Records but one from the list
>>> tell me 4.3.1 is the better version for DNSSEC ?
>>>
>>>>> But when I test my IPA created domain
>>>>> http://dnsviz.net/d/4gjn.com/dnssec/
>>>>>
>>>>> I miss the A, AAAA Records
>>>>>
>>>>> can this be correct ?
>>>>>
>>>>> Thanks for an answer
>>>> Hello,
>>>> do you have configured A and AAAA records in zone apex of '4gjn.com'?
>>> Yes I have configured A AAAA Records, but something is wrong with the Zone
>>> File ? when I look on my secondary DNS this is a PDNS then I found total
>>> different entry for esslmaier.at and my 4gjn.com.
>>>
>>>> I can `dig +dnssec ipa.4gjn.com. A` with DNSSEC results but for `dig
>>>> +dnssec 4gjn.com. A` , it looks like there is no A/AAAA records.
>>> Yes I wrote this before but I have no answer, what I can do :-(.
>>>
>>>> Can you provide output of the `ipa dnsrecord-show 4gjn.com. @` ?
>>> this is all !!!
>>>
>>> [root at ipa ~]# ipa dnsrecord-show 4gjn.com. @
>>>
>>> Record name: @
>>> MX record: 10 smtp.4gjn.com.
>>> NS record: dns.esslmaier.at., ipa.4gjn.com., ns1.ns71.net.,
>>> ns1.gratisdns.dk.
>>> TXT record: "v=spf1 mx ip4:89.26.108.213 ip4:89.26.108.0/28 ip6:2001:470:6f:8f1::223
>>> ip6:2001:470:6f:8f1::/64 include:gjn.priv.at -all"
>>>
>>> ipa dnsrecord-show 4gjn.com. AAAA
>>>
>>> ipa: ERROR: AAAA: DNS resource record not found
>>>
>>> Is this an LDAP Problem ?
>> Apparently you do not have any A/AAAA records defined in IPA. Add some and
>> you will see :-)
> NO ;-( I have configured all my server with A and AAAA Records ?

But your server name is not '4gjn.com', but 'ipa.4gjn.com'. The second one contains A/AAAA records.

4gjn.com AFAIK is your IPA domain, so it should not contain A/AAAA records by default, unless you manually added them there.

Martin

>
>> Speaking of IPA versions, yes, latest IPA 4.3.2 is the best you can get for
>> DNSSEC. There are many bugs in older versions.
> I have IPA 4.3.1, I mean you tell me this with the Bugs, but I can't find
> 4.3.2
>
> I have this Repo
>
> group_freeipa-freeipa-4-3-centos-7-epel-7.repo

From gjn at gjn.priv.at Fri Jun 10 16:14:49 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Fri, 10 Jun 2016 18:14:49 +0200
Subject: [Freeipa-users] DNSSEC A, AAAA Records
In-Reply-To:
References: <2449798.RXz9XgO01f@techz> <1520306.ntx6C1O0cR@techz>
Message-ID: <52345124.MKM8PJL3F2@techz>

On Friday, 10 June 2016, 18:01:32 CEST Martin Basti wrote:
> On 10.06.2016 17:33, Günther J. Niederwimmer wrote:
> > On Friday, 10 June 2016, 15:26:39 CEST Petr Spacek wrote:
> >> On 10.6.2016 14:21, Günther J. Niederwimmer wrote:
> >>> Hello,
> >>>
> >>> On Friday, 10 June 2016, 10:12:50 CEST Martin Basti wrote:
> >>>> On 10.06.2016 09:09, Günther J. Niederwimmer wrote:
> >>>>> Hello,
> >>>>>
> >>>>> can anyone help me to clear a question for DNSSEC, NSEC3
> >>>>>
> >>>>> I have a domain created with bind and DNSSEC and NSEC3 I test this
> >>>>> Domain
> >>>>> and other, not my Domain with
> >>>>>
> >>>>> http://dnsviz.net/d/esslmaier.at/dnssec/
> >>>>>
> >>>>> This site from Verisign tell me, I have all Secure and also the A,
> >>>>> AAAA
> >>>>> Records
> >>>>>
> >>>>> FreeIPA 4.3.1 Centos 7.2
> >>>
> >>> I mean with the FreeIPA 4.2 I have A or AAAA Records but one from the
> >>> list
> >>> tell me 4.3.1 is the better version for DNSSEC ?
> >>>
> >>>>> But when I test my IPA created domain
> >>>>> http://dnsviz.net/d/4gjn.com/dnssec/
> >>>>>
> >>>>> I miss the A, AAAA Records
> >>>>>
> >>>>> can this be correct ?
> >>>>>
> >>>>> Thanks for an answer
> >>>>
> >>>> Hello,
> >>>> do you have configured A and AAAA records in zone apex of '4gjn.com'?
> >>>
> >>> Yes I have configured A AAAA Records, but something is wrong with the
> >>> Zone
> >>> File ? when I look on my secondary DNS this is a PDNS then I found total
> >>> different entry for esslmaier.at and my 4gjn.com.
> >>>
> >>>> I can `dig +dnssec ipa.4gjn.com. A` with DNSSEC results but for `dig
> >>>> +dnssec 4gjn.com. A` , it looks like there is no A/AAAA records.
> >>>
> >>> Yes I wrote this before but I have no answer, what I can do :-(.
> >>>
> >>>> Can you provide output of the `ipa dnsrecord-show 4gjn.com. @` ?
> >>>
> >>> this is all !!!
> >>>
> >>> [root at ipa ~]# ipa dnsrecord-show 4gjn.com. @
> >>>
> >>> Record name: @
> >>> MX record: 10 smtp.4gjn.com.
> >>> NS record: dns.esslmaier.at., ipa.4gjn.com., ns1.ns71.net.,
> >>> ns1.gratisdns.dk.
> >>> TXT record: "v=spf1 mx ip4:89.26.108.213 ip4:89.26.108.0/28 ip6:2001:470:6f:8f1::223
> >>> ip6:2001:470:6f:8f1::/64 include:gjn.priv.at -all"
> >>>
> >>> ipa dnsrecord-show 4gjn.com. AAAA
> >>>
> >>> ipa: ERROR: AAAA: DNS resource record not found
> >>>
> >>> Is this an LDAP Problem ?
> >>
> >> Apparently you do not have any A/AAAA records defined in IPA. Add some
> >> and
> >> you will see :-)
> >
> > NO ;-( I have configured all my server with A and AAAA Records ?
>
> But your server name is not '4gjn.com', but 'ipa.4gjn.com'. The second
> one contains A/AAAA records.
>
> 4gjn.com AFAIK is your IPA domain, so it should not contain A/AAAA
> records by default, unless you manually added them there.

When I make an ipa dnsrecord-show I miss the RRSIG Record ?

ipa dnsrecord-show
Record name: ipa
Zone name: 4gjn.com
Record name: ipa
A record: 89.26.XXX.6
AAAA record: 2001:470:6f:XXX::204
SSHFP record: 1 1 96CEB1FC971F7916A37D7327DEBD97FAE0B19CDE, 3 2 59ED122BF99D4B149A17B159EF18A277DC0001BE66C14BBDDBF108FB05763604, 1 2 537DEA114D6232F6698D3B8B940091AE8AE159146764B073B8B777558E8789A0, 3 1 02614298C6F2CCF1F2F9BF8FA8A3267589E1FE1B

> >> Speaking of IPA versions, yes, latest IPA 4.3.2 is the best you can get
> >> for
> >> DNSSEC. There are many bugs in older versions.
> >
> > I have IPA 4.3.1, I mean you tell me this with the Bugs, but I can't find
> > 4.3.2
> >
> > I have this Repo
> >
> > group_freeipa-freeipa-4-3-centos-7-epel-7.repo

From mbasti at redhat.com Fri Jun 10 16:23:34 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 10 Jun 2016 18:23:34 +0200
Subject: [Freeipa-users] DNSSEC A, AAAA Records
In-Reply-To: <52345124.MKM8PJL3F2@techz>
References: <2449798.RXz9XgO01f@techz> <1520306.ntx6C1O0cR@techz> <52345124.MKM8PJL3F2@techz>
Message-ID: <1307585b-6ace-98e4-b353-333d47cd1acd@redhat.com>

On 10.06.2016 18:14, Günther J. Niederwimmer wrote:
> On Friday, 10 June 2016, 18:01:32 CEST Martin Basti wrote:
>> On 10.06.2016 17:33, Günther J. Niederwimmer wrote:
>>> On Friday, 10 June 2016, 15:26:39 CEST Petr Spacek wrote:
>>>> On 10.6.2016 14:21, Günther J. Niederwimmer wrote:
>>>>> Hello,
>>>>>
>>>>> On Friday, 10 June 2016, 10:12:50 CEST Martin Basti wrote:
>>>>>> On 10.06.2016 09:09, Günther J. Niederwimmer wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> can anyone help me to clear a question for DNSSEC, NSEC3
>>>>>>>
>>>>>>> I have a domain created with bind and DNSSEC and NSEC3 I test this
>>>>>>> Domain
>>>>>>> and other, not my Domain with
>>>>>>>
>>>>>>> http://dnsviz.net/d/esslmaier.at/dnssec/
>>>>>>>
>>>>>>> This site from Verisign tell me, I have all Secure and also the A,
>>>>>>> AAAA
>>>>>>> Records
>>>>>>>
>>>>>>> FreeIPA 4.3.1 Centos 7.2
>>>>> I mean with the FreeIPA 4.2 I have A or AAAA Records but one from the
>>>>> list
>>>>> tell me 4.3.1 is the better version for DNSSEC ?
>>>>>
>>>>>>> But when I test my IPA created domain
>>>>>>> http://dnsviz.net/d/4gjn.com/dnssec/
>>>>>>>
>>>>>>> I miss the A, AAAA Records
>>>>>>>
>>>>>>> can this be correct ?
>>>>>>>
>>>>>>> Thanks for an answer
>>>>>> Hello,
>>>>>> do you have configured A and AAAA records in zone apex of '4gjn.com'?
>>>>> Yes I have configured A AAAA Records, but something is wrong with the
>>>>> Zone
>>>>> File ? when I look on my secondary DNS this is a PDNS then I found total
>>>>> different entry for esslmaier.at and my 4gjn.com.
>>>>>
>>>>>> I can `dig +dnssec ipa.4gjn.com. A` with DNSSEC results but for `dig
>>>>>> +dnssec 4gjn.com. A` , it looks like there is no A/AAAA records.
>>>>> Yes I wrote this before but I have no answer, what I can do :-(.
>>>>>
>>>>>> Can you provide output of the `ipa dnsrecord-show 4gjn.com. @` ?
>>>>> this is all !!!
>>>>>
>>>>> [root at ipa ~]# ipa dnsrecord-show 4gjn.com. @
>>>>>
>>>>> Record name: @
>>>>> MX record: 10 smtp.4gjn.com.
>>>>> NS record: dns.esslmaier.at., ipa.4gjn.com., ns1.ns71.net.,
>>>>> ns1.gratisdns.dk.
>>>>> TXT record: "v=spf1 mx ip4:89.26.108.213 ip4:89.26.108.0/28 ip6:2001:470:6f:8f1::223
>>>>> ip6:2001:470:6f:8f1::/64 include:gjn.priv.at -all"
>>>>>
>>>>> ipa dnsrecord-show 4gjn.com. AAAA
>>>>>
>>>>> ipa: ERROR: AAAA: DNS resource record not found
>>>>>
>>>>> Is this an LDAP Problem ?
>>>> Apparently you do not have any A/AAAA records defined in IPA. Add some
>>>> and
>>>> you will see :-)
>>> NO ;-( I have configured all my server with A and AAAA Records ?
>> But your server name is not '4gjn.com', but 'ipa.4gjn.com'. The second
>> one contains A/AAAA records.
>>
>> 4gjn.com AFAIK is your IPA domain, so it should not contain A/AAAA
>> records by default, unless you manually added them there.
> When I make an ipa dnsrecord-show
>
> I miss the RRSIG Record ?
>
> ipa dnsrecord-show
> Record name: ipa
> Zone name: 4gjn.com
> Record name: ipa
> A record: 89.26.XXX.6
> AAAA record: 2001:470:6f:XXX::204
> SSHFP record: 1 1 96CEB1FC971F7916A37D7327DEBD97FAE0B19CDE, 3 2
> 59ED122BF99D4B149A17B159EF18A277DC0001BE66C14BBDDBF108FB05763604, 1 2
> 537DEA114D6232F6698D3B8B940091AE8AE159146764B073B8B777558E8789A0, 3 1
> 02614298C6F2CCF1F2F9BF8FA8A3267589E1FE1B
>

RRSIG records are not stored in LDAP, they are dynamically generated on the named server for each record, so ipa commands cannot show them; you must use `dig +dnssec @ipaserveraddress ipa.4gjn.com. A`

Martin

>
>>>> Speaking of IPA versions, yes, latest IPA 4.3.2 is the best you can get
>>>> for
>>>> DNSSEC. There are many bugs in older versions.
>>> I have IPA 4.3.1, I mean you tell me this with the Bugs, but I can't find
>>> 4.3.2
>>>
>>> I have this Repo
>>>
>>> group_freeipa-freeipa-4-3-centos-7-epel-7.repo
>
>

From prashant at apigee.com Fri Jun 10 16:43:43 2016
From: prashant at apigee.com (Prashant Bapat)
Date: Fri, 10 Jun 2016 22:13:43 +0530
Subject: [Freeipa-users] Using LDAP directly - Password Expiry
Message-ID:

Hi,

I'm using FreeIPA's LDAP component as user database in another application. The binds happen using the user's credentials (password+otp) and the search happens by a service account created under cn=sysaccounts.

Things are working as expected except one small hitch. Password Expiry. Binds are allowed even for users with expired passwords.

Are others using the LDAP directly ?
If yes, how are you handling the password expiry.

Thanks.
--Prashant

From rcritten at redhat.com Fri Jun 10 17:37:45 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 10 Jun 2016 13:37:45 -0400
Subject: [Freeipa-users] Using LDAP directly - Password Expiry
In-Reply-To:
References:
Message-ID: <575AFAE9.8080007@redhat.com>

Prashant Bapat wrote:
> Hi,
>
> I'm using FreeIPA's LDAP component as user database in another
> application. The binds happen using the user's credentials
> (password+otp) and the search happens by a service account created under
> cn=sysaccounts.
>
> Things are working as expected except one small hitch. Password Expiry.
> Binds are allowed even for users with expired passwords.
>
> Are others using the LDAP directly ? If yes, how are you handling the
> password expiry.
>
> Thanks.
> --Prashant
>
>

There is a bit of a chicken and egg problem, see https://fedorahosted.org/freeipa/ticket/1539

rob

From randym at chem.byu.edu Fri Jun 10 17:41:33 2016
From: randym at chem.byu.edu (Randy Morgan)
Date: Fri, 10 Jun 2016 11:41:33 -0600
Subject: [Freeipa-users] Redhat Summit
Message-ID: <4982207e-ad99-60f2-c21e-c09d15993fc8@chem.byu.edu>

So I have a slightly different question. Redhat Summit is the end of this month, and I was wondering why FreeIPA was not doing a presentation at the summit? This is a subject I would be very interested in at the summit.

Randy

--
Randy Morgan
CSR
Department of Chemistry and Biochemistry
Brigham Young University
801-422-4100

From rcritten at redhat.com Fri Jun 10 17:51:14 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 10 Jun 2016 13:51:14 -0400
Subject: [Freeipa-users] Redhat Summit
In-Reply-To: <4982207e-ad99-60f2-c21e-c09d15993fc8@chem.byu.edu>
References: <4982207e-ad99-60f2-c21e-c09d15993fc8@chem.byu.edu>
Message-ID: <575AFE12.1060607@redhat.com>

Randy Morgan wrote:
> So I have a slightly different question. Redhat Summit is the end of
> this month, and I was wondering why FreeIPA was not doing a presentation
> at the summit? This is a subject I would be very interested in at the
> summit.
>
> Randy
>

IPA will be there in at least these sessions:

Practical steps implementing Red Hat identity management solution
https://rh2016.smarteventscloud.com/connect/sessionDetail.ww?SESSION_ID=45364

Red Hat identity and access management vision, solution, and roadmap
https://rh2016.smarteventscloud.com/connect/sessionDetail.ww?SESSION_ID=46061

and a lab:

Up and running with Red Hat identity management
https://rh2016.smarteventscloud.com/connect/sessionDetail.ww?SESSION_ID=45128

There will also be folks in a booth showing demos and answering questions.

rob

From randym at chem.byu.edu Fri Jun 10 17:54:21 2016
From: randym at chem.byu.edu (Randy Morgan)
Date: Fri, 10 Jun 2016 11:54:21 -0600
Subject: [Freeipa-users] Redhat Summit
In-Reply-To: <575AFE12.1060607@redhat.com>
References: <4982207e-ad99-60f2-c21e-c09d15993fc8@chem.byu.edu> <575AFE12.1060607@redhat.com>
Message-ID:

Awesome, Thanks Rob, I am looking forward to it.

Randy

Randy Morgan
CSR
Department of Chemistry and Biochemistry
Brigham Young University
801-422-4100

On 6/10/2016 11:51 AM, Rob Crittenden wrote:
> Randy Morgan wrote:
>> So I have a slightly different question. Redhat Summit is the end of
>> this month, and I was wondering why FreeIPA was not doing a presentation
>> at the summit? This is a subject I would be very interested in at the
>> summit.
>>
>> Randy
>>
>
> IPA will be there in at least these sessions:
>
> Practical steps implementing Red Hat identity management solution
> https://rh2016.smarteventscloud.com/connect/sessionDetail.ww?SESSION_ID=45364
>
> Red Hat identity and access management vision, solution, and roadmap
> https://rh2016.smarteventscloud.com/connect/sessionDetail.ww?SESSION_ID=46061
>
> and a lab:
>
> Up and running with Red Hat identity management
> https://rh2016.smarteventscloud.com/connect/sessionDetail.ww?SESSION_ID=45128
>
> There will also be folks in a booth showing demos and answering
> questions.
>
> rob

From mitra.dehghan at gmail.com Fri Jun 10 18:08:33 2016
From: mitra.dehghan at gmail.com (Mitra Dehghan)
Date: Fri, 10 Jun 2016 22:38:33 +0430
Subject: [Freeipa-users] problem in sudo policy when target commands use local environment variables
In-Reply-To: <6FB2F9495EBCAB469F1F3B0E0FA02107A02CCF3F@itxxmb001.exhosted.itec.suny.edu>
References: <6FB2F9495EBCAB469F1F3B0E0FA02107A02CCF3F@itxxmb001.exhosted.itec.suny.edu>
Message-ID:

Dear Paul,

Thanks for your suggestion. It worked. By the way, using the -i option I had to change the sudocmd definition in the IPA SERVER to "/bin/bash -c /path/to/target_cmd"; after that the -i option worked successfully.

Thanks a lot.

On Jun 6, 2016 8:33 PM, "Brennan, Paul J" wrote:
> Hi Mitra,
> I'm not sure if '-H' is the best option for this. If I'm reading the
> documentation correctly, it sounds like that option only sets the value of
> $HOME to ~srvusr. You may want to try:
>
> $ sudo -u srvusr -i /path/to/target_cmd
>
> That should run the command using a login shell for srvusr, instantiating
> that user's variables.
>
> Good luck,
> Paul Brennan
>
> (Apologies if this ends up in the wrong thread or something, I just signed
> up to this list.)
> > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Fri Jun 10 18:48:54 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 10 Jun 2016 14:48:54 -0400 Subject: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError) In-Reply-To: <11A7EF75-24E7-4F02-9BB7-B128EF8005E9@high5games.com> References: <8776E3A1-A1DE-42FA-9C11-B32BDFC88D48@high5games.com> <11A7EF75-24E7-4F02-9BB7-B128EF8005E9@high5games.com> Message-ID: <575B0B96.8070502@redhat.com> Dan.Finkelstein at high5games.com wrote: > An update: The journalctl command has some really interesting output: > > Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: WARNING: Symbolic > link '/var/lib/pki/pki-tomcat/alias' does NOT exist! > > Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: INFO: Attempting to > create '/var/lib/pki/pki-tomcat/alias' -> '/etc/pki/pki-tomcat/aliJun 10 > 11:16:23 ipa.example.com pkidaemon[25032]: ln: failed to create symbolic > link ?/var/lib/pki/pki-tomcat/alias?: Permission denied > > Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ERROR: Failed to > create '/var/lib/pki/pki-tomcat/alias' -> '/etc/pki/pki-tomcat/alias'Jun > 10 11:16:23 ipa.example.com pkidaemon[25032]: WARNING: Symbolic link > '/var/lib/pki/pki-tomcat/logs' does NOT exist! > > Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: INFO: Attempting to > create '/var/lib/pki/pki-tomcat/logs' -> '/var/log/pki/pki-tomcat'Jun 10 > 11:16:23 ipa.example.com pkidaemon[25032]: ln: failed to create symbolic > link ?/var/lib/pki/pki-tomcat/logs?: Permission denied > > Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ERROR: Failed to > create '/var/lib/pki/pki-tomcat/logs' -> '/var/log/pki/pki-tomcat'! 
> > Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: WARNING: Symbolic > link '/var/lib/pki/pki-tomcat/bin' does NOT exist! > > Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: INFO: Attempting to > create '/var/lib/pki/pki-tomcat/bin' -> '/usr/share/tomcat/bin' . Jun 10 > 11:16:23 ipa.example.com pkidaemon[25032]: ln: failed to create symbolic > link ?/var/lib/pki/pki-tomcat/bin?: Permission denied > > Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ERROR: Failed to > create '/var/lib/pki/pki-tomcat/bin' -> '/usr/share/tomcat/bin'! > > Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: WARNING: Symbolic > link '/var/lib/pki/pki-tomcat/conf' does NOT exist! > > Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: INFO: Attempting to > create '/var/lib/pki/pki-tomcat/conf' -> '/etc/pki/pki-tomcat' . .Jun 10 > 11:16:23 ipa.example.com pkidaemon[25032]: ln: failed to create symbolic > link ?/var/lib/pki/pki-tomcat/conf?: Permission denied > > Jun 10 11:16:23 ipa.example.com pkidaemon[25032]: ERROR: Failed to > create '/var/lib/pki/pki-tomcat/conf' -> '/etc/pki/pki-tomcat'! > > Jun 10 11:16:23 ipa.example.com systemd[1]: > pki-tomcatd at pki-tomcat.service: control process exited, code=exited status=1 > > Jun 10 11:16:23 ipa.example.com systemd[1]: Failed to start PKI Tomcat > Server pki-tomcat. > > Which makes me think All we have to do is create the right directory > structures/links and/or change the file permissions? But which ones and > to whom? I'd reinstall some rpms to properly create these: tomcat pki-base pki-server I'm not positive it will fix permissions, rpm -V on the same may point out problems as well. 
rob > > ?Dan > > > > *Daniel Alex Finkelstein*| Lead Dev Ops Engineer > > _Dan.Finkelstein at h5g.com _ | 212.604.3447 > > One World Trade Center, New York, NY 10007 > > www.high5games.com > > Play High 5 Casino and Shake > the Sky > > Follow us on: Facebook , Twitter > , YouTube > , Linkedin > > > // > > /This message and any attachments may contain confidential or privileged > information and are only for the use of the intended recipient of this > message. If you are not the intended recipient, please notify the sender > by return email, and delete or destroy this and all copies of this > message and all attachments. Any unauthorized disclosure, use, > distribution, or reproduction of this message or any attachments is > prohibited and may be unlawful./ > > *From: * on behalf of Daniel > Finkestein > *Date: *Wednesday, June 8, 2016 at 17:11 > *To: *"freeipa-users at redhat.com" > *Subject: *[Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA > Error 4301: CertificateOperationError) > > I have a promoted CA master/FreeIPA 4.2.0 instance on CentOS 7 that > emits this error in the httpd logs whenever the WebUI tries to see the > certificates page: > > [Wed Jun 08 16:56:27.052106 2016] [:error] [pid 2863] ipa: ERROR: > ipaserver.plugins.dogtag.ra.find(): Unable to communicate with CMS > ([Errno 111] Connection refused) > > [Wed Jun 08 16:56:27.052401 2016] [:error] [pid 2863] ipa: INFO: > [jsonserver_session] dfinkelstein at EXAMPLE.COM: > cert_find(version=u'2.156'): CertificateOperationError > > The certificates appear as follows: > > [root at ipa httpd]# certutil -L -d /etc/httpd/alias/ > > Certificate Nickname Trust > Attributes > > > SSL,S/MIME,JAR/XPI > > Server-Cert u,u,u > > auditSigningCert cert-pki-ca u,u,u > > EXAMPLE.COM IPA CA CTu,u,Cu > > ipaCert u,u,u > > ocspSigningCert cert-pki-ca u,u,u > > subsystemCert cert-pki-ca u,u,u > > Upon reboot, httpd fails to start with the error: Failed to start > Identity, Policy, Audit. 
But it can be started later with `ipactl > restart`. Finally, the two last IPA services don't appear to start: > > [root at ipa]# ipactl status > > Directory Service: RUNNING > > krb5kdc Service: RUNNING > > kadmin Service: RUNNING > > named Service: RUNNING > > ipa_memcached Service: RUNNING > > httpd Service: RUNNING > > pki-tomcatd Service: RUNNING > > ipa-otpd Service: STOPPED > > ipa-dnskeysyncd Service: STOPPED > > ipa: INFO: The ipactl command was successful > > I'd appreciate any guidance or suggestions. > > Thanks, > > Dan > > > > *Daniel Alex Finkelstein*| Senior Dev Ops Engineer > > _Dan.Finkelstein at h5g.com _ | 212.604.3447 > > One World Trade Center, New York, NY 10007 > > www.high5games.com > > Play High 5 Casino and Shake > the Sky > > Follow us on: Facebook , Twitter > , YouTube > , Linkedin > > > // > > /This message and any attachments may contain confidential or privileged > information and are only for the use of the intended recipient of this > message. If you are not the intended recipient, please notify the sender > by return email, and delete or destroy this and all copies of this > message and all attachments. Any unauthorized disclosure, use, > distribution, or reproduction of this message or any attachments is > prohibited and may be unlawful./ > > > From Dan.Finkelstein at high5games.com Fri Jun 10 18:52:45 2016 From: Dan.Finkelstein at high5games.com (Dan.Finkelstein at high5games.com) Date: Fri, 10 Jun 2016 18:52:45 +0000 Subject: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError) In-Reply-To: <575B0B96.8070502@redhat.com> References: <8776E3A1-A1DE-42FA-9C11-B32BDFC88D48@high5games.com> <11A7EF75-24E7-4F02-9BB7-B128EF8005E9@high5games.com> <575B0B96.8070502@redhat.com> Message-ID: That?s exactly right, and we got the files and links back to serviceable order. Now we're (merely) facing issues with our restored certificate store, which the pki-tomcatd process is not happy with. 
All IPA services start normally except for tomcat, which spits out SSL errors (and we're pretty sure must be related to bad certs somewhere).

Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
Internal Database Error encountered: Could not connect to LDAP server host ipa.example.com port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
        at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:673)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1107)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1013)
        at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:510)
        at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1601)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
        at javax.servlet.GenericServlet.init(GenericServlet.java:158)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
        at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
        at java.util.concurrent.FutureTask.run(FutureTask.java:262)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:745)

I think we might be willing to toss out the existing certificate store and start anew, which fortunately should preserve the DNS, user, group, etc., data already in LDAP. If we wanted to create a new trust and self-signed cert for the server, how are those steps different from promoting a replica to a cert-signing master?
Thanks,
Dan

Daniel Alex Finkelstein | Lead Dev Ops Engineer

From: Rob Crittenden
Date: Friday, June 10, 2016 at 14:48
To: Daniel Finkestein, "freeipa-users at redhat.com"
Subject: Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)

I'd reinstall some rpms to properly create these:

tomcat
pki-base
pki-server

I'm not positive it will fix permissions, rpm -V on the same may point out problems as well.

rob

From aalam at paperlesspost.com Fri Jun 10 18:59:21 2016
From: aalam at paperlesspost.com (Ash Alam)
Date: Fri, 10 Jun 2016 14:59:21 -0400
Subject: [Freeipa-users] Replication time and relation to cache size
Message-ID:

Hello

I have been going through the lists but I have not found the answer I am looking for. I am seeing a few issues for which I am looking for some clarification.

1. What is the relationship between replication time and cache size?

- I am noticing that it's taking up to 5 minutes for some things to replicate when a change is made on one node and there are two additional masters.
  The ipa nodes are all virtual machines within the same cluster.
- WARNING: changelog: entry cache size 2097152B is less than db size 116154368B; We recommend to increase the entry cache size nsslapd-cachememsize.
- I don't understand the cache size. Wouldn't increasing it cause the same issue when we hit the new limit?
- connection - conn=3779 fd=175 Incoming BER Element was 3 bytes, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.

2. Is there a definitive solution to this error? This seems to pop up every so often.

- NSMMReplicationPlugin - agmt="cn=meToipa009.pp" (ipa009:389): Warning: Attempting to release replica, but unable to receive endReplication extended operation response from the replica. Error -5 (Timed out)

Thank You

From abokovoy at redhat.com Fri Jun 10 19:29:13 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 10 Jun 2016 22:29:13 +0300
Subject: [Freeipa-users] Can't establish trust with 2008 AD
In-Reply-To: <1593556923.713788.1465573003082.JavaMail.yahoo@mail.yahoo.com>
References: <1404603960.350204.1465503770002.JavaMail.yahoo.ref@mail.yahoo.com> <1404603960.350204.1465503770002.JavaMail.yahoo@mail.yahoo.com> <20160609203048.bn3fvbjk5ctifvyy@redhat.com> <1893386531.399624.1465508657306.JavaMail.yahoo@mail.yahoo.com> <20160610041428.gdumaw6cvp2yonzx@redhat.com> <459591492.524111.1465533356241.JavaMail.yahoo@mail.yahoo.com> <20160610055825.kfovvvuc7j6kzgq7@redhat.com> <1593556923.713788.1465573003082.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <20160610192913.wt2pt7l6mf2f7tcu@redhat.com>

On Fri, 10 Jun 2016, pgb205 wrote:
> Alexander, here you go.
> One thing that came to mind that might be a problem. My Active
> directory is adserver.addomain.com while IPA is ipax1.ipadomain; there
> is no suffix. Not sure if that would matter. Anyway here is the log as
> requested.
So here is what we see:

ads_try_connect: sending CLDAP request to 172.19.1.10 (realm: (null))
ads_cldap_netlogon: did not get a reply
ads_try_connect: CLDAP request 172.19.1.10 failed.

You have real connectivity issues -- CLDAP is UDP port 389. Check your firewall.

--
/ Alexander Bokovoy

From Dan.Finkelstein at high5games.com Fri Jun 10 19:33:00 2016
From: Dan.Finkelstein at high5games.com (Dan.Finkelstein at high5games.com)
Date: Fri, 10 Jun 2016 19:33:00 +0000
Subject: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)
In-Reply-To:
References: <8776E3A1-A1DE-42FA-9C11-B32BDFC88D48@high5games.com> <11A7EF75-24E7-4F02-9BB7-B128EF8005E9@high5games.com> <575B0B96.8070502@redhat.com>
Message-ID: <4FD7DA07-768F-4EFF-AECB-F49007407213@high5games.com>

And, from the 'ipactl -d --ignore-service-failures restart' we get this:

ipa: DEBUG: stderr=
ipa: DEBUG: wait_for_open_ports: localhost [8080, 8443] timeout 300
ipa: DEBUG: Waiting until the CA is running
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
ipa: DEBUG: Process finished, return code=4
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=--2016-06-10 15:29:38--  https://ipa.example.com:8443/ca/admin/ca/getStatus
Resolving ipa.example.com (ipa.example.com)... 10.55.10.31
Connecting to ipa.example.com (ipa.example.com)|10.55.10.31|:8443... connected.
Unable to establish SSL connection.

ipa: DEBUG: The CA status is: check interrupted due to error: Command ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'' returned non-zero exit status 4
ipa: DEBUG: Waiting for CA to start...
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
ipa: DEBUG: Process finished, return code=4
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=--2016-06-10 15:29:43--  https://ipa.example.com:8443/ca/admin/ca/getStatus
Resolving ipa.example.com (ipa.example.com)... 10.55.10.31
Connecting to ipa.example.com (ipa.example.com)|10.55.10.31|:8443... connected.
Unable to establish SSL connection.

ipa: DEBUG: The CA status is: check interrupted due to error: Command ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'' returned non-zero exit status 4
ipa: DEBUG: Waiting for CA to start...
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'

Which leads me to believe that tomcat doesn't have the right certificate(s).

Daniel Alex Finkelstein | Lead Dev Ops Engineer
From randym at chem.byu.edu Fri Jun 10 20:26:10 2016
From: randym at chem.byu.edu (Randy Morgan)
Date: Fri, 10 Jun 2016 14:26:10 -0600
Subject: [Freeipa-users] Redhat Summit
In-Reply-To: <575AFE12.1060607@redhat.com>
References: <4982207e-ad99-60f2-c21e-c09d15993fc8@chem.byu.edu> <575AFE12.1060607@redhat.com>
Message-ID: <43073180-d733-40ba-e4aa-cc7ffcd55109@chem.byu.edu>

Do you know the vendor name on the booth, or will it be under Redhat?

Randy

Randy Morgan
CSR
Department of Chemistry and Biochemistry
Brigham Young University
801-422-4100

On 6/10/2016 11:51 AM, Rob Crittenden wrote:
> Randy Morgan wrote:
>> So I have a slightly different question. Redhat Summit is the end of
>> this month, and I was wondering why FreeIPA was not doing a presentation
>> at the summit? This is a subject I would be very interested in at the
>> summit.
>>
>> Randy
>>
>
> IPA will be there in at least these sessions:
>
> Practical steps implementing Red Hat identity management solution
> https://rh2016.smarteventscloud.com/connect/sessionDetail.ww?SESSION_ID=45364
>
> Red Hat identity and access management vision, solution, and roadmap
> https://rh2016.smarteventscloud.com/connect/sessionDetail.ww?SESSION_ID=46061
>
> and a lab:
>
> Up and running with Red Hat identity management
> https://rh2016.smarteventscloud.com/connect/sessionDetail.ww?SESSION_ID=45128
>
> There will also be folks in a booth showing demos and answering
> questions.
>
> rob

From Nathan.Peters at globalrelay.net Fri Jun 10 21:05:59 2016
From: Nathan.Peters at globalrelay.net (Nathan Peters)
Date: Fri, 10 Jun 2016 21:05:59 +0000
Subject: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails
In-Reply-To:
References: <20160607204327.GA6308@hendrix>
Message-ID:

This is definitely an actual problem. Can someone please take a look at this and confirm that it is a bug in CentOS 6.8?
In order to confirm that it was not our Katello installation that was causing this, I created a brand new CentOS 6.8 installation by downloading the DVD from centos.org. I selected a minimal installation, and upon install, I just ran the following 2 commands (nothing else has been done to this system):

# yum -y install ipa-client
# ipa-client-install --enable-dns-updates --mkhomedir

Then I tried to login using a FreeIPA account that is a member of both hbac and sudo access to all rules and it succeeded. Then I tried to sudo and it prompted me for a password and then claimed I was not allowed to run sudo.

login as: nathan.peters
nathan.peters at 10.178.17.15's password:
Creating home directory for nathan.peters.
[nathan.peters at centos68test ~]$ sudo su -

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for nathan.peters:
nathan.peters is not allowed to run sudo on centos68test.  This incident will be reported.
[nathan.peters at centos68test ~]$

Has anyone actually gotten sudo working on CentOS 6.8? I'd love to hear how because I have a 100% failure rate for this no matter what provisioning method I use...

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Nathan Peters
Sent: Wednesday, June 8, 2016 11:14 AM
To: Jakub Hrozek; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

I'm pretty lost here. I tried following the directions on that page but the results still make no sense to me. From what I can see, the account is successfully authorized, and the groups that I am part of are found and some sudo rules are found, but then I am denied access for no reason.
This is not working on any CentOS 6.8 server, and working properly on all previous versions of CentOS. I have tried several steps including deleting and re-creating the 6.8 hosts, and unjoining them and re-joining them to the domain. Nothing helps.

========== /var/log/sudo_debug ======================
Jun 8 16:56:01 sudo[7277] <- sudo_pam_verify @ ./auth/pam.c:138 := 0
Jun 8 16:56:01 sudo[7277] <- verify_user @ ./auth/sudo_auth.c:282 := 1
Jun 8 16:56:01 sudo[7277] -> sudo_auth_cleanup @ ./auth/sudo_auth.c:160
Jun 8 16:56:01 sudo[7277] -> sudo_pam_cleanup @ ./auth/pam.c:185
Jun 8 16:56:01 sudo[7277] <- sudo_pam_cleanup @ ./auth/pam.c:189 := 0
Jun 8 16:56:01 sudo[7277] <- sudo_auth_cleanup @ ./auth/sudo_auth.c:177 := 0
Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref @ ./pwutil.c:249
Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref @ ./pwutil.c:251
Jun 8 16:56:01 sudo[7277] <- check_user @ ./check.c:189 := true
Jun 8 16:56:01 sudo[7277] -> log_failure @ ./logging.c:318
Jun 8 16:56:01 sudo[7277] -> log_denial @ ./logging.c:256
Jun 8 16:56:01 sudo[7277] -> audit_failure @ ./audit.c:68
Jun 8 16:56:01 sudo[7277] -> linux_audit_command @ ./linux_audit.c:70
Jun 8 16:56:01 sudo[7277] -> linux_audit_open @ ./linux_audit.c:49
Jun 8 16:56:01 sudo[7277] <- linux_audit_open @ ./linux_audit.c:61 := 15
Jun 8 16:56:01 sudo[7277] <- linux_audit_command @ ./linux_audit.c:97 := 3
Jun 8 16:56:01 sudo[7277] <- audit_failure @ ./audit.c:81
Jun 8 16:56:01 sudo[7277] -> new_logline @ ./logging.c:746
Jun 8 16:56:01 sudo[7277] <- new_logline @ ./logging.c:867 := user NOT authorized on host ; TTY=pts/1 ; PWD=/home/nathan.peters ; USER=root ; COMMAND=/bin/su -
Jun 8 16:56:01 sudo[7277] -> should_mail @ ./logging.c:712
Jun 8 16:56:01 sudo[7277] <- should_mail @ ./logging.c:717 := false
Jun 8 16:56:01 sudo[7277] -> do_syslog @ ./logging.c:138
Jun 8 16:56:01 sudo[7277] -> mysyslog @ ./logging.c:96
Jun 8 16:56:01 sudo[7277] <- mysyslog @ ./logging.c:119
Jun 8 16:56:01 sudo[7277] <- do_syslog @ ./logging.c:185
Jun 8 16:56:01 sudo[7277] <- log_denial @ ./logging.c:309
Jun 8 16:56:01 sudo[7277] <- log_failure @ ./logging.c:341
Jun 8 16:56:01 sudo[7277] -> rewind_perms @ ./set_perms.c:90
Jun 8 16:56:01 sudo[7277] -> restore_perms @ ./set_perms.c:363
Jun 8 16:56:01 sudo[7277] restore_perms: uid: [756600344, 0, 0] -> [756600344, 0, 0]
Jun 8 16:56:01 sudo[7277] restore_perms: gid: [756600344, 756600344, 756600344] -> [756600344, 756600344, 756600344]
Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref @ ./pwutil.c:816
Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref @ ./pwutil.c:818
Jun 8 16:56:01 sudo[7277] <- restore_perms @ ./set_perms.c:407
Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref @ ./pwutil.c:816
Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref @ ./pwutil.c:818
Jun 8 16:56:01 sudo[7277] <- rewind_perms @ ./set_perms.c:96
Jun 8 16:56:01 sudo[7277] -> sudo_endpwent @ ./pwutil.c:443
Jun 8 16:56:01 sudo[7277] -> sudo_freepwcache @ ./pwutil.c:426
Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
Jun 8 16:56:01 sudo[7277] <- sudo_freepwcache @ ./pwutil.c:437
Jun 8 16:56:01 sudo[7277] <- sudo_endpwent @ ./pwutil.c:448
Jun 8 16:56:01 sudo[7277] -> sudo_endgrent @ ./pwutil.c:861
Jun 8 16:56:01 sudo[7277] -> sudo_freegrcache @ ./pwutil.c:840
Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun 8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ ./pwutil.c:657
Jun 8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ ./pwutil.c:662
Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun 8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ ./pwutil.c:657
Jun 8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ ./pwutil.c:662
Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
Jun 8 16:56:01 sudo[7277] <- sudo_freegrcache @ ./pwutil.c:855
Jun 8 16:56:01 sudo[7277] <- sudo_endgrent @ ./pwutil.c:866
Jun 8 16:56:01 sudo[7277] <- sudoers_policy_main @ ./sudoers.c:753 := false
Jun 8 16:56:01 sudo[7277] <- sudoers_policy_check @ ./sudoers.c:766 := false
Jun 8 16:56:01 sudo[7277] <- policy_check @ ./sudo.c:1204 := false
Jun 8 16:56:01 sudo[7277] policy plugin returns 0

============== /var/log/sssd/sssd_sudo.log =====================
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [nathan.peters] from []
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/dev-mydomain.net/nathan.peters]
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [nathan.peters at dev-mydomain.net]
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [nathan.peters at dev-mydomain.net]
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [nathan.peters] from [dev-mydomain.net]
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))]
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@dev-mydomain.net]
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [nathan.peters] from []
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/dev-mydomain.net/nathan.peters]
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [nathan.peters at dev-mydomain.net]
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [nathan.peters at dev-mydomain.net]
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [nathan.peters] from [dev-mydomain.net]
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))]
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))]
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 2 rules for [nathan.peters at dev-mydomain.net]
(Wed Jun 8 17:39:16 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Wed Jun 8 17:39:16 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jun 8 17:39:17 2016) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
(Wed Jun 8 17:39:17 2016) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x1091360][17]
(Wed Jun 8 17:39:26 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Wed Jun 8 17:39:26 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit

============= /var/log/sssd/sssd_mydomain.log ==============
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=deployment_engineer]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_req_set_domain] (0x0400): Changing request domain from [dev-mydomain.net] to [dev-mydomain.net]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=dev-mydomain,dc=net]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_print_server] (0x2000): Searching 10.178.0.98
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net].
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 14
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 14 timeout 6
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xebb690], ldap[0xea8500]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 14 finished
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] (0x0400): No such entry
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=sysadmins]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_req_set_domain] (0x0400): Changing request domain from [dev-mydomain.net] to [dev-mydomain.net]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=dev-mydomain,dc=net]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_print_server] (0x2000): Searching 10.178.0.98
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net].
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 15 timeout 6
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xeaaf30], ldap[0xea8500]
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 15 finished
(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0
results. (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] (0x0400): No such entry (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500] (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! ===== output of ldap query manually copied from the sssd_sudo.log first search returns nothing second search returns 2 rules ================== [root at cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))' asq: Unable to register control with rootdse! # returned 0 records # 0 entries # 0 referrals [root at cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))' asq: Unable to register control with rootdse! 
# record 1 dn: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb cn: s_allow_deployment_engineer_to_all dataExpireTimestamp: 1465412946 name: s_allow_deployment_engineer_to_all objectClass: sudoRule sudoCommand: ALL sudoHost: ALL sudoOption: !authenticate sudoRunAsGroup: ALL sudoRunAsUser: ALL sudoUser: %deployment_engineer distinguishedName: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=cus tom,cn=dev-mydomain.net,cn=sysdb # record 2 dn: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb cn: s_allow_sysadmins_to_all dataExpireTimestamp: 1465412946 name: s_allow_sysadmins_to_all objectClass: sudoRule sudoCommand: ALL sudoHost: ALL sudoOption: !authenticate sudoRunAsGroup: ALL sudoRunAsUser: ALL sudoUser: %sysadmins distinguishedName: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev -mydomain.net,cn=sysdb # returned 2 records # 2 entries # 0 referrals ====== output of ldap query against directory for search used in the sssd_domain.log =========== [root at cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))' # extended LDIF # # LDAPv3 # base with scope subtree # filter: (&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0)))) # requesting: ALL # # search result search: 2 result: 0 Success # numResponses: 1 [root at cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))' # extended LDIF # # LDAPv3 # base with scope subtree # filter: (&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0)))) # requesting: ALL # # search result search: 2 result: 0 
Success # numResponses: 1 -----Original Message----- From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jakub Hrozek Sent: Tuesday, June 7, 2016 1:43 PM To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails On Tue, Jun 07, 2016 at 08:21:21PM +0000, Nathan Peters wrote: > I have a fresh installation of CentOS 6.8 joined to a FreeIPA 4.3.0 domain on Fedora 23. > > When I try to sudo on this host, it fails. Here are the log entries from /var/log/secure. Note that we have several hundred CentOS 6.5-6.7 machines where this works fine. > > Is this a new bug in CentOS 6.8? It's true that in 6.8, the sudo part was changed quite a bit, but we haven't heard about any bugs so far. Could you please follow: https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO and also: https://fedorahosted.org/sssd/wiki/Troubleshooting to inspect SSSD logs? For authentication failed you'll probably want to take a look at the domain logs and maybe the krb5_child.log -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project From rcritten at redhat.com Fri Jun 10 21:16:07 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 10 Jun 2016 17:16:07 -0400 Subject: [Freeipa-users] Redhat Summit In-Reply-To: <43073180-d733-40ba-e4aa-cc7ffcd55109@chem.byu.edu> References: <4982207e-ad99-60f2-c21e-c09d15993fc8@chem.byu.edu> <575AFE12.1060607@redhat.com> <43073180-d733-40ba-e4aa-cc7ffcd55109@chem.byu.edu> Message-ID: <575B2E17.6040500@redhat.com> Randy Morgan wrote: > Do you know the vendor name on the booth, or will it be under Redhat? I'm told there will be an Identity Management kiosk/demo area at the Red Hat booth. 
rob

> Randy
>
> Randy Morgan
> CSR
> Department of Chemistry and Biochemistry
> Brigham Young University
> 801-422-4100
>
> On 6/10/2016 11:51 AM, Rob Crittenden wrote:
>> Randy Morgan wrote:
>>> So I have a slightly different question. Redhat Summit is the end of
>>> this month, and I was wondering why FreeIPA was not doing a presentation
>>> at the summit? This is a subject I would be very interested in at the
>>> summit.
>>>
>>> Randy
>>
>> IPA will be there in at least these sessions:
>>
>> Practical steps implementing Red Hat identity management solution
>> https://rh2016.smarteventscloud.com/connect/sessionDetail.ww?SESSION_ID=45364
>>
>> Red Hat identity and access management vision, solution, and roadmap
>> https://rh2016.smarteventscloud.com/connect/sessionDetail.ww?SESSION_ID=46061
>>
>> and a lab:
>>
>> Up and running with Red Hat identity management
>> https://rh2016.smarteventscloud.com/connect/sessionDetail.ww?SESSION_ID=45128
>>
>> There will also be folks in a booth showing demos and answering
>> questions.
>>
>> rob

From rcritten at redhat.com Fri Jun 10 21:17:49 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 10 Jun 2016 17:17:49 -0400
Subject: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)
In-Reply-To: <4FD7DA07-768F-4EFF-AECB-F49007407213@high5games.com>
References: <8776E3A1-A1DE-42FA-9C11-B32BDFC88D48@high5games.com> <11A7EF75-24E7-4F02-9BB7-B128EF8005E9@high5games.com> <575B0B96.8070502@redhat.com> <4FD7DA07-768F-4EFF-AECB-F49007407213@high5games.com>
Message-ID: <575B2E7D.4050206@redhat.com>

Dan.Finkelstein at high5games.com wrote:
> And, from the 'ipactl -d --ignore-service-failures restart' we get this:
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: wait_for_open_ports: localhost [8080, 8443] timeout 300
> ipa: DEBUG: Waiting until the CA is running
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
> ipa: DEBUG: Process finished, return code=4
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=--2016-06-10 15:29:38-- https://ipa.example.com:8443/ca/admin/ca/getStatus
> Resolving ipa.example.com (ipa.example.com)... 10.55.10.31
> Connecting to ipa.example.com (ipa.example.com)|10.55.10.31|:8443... connected.
> Unable to establish SSL connection.
> ipa: DEBUG: The CA status is: check interrupted due to error: Command ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'' returned non-zero exit status 4
> ipa: DEBUG: Waiting for CA to start...
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
> ipa: DEBUG: Process finished, return code=4
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=--2016-06-10 15:29:43-- https://ipa.example.com:8443/ca/admin/ca/getStatus
> Resolving ipa.example.com (ipa.example.com)... 10.55.10.31
> Connecting to ipa.example.com (ipa.example.com)|10.55.10.31|:8443... connected.
> Unable to establish SSL connection.
> ipa: DEBUG: The CA status is: check interrupted due to error: Command ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'' returned non-zero exit status 4
> ipa: DEBUG: Waiting for CA to start...
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
>
> Which leads me to believe that tomcat doesn't have the right certificate(s).

I don't think that's the problem. I'd check the pki logs to see if it started and if not, why. Note that it is quite possible for tomcat to start and the CA to fail because tomcat is just a container.

In a previous e-mail you said something about a restore, what was that?

rob

> *Daniel Alex Finkelstein*| Lead Dev Ops Engineer
> _Dan.Finkelstein at h5g.com _| 212.604.3447
> One World Trade Center, New York, NY 10007
> www.high5games.com
> Play High 5 Casino and Shake the Sky
> Follow us on: Facebook, Twitter, YouTube, Linkedin
>
> /This message and any attachments may contain confidential or privileged
> information and are only for the use of the intended recipient of this
> message. If you are not the intended recipient, please notify the sender
> by return email, and delete or destroy this and all copies of this
> message and all attachments.
Any unauthorized disclosure, use, > distribution, or reproduction of this message or any attachments is > prohibited and may be unlawful./ > > *From: * on behalf of Daniel > Finkestein > *Date: *Friday, June 10, 2016 at 14:52 > *To: *"freeipa-users at redhat.com" > *Subject: *Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA > Error 4301: CertificateOperationError) > > That?s exactly right, and we got the files and links back to serviceable > order. Now we're (merely) facing issues with our restored certificate > store, which the pki-tomcatd process is not happy with. All IPA services > start normally except for tomcat, which spits out SSL errors (and we're > pretty sure must be related to bad certs somewhere). > > Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1) > > Internal Database Error encountered: Could not connect to LDAP server > host ipa.example.com port 636 Error netscape.ldap.LDAPException: IO > Error creating JSS SSL Socket (-1) > > at > com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:673) > > at > com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1107) > > at > com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1013) > > at > com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:510) > > at com.netscape.certsrv.apps.CMS.init(CMS.java:187) > > at com.netscape.certsrv.apps.CMS.start(CMS.java:1601) > > at > com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114) > > at > javax.servlet.GenericServlet.init(GenericServlet.java:158) > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native > Method) > > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) > > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > > at java.lang.reflect.Method.invoke(Method.java:606) > > at > org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) > > at > 
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) > > at java.security.AccessController.doPrivileged(Native > Method) > > at > javax.security.auth.Subject.doAsPrivileged(Subject.java:536) > > at > org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) > > at > org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169) > > at > org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123) > > at > org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272) > > at > org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197) > > at > org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087) > > at > org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210) > > at > org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493) > > at > org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) > > at > org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901) > > at > org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133) > > at > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156) > > at > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) > > at java.security.AccessController.doPrivileged(Native > Method) > > at > org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875) > > at > org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632) > > at > org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672) > > at > org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862) > > at > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) > > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > > at > 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> at java.lang.Thread.run(Thread.java:745)
>
> I think we might be willing to toss out the existing certificate store
> and start anew, which fortunately should preserve the DNS, user, group,
> etc., data already in LDAP. If we wanted to create a new trust and
> self-signed cert for the server, how are those steps different from
> promoting a replica to a cert-signing master?
>
> Thanks,
>
> Dan
>
> *From: *Rob Crittenden
> *Date: *Friday, June 10, 2016 at 14:48
> *To: *Daniel Finkestein , "freeipa-users at redhat.com"
> *Subject: *Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)
>
> I'd reinstall some rpms to properly create these:
>
> tomcat
> pki-base
> pki-server
>
> I'm not positive it will fix permissions, rpm -V on the same may point
> out problems as well.
>
> rob

From lslebodn at redhat.com Sat Jun 11 09:01:44 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Sat, 11 Jun 2016 11:01:44 +0200
Subject: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails
In-Reply-To:
References: <20160607204327.GA6308@hendrix>
Message-ID: <20160611090142.GA18966@10.4.128.1>

On (08/06/16 18:14), Nathan Peters wrote:
>I'm pretty lost here. I tried following the directions on that page but the results still make no sense to me. From what I can see, the account is successfully authorized, and the groups that I am part of are found and some sudo rules are found, but then I am denied access for no reason. This is not working on any CentOS 6.8 server, and working properly on all previous versions of CentOS. I have tried several steps including deleting and re-creating the 6.8 hosts, and unjoining them and re-joining them to the domain. Nothing helps
>
>========== /var/log/sudo_debug ======================
>
>Jun 8 16:56:01 sudo[7277] <- sudo_pam_verify @ ./auth/pam.c:138 := 0
>Jun 8 16:56:01 sudo[7277] <- verify_user @ ./auth/sudo_auth.c:282 := 1
>Jun 8 16:56:01 sudo[7277] -> sudo_auth_cleanup @ ./auth/sudo_auth.c:160
>Jun 8 16:56:01 sudo[7277] -> sudo_pam_cleanup @ ./auth/pam.c:185
>Jun 8 16:56:01 sudo[7277] <- sudo_pam_cleanup @ ./auth/pam.c:189 := 0
>Jun 8 16:56:01 sudo[7277] <- sudo_auth_cleanup @ ./auth/sudo_auth.c:177 := 0
>Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref @ ./pwutil.c:249
>Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
>Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
>Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref @ ./pwutil.c:251
>Jun 8 16:56:01 sudo[7277] <- check_user @ ./check.c:189 := true
>Jun 8 16:56:01 sudo[7277] -> log_failure @ ./logging.c:318
>Jun 8 16:56:01 sudo[7277] -> log_denial @ ./logging.c:256
>Jun 8 16:56:01 sudo[7277] -> audit_failure @ ./audit.c:68
>Jun 8 16:56:01 sudo[7277] -> linux_audit_command @ ./linux_audit.c:70
>Jun 8 16:56:01 sudo[7277] ->
linux_audit_open @ ./linux_audit.c:49 >Jun 8 16:56:01 sudo[7277] <- linux_audit_open @ ./linux_audit.c:61 := 15 >Jun 8 16:56:01 sudo[7277] <- linux_audit_command @ ./linux_audit.c:97 := 3 >Jun 8 16:56:01 sudo[7277] <- audit_failure @ ./audit.c:81 >Jun 8 16:56:01 sudo[7277] -> new_logline @ ./logging.c:746 >Jun 8 16:56:01 sudo[7277] <- new_logline @ ./logging.c:867 := user NOT authorized on host ; TTY=pts/1 ; PWD=/home/nathan.peters ; USER=root ; COMMAND=/bin/su - >Jun 8 16:56:01 sudo[7277] -> should_mail @ ./logging.c:712 >Jun 8 16:56:01 sudo[7277] <- should_mail @ ./logging.c:717 := false >Jun 8 16:56:01 sudo[7277] -> do_syslog @ ./logging.c:138 >Jun 8 16:56:01 sudo[7277] -> mysyslog @ ./logging.c:96 >Jun 8 16:56:01 sudo[7277] <- mysyslog @ ./logging.c:119 >Jun 8 16:56:01 sudo[7277] <- do_syslog @ ./logging.c:185 >Jun 8 16:56:01 sudo[7277] <- log_denial @ ./logging.c:309 >Jun 8 16:56:01 sudo[7277] <- log_failure @ ./logging.c:341 >Jun 8 16:56:01 sudo[7277] -> rewind_perms @ ./set_perms.c:90 >Jun 8 16:56:01 sudo[7277] -> restore_perms @ ./set_perms.c:363 >Jun 8 16:56:01 sudo[7277] restore_perms: uid: [756600344, 0, 0] -> [756600344, 0, 0] >Jun 8 16:56:01 sudo[7277] restore_perms: gid: [756600344, 756600344, 756600344] -> [756600344, 756600344, 756600344] >Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref @ ./pwutil.c:816 >Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805 >Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810 >Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref @ ./pwutil.c:818 >Jun 8 16:56:01 sudo[7277] <- restore_perms @ ./set_perms.c:407 >Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref @ ./pwutil.c:816 >Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805 >Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810 >Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref @ ./pwutil.c:818 >Jun 8 16:56:01 sudo[7277] <- rewind_perms @ ./set_perms.c:96 >Jun 8 16:56:01 sudo[7277] -> sudo_endpwent @ 
./pwutil.c:443 >Jun 8 16:56:01 sudo[7277] -> sudo_freepwcache @ ./pwutil.c:426 >Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359 >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 >Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238 >Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243 >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 >Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362 >Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359 >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 >Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238 >Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243 >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 >Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362 >Jun 8 16:56:01 sudo[7277] <- sudo_freepwcache @ ./pwutil.c:437 >Jun 8 16:56:01 sudo[7277] <- sudo_endpwent @ ./pwutil.c:448 >Jun 8 16:56:01 sudo[7277] -> sudo_endgrent @ ./pwutil.c:861 >Jun 8 16:56:01 sudo[7277] -> sudo_freegrcache @ ./pwutil.c:840 >Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359 >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 >Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362 >Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359 >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 >Jun 8 16:56:01 sudo[7277] <- 
_rbdestroy @ ./redblack.c:349 >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 >Jun 8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ ./pwutil.c:657 >Jun 8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ ./pwutil.c:662 >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 >Jun 8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ ./pwutil.c:657 >Jun 8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ ./pwutil.c:662 >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 >Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362 >Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359 >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341 >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 >Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805 >Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810 >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 >Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805 >Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810 >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349 >Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362 >Jun 8 16:56:01 sudo[7277] <- sudo_freegrcache @ ./pwutil.c:855 >Jun 8 16:56:01 sudo[7277] <- sudo_endgrent @ ./pwutil.c:866 >Jun 8 16:56:01 sudo[7277] <- sudoers_policy_main @ ./sudoers.c:753 := false >Jun 8 16:56:01 
sudo[7277] <- sudoers_policy_check @ ./sudoers.c:766 := false >Jun 8 16:56:01 sudo[7277] <- policy_check @ ./sudo.c:1204 := false >Jun 8 16:56:01 sudo[7277] policy plugin returns 0 > >============== /var/log/sssd/sssd_sudo.log ===================== > >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected! >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1]. >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1]. >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [nathan.peters] from [] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/dev-mydomain.net/nathan.peters] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [nathan.peters at dev-mydomain.net] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [nathan.peters at dev-mydomain.net] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [nathan.peters] from [dev-mydomain.net] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))] >(Wed Jun 8 17:39:12 2016) 
[sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@dev-mydomain.net] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [nathan.peters] from [] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/dev-mydomain.net/nathan.peters] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [nathan.peters at dev-mydomain.net] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [nathan.peters at dev-mydomain.net] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [nathan.peters] from [dev-mydomain.net] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with 
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 2 rules for [nathan.peters at dev-mydomain.net] >(Wed Jun 8 17:39:16 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service >(Wed Jun 8 17:39:16 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit >(Wed Jun 8 17:39:17 2016) [sssd[sudo]] [client_recv] (0x0200): Client disconnected! >(Wed Jun 8 17:39:17 2016) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x1091360][17] >(Wed Jun 8 17:39:26 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service >(Wed Jun 8 17:39:26 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit > >============= /var/log/sssd/sssd_mydomain.log ============== > >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=deployment_engineer] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_req_set_domain] (0x0400): Changing request domain from [dev-mydomain.net] to [dev-mydomain.net] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400): 
Searching for groups with base [cn=accounts,dc=dev-mydomain,dc=net] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_print_server] (0x2000): Searching 10.178.0.98 >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net]. >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 14 >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 14 timeout 6 >(Wed Jun 8 17:39:12 2016) 
[sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xebb690], ldap[0xea8500] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 14 finished >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results. It looks like group deployment_engineer cannot be find in IPA. >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] (0x0400): No such entry >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=sysadmins] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_req_set_domain] (0x0400): Changing request domain from [dev-mydomain.net] to [dev-mydomain.net] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=dev-mydomain,dc=net] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_print_server] (0x2000): Searching 10.178.0.98 >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net]. 
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15 >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 15 timeout 6 >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xeaaf30], ldap[0xea8500] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 15 finished >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for 
groups, returned 0 results. It looks like group sysadmins cannot be find in IPA. >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] (0x0400): No such entry >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! > >===== output of ldap query manually copied from the sssd_sudo.log first search returns nothing second search returns 2 rules ================== > >[root at cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))' >asq: Unable to register control with rootdse! ># returned 0 records ># 0 entries ># 0 referrals > > >[root at cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))' >asq: Unable to register control with rootdse! 
># record 1 >dn: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb >cn: s_allow_deployment_engineer_to_all >dataExpireTimestamp: 1465412946 >name: s_allow_deployment_engineer_to_all >objectClass: sudoRule >sudoCommand: ALL >sudoHost: ALL >sudoOption: !authenticate >sudoRunAsGroup: ALL >sudoRunAsUser: ALL >sudoUser: %deployment_engineer >distinguishedName: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=cus > tom,cn=dev-mydomain.net,cn=sysdb > ># record 2 >dn: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb >cn: s_allow_sysadmins_to_all >dataExpireTimestamp: 1465412946 >name: s_allow_sysadmins_to_all >objectClass: sudoRule >sudoCommand: ALL >sudoHost: ALL >sudoOption: !authenticate >sudoRunAsGroup: ALL >sudoRunAsUser: ALL >sudoUser: %sysadmins >distinguishedName: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev > -mydomain.net,cn=sysdb > ># returned 2 records ># 2 entries ># 0 referrals > >====== output of ldap query against directory for search used in the sssd_domain.log =========== > >[root at cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))' ># extended LDIF ># ># LDAPv3 ># base with scope subtree ># filter: (&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0)))) ># requesting: ALL ># > ># search result >search: 2 >result: 0 Success > ># numResponses: 1 > >[root at cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))' ># extended LDIF ># ># LDAPv3 ># base with scope subtree ># filter: 
(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))
># requesting: ALL
>#
>

LDAP searches confirmed that it's not possible to find groups: deployment_engineer and sysadmins. But you used anonymous search. It would be good if you could provide output for the groups using the ipa command, e.g.:

kinit admin
ipa group-show --all deployment_engineer
ipa group-show --all sysadmins
ipa group-show --raw deployment_engineer
ipa group-show --raw sysadmins

LS

From Dan.Finkelstein at high5games.com Sun Jun 12 17:05:26 2016
From: Dan.Finkelstein at high5games.com (Dan.Finkelstein at high5games.com)
Date: Sun, 12 Jun 2016 17:05:26 +0000
Subject: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)
In-Reply-To: <575B2E7D.4050206@redhat.com>
References: <8776E3A1-A1DE-42FA-9C11-B32BDFC88D48@high5games.com> <11A7EF75-24E7-4F02-9BB7-B128EF8005E9@high5games.com> <575B0B96.8070502@redhat.com> <4FD7DA07-768F-4EFF-AECB-F49007407213@high5games.com> <575B2E7D.4050206@redhat.com>
Message-ID: <55BB6337-5F5F-449C-802E-1DC2097046D8@high5games.com>

The restore I was referring to was a red herring; we ended up wiping the server and saving ipa-backup files, which was the only way we could successfully reconfigure/reinitialize IPA on the host.

Daniel Alex Finkelstein | Lead Dev Ops Engineer
Dan.Finkelstein at h5g.com | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com
Play High 5 Casino and Shake the Sky
Follow us on: Facebook, Twitter, YouTube, Linkedin

This message and any attachments may contain confidential or privileged information and are only for the use of the intended recipient of this message. If you are not the intended recipient, please notify the sender by return email, and delete or destroy this and all copies of this message and all attachments.
Any unauthorized disclosure, use, distribution, or reproduction of this message or any attachments is prohibited and may be unlawful.

From: Rob Crittenden
Date: Friday, June 10, 2016 at 17:17
To: Daniel Finkestein, "freeipa-users at redhat.com"
Subject: Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)

Dan.Finkelstein at high5games.com wrote:

And, from the 'ipactl -d --ignore-service-failures restart' we get this:

ipa: DEBUG: stderr=
ipa: DEBUG: wait_for_open_ports: localhost [8080, 8443] timeout 300
ipa: DEBUG: Waiting until the CA is running
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
ipa: DEBUG: Process finished, return code=4
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=--2016-06-10 15:29:38--  https://ipa.example.com:8443/ca/admin/ca/getStatus
Resolving ipa.example.com (ipa.example.com)... 10.55.10.31
Connecting to ipa.example.com (ipa.example.com)|10.55.10.31|:8443... connected.
Unable to establish SSL connection.
ipa: DEBUG: The CA status is: check interrupted due to error: Command ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'' returned non-zero exit status 4
ipa: DEBUG: Waiting for CA to start...
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'
ipa: DEBUG: Process finished, return code=4
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=--2016-06-10 15:29:43--  https://ipa.example.com:8443/ca/admin/ca/getStatus
Resolving ipa.example.com (ipa.example.com)... 10.55.10.31
Connecting to ipa.example.com (ipa.example.com)|10.55.10.31|:8443... connected.
Unable to establish SSL connection.
ipa: DEBUG: The CA status is: check interrupted due to error: Command ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'' returned non-zero exit status 4
ipa: DEBUG: Waiting for CA to start...
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' 'https://ipa.example.com:8443/ca/admin/ca/getStatus'

Which leads me to believe that tomcat doesn't have the right certificate(s).

I don't think that's the problem. I'd check the pki logs to see if it started and if not, why. Note that it is quite possible for tomcat to start and the CA to fail because tomcat is just a container.

In a previous e-mail you said something about a restore, what was that?

rob

From: Daniel Finkestein
Date: Friday, June 10, 2016 at 14:52
To: "freeipa-users at redhat.com"
Subject: Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)

That's exactly right, and we got the files and links back to serviceable order. Now we're (merely) facing issues with our restored certificate store, which the pki-tomcatd process is not happy with.
All IPA services start normally except for tomcat, which spits out SSL errors (and we're pretty sure must be related to bad certs somewhere).

Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
Internal Database Error encountered: Could not connect to LDAP server host ipa.example.com port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
    at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:673)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1107)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1013)
    at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:510)
    at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1601)
    at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
    at javax.servlet.GenericServlet.init(GenericServlet.java:158)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
    at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
    at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
    at java.util.concurrent.FutureTask.run(FutureTask.java:262)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)

I think we might be willing to toss out the existing certificate store and start anew, which fortunately should preserve the DNS, user, group, etc., data already in LDAP. If we wanted to create a new trust and self-signed cert for the server, how are those steps different from promoting a replica to a cert-signing master?
Thanks,
Dan

From: Rob Crittenden
Date: Friday, June 10, 2016 at 14:48
To: Daniel Finkestein, "freeipa-users at redhat.com"
Subject: Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)

I'd reinstall some rpms to properly create these:

tomcat
pki-base
pki-server

I'm not positive it will fix permissions, rpm -V on the same may point out problems as well.

rob

From Dan.Finkelstein at high5games.com Sun Jun 12 17:13:51 2016
From: Dan.Finkelstein at high5games.com (Dan.Finkelstein at high5games.com)
Date: Sun, 12 Jun 2016 17:13:51 +0000
Subject: [Freeipa-users] FreeIPA 4.2, CentOS 7: WebUI login "Decrypt integrity check failed" after restore
Message-ID:

We restored data (just the data) from an ipa-backup on a newly-installed and configured host and with an LDAP browser we can see the data; however, the DNS data doesn't appear to be available over port 53 (selinux & firewall deactivated) and we can't log in as any of the preserved users.
In the httpd error logs we see output like this:

[Sun Jun 12 13:02:56.669035 2016] [:error] [pid 15624] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Sun Jun 12 13:02:56.669118 2016] [:error] [pid 15624] ipa: DEBUG: WSGI jsonserver_session.__call__:
[Sun Jun 12 13:02:56.669915 2016] [:error] [pid 15624] ipa: DEBUG: no session id in request, generating empty session data with id=70632094201d72deec8d6aed0a0c4ace
[Sun Jun 12 13:02:56.670014 2016] [:error] [pid 15624] ipa: DEBUG: store session: session_id=70632094201d72deec8d6aed0a0c4ace start_timestamp=2016-06-12T13:02:56 access_timestamp=2016-06-12T13:02:56 expiration_timestamp=1969-12-31T19:00:00
[Sun Jun 12 13:02:56.670231 2016] [:error] [pid 15624] ipa: DEBUG: jsonserver_session.__call__: session_id=70632094201d72deec8d6aed0a0c4ace start_timestamp=2016-06-12T13:02:56 access_timestamp=2016-06-12T13:02:56 expiration_timestamp=1969-12-31T19:00:00
[Sun Jun 12 13:02:56.670271 2016] [:error] [pid 15624] ipa: DEBUG: no ccache, need login
[Sun Jun 12 13:02:56.670304 2016] [:error] [pid 15624] ipa: DEBUG: jsonserver_session: 401 Unauthorized need login
[Sun Jun 12 13:03:06.961830 2016] [:error] [pid 15623] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Sun Jun 12 13:03:06.961921 2016] [:error] [pid 15623] ipa: DEBUG: WSGI login_password.__call__:
[Sun Jun 12 13:03:07.070179 2016] [:error] [pid 15623] ipa: DEBUG: Obtaining armor ccache: principal=HTTP/ipa.EXAMPLE.COM at EXAMPLE.COM keytab=/etc/httpd/conf/ipa.keytab ccache=/var/run/ipa_memcached/krbcc_A_username
[Sun Jun 12 13:03:07.070264 2016] [:error] [pid 15623] ipa: DEBUG: Initializing principal HTTP/ipa.EXAMPLE.COM at EXAMPLE.COM using keytab /etc/httpd/conf/ipa.keytab
[Sun Jun 12 13:03:07.070298 2016] [:error] [pid 15623] ipa: DEBUG: using ccache /var/run/ipa_memcached/krbcc_A_username
[Sun Jun 12 13:03:07.088452 2016] [:error] [pid 15623] [remote 10.55.200.1:148] mod_wsgi (pid=15623): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Sun Jun 12 13:03:07.088498 2016] [:error] [pid 15623] [remote 10.55.200.1:148] Traceback (most recent call last):
[Sun Jun 12 13:03:07.088514 2016] [:error] [pid 15623] [remote 10.55.200.1:148]   File "/usr/share/ipa/wsgi.py", line 49, in application
[Sun Jun 12 13:03:07.088587 2016] [:error] [pid 15623] [remote 10.55.200.1:148]     return api.Backend.wsgi_dispatch(environ, start_response)
[Sun Jun 12 13:03:07.088596 2016] [:error] [pid 15623] [remote 10.55.200.1:148]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 258, in __call__
[Sun Jun 12 13:03:07.088859 2016] [:error] [pid 15623] [remote 10.55.200.1:148]     return self.route(environ, start_response)
[Sun Jun 12 13:03:07.088869 2016] [:error] [pid 15623] [remote 10.55.200.1:148]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 270, in route
[Sun Jun 12 13:03:07.088883 2016] [:error] [pid 15623] [remote 10.55.200.1:148]     return app(environ, start_response)
[Sun Jun 12 13:03:07.088888 2016] [:error] [pid 15623] [remote 10.55.200.1:148]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 944, in __call__
[Sun Jun 12 13:03:07.088895 2016] [:error] [pid 15623] [remote 10.55.200.1:148]     self.kinit(user, self.api.env.realm, password, ipa_ccache_name)
[Sun Jun 12 13:03:07.088899 2016] [:error] [pid 15623] [remote 10.55.200.1:148]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 966, in kinit
[Sun Jun 12 13:03:07.088906 2016] [:error] [pid 15623] [remote 10.55.200.1:148]     raise CCacheError(str(e))
[Sun Jun 12 13:03:07.088912 2016] [:error] [pid 15623] [remote 10.55.200.1:148]   File "/usr/lib/python2.7/site-packages/ipalib/errors.py", line 248, in __init__
[Sun Jun 12 13:03:07.089157 2016] [:error] [pid 15623] [remote 10.55.200.1:148]     messages.process_message_arguments(self, format, message, **kw)
[Sun Jun 12 13:03:07.089174 2016] [:error] [pid 15623] [remote 10.55.200.1:148]   File "/usr/lib/python2.7/site-packages/ipalib/messages.py", line 52, in process_message_arguments
[Sun Jun 12 13:03:07.089252 2016] [:error] [pid 15623] [remote 10.55.200.1:148]     name, format)
[Sun Jun 12 13:03:07.089271 2016] [:error] [pid 15623] [remote 10.55.200.1:148] ValueError: non-generic 'CCacheError' needs format=None; got format="(-1765328353, 'Decrypt integrity check failed')"

However, 'kinit username' works. An 'ipa user-find username' fails with output like this:

[root at ipa httpd]# ipa user-find username
ipa: ERROR: cert validation failed for "CN=ipa-replica-1.EXAMPLE.COM,O=EXAMPLE.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
(snip)
ipa: ERROR: Kerberos error: Service 'HTTP at ipa-replica-1.EXAMPLE.COM' not found in Kerberos database/

And those replicas also show up in 'ipa-replica-manage list' and 'ipa-csreplica-manage list' but not if I then try to remove them via 'ipa-replica-manage del '.

The crucial issues before me are 1) How do we restore WebUI login ability to the restored users, and 2) How do we restore DNS service for the restored DNS records in LDAP?

Best regards,
Dan
From ipa at border.nuneshiggs.com Sun Jun 12 18:47:13 2016
From: ipa at border.nuneshiggs.com (Nuno Higgs)
Date: Sun, 12 Jun 2016 19:47:13 +0100
Subject: [Freeipa-users] Error with DNS forwarding on replica.
Message-ID: <0c6701d1c4da$d5e36820$81aa3860$@border.nuneshiggs.com>

Hello all,

I have an IPA server - IPA 4.2 - and I have added a new IPA to geographic replication.

I have added it as stated in the documentation here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html#replica-install-with-dns

All was replicated correctly, and I can do a kinit user at DOMAIN with success within the replica.

However there is a problem with the DNS sections:

Although the DNS is ok, my configuration within IPA on the first server regarding DNS zones that are set on forward only are not.

In my first server, I can do a forward of domain - let's say domain.eu. On the second server (replica) the forward is shown configured correctly within the webgui but it does not work, giving a NX error on query www.domain.eu (the A Record exists and is shown on the first server). It also shows on dig on the replica (dig @x.x.x.x www.domain.eu), so it isn't a network permissions issue.

I have deleted the zone on the master (and replica), and recreated it. On the first server, it worked fine. On the replica the problem persisted.

Am I missing anything? Is there an undocumented trick, or have I missed something?

Thanks for your help.
Nuno

From pspacek at redhat.com Mon Jun 13 05:50:22 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 13 Jun 2016 07:50:22 +0200
Subject: [Freeipa-users] Error with DNS forwarding on replica.
In-Reply-To: <0c6701d1c4da$d5e36820$81aa3860$@border.nuneshiggs.com>
References: <0c6701d1c4da$d5e36820$81aa3860$@border.nuneshiggs.com>
Message-ID: <34c49430-1745-8814-1535-6b0ecf18ce64@redhat.com>

On 12.6.2016 20:47, Nuno Higgs wrote:
> Hello all,
>
> I have an IPA server - IPA 4.2 - and I have added a new IPA to geographic
> replication.
>
> I have added it as stated in the documentation here:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html#replica-install-with-dns
>
> All was replicated correctly, and I can do a kinit user at DOMAIN with success
> within the replica.
>
> However there is a problem with the DNS sections:
>
> Although the DNS is ok, my configuration within IPA on the first server
> regarding DNS zones that are set on forward only are not.
>
> In my first server, I can do a forward of domain - let's say
> domain.eu. On the second server (replica) the forward is
> shown configured correctly within the webgui but it does not work, giving a
> NX error on query www.domain.eu (the A Record exists
> and is shown on the first server). It also shows on dig on the replica (dig
> @x.x.x.x www.domain.eu), so it isn't a network permissions issue.
>
> I have deleted the zone on the master (and replica), and recreated it. On
> the first server, it worked fine. On the replica the problem persisted.
>
> Am I missing anything? Is there an undocumented trick, or have I missed
> something?

Hello,

it could be either a DNS configuration problem or a LDAP replication problem.

Please show us output from command:
$ ipa dnsforwardzone-show domain.eu

from all IPA servers you have. The output should be the same.
If it is not the same then you are most likely facing a replication problem, please see
http://www.freeipa.org/page/Troubleshooting#Replication_issues

-- 
Petr^2 Spacek

From mkosek at redhat.com Mon Jun 13 07:35:53 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 13 Jun 2016 09:35:53 +0200
Subject: [Freeipa-users] Password sync settings not working
In-Reply-To: <1711638.VYOPI54qdq@hosanna>
References: <1711638.VYOPI54qdq@hosanna>
Message-ID:

On 06/10/2016 01:59 AM, Joshua J. Kugler wrote:
> Howdy!
>
> We are trying to set up password sync. I have read this:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#password-sync
>
> I have added that attribute:
> echo -e 'dn: cn=ipa_pwd_extop,cn=plugins,cn=config\nchangetype: modify\nadd:
> passSyncManagersDNs\npassSyncManagersDNs:
> uid=admin,cn=users,cn=accounts,dc=example,dc=com' | ldapmodify -x -D
> 'cn=Directory Manager' -w {{ ipaserver_dir_admin_password }} -h localhost -p
> 389
>
> However, when I reset a password as the 'admin' user, the user's password is
> still set to expired. This is CentOS 7 with the latest FreeIPA there.
>
> What might I be missing?

I would try to double check that the passSyncManagersDNs is indeed filled properly in the plugin configuration. Base ldapsearch will help.

Then I would also recommend checking your global password policy "ipa pwpolicy-show" to make sure that you for example do not have the password max life set to 0, which would cause this behavior in current FreeIPA version.
Martin

From harald.dunkel at aixigo.de Mon Jun 13 07:40:24 2016
From: harald.dunkel at aixigo.de (Harald Dunkel)
Date: Mon, 13 Jun 2016 09:40:24 +0200
Subject: [Freeipa-users] ldapsearch in cron job woes about no credentials
In-Reply-To: <5c3574d0-a2a8-b792-bf82-5476d700b0f2@aixigo.de>
References: <5c3574d0-a2a8-b792-bf82-5476d700b0f2@aixigo.de>
Message-ID: <05d03f1e-8f9b-4a35-10bc-1cbb5c9616c6@aixigo.de>

On 06/09/16 15:16, Harald Dunkel wrote:
> Hi folks,
>
> Platform: freeipa 4.2 (Centos7)
>
> Problem: My cron job needs a ticket to run ldapsearch. The
> error message is:
>
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)
>
> Google pointed me to this solution
>
> http://www.cmf.nrl.navy.mil/krb/kerberos-faq.html#kerbcron
>
> I wonder what is the "freeipa way" to handle this scenario,
> esp. how to generate the additional kerberos entry without
> confusing FreeIPA? Maybe I am too blind to see, but I haven't
> found this problem in the FAQs.
>

Too much noob?

Harri

From abokovoy at redhat.com Mon Jun 13 08:18:27 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 13 Jun 2016 11:18:27 +0300
Subject: [Freeipa-users] ldapsearch in cron job woes about no credentials
In-Reply-To: <05d03f1e-8f9b-4a35-10bc-1cbb5c9616c6@aixigo.de>
References: <5c3574d0-a2a8-b792-bf82-5476d700b0f2@aixigo.de> <05d03f1e-8f9b-4a35-10bc-1cbb5c9616c6@aixigo.de>
Message-ID: <20160613081827.iavj772u2bodypqe@redhat.com>

On Mon, 13 Jun 2016, Harald Dunkel wrote:
>On 06/09/16 15:16, Harald Dunkel wrote:
>> Hi folks,
>>
>> Platform: freeipa 4.2 (Centos7)
>>
>> Problem: My cron job needs a ticket to run ldapsearch.
>> The error message is:
>>
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Local error (-2)
>> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)
>>
>> Google pointed me to this solution
>>
>> http://www.cmf.nrl.navy.mil/krb/kerberos-faq.html#kerbcron
>>
>> I wonder what is the "freeipa way" to handle this scenario,
>> esp. how to generate the additional kerberos entry without
>> confusing FreeIPA? Maybe I am too blind to see, but I haven't
>> found this problem in the FAQs.
>>
>
>Too much noob?

I appreciate your self-assessment but no need to be so intimidating. ;)

When you are using SASL GSSAPI, it is expected that there are credentials
obtained prior to running the utility that uses SASL GSSAPI. Typically this
is done with kinit, or in case of a user logon, SSSD would create a
credentials cache with valid credentials for you. For crontab-based
environments you need to make that yourself. But it would also be useful to
avoid re-acquiring Kerberos tickets all the time and re-use the existing
ticket during the time of its validity.

This problem of acquiring Kerberos tickets periodically on behalf of some
other application has a long history, not really solved in the stock MIT
Kerberos distribution, as you can see. You have a few options but the one
I'd recommend is to integrate your application with GSS-Proxy.

GSS-Proxy installs a special plugin into the GSSAPI infrastructure that
triggers look up of credentials via the GSS-Proxy daemon. This allows
avoiding giving the application access to the actual credentials, but also
allows initiating acquisition of the credentials on behalf of the
application.

To do so, you need to configure a couple of things:

- Create a service in IPA that would be used to present your job.
  The service is more correct to use here instead of a user account because
  if you don't need to have POSIX attributes associated with it, only Kerberos
  authentication, the service principal is the correct one.

  Add a service to the host where you'd be running the cron job:

    ipa service-add mycronservice/ipa.client.host

- This host (ipa.client.host) will be able to fetch a keytab with a key for
  the service because the host always manages its services.

- On ipa.client.host do:

    kinit -k
    ipa-getkeytab -s ipa.master.host -p mycronservice/ipa.client.host \
      -k /etc/krb5.mycronservice.keytab

- Now you have Kerberos keys (random password) for the
  mycronservice/ipa.client.host service principal stored in the keytab; you
  can set up gss-proxy to use it. Add the following configuration file as
  /etc/gssproxy/80-mycronservice.conf

--8<--8<--8<--8<--8<--8<--8<--8<--8<--
[service/mycronservice]
  mechs = krb5
  cred_store = client_keytab:/etc/krb5.mycronservice.keytab
  cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_mycronservice_%U
  cred_usage = initiate
  euid =
--8<--8<--8<--8<--8<--8<--8<--8<--8<--

- In your cronjob script add the environment variable GSS_USE_PROXY=yes

That's it. Whenever GSSAPI is used, the GSS-Proxy plugin is loaded, looks at
the GSS_USE_PROXY=yes environment variable and then contacts GSS-Proxy to
request a ticket to the service you want to access. This would trigger a
look up in the ccache if that ticket already exists and will also trigger
acquisition of new credentials if that is needed, thanks to the
client_keytab setting in the GSS-Proxy config.

See man pages for gssproxy, gssproxy-mech, and gssproxy.conf for details.
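The steps above packaged as shell helpers, as an added example that is not part of Alexander's reply or of gssproxy itself: rendering the [service/...] stanza, checking the keytab it points at, and running the cron job's ldapsearch with GSS_USE_PROXY set. The service name, host names and keytab path are the placeholders from the reply; the euid value is an assumption filled in here because gssproxy selects a service stanza by the calling process's effective uid, so it has to be the uid the cron job runs as.

```shell
#!/bin/sh
# Added example (not from the thread): helpers around the GSS-Proxy setup
# for a cron job. Placeholders: mycronservice, ipa.client.host,
# ipa.master.host, the keytab path and the euid argument.

# Render the [service/NAME] stanza for /etc/gssproxy/80-NAME.conf.
# $1 = service short name, $2 = keytab path, $3 = numeric euid of the cron user
gssproxy_stanza() {
    printf '[service/%s]\n' "$1"
    printf '  mechs = krb5\n'
    printf '  cred_store = client_keytab:%s\n' "$2"
    printf '  cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%s_%%U\n' "$1"
    printf '  cred_usage = initiate\n'
    printf '  euid = %s\n' "$3"
}

# Write the stanza as <dir>/80-<service>.conf and print the path.
# $4 (optional) overrides /etc/gssproxy so this can be tried in a scratch dir.
write_gssproxy_conf() {
    dest="${4:-/etc/gssproxy}/80-$1.conf"
    gssproxy_stanza "$1" "$2" "$3" > "$dest" || return 1
    chmod 0644 "$dest"
    printf '%s\n' "$dest"
}

# The keytab holds the service's long-term key. gssproxy (root) reads it on
# the job's behalf; the cron user never needs to, so it must not be readable
# by others. Fail if the file is missing or its "other" permission bits are set.
check_keytab() {
    [ -f "$1" ] || { echo "keytab $1 missing" >&2; return 1; }
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    [ -n "$mode" ] || return 1
    case $mode in
        *[1-7]) echo "keytab $1 is readable by others (mode $mode)" >&2; return 1 ;;
    esac
}

# Run a command with the GSS-Proxy plugin active: it only contacts gssproxy
# when GSS_USE_PROXY=yes is present in the environment.
run_under_gssproxy() {
    GSS_USE_PROXY=yes "$@"
}

# What the cron job itself runs: a GSSAPI bind with no kinit beforehand.
# The search base is a placeholder; $1 is the uid to look up.
cron_ldapsearch() {
    run_under_gssproxy ldapsearch -Y GSSAPI -H ldap://ipa.master.host \
        -b 'cn=accounts,dc=example,dc=com' "(uid=$1)" uid
}
```

Typical use on the client host, as root: `write_gssproxy_conf mycronservice /etc/krb5.mycronservice.keytab "$(id -u cronuser)"`, then `check_keytab /etc/krb5.mycronservice.keytab`, restart gssproxy, and have the cron entry call `cron_ldapsearch someuser` as cronuser.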
--
/ Alexander Bokovoy

From pvoborni at redhat.com Mon Jun 13 08:41:39 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 13 Jun 2016 10:41:39 +0200
Subject: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)
In-Reply-To: <55BB6337-5F5F-449C-802E-1DC2097046D8@high5games.com>
References: <8776E3A1-A1DE-42FA-9C11-B32BDFC88D48@high5games.com> <11A7EF75-24E7-4F02-9BB7-B128EF8005E9@high5games.com> <575B0B96.8070502@redhat.com> <4FD7DA07-768F-4EFF-AECB-F49007407213@high5games.com> <575B2E7D.4050206@redhat.com> <55BB6337-5F5F-449C-802E-1DC2097046D8@high5games.com>
Message-ID:

On 06/12/2016 07:05 PM, Dan.Finkelstein at high5games.com wrote:
> The restore I was referring to was a red herring; we ended up wiping the server
> and saving ipa-backup files, which was the only way we could successfully
> reconfigure/reinitialize IPA on the host.
>

As Rob wrote, please check PKI logs. The most important ones here are:

/var/log/pki/pki-tomcat/ca/selftests.log
/var/log/pki/pki-tomcat/ca/debug

The debug log usually has additional info on the possible cause logged in the
selftests log.
> *From: *Rob Crittenden > *Date: *Friday, June 10, 2016 at 17:17 > *To: *Daniel Finkestein , > "freeipa-users at redhat.com" > *Subject: *Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error > 4301: CertificateOperationError) > > Dan.Finkelstein at high5games.com wrote: > > And, from the 'ipactl -d --ignore-service-failures restart' we get this: > > ipa: DEBUG: stderr= > > ipa: DEBUG: wait_for_open_ports: localhost [8080, 8443] timeout 300 > > ipa: DEBUG: Waiting until the CA is running > > ipa: DEBUG: Starting external process > > ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' > > '--no-check-certificate' > > 'https://ipa.example.com:8443/ca/admin/ca/getStatus' > > ipa: DEBUG: Process finished, return code=4 > > ipa: DEBUG: stdout= > > ipa: DEBUG: stderr=--2016-06-10 15:29:38-- > > https://ipa.example.com:8443/ca/admin/ca/getStatus > > Resolving ipa.example.com (ipa.example.com)... 10.55.10.31 > > Connecting to ipa.example.com (ipa.example.com)|10.55.10.31|:8443... > > connected. > > Unable to establish SSL connection. > > ipa: DEBUG: The CA status is: check interrupted due to error: Command > > ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' > > 'https://ipa.example.com:8443/ca/admin/ca/getStatus'' returned non-zero > > exit status 4 > > ipa: DEBUG: Waiting for CA to start... > > ipa: DEBUG: Starting external process > > ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' > > '--no-check-certificate' > > 'https://ipa.example.com:8443/ca/admin/ca/getStatus' > > ipa: DEBUG: Process finished, return code=4 > > ipa: DEBUG: stdout= > > ipa: DEBUG: stderr=--2016-06-10 15:29:43-- > > https://ipa.example.com:8443/ca/admin/ca/getStatus > > Resolving ipa.example.com (ipa.example.com)... 10.55.10.31 > > Connecting to ipa.example.com (ipa.example.com)|10.55.10.31|:8443... > > connected. > > Unable to establish SSL connection. 
> > ipa: DEBUG: The CA status is: check interrupted due to error: Command > > ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' > > 'https://ipa.example.com:8443/ca/admin/ca/getStatus'' returned non-zero > > exit status 4 > > ipa: DEBUG: Waiting for CA to start... > > ipa: DEBUG: Starting external process > > ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' > > '--no-check-certificate' > > 'https://ipa.example.com:8443/ca/admin/ca/getStatus' > > Which leads me to believe that tomcat doesn't have the right certificate(s). > > I don't think that's the problem. I'd check the pki logs to see if it > > started and if not, why. Note that it is quite possible for tomcat to > > start and the CA to fail because tomcat is just a container. > > In a previous e-mail you said something about a restore, what was that? > > rob > > > > *Daniel Alex Finkelstein*| Lead Dev Ops Engineer > > _Dan.Finkelstein at h5g.com > _| > 212.604.3447 > > One World Trade Center, New York, NY 10007 > > www.high5games.com > > Play High 5 Casino and Shake > > the Sky > > Follow us on: Facebook , Twitter > > , YouTube > > , Linkedin > > > > // > > /This message and any attachments may contain confidential or privileged > > information and are only for the use of the intended recipient of this > > message. If you are not the intended recipient, please notify the sender > > by return email, and delete or destroy this and all copies of this > > message and all attachments. Any unauthorized disclosure, use, > > distribution, or reproduction of this message or any attachments is > > prohibited and may be unlawful./ > > *From: * > on behalf of Daniel > > Finkestein > > > *Date: *Friday, June 10, 2016 at 14:52 > > *To: *"freeipa-users at redhat.com " > > > > *Subject: *Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA > > Error 4301: CertificateOperationError) > > That?s exactly right, and we got the files and links back to serviceable > > order. 
Now we're (merely) facing issues with our restored certificate > > store, which the pki-tomcatd process is not happy with. All IPA services > > start normally except for tomcat, which spits out SSL errors (and we're > > pretty sure must be related to bad certs? somewhere). > > Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1) > > Internal Database Error encountered: Could not connect to LDAP server > > host ipa.example.com port 636 Error netscape.ldap.LDAPException: IO > > Error creating JSS SSL Socket (-1) > > at > > com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:673) > > at > > com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1107) > > at > > com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1013) > > at > > com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:510) > > at com.netscape.certsrv.apps.CMS.init(CMS.java:187) > > at com.netscape.certsrv.apps.CMS.start(CMS.java:1601) > > at > > com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114) > > at > > javax.servlet.GenericServlet.init(GenericServlet.java:158) > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native > > Method) > > at > > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) > > at > > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > > at java.lang.reflect.Method.invoke(Method.java:606) > > at > > org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) > > at > > org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) > > at java.security.AccessController.doPrivileged(Native > > Method) > > at > > javax.security.auth.Subject.doAsPrivileged(Subject.java:536) > > at > > org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) > > at > > org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169) > > at > > 
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123) > > at > > org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272) > > at > > org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197) > > at > > org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087) > > at > > org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210) > > at > > org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493) > > at > > org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) > > at > > org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901) > > at > > org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133) > > at > > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156) > > at > > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) > > at java.security.AccessController.doPrivileged(Native > > Method) > > at > > org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875) > > at > > org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632) > > at > > org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672) > > at > > org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862) > > at > > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) > > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > > at > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > > at > > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > > at java.lang.Thread.run(Thread.java:745) > > I think we might be willing to toss out the existing certificate store > > and start anew, which fortunately should preserve the DNS, user, group, > > etc., data already in LDAP. 
> > If we wanted to create a new trust and
> > self-signed cert for the server, how are those steps different from
> > promoting a replica to a cert-signing master?
> >
> > Thanks,
> > Dan
> >
> > /This message and any attachments may contain confidential or privileged
> > information and are only for the use of the intended recipient of this
> > message. If you are not the intended recipient, please notify the sender
> > by return email, and delete or destroy this and all copies of this
> > message and all attachments. Any unauthorized disclosure, use,
> > distribution, or reproduction of this message or any attachments is
> > prohibited and may be unlawful./
> >
> > *From: *Rob Crittenden
> > *Date: *Friday, June 10, 2016 at 14:48
> > *To: *Daniel Finkestein, "freeipa-users at redhat.com"
> > *Subject: *Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA
> > Error 4301: CertificateOperationError)
> >
> > I'd reinstall some rpms to properly create these:
> >
> > tomcat
> > pki-base
> > pki-server
> >
> > I'm not positive it will fix permissions, rpm -V on the same may point
> > out problems as well.
> >
> > rob
>

--
Petr Vobornik

From ipa at border.nuneshiggs.com Mon Jun 13 09:14:17 2016
From: ipa at border.nuneshiggs.com (Nuno Higgs)
Date: Mon, 13 Jun 2016 10:14:17 +0100
Subject: [Freeipa-users] Error with DNS forwarding on replica.
In-Reply-To: <34c49430-1745-8814-1535-6b0ecf18ce64@redhat.com>
References: <0c6701d1c4da$d5e36820$81aa3860$@border.nuneshiggs.com> <34c49430-1745-8814-1535-6b0ecf18ce64@redhat.com>
Message-ID: <0ce001d1c553$f62da900$e288fb00$@border.nuneshiggs.com>

Hello again,

[root at ipa01 ~]# kinit user
Password for user at DOMAIN.LOCAL:
[root at ipa01 ~]# ipa dnsforwardzone-show domain.eu
  Zone name: domain.eu.
  Active zone: TRUE
  Zone forwarders: 194.65.3.20 195.65.3.21
  Forward policy: only
[root at ipa01 ~]#

[root at ipa02 ~]# ipa dnsforwardzone-show domain.eu
  Zone name: domain.eu.
  Active zone: TRUE
  Zone forwarders: 194.65.3.20 195.65.3.21
  Forward policy: only
[root at ipa02 ~]#

On both servers the return is the same.
I haven't touched the DNS config besides deleting the zone and recreating it.

I am at a loss. What can be the issue here?

Thanks,
Nuno

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
Sent: Monday, 13 June 2016 06:50
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Error with DNS forwarding on replica.

On 12.6.2016 20:47, Nuno Higgs wrote:
> Hello all,
>
> I have an IPA server - IPA 4.2 - and I have added a new IPA to
> geographic replication.
>
> I have added it as stated in the documentation here:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html#replica-install-with-dns
>
> All was replicated correctly, and I can do a kinit user at DOMAIN with
> success within the replica.
>
> However there is a problem with the DNS sections:
>
> Although the DNS is ok, my configuration within IPA on the first server
> regarding DNS zones that are set to forward only is not.
>
> In my first server, I can do a forward of a domain - let's say
> domain.eu. On the second server (replica) the
> forward is shown configured correctly within the webgui but it does
> not work, giving an NX error on query
> www.domain.eu (the A record exists and is shown on the first server).
> It also shows on dig on the replica (dig @x.x.x.x www.domain.eu), so it isn't a network permissions issue.
>
> I have deleted the zone on the master (and replica), and recreated it.
> On the first server, it worked fine. On the replica the problem persisted.
>
> Am I missing anything?
> Is there an undocumented trick, or have I missed
> something?

Hello,

it could be either a DNS configuration problem or an LDAP replication problem.

Please show us output from command:
$ ipa dnsforwardzone-show domain.eu
from all IPA servers you have. The output should be the same.

If it is not the same then you are most likely facing a replication problem, please see
http://www.freeipa.org/page/Troubleshooting#Replication_issues

--
Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

From Nathan.Peters at globalrelay.net Mon Jun 13 17:30:16 2016
From: Nathan.Peters at globalrelay.net (Nathan Peters)
Date: Mon, 13 Jun 2016 17:30:16 +0000
Subject: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails
In-Reply-To: <20160611090142.GA18966@10.4.128.1>
References: <20160607204327.GA6308@hendrix> <20160611090142.GA18966@10.4.128.1>
Message-ID:

All group lists return correctly when using the ipa group-show command. Like I
said, there is definitely something wrong with CentOS 6.8 because all group
lists are correct. This was done on one of the CentOS 6.8 servers so we know
that the server can retrieve the group lists properly.
[nathan.peters at cass1 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_756600344
Default principal: admin at DEV-MYDOMAIN.NET

Valid starting     Expires            Service principal
06/13/16 17:21:56  06/14/16 17:21:41  krbtgt/DEV-MYDOMAIN.NET at DEV-MYDOMAIN.NET

[nathan.peters at cass1 ~]$ ipa group-show --all deployment_engineer
ipa group-show --all sysadmins
ipa group-show --raw deployment_engineer
ipa group-show --raw sysadmins
ipa: ERROR: command 'group_show' takes at most 1 argument

[nathan.peters at cass1 ~]$ ipa group-show --all deployment_engineer
  dn: cn=deployment_engineer,cn=groups,cn=accounts,dc=dev-mydomain,dc=net
  Group name: deployment_engineer
  Description: deployment engineers
  Member users: nathan.peters,
  Member of groups: admins
  Roles: DNS Administrator
  Member of Sudo rule: s_allow_deployment_engineer_to_all
  Member of HBAC rule: allow_deployment_engineer_to_all
  ipauniqueid: 8bba7068-04c8-11e5-931d-005056b71d17
  objectclass: top, ipaobject, groupofnames, ipausergroup, nestedgroup

[nathan.peters at cass1 ~]$ ipa group-show --all sysadmins
  dn: cn=sysadmins,cn=groups,cn=accounts,dc=dev-mydomain,dc=net
  Group name: sysadmins
  Description: System Administrators
  Member users: nathan.peters,
  Member of groups: admins
  Member of Sudo rule: s_allow_sysadmins_to_all
  Member of HBAC rule: allow_sysadmins_to_all
  ipauniqueid: 828754c0-04c8-11e5-988f-005056b71d17
  objectclass: top, ipaobject, groupofnames, ipausergroup, nestedgroup

[nathan.peters at cass1 ~]$ ipa group-show --raw deployment_engineer
  cn: deployment_engineer
  description: deployment engineers
  member: uid=nathan.peters,cn=users,cn=accounts,dc=dev-mydomain,dc=net

[nathan.peters at cass1 ~]$ ipa group-show --raw sysadmins
  cn: sysadmins
  description: System Administrators
  member: uid=nathan.peters,cn=users,cn=accounts,dc=dev-mydomain,dc=net

[nathan.peters at cass1 ~]$

-----Original Message-----
From: Lukas Slebodnik [mailto:lslebodn at redhat.com]
Sent: Saturday, June 11, 2016 2:02 AM
To: Nathan Peters
Cc: Jakub Hrozek; freeipa-users
at redhat.com Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails On (08/06/16 18:14), Nathan Peters wrote: >I'm pretty lost here. I tried following the directions on that page >but the results still make no sense to me. From what I can see, the >account is successfully authorized, and the groups that I am part of >are found and some sudo rules are found, but then I am denied access >for no reason. This is not working on any CentOS 6.8 server, and >working properly on all previous versions of CentOS. I have tried >several steps including deleting and re-creating the 6.8 hosts, and >unjoining them and re-joining them to the domain. Nothing helps > >========== /var/log/sudo_debug ====================== > >Jun 8 16:56:01 sudo[7277] <- sudo_pam_verify @ ./auth/pam.c:138 := 0 >Jun 8 16:56:01 sudo[7277] <- verify_user @ ./auth/sudo_auth.c:282 := 1 >Jun 8 16:56:01 sudo[7277] -> sudo_auth_cleanup @ >./auth/sudo_auth.c:160 Jun 8 16:56:01 sudo[7277] -> sudo_pam_cleanup @ >./auth/pam.c:185 Jun 8 16:56:01 sudo[7277] <- sudo_pam_cleanup @ >./auth/pam.c:189 := 0 Jun 8 16:56:01 sudo[7277] <- sudo_auth_cleanup @ >./auth/sudo_auth.c:177 := 0 Jun 8 16:56:01 sudo[7277] -> >sudo_pw_delref @ ./pwutil.c:249 Jun 8 16:56:01 sudo[7277] -> >sudo_pw_delref_item @ ./pwutil.c:238 Jun 8 16:56:01 sudo[7277] <- >sudo_pw_delref_item @ ./pwutil.c:243 Jun 8 16:56:01 sudo[7277] <- >sudo_pw_delref @ ./pwutil.c:251 Jun 8 16:56:01 sudo[7277] <- >check_user @ ./check.c:189 := true Jun 8 16:56:01 sudo[7277] -> >log_failure @ ./logging.c:318 Jun 8 16:56:01 sudo[7277] -> log_denial >@ ./logging.c:256 Jun 8 16:56:01 sudo[7277] -> audit_failure @ >./audit.c:68 Jun 8 16:56:01 sudo[7277] -> linux_audit_command @ >./linux_audit.c:70 Jun 8 16:56:01 sudo[7277] -> linux_audit_open @ >./linux_audit.c:49 Jun 8 16:56:01 sudo[7277] <- linux_audit_open @ >./linux_audit.c:61 := 15 Jun 8 16:56:01 sudo[7277] <- >linux_audit_command @ ./linux_audit.c:97 := 3 Jun 8 16:56:01 >sudo[7277] <- audit_failure @ 
./audit.c:81 Jun 8 16:56:01 sudo[7277] >-> new_logline @ ./logging.c:746 Jun 8 16:56:01 sudo[7277] <- >new_logline @ ./logging.c:867 := user NOT authorized on host ; >TTY=pts/1 ; PWD=/home/nathan.peters ; USER=root ; COMMAND=/bin/su - Jun >8 16:56:01 sudo[7277] -> should_mail @ ./logging.c:712 Jun 8 16:56:01 >sudo[7277] <- should_mail @ ./logging.c:717 := false Jun 8 16:56:01 >sudo[7277] -> do_syslog @ ./logging.c:138 Jun 8 16:56:01 sudo[7277] -> >mysyslog @ ./logging.c:96 Jun 8 16:56:01 sudo[7277] <- mysyslog @ >./logging.c:119 Jun 8 16:56:01 sudo[7277] <- do_syslog @ >./logging.c:185 Jun 8 16:56:01 sudo[7277] <- log_denial @ >./logging.c:309 Jun 8 16:56:01 sudo[7277] <- log_failure @ >./logging.c:341 Jun 8 16:56:01 sudo[7277] -> rewind_perms @ >./set_perms.c:90 Jun 8 16:56:01 sudo[7277] -> restore_perms @ >./set_perms.c:363 Jun 8 16:56:01 sudo[7277] restore_perms: uid: >[756600344, 0, 0] -> [756600344, 0, 0] Jun 8 16:56:01 sudo[7277] >restore_perms: gid: [756600344, 756600344, 756600344] -> [756600344, >756600344, 756600344] Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref >@ ./pwutil.c:816 Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item >@ ./pwutil.c:805 Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item >@ ./pwutil.c:810 Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref @ >./pwutil.c:818 Jun 8 16:56:01 sudo[7277] <- restore_perms @ >./set_perms.c:407 Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref @ >./pwutil.c:816 Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ >./pwutil.c:805 Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ >./pwutil.c:810 Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref @ >./pwutil.c:818 Jun 8 16:56:01 sudo[7277] <- rewind_perms @ >./set_perms.c:96 Jun 8 16:56:01 sudo[7277] -> sudo_endpwent @ >./pwutil.c:443 Jun 8 16:56:01 sudo[7277] -> sudo_freepwcache @ >./pwutil.c:426 Jun 8 16:56:01 sudo[7277] -> rbdestroy @ >./redblack.c:359 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] -> 
_rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ >./pwutil.c:238 Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ >./pwutil.c:243 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] <- rbdestroy @ >./redblack.c:362 Jun 8 16:56:01 sudo[7277] -> rbdestroy @ >./redblack.c:359 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ >./pwutil.c:238 Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ >./pwutil.c:243 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] <- rbdestroy @ >./redblack.c:362 Jun 8 16:56:01 sudo[7277] <- sudo_freepwcache @ >./pwutil.c:437 Jun 8 16:56:01 sudo[7277] <- sudo_endpwent @ >./pwutil.c:448 Jun 8 16:56:01 sudo[7277] -> sudo_endgrent @ >./pwutil.c:861 Jun 8 16:56:01 sudo[7277] -> sudo_freegrcache @ >./pwutil.c:840 Jun 8 16:56:01 sudo[7277] -> rbdestroy @ >./redblack.c:359 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] <- rbdestroy @ >./redblack.c:362 Jun 8 16:56:01 sudo[7277] -> rbdestroy @ >./redblack.c:359 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 
sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ >./pwutil.c:657 Jun 8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ >./pwutil.c:662 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ >./pwutil.c:657 Jun 8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ >./pwutil.c:662 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] <- rbdestroy @ >./redblack.c:362 Jun 8 16:56:01 sudo[7277] -> rbdestroy @ >./redblack.c:359 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item >@ ./pwutil.c:805 Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item >@ ./pwutil.c:810 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item >@ ./pwutil.c:805 Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item >@ ./pwutil.c:810 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] <- rbdestroy @ >./redblack.c:362 Jun 8 16:56:01 sudo[7277] <- sudo_freegrcache @ >./pwutil.c:855 Jun 8 16:56:01 sudo[7277] <- sudo_endgrent @ >./pwutil.c:866 Jun 8 16:56:01 sudo[7277] <- sudoers_policy_main @ >./sudoers.c:753 := false Jun 8 16:56:01 sudo[7277] <- >sudoers_policy_check @ ./sudoers.c:766 := false Jun 8 16:56:01 >sudo[7277] <- policy_check @ ./sudo.c:1204 := false Jun 8 16:56:01 >sudo[7277] policy plugin returns 0 > >============== /var/log/sssd/sssd_sudo.log 
=====================
>
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [nathan.peters] from []
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/dev-mydomain.net/nathan.peters]
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [nathan.peters at dev-mydomain.net]
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [nathan.peters at dev-mydomain.net]
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [nathan.peters] from [dev-mydomain.net]
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))]
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@dev-mydomain.net]
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [nathan.peters] from []
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/dev-mydomain.net/nathan.peters]
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [nathan.peters at dev-mydomain.net]
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [nathan.peters at dev-mydomain.net]
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [nathan.peters] from [dev-mydomain.net]
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))]
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))]
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
>(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 2 rules for [nathan.peters at dev-mydomain.net]
>(Wed Jun 8 17:39:16 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
>(Wed Jun 8 17:39:16 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>(Wed Jun 8 17:39:17 2016) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
>(Wed Jun 8 17:39:17 2016) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x1091360][17]
>(Wed Jun 8 17:39:26 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
>(Wed Jun 8 17:39:26 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>
>============= /var/log/sssd/sssd_mydomain.log ==============
>
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=deployment_engineer]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_req_set_domain] (0x0400): Changing request domain from [dev-mydomain.net] to [dev-mydomain.net]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=dev-mydomain,dc=net]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_print_server] (0x2000): Searching 10.178.0.98
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net].
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 14
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 14 timeout 6
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xebb690], ldap[0xea8500]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 14 finished
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.

It looks like group deployment_engineer cannot be found in IPA.

>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] (0x0400): No such entry
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=sysadmins]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_req_set_domain] (0x0400): Changing request domain from [dev-mydomain.net] to [dev-mydomain.net]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=dev-mydomain,dc=net]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_print_server] (0x2000): Searching 10.178.0.98
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net].
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 15 timeout 6
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xeaaf30], ldap[0xea8500]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 15 finished
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.

It looks like group sysadmins cannot be found in IPA.

>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] (0x0400): No such entry
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
>
>===== output of ldap query manually copied from the sssd_sudo.log
>first search returns nothing second search returns 2 rules
>==================
>
>[root at cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))'
>asq: Unable to register control with rootdse!
># returned 0 records
># 0 entries
># 0 referrals
>
>
>[root at cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))'
>asq: Unable to register control with rootdse!
># record 1
>dn: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
>cn: s_allow_deployment_engineer_to_all
>dataExpireTimestamp: 1465412946
>name: s_allow_deployment_engineer_to_all
>objectClass: sudoRule
>sudoCommand: ALL
>sudoHost: ALL
>sudoOption: !authenticate
>sudoRunAsGroup: ALL
>sudoRunAsUser: ALL
>sudoUser: %deployment_engineer
>distinguishedName: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
>
># record 2
>dn: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
>cn: s_allow_sysadmins_to_all
>dataExpireTimestamp: 1465412946
>name: s_allow_sysadmins_to_all
>objectClass: sudoRule
>sudoCommand: ALL
>sudoHost: ALL
>sudoOption: !authenticate
>sudoRunAsGroup: ALL
>sudoRunAsUser: ALL
>sudoUser: %sysadmins
>distinguishedName: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
>
># returned 2 records
># 2 entries
># 0 referrals
>
>====== output of ldap query against directory for search used in the sssd_domain.log ===========
>
>[root at cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))'
># extended LDIF
>#
># LDAPv3
># base with scope subtree
># filter: (&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))
># requesting: ALL
>#
>
># search result
>search: 2
>result: 0 Success
>
># numResponses: 1
>
>[root at cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))'
># extended LDIF
>#
># LDAPv3
># base with scope subtree
># filter: (&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))
># requesting: ALL
>#
>

LDAP searches confirmed that it's not possible to find groups: deployment_engineer and sysadmins.
But you used anonymous search. It would be good if you could provide an output for groups using the ipa command. e.g.

kinit admin
ipa group-show --all deployment_engineer
ipa group-show --all sysadmins
ipa group-show --raw deployment_engineer
ipa group-show --raw sysadmins

LS

From DFischer at PetSmart.com Mon Jun 13 18:20:48 2016
From: DFischer at PetSmart.com (David Fischer)
Date: Mon, 13 Jun 2016 11:20:48 -0700
Subject: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users
Message-ID: <1465842048.20989.37.camel@petsmart.com>

(Note: versions below)

All,
I am getting password failures for accounts coming from a sub-ad domain.
I originally was not able to do 'getent' lookups of random users or groups and found that it was timing out during ldap scan. I upped the timeout on the 'IPA Configuration' tab in the web interface and this solved the 'getent' issue. Now I am able to do 'getent' passwd on all users in a sub-ad domain.

My new problem is that I am now unable to use password to login. If I grab a kerberos ticket I am able to just ssh into any IPA unix system, but fails when trying to do a password lookup.

The layout of systems is as follows:

1) forest domain with no users or groups
2) child domain with all users and groups.
3) IPA Realm/Domain trusted to forest domain

All users are in a sub-OU below the top of the domain in an OU called Users. There are about 11K users in this OU, but lookups seem really slow.

I have added to sssd.conf the following
1) lookup_family_order = ipv4_only
2) ignore_group_members=True
3) ldap_purge_cache_timeout=0
4) subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
5) debug_level=9

Could anyone help direct me to a place to start looking for why lookups are slow and passwords are not being allowed?
Thanks,
________________________________
#####################################################################################
The information contained in this electronic mail message, including attachments, if any, is PetSmart confidential information. It is intended only for the use of the person(s) named above. If the reader of this message is not the intended recipient, or has received this message in error, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you are not the intended recipient or have received this message in error, please notify the sender via e-mail and promptly delete the original message.
#####################################################################################

From abokovoy at redhat.com Mon Jun 13 19:07:29 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 13 Jun 2016 22:07:29 +0300
Subject: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users
In-Reply-To: <1465842048.20989.37.camel@petsmart.com>
References: <1465842048.20989.37.camel@petsmart.com>
Message-ID: <20160613190729.evh3ykgmz7yvgiom@redhat.com>

On Mon, 13 Jun 2016, David Fischer wrote:
>(Note: versions below)
>
>All,
>I am getting password failures for accounts coming from a sub-ad domain.
>I originally was not able to do 'getent' lookups of random users or groups and found that it was timing out during ldap scan. I upped the timeout on the 'IPA Configuration' tab in the web interface and this solved the 'getent' issue. Now I am able to do 'getent' passwd on all users in a sub-ad domain.
>
>My new problem is that I am now unable to use password to login. If I grab a kerberos ticket I am able to just ssh into any IPA unix system, but fails when trying to do a password lookup.
>
>The layout of systems is as follows:
>
>1) forest domain with no users or groups
>2) child domain with all users and groups.
>3) IPA Realm/Domain trusted to forest domain
>
>All users are in a sub-OU below the top of the domain in an OU called Users. There are about 11K users in this OU, but lookups seem really slow.
>
>I have added to sssd.conf the following
>1) lookup_family_order = ipv4_only
>2) ignore_group_members=True
>3) ldap_purge_cache_timeout=0
>4) subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
>5) debug_level=9
>
>Could anyone help direct me to a place to start looking for why lookups are slow and passwords are not being allowed?
Start with https://fedorahosted.org/sssd/wiki/Troubleshooting

--
/ Alexander Bokovoy

From guillermo.fuentes at modernizingmedicine.com Mon Jun 13 19:13:34 2016
From: guillermo.fuentes at modernizingmedicine.com (Guillermo Fuentes)
Date: Mon, 13 Jun 2016 15:13:34 -0400
Subject: [Freeipa-users] ns-slapd hangs for 2-3 minutes, then resumes.
In-Reply-To:
References: <8b452beb-09fe-8183-319a-02f51a2153de@redhat.com>
Message-ID:

Hi Rich,

After I started running the stack traces, the problem hasn't happened as frequently as it used to, but today I was able to get the stack traces. As they aren't similar I'll send them over to you in a separate email.

This is what I did to start the stack traces (CentOS 7):
# yum install -y --enablerepo=base-debuginfo 389-ds-base-debuginfo ipa-debuginfo slapi-nis-debuginfo nspr-debuginfo
# yum install -y gdb
# systemctl stop ipa.service ; sleep 10; systemctl start ipa.service
# mkdir -p /var/log/stacktraces

Set up crontab to run the following every minute:
gdb -ex 'set confirm off' -ex 'set pagination off' -ex 'thread apply all bt full' -ex 'quit' /usr/sbin/ns-slapd `pidof ns-slapd` > /var/log/stacktraces/stacktrace.`date +%s`.txt 2>&1

Thank you so much for your help,
Guillermo

On Wed, Jun 1, 2016 at 6:52 PM, Guillermo Fuentes wrote:
> I'm now taking stack traces every minute and waiting for it to hang
> again to check it. It happens usually under load but it's
> unpredictable. Most likely tomorrow.
> GUILLERMO FUENTES
> SR. SYSTEMS ADMINISTRATOR
>
> 561-880-2998 x1337
>
> guillermo.fuentes at modmed.com
>
>
> On Wed, Jun 1, 2016 at 2:03 PM, Rich Megginson wrote:
>> On 06/01/2016 10:37 AM, Guillermo Fuentes wrote:
>>>
>>> Hi all,
>>>
>>> We are experiencing a similar issue like the one discussed in the following thread but we are running FreeIPA 4.2 on CentOS 7.2:
>>> https://www.redhat.com/archives/freeipa-users/2015-February/msg00205.html
>>
>>
>> Are your stack traces similar?
>>
>>
>>>
>>> LDAP service stops responding to queries (hangs). LDAP connections on the server climb sometimes up to 10 times the normal amount and load goes to 0. Then, the connections start to drop until they get to a normal level and the LDAP service starts to respond to queries again. This happens in between 3-5 minutes:
>>>
>>> Time,LDAP conn,Opened files(ns-slapd),File Desc(ns-slapd),Threads(ns-slapd),Load1,Load5,Load15
>>> 8:54:03,101,353,216,142,0.43,0.20,0.16
>>> 8:55:02,108,359,221,142,0.19,0.18,0.15
>>> 8:56:03,110,361,224,142,0.07,0.15,0.14
>>> 8:57:14,117,383,246,142,0.15,0.16,0.15
>>> 8:58:04,276,371,234,142,0.05,0.13,0.14
>>> 8:59:05,469,371,234,142,0.02,0.11,0.13
>>> 9:00:08,719,371,234,142,0.01,0.09,0.12
>>> 9:01:18,1060,371,234,142,0.00,0.07,0.12
>>> 9:02:10,742,371,233,142,0.10,0.09,0.12
>>> 9:03:06,365,372,235,142,0.13,0.10,0.13
>>> 9:04:04,262,379,242,142,0.87,0.29,0.19
>>> 9:05:02,129,371,233,142,0.51,0.31,0.20
>>> 9:06:03,126,377,240,142,0.42,0.33,0.22
>>> 9:07:03,125,377,238,142,0.17,0.27,0.21
>>>
>>> Nothing is logged in the errors log file of the server having the problem (ipa1 as an example).
>>> In the replicas this is logged:
>>> 8:59:05 -0400] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com" (ipa1:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
>>> 9:01:05 -0400] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com" (ipa1:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
>>>
>>> Nothing is logged in the access log file until after ns-slapd starts responding again:
>>> ...
>>> 8:57:00 -0400] conn=12384 fd=234 slot=234 connection from 172.20.0.1 to 172.20.2.45
>>> 8:57:00 -0400] conn=12385 fd=235 slot=235 connection from 172.20.0.1 to 172.20.2.45
>>> 8:57:00 -0400] conn=12386 fd=236 slot=236 connection from 172.20.0.1 to 172.20.2.45
>>> 8:57:00 -0400] conn=12387 fd=237 slot=237 connection from 172.20.0.1 to 172.20.2.45
>>> 8:57:00 -0400] conn=10384 op=1227 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>> 8:57:00 -0400] conn=12324 op=8 RESULT err=0 tag=101 nentries=1 etime=0
>>> 8:57:00 -0400] conn=8838 op=2545 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>> 8:57:00 -0400] conn=8838 op=2545 RESULT err=0 tag=120 nentries=0 etime=0
>>> 8:57:00 -0400] conn=10384 op=1227 RESULT err=0 tag=120 nentries=0 etime=0
>>> 8:57:00 -0400] conn=12382 op=-1 fd=170 closed - B1
>>> 8:57:00 -0400] conn=12383 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedSASLMechanisms defaultnamingcontext namingContexts schemanamingcontext saslrealm"
>>> 8:57:00 -0400] conn=12384 op=-1 fd=234 closed - B1
>>> 8:57:00 -0400] conn=12385 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedSASLMechanisms defaultnamingcontext namingContexts schemanamingcontext saslrealm"
>>> 8:57:00 -0400] conn=12383 op=0 RESULT err=0 tag=101 nentries=1 etime=0
>>> 8:57:00 -0400] conn=12386 op=-1 fd=236 closed - B1
>>> 8:57:00 -0400] conn=12385 op=0 RESULT err=0 tag=101 nentries=1 etime=0
>>> 8:57:00 -0400] conn=12387 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedSASLMechanisms defaultnamingcontext namingContexts schemanamingcontext saslrealm"
>>> 8:57:00 -0400] conn=12387 op=0 RESULT err=0 tag=101 nentries=1 etime=0
>>> 8:57:00 -0400] conn=12385 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
>>> 8:57:00 -0400] conn=12387 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
>>> 8:57:00 -0400] conn=12385 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
>>> 8:57:00 -0400] conn=12383 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
>>> 8:57:00 -0400] conn=10384 op=1228 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
>>> 8:57:00 -0400] conn=10384 op=1228 RESULT err=0 tag=120 nentries=0 etime=0
>>> 8:57:00 -0400] conn=12383 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
>>> 9:02:00 -0400] conn=12388 fd=170 slot=170 connection from 172.20.0.1 to 172.20.2.45
>>> 9:02:00 -0400] conn=12389 fd=234 slot=234 SSL connection from 172.20.0.24 to 172.20.2.45
>>> 9:02:00 -0400] conn=12390 fd=236 slot=236 connection from local to /var/run/slapd-EXAMPLE-COM.socket
>>> 9:02:00 -0400] conn=12391 fd=238 slot=238 connection from 172.20.0.1 to 172.20.2.45
>>> 9:02:00 -0400] conn=12392 fd=239 slot=239 SSL connection from 172.20.0.24 to 172.20.2.45
>>> 9:02:00 -0400] conn=12393 fd=240 slot=240 connection from local to /var/run/slapd-EXAMPLE-COM.socket
>>> 9:02:00 -0400] conn=12394 fd=241 slot=241 connection from 172.20.0.1 to 172.20.2.45
>>> 9:02:00 -0400] conn=12395 fd=242 slot=242 SSL connection from 172.20.0.24 to 172.20.2.45
>>> 9:02:00 -0400] conn=12396 fd=243 slot=243 connection from 172.20.0.1 to 172.20.2.45
>>> 9:02:00 -0400] conn=12397 fd=244 slot=244 SSL connection from 172.20.0.24 to 172.20.2.45
>>> 9:02:00 -0400] conn=12398 fd=245 slot=245 connection from 172.20.0.1 to 172.20.2.45
>>> 9:02:00 -0400] conn=12400 fd=247 slot=247 connection from 172.20.0.1 to 172.20.2.45
>>> 9:02:00 -0400] conn=12401 fd=248 slot=248 connection from 172.20.0.1 to 172.20.2.45
>>> ...
>>> 9:02:00 -0400] conn=12390 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
>>> 9:02:00 -0400] conn=12388 op=-1 fd=170 closed - B1
>>> 9:02:00 -0400] conn=12393 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
>>> 9:02:00 -0400] conn=12391 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedSASLMechanisms defaultnamingcontext namingContexts schemanamingcontext saslrealm"
>>> 9:02:00 -0400] conn=12394 op=-1 fd=241 closed - B1
>>> 9:02:00 -0400] conn=12391 op=0 RESULT err=0 tag=101 nentries=1 etime=0
>>> 9:02:00 -0400] conn=12396 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedSASLMechanisms defaultnamingcontext namingContexts schemanamingcontext saslrealm"
>>> 9:02:00 -0400] conn=12396 op=0 RESULT err=0 tag=101 nentries=1 etime=0
>>> 9:02:00 -0400] conn=12398 op=-1 fd=245 closed - B1
>>> 9:02:00 -0400] conn=12400 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedSASLMechanisms defaultnamingcontext namingContexts schemanamingcontext saslrealm"
>>> 9:02:00 -0400] conn=12400 op=0 RESULT err=0 tag=101 nentries=1 etime=0
>>> 9:02:00 -0400] conn=12401 op=-1 fd=248 closed - B1
>>> 9:02:00 -0400] conn=12391 op=1 ABANDON targetop=NOTFOUND msgid=1
>>> 9:02:00 -0400] conn=12396 op=1 ABANDON targetop=NOTFOUND msgid=1
>>> 9:02:00 -0400] conn=12400 op=1 ABANDON targetop=NOTFOUND msgid=1
>>> 9:02:00 -0400] conn=12391 op=2 UNBIND
>>> 9:02:00 -0400] conn=12396 op=2 UNBIND
>>> 9:02:00 -0400] conn=12391 op=2 fd=238 closed - U1
>>> 9:02:00 -0400] conn=12396 op=2 fd=243 closed - U1
>>> 9:02:00 -0400] conn=12400 op=2 UNBIND
>>> 9:02:00 -0400] conn=12400 op=2 fd=247 closed - U1
>>> ...
>>>
>>> Environment:
>>> # cat /etc/redhat-release
>>> CentOS Linux release 7.2.1511 (Core)
>>>
>>> # rpm -qa ipa*
>>> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>>> ipa-python-4.2.0-15.0.1.el7.centos.6.1.x86_64
>>> ipa-admintools-4.2.0-15.0.1.el7.centos.6.1.x86_64
>>> ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.6.1.x86_64
>>> ipa-client-4.2.0-15.0.1.el7.centos.6.1.x86_64
>>> ipa-server-dns-4.2.0-15.0.1.el7.centos.6.1.x86_64
>>>
>>> # rpm -qa 389*
>>> 389-ds-base-libs-1.3.4.0-30.el7_2.x86_64
>>> 389-ds-base-1.3.4.0-30.el7_2.x86_64
>>>
>>> We have 4 FreeIPA servers with replication working fine between them. ipa1 is handling LDAP authentication for +400 clients and has been tuned as recommended per
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Performance_Tuning_Guide/system-tuning.html
>>>
>>> Is this a known issue?
>>> Any idea what can be causing ns-slapd to hang?
>>>
>>> Thanks in advance!
>>>
>>> Guillermo
>>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project

From DFischer at PetSmart.com Mon Jun 13 19:27:58 2016
From: DFischer at PetSmart.com (David Fischer)
Date: Mon, 13 Jun 2016 12:27:58 -0700
Subject: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users
In-Reply-To: <20160613190729.evh3ykgmz7yvgiom@redhat.com>
References: <1465842048.20989.37.camel@petsmart.com> <20160613190729.evh3ykgmz7yvgiom@redhat.com>
Message-ID: <1465846078.20989.40.camel@petsmart.com>

-----Original Message-----
From: Alexander Bokovoy
To: David Fischer
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users
Date: Mon, 13 Jun 2016 12:07:29 -0700

On Mon, 13 Jun 2016, David Fischer wrote:
(Note: versions below)

All,
I am getting password failures for accounts coming from a sub-ad domain.
I originally was not able to do 'getent' lookups of random users or groups and found that it was timing out during ldap scan. I upped the timeout on the 'IPA Configuration' tab in the web interface and this solved the 'getent' issue. Now I am able to do 'getent' passwd on all users in a sub-ad domain.

My new problem is that I am now unable to use password to login. If I grab a kerberos ticket I am able to just ssh into any IPA unix system, but fails when trying to do a password lookup.

The layout of systems is as follows:

1) forest domain with no users or groups
2) child domain with all users and groups.
3) IPA Realm/Domain trusted to forest domain

All users are in a sub-OU below the top of the domain in an OU called Users. There are about 11K users in this OU, but lookups seem really slow.

I have added to sssd.conf the following
1) lookup_family_order = ipv4_only
2) ignore_group_members=True
3) ldap_purge_cache_timeout=0
4) subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
5) debug_level=9

Could anyone help direct me to a place to start looking for why lookups are slow and passwords are not being allowed?

Start with https://fedorahosted.org/sssd/wiki/Troubleshooting

Alexander,
Thanks, I am already running through this guide. One of the things that is happening is I can create a user with min groups and that account is able to login. So I am adding groups that other users have one at a time to see what affects this.

From Nathan.Peters at globalrelay.net Mon Jun 13 19:55:11 2016
From: Nathan.Peters at globalrelay.net (Nathan Peters)
Date: Mon, 13 Jun 2016 19:55:11 +0000
Subject: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails
In-Reply-To:
References: <20160607204327.GA6308@hendrix> <20160611090142.GA18966@10.4.128.1>
Message-ID:

After more investigation I'm thinking this may be a bug in FreeIPA 4.3.1. I have, for testing purposes, installed a CentOS 6.7 client and I'm getting the same issues. The only thing I can think of is that we updated our FreeIPA servers to 4.3.1 a few weeks ago and hadn't provisioned any new machines since then. It's like the server isn't properly storing the new clients in the database and is missing some flag that allows them to use sudo.

You can see from the output below that pam and sss both allow the user access, but the sudo command itself denies it. It's like the sudo package is only looking in the local sudoers files and ignoring the previous calls to the IPA server.
Jun 13 19:26:13 kafka1-msg-cpqa1-nvan sudo: pam_unix(sudo:auth): authentication failure; logname=nathan.peters uid=756600344 euid=0 tty=/dev/pts/0 ruser=nathan.peters rhost= user=nathan.peters
Jun 13 19:26:14 kafka1-msg-cpqa1-nvan sudo: pam_sss(sudo:auth): authentication success; logname=nathan.peters uid=756600344 euid=0 tty=/dev/pts/0 ruser=nathan.peters rhost= user=nathan.peters
Jun 13 19:26:14 kafka1-msg-cpqa1-nvan sudo: nathan.peters : user NOT authorized on host ; TTY=pts/0 ; PWD=/home/nathan.peters ; USER=root ; COMMAND=/bin/su -

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Nathan Peters
Sent: Monday, June 13, 2016 10:30 AM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

All group lists return correctly when using the ipa group-show command. Like I said, there is definitely something wrong with CentOS 6.8 because all group lists are correct. This was done on one of the CentOS 6.8 servers so we know that the server can retrieve the group lists properly.
[nathan.peters at cass1 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_756600344
Default principal: admin at DEV-MYDOMAIN.NET

Valid starting     Expires            Service principal
06/13/16 17:21:56  06/14/16 17:21:41  krbtgt/DEV-MYDOMAIN.NET at DEV-MYDOMAIN.NET
[nathan.peters at cass1 ~]$ ipa group-show --all deployment_engineer ipa group-show --all sysadmins ipa group-show --raw deployment_engineer ipa group-show --raw sysadmins
ipa: ERROR: command 'group_show' takes at most 1 argument
[nathan.peters at cass1 ~]$ ipa group-show --all deployment_engineer
  dn: cn=deployment_engineer,cn=groups,cn=accounts,dc=dev-mydomain,dc=net
  Group name: deployment_engineer
  Description: deployment engineers
  Member users: nathan.peters,
  Member of groups: admins
  Roles: DNS Administrator
  Member of Sudo rule: s_allow_deployment_engineer_to_all
  Member of HBAC rule: allow_deployment_engineer_to_all
  ipauniqueid: 8bba7068-04c8-11e5-931d-005056b71d17
  objectclass: top, ipaobject, groupofnames, ipausergroup, nestedgroup
[nathan.peters at cass1 ~]$ ipa group-show --all sysadmins
  dn: cn=sysadmins,cn=groups,cn=accounts,dc=dev-mydomain,dc=net
  Group name: sysadmins
  Description: System Administrators
  Member users: nathan.peters,
  Member of groups: admins
  Member of Sudo rule: s_allow_sysadmins_to_all
  Member of HBAC rule: allow_sysadmins_to_all
  ipauniqueid: 828754c0-04c8-11e5-988f-005056b71d17
  objectclass: top, ipaobject, groupofnames, ipausergroup, nestedgroup
[nathan.peters at cass1 ~]$ ipa group-show --raw deployment_engineer
  cn: deployment_engineer
  description: deployment engineers
  member: uid=nathan.peters,cn=users,cn=accounts,dc=dev-mydomain,dc=net
[nathan.peters at cass1 ~]$ ipa group-show --raw sysadmins
  cn: sysadmins
  description: System Administrators
  member: uid=nathan.peters,cn=users,cn=accounts,dc=dev-mydomain,dc=net
[nathan.peters at cass1 ~]$

-----Original Message-----
From: Lukas Slebodnik [mailto:lslebodn at redhat.com]
Sent: Saturday, June 11, 2016 2:02 AM
To: Nathan Peters
Cc: Jakub Hrozek; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

On (08/06/16 18:14), Nathan Peters wrote:
>I'm pretty lost here. I tried following the directions on that page but the results still make no sense to me. From what I can see, the account is successfully authorized, and the groups that I am part of are found and some sudo rules are found, but then I am denied access for no reason. This is not working on any CentOS 6.8 server, and working properly on all previous versions of CentOS. I have tried several steps including deleting and re-creating the 6.8 hosts, and unjoining them and re-joining them to the domain. Nothing helps
>
>========== /var/log/sudo_debug ======================
>
>Jun 8 16:56:01 sudo[7277] <- sudo_pam_verify @ ./auth/pam.c:138 := 0
>Jun 8 16:56:01 sudo[7277] <- verify_user @ ./auth/sudo_auth.c:282 := 1
>Jun 8 16:56:01 sudo[7277] -> sudo_auth_cleanup @ ./auth/sudo_auth.c:160
>Jun 8 16:56:01 sudo[7277] -> sudo_pam_cleanup @ ./auth/pam.c:185
>Jun 8 16:56:01 sudo[7277] <- sudo_pam_cleanup @ ./auth/pam.c:189 := 0
>Jun 8 16:56:01 sudo[7277] <- sudo_auth_cleanup @ ./auth/sudo_auth.c:177 := 0
>Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref @ ./pwutil.c:249
>Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
>Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
>Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref @ ./pwutil.c:251
>Jun 8 16:56:01 sudo[7277] <- check_user @ ./check.c:189 := true
>Jun 8 16:56:01 sudo[7277] -> log_failure @ ./logging.c:318
>Jun 8 16:56:01 sudo[7277] -> log_denial @ ./logging.c:256
>Jun 8 16:56:01 sudo[7277] -> audit_failure @ ./audit.c:68
>Jun 8 16:56:01 sudo[7277] -> linux_audit_command @ ./linux_audit.c:70
>Jun 8 16:56:01 sudo[7277] -> linux_audit_open @ ./linux_audit.c:49
>Jun 8 16:56:01 sudo[7277] <- linux_audit_open @ ./linux_audit.c:61 := 15
>Jun 8 16:56:01 sudo[7277] <- linux_audit_command @ ./linux_audit.c:97 := 3
>Jun 8 16:56:01 sudo[7277] <- audit_failure @ ./audit.c:81
>Jun 8 16:56:01 sudo[7277] -> new_logline @ ./logging.c:746
>Jun 8 16:56:01 sudo[7277] <- new_logline @ ./logging.c:867 := user NOT authorized on host ; TTY=pts/1 ; PWD=/home/nathan.peters ; USER=root ; COMMAND=/bin/su -
>Jun 8 16:56:01 sudo[7277] -> should_mail @ ./logging.c:712
>Jun 8 16:56:01 sudo[7277] <- should_mail @ ./logging.c:717 := false
>Jun 8 16:56:01 sudo[7277] -> do_syslog @ ./logging.c:138
>Jun 8 16:56:01 sudo[7277] -> mysyslog @ ./logging.c:96
>Jun 8 16:56:01 sudo[7277] <- mysyslog @ ./logging.c:119
>Jun 8 16:56:01 sudo[7277] <- do_syslog @ ./logging.c:185
>Jun 8 16:56:01 sudo[7277] <- log_denial @ ./logging.c:309
>Jun 8 16:56:01 sudo[7277] <- log_failure @ ./logging.c:341
>Jun 8 16:56:01 sudo[7277] -> rewind_perms @ ./set_perms.c:90
>Jun 8 16:56:01 sudo[7277] -> restore_perms @ ./set_perms.c:363
>Jun 8 16:56:01 sudo[7277] restore_perms: uid: [756600344, 0, 0] -> [756600344, 0, 0]
>Jun 8 16:56:01 sudo[7277] restore_perms: gid: [756600344, 756600344, 756600344] -> [756600344, 756600344, 756600344]
>Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref @ ./pwutil.c:816
>Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
>Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
>Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref @ ./pwutil.c:818
>Jun 8 16:56:01 sudo[7277] <- restore_perms @ ./set_perms.c:407
>Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref @ ./pwutil.c:816
>Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
>Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
>Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref @ ./pwutil.c:818
>Jun 8 16:56:01 sudo[7277] <- rewind_perms @ ./set_perms.c:96
>Jun 8 16:56:01 sudo[7277] -> sudo_endpwent @ ./pwutil.c:443
>Jun 8 16:56:01 sudo[7277] -> sudo_freepwcache @ ./pwutil.c:426
>Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
>Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>Jun 8 16:56:01 sudo[7277] ->
_rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ >./pwutil.c:238 Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ >./pwutil.c:243 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] <- rbdestroy @ >./redblack.c:362 Jun 8 16:56:01 sudo[7277] -> rbdestroy @ >./redblack.c:359 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ >./pwutil.c:238 Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ >./pwutil.c:243 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] <- rbdestroy @ >./redblack.c:362 Jun 8 16:56:01 sudo[7277] <- sudo_freepwcache @ >./pwutil.c:437 Jun 8 16:56:01 sudo[7277] <- sudo_endpwent @ >./pwutil.c:448 Jun 8 16:56:01 sudo[7277] -> sudo_endgrent @ >./pwutil.c:861 Jun 8 16:56:01 sudo[7277] -> sudo_freegrcache @ >./pwutil.c:840 Jun 8 16:56:01 sudo[7277] -> rbdestroy @ >./redblack.c:359 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] <- rbdestroy @ >./redblack.c:362 Jun 8 16:56:01 sudo[7277] -> rbdestroy @ >./redblack.c:359 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 
sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ >./pwutil.c:657 Jun 8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ >./pwutil.c:662 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ >./pwutil.c:657 Jun 8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ >./pwutil.c:662 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] <- rbdestroy @ >./redblack.c:362 Jun 8 16:56:01 sudo[7277] -> rbdestroy @ >./redblack.c:359 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item >@ ./pwutil.c:805 Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item >@ ./pwutil.c:810 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item >@ ./pwutil.c:805 Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item >@ ./pwutil.c:810 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] <- rbdestroy @ >./redblack.c:362 Jun 8 16:56:01 sudo[7277] <- sudo_freegrcache @ >./pwutil.c:855 Jun 8 16:56:01 sudo[7277] <- sudo_endgrent @ >./pwutil.c:866 Jun 8 16:56:01 sudo[7277] <- sudoers_policy_main @ >./sudoers.c:753 := false Jun 8 16:56:01 sudo[7277] <- >sudoers_policy_check @ ./sudoers.c:766 := false Jun 8 16:56:01 >sudo[7277] <- policy_check @ ./sudo.c:1204 := false Jun 8 16:56:01 >sudo[7277] policy plugin returns 0 > >============== /var/log/sssd/sssd_sudo.log 
===================== > >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected! >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1]. >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1]. >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using >protocol version [1] (Wed Jun 8 17:39:12 2016) [sssd[sudo]] >[sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched >without domain, user is nathan.peters (Wed Jun 8 17:39:12 2016) >[sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name >'nathan.peters' matched without domain, user is nathan.peters (Wed Jun >8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): >Requesting default options for [nathan.peters] from [] (Wed Jun 8 >17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking >negative cache for [NCE/USER/dev-mydomain.net/nathan.peters] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): >Requesting info about [nathan.peters at dev-mydomain.net] (Wed Jun 8 >17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info >for user [nathan.peters at dev-mydomain.net] (Wed Jun 8 17:39:12 2016) >[sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options >for [nathan.peters] from [dev-mydomain.net] (Wed Jun 8 17:39:12 2016) >[sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching >sysdb with >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=natha >n.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)( >sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.pe >ters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): >About to get sudo rules from cache (Wed Jun 8 17:39:12 2016) >[sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching >sysdb with 
[(&(objectClass=sudoRule)(|(name=defaults)))] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] >[sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for >[@dev-mydomain.net] (Wed Jun 8 17:39:12 2016) >[sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1] (Wed >Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] >(0x0200): name 'nathan.peters' matched without domain, user is >nathan.peters (Wed Jun 8 17:39:12 2016) [sssd[sudo]] >[sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched >without domain, user is nathan.peters (Wed Jun 8 17:39:12 2016) >[sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules >for [nathan.peters] from [] (Wed Jun 8 17:39:12 2016) >[sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache >for [NCE/USER/dev-mydomain.net/nathan.peters] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): >Requesting info about [nathan.peters at dev-mydomain.net] (Wed Jun 8 >17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info >for user [nathan.peters at dev-mydomain.net] (Wed Jun 8 17:39:12 2016) >[sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for >[nathan.peters] from [dev-mydomain.net] (Wed Jun 8 17:39:12 2016) >[sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching >sysdb with >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=natha >n.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)( >sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.pe >ters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): >About to get sudo rules from cache (Wed Jun 8 17:39:12 2016) >[sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching >sysdb with >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoU >ser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysad 
>mins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser= >+*)))] (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sort_sudo_rules] >(0x0400): Sorting rules with higher-wins logic (Wed Jun 8 17:39:12 >2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): >Returning 2 rules for [nathan.peters at dev-mydomain.net] (Wed Jun 8 >17:39:16 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received >SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service (Wed Jun 8 17:39:16 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed Jun 8 17:39:17 2016) [sssd[sudo]] [client_recv] (0x0200): Client disconnected! >(Wed Jun 8 17:39:17 2016) [sssd[sudo]] [client_destructor] (0x2000): >Terminated client [0x1091360][17] (Wed Jun 8 17:39:26 2016) >[sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method >org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service >(Wed Jun 8 17:39:26 2016) [sssd[sudo]] [sbus_get_sender_id_send] >(0x2000): Not a sysbus message, quit > >============= /var/log/sssd/sssd_mydomain.log ============== > >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sbus_message_handler] (0x2000): Received SBUS method >org.freedesktop.sssd.dataprovider.getAccountInfo on path >/org/freedesktop/sssd/dataprovider >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed Jun >8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] >(0x0200): Got request for [0x1002][FAST >BE_REQ_GROUP][1][name=deployment_engineer] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[be_req_set_domain] (0x0400): Changing request domain from >[dev-mydomain.net] to [dev-mydomain.net] (Wed Jun 8 17:39:12 2016) >[sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400): >Searching for groups with base [cn=accounts,dc=dev-mydomain,dc=net] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] 
>[sdap_print_server] (0x2000): Searching 10.178.0.98 (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net]. >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed Jun >8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Wed >Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 14 (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 14 timeout 6 (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xebb690], ldap[0xea8500] (Wed Jun 8 
17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 14 finished
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.

It looks like group deployment_engineer cannot be found in IPA.

>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] (0x0400): No such entry
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sbus_message_handler] (0x2000): Received SBUS method >org.freedesktop.sssd.dataprovider.getAccountInfo on path >/org/freedesktop/sssd/dataprovider >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed Jun >8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] >(0x0200): Got request for [0x1002][FAST >BE_REQ_GROUP][1][name=sysadmins] (Wed Jun 8 17:39:12 2016) >[sssd[be[dev-mydomain.net]]] [be_req_set_domain] (0x0400): Changing >request domain from [dev-mydomain.net] to [dev-mydomain.net] (Wed Jun >8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_groups_next_base] (0x0400): Searching for groups with base >[cn=accounts,dc=dev-mydomain,dc=net] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_print_server] (0x2000): Searching 10.178.0.98 (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net]. 
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed Jun >8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Wed >Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15 (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 15 timeout 6 (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xeaaf30], ldap[0xea8500] (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 15 finished (Wed Jun 8 17:39! 
:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.

It looks like group sysadmins cannot be found in IPA.

>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] (0x0400): No such entry
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
>
>===== output of ldap query manually copied from the sssd_sudo.log; first search returns nothing, second search returns 2 rules ==================
>
>[root at cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))'
>asq: Unable to register control with rootdse!
># returned 0 records
># 0 entries
># 0 referrals
>
>
>[root at cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))'
>asq: Unable to register control with rootdse!
># record 1 >dn: >name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=custom,cn=dev-m >ydomain.net,cn=sysdb >cn: s_allow_deployment_engineer_to_all >dataExpireTimestamp: 1465412946 >name: s_allow_deployment_engineer_to_all >objectClass: sudoRule >sudoCommand: ALL >sudoHost: ALL >sudoOption: !authenticate >sudoRunAsGroup: ALL >sudoRunAsUser: ALL >sudoUser: %deployment_engineer >distinguishedName: >name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=cus > tom,cn=dev-mydomain.net,cn=sysdb > ># record 2 >dn: >name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.ne >t,cn=sysdb >cn: s_allow_sysadmins_to_all >dataExpireTimestamp: 1465412946 >name: s_allow_sysadmins_to_all >objectClass: sudoRule >sudoCommand: ALL >sudoHost: ALL >sudoOption: !authenticate >sudoRunAsGroup: ALL >sudoRunAsUser: ALL >sudoUser: %sysadmins >distinguishedName: >name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev > -mydomain.net,cn=sysdb > ># returned 2 records ># 2 entries ># 0 referrals > >====== output of ldap query against directory for search used in the >sssd_domain.log =========== > >[root at cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))' ># extended LDIF ># ># LDAPv3 ># base with scope subtree # >filter: >(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posi >xGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0)))) ># requesting: ALL ># > ># search result >search: 2 >result: 0 Success > ># numResponses: 1 > >[root at cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))' ># extended LDIF ># ># LDAPv3 ># base with scope subtree # >filter: >(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(c 
>n=*)(&(gidNumber=*)(!(gidNumber=0))))
># requesting: ALL
>#
>

LDAP searches confirmed that it's not possible to find groups: deployment_engineer and sysadmins. But you used anonymous search. It would be good if you could provide the output for the groups using the ipa command, e.g.

kinit admin
ipa group-show --all deployment_engineer
ipa group-show --all sysadmins
ipa group-show --raw deployment_engineer
ipa group-show --raw sysadmins

LS

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

From wia at iglass.net Mon Jun 13 20:05:32 2016
From: wia at iglass.net (Marc Wiatrowski)
Date: Mon, 13 Jun 2016 16:05:32 -0400
Subject: [Freeipa-users] CA: IPA certificates not renewing
Message-ID:

Hello,

I'm having issues with the 3 ipa certificates of type CA: IPA renewing on 2 of 3 replicas, particularly on the 2 that are not the CA master. The other 5 certificates from getcert list do renew, and all certificates on the CA master do look to renew. Both servers are running ipa-server-3.0.0-50.el6.centos.1.x86_64. I've done full updates and rebooted.

The failed renews look like:

[root at spider01a]$ getcert list -i 20141202144354
Number of certificates and requests being tracked: 8.
Request ID '20141202144354':
    status: CA_UNREACHABLE
    ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0x3ffe0010 not found)).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=IGLASS.NET
    subject: CN=spider01a.iglass.net,O=IGLASS.NET
    expires: 2016-12-02 14:38:45 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
    track: yes
    auto-renew: yes

[root at spider01a]$ getcert list -i 20141202144616
Number of certificates and requests being tracked: 8.
Request ID '20141202144616':
    status: CA_UNREACHABLE
    ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0x3ffe000f not found)).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IGLASS-NET/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=IGLASS.NET
    subject: CN=spider01a.iglass.net,O=IGLASS.NET
    expires: 2016-12-02 14:38:43 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv IGLASS-NET
    track: yes
    auto-renew: yes

[root at spider01a]$ getcert list -i 20141202144733
Number of certificates and requests being tracked: 8.
Request ID '20141202144733':
    status: CA_UNREACHABLE
    ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request, will retry: 4301 (RPC failed at server.
Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0x3ffe0011 not found)).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=IGLASS.NET
    subject: CN=spider01a.iglass.net,O=IGLASS.NET
    expires: 2016-12-02 14:38:46 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes

From [root at spider01a]$ getcert resubmit -i 20141202144354

On the replica issuing the resubmit:

==> /var/log/httpd/access_log <==
192.168.176.2 - - [13/Jun/2016:15:49:32 -0400] "POST /ipa/xml HTTP/1.1" 401 1370

==> /var/log/httpd/error_log <==
[Mon Jun 13 15:49:33 2016] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): EXCEPTION (Certificate serial number 0x3ffe0010 not found)
[Mon Jun 13 15:49:33 2016] [error] ipa: INFO: host/spider01a.iglass.net at IGLASS.NET: cert_request(u'MIIDsTCCApkCAQAwNDETMBEGA1UEChMKSUdMQVNTLk5FVDEdMBsGA1UEAxMUc3BpZGVyMDFhLml...UVrN8lbKn17V5COjnj6k0mdbz3KptL0UI/l0BPlFBWGN5MFYaDx2F+y6LWv/aXeu2V4E6LA==', principal=u'dogtagldap/spider01a.iglass.net at IGLASS.NET', add=True): CertificateOperationError

==> /var/log/httpd/access_log <==
192.168.176.2 - - [13/Jun/2016:15:49:33 -0400] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 200 262
192.168.176.2 - host/spider01a.iglass.net at IGLASS.NET [13/Jun/2016:15:49:32 -0400] "POST /ipa/xml HTTP/1.1" 200 376

==> /var/log/pki-ca/system <==
2508.TP-Processor6 - [13/Jun/2016:15:49:33 EDT] [3] [3] Servlet caDisplayBySerial: Error encountered in DisplayBySerial. Error Record not found.
On the CA master spider01o:

==> /var/log/httpd/access_log <==
192.168.176.2 - - [13/Jun/2016:15:49:33 -0400] "POST /ipa/xml HTTP/1.1" 401 1370

==> krb5kdc.log <==
Jun 13 15:49:34 spider01o.iglass.net krb5kdc[1963](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.177.2: ISSUE: authtime 1465847372, etypes {rep=18 tkt=18 ses=18}, host/spider01a.iglass.net at IGLASS.NET for ldap/spider01o.iglass.net at IGLASS.NET

==> /var/log/httpd/error_log <==
[Mon Jun 13 15:49:34 2016] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): EXCEPTION (Invalid Credential.)
[Mon Jun 13 15:49:34 2016] [error] ipa: INFO: host/spider01a.iglass.net at IGLASS.NET: cert_request(u'MIIDsTCCApkCAQAwNDETMBEGA1UEChMKSUdMQVNTLk5FVDEdMBsGA1UEAxMUc3BpZGVyMDFhLml...UVrN8lbKn17V5COjnj6k0mdbz3KptL0UI/l0BPlFBWGN5MFYaDx2F+y6LWv/aXeu2V4E6LA==', principal=u'dogtagldap/spider01a.iglass.net at IGLASS.NET', add=True): CertificateOperationError

==> /var/log/httpd/access_log <==
192.168.177.2 - - [13/Jun/2016:15:49:34 -0400] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 200 235
192.168.176.2 - host/spider01a.iglass.net at IGLASS.NET [13/Jun/2016:15:49:33 -0400] "POST /ipa/xml HTTP/1.1" 200 349

==> /var/log/pki-ca/system <==
2231.TP-Processor3 - [13/Jun/2016:15:49:34 EDT] [6] [3] Cannot authenticate agent with certificate Serial 0x5ffc0008 Subject DN CN=IPA RA,O=IGLASS.NET. Error: User not found

I realize they expire at the end of the year, but I've had my certificates expire before and would rather not go through that again. Any idea on what's wrong or suggestions on where to look would be appreciated.

Thanks,
Marc
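The `getcert list` output in Marc's report already contains everything needed to spot this kind of silent renewal failure before the expiry date arrives: a status other than MONITORING, a `ca-error` naming the serial the CA could not find, and the `expires` timestamp. The script below is an added example, not code from this thread or from FreeIPA or certmonger; it assumes only the field layout shown above, and the sample output it parses is constructed from that layout (the first request reproduces the failing state, the second is an invented healthy request for contrast).

```python
"""Audit `getcert list` output for certmonger tracking requests that can no
longer renew. Added example, not part of the thread or of FreeIPA; the
sample text is constructed in the format the post shows."""
import re
from datetime import datetime

# Constructed sample modelled on the `getcert list -i ...` output above:
# the first request reproduces the failing state, the second is a healthy
# request invented for contrast.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 8.
Request ID '20141202144354':
    status: CA_UNREACHABLE
    ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0x3ffe0010 not found)).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=IGLASS.NET
    subject: CN=spider01a.iglass.net,O=IGLASS.NET
    expires: 2016-12-02 14:38:45 UTC
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
    track: yes
    auto-renew: yes
Request ID '20141202144733':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    expires: 2016-12-02 14:38:46 UTC
    track: yes
    auto-renew: yes
"""

# Reference "now" for the sample: the day the post was written.
REFERENCE_NOW = datetime(2016, 6, 13)

REQUEST_RE = re.compile(r"Request ID '([^']+)':")
SERIAL_RE = re.compile(r"serial number (0x[0-9a-fA-F]+)")
NICK_RE = re.compile(r"nickname='([^']*)'")
LOC_RE = re.compile(r"location='([^']*)'")


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracking request,
    keyed by the field names certmonger prints."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Number of certificates"):
            continue
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            records.append(current)
            continue
        if current is None:
            continue
        # Only the first colon separates the field name from its value;
        # values such as ca-error contain further colons.
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return records


def audit_tracking(text, now, warn_days=90):
    """Flag requests that are not quietly MONITORING, that carry a ca-error,
    or whose certificate expires within warn_days of `now`."""
    findings = []
    for rec in parse_getcert_list(text):
        expires = datetime.strptime(rec["expires"], "%Y-%m-%d %H:%M:%S UTC")
        days_left = (expires - now).days
        cert = rec.get("certificate", "")
        nick, loc = NICK_RE.search(cert), LOC_RE.search(cert)
        serial = SERIAL_RE.search(rec.get("ca-error", ""))
        healthy = rec.get("status") == "MONITORING" and "ca-error" not in rec
        findings.append({
            "request_id": rec["request_id"],
            "nickname": nick.group(1) if nick else None,
            "location": loc.group(1) if loc else None,
            "status": rec.get("status"),
            "days_left": days_left,
            "missing_serial": serial.group(1) if serial else None,
            "needs_attention": (not healthy) or days_left < warn_days,
        })
    return findings


def audit_sample():
    """Run the audit over the constructed sample."""
    return audit_tracking(SAMPLE_GETCERT, REFERENCE_NOW)


if __name__ == "__main__":
    for f in audit_sample():
        flag = "ATTENTION" if f["needs_attention"] else "ok"
        print(f"{f['request_id']} {f['nickname']}@{f['location']} "
              f"{f['status']} {f['days_left']}d left "
              f"missing serial={f['missing_serial']} -> {flag}")
```

Run against real output with `audit_tracking(subprocess.check_output(["getcert", "list"], text=True), datetime.utcnow())`; the point of the `missing_serial` field is that a request can sit at CA_UNREACHABLE with months of validity left, exactly the situation described above, and a plain expiry check would never raise it.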
From Nathan.Peters at globalrelay.net Mon Jun 13 20:24:34 2016
From: Nathan.Peters at globalrelay.net (Nathan Peters)
Date: Mon, 13 Jun 2016 20:24:34 +0000
Subject: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails
In-Reply-To:
References: <20160607204327.GA6308@hendrix> <20160611090142.GA18966@10.4.128.1>
Message-ID:

Taking a second look at the sudo debugging logs: it looks like it can't figure out that I'm in the right group? According to https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO those next 2 lines should be true?

Jun 13 20:12:10 sudo[16270] <- user_in_group @ ./pwutil.c:957 := false
Jun 13 20:12:10 sudo[16270] <- usergr_matches @ ./match.c:699 := false

--- snip ---

val[0]=%deployment_engineer
Jun 13 20:12:10 sudo[16270] -> usergr_matches @ ./match.c:666
Jun 13 20:12:10 sudo[16270] -> user_in_group @ ./pwutil.c:914
Jun 13 20:12:10 sudo[16270] -> sudo_get_grlist @ ./pwutil.c:851
Jun 13 20:12:10 sudo[16270] -> rbfind @ ./redblack.c:273
Jun 13 20:12:10 sudo[16270] <- rbfind @ ./redblack.c:277 := 0x7f4bacb0e7f0
Jun 13 20:12:10 sudo[16270] <- sudo_get_grlist @ ./pwutil.c:904 := 0x7f4bacb11318
Jun 13 20:12:10 sudo[16270] -> sudo_getgrgid @ ./pwutil.c:655
Jun 13 20:12:10 sudo[16270] -> rbfind @ ./redblack.c:273
Jun 13 20:12:10 sudo[16270] <- rbfind @ ./redblack.c:277 := 0x7f4bacb111d0
Jun 13 20:12:10 sudo[16270] <- sudo_getgrgid @ ./pwutil.c:681 := 0x7f4bacb0e458
Jun 13 20:12:10 sudo[16270] -> sudo_gr_delref @ ./pwutil.c:642
Jun 13 20:12:10 sudo[16270] -> sudo_gr_delref_item @ ./pwutil.c:631
Jun 13 20:12:10 sudo[16270] <- sudo_gr_delref_item @ ./pwutil.c:636
Jun 13 20:12:10 sudo[16270] <- sudo_gr_delref @ ./pwutil.c:644
Jun 13 20:12:10 sudo[16270] -> sudo_grlist_delref @ ./pwutil.c:790
Jun 13 20:12:10 sudo[16270] -> sudo_grlist_delref_item @ ./pwutil.c:779
Jun 13 20:12:10 sudo[16270] <- sudo_grlist_delref_item @ ./pwutil.c:784
Jun 13 20:12:10 sudo[16270] <- sudo_grlist_delref @ ./pwutil.c:792
Jun 13 20:12:10 sudo[16270] <- user_in_group @
./pwutil.c:957 := false Jun 13 20:12:10 sudo[16270] <- usergr_matches @ ./match.c:699 := false Jun 13 20:12:10 sudo[16270] <- sudo_sss_filter_sudoUser @ ./sssd.c:682 := false Jun 13 20:12:10 sudo[16270] <- sudo_sss_result_filterp @ ./sssd.c:696 := 0 Jun 13 20:12:10 sudo[16270] -> sudo_sss_result_filterp @ ./sssd.c:690 Jun 13 20:12:10 sudo[16270] -> sudo_sss_check_host @ ./sssd.c:577 Jun 13 20:12:10 sudo[16270] val[0]=ALL Jun 13 20:12:10 sudo[16270] sssd/ldap sudoHost 'ALL' ... MATCH! Jun 13 20:12:10 sudo[16270] <- sudo_sss_check_host @ ./sssd.c:613 := true Jun 13 20:12:10 sudo[16270] -> sudo_sss_filter_sudoUser @ ./sssd.c:626 Jun 13 20:12:10 sudo[16270] val[0]=%sysadmins Jun 13 20:12:10 sudo[16270] -> usergr_matches @ ./match.c:666 Jun 13 20:12:10 sudo[16270] -> user_in_group @ ./pwutil.c:914 Jun 13 20:12:10 sudo[16270] -> sudo_get_grlist @ ./pwutil.c:851 Jun 13 20:12:10 sudo[16270] -> rbfind @ ./redblack.c:273 Jun 13 20:12:10 sudo[16270] <- rbfind @ ./redblack.c:277 := 0x7f4bacb0e7f0 Jun 13 20:12:10 sudo[16270] <- sudo_get_grlist @ ./pwutil.c:904 := 0x7f4bacb11318 Jun 13 20:12:10 sudo[16270] -> sudo_getgrgid @ ./pwutil.c:655 Jun 13 20:12:10 sudo[16270] -> rbfind @ ./redblack.c:273 Jun 13 20:12:10 sudo[16270] <- rbfind @ ./redblack.c:277 := 0x7f4bacb111d0 Jun 13 20:12:10 sudo[16270] <- sudo_getgrgid @ ./pwutil.c:681 := 0x7f4bacb0e458 Jun 13 20:12:10 sudo[16270] -> sudo_gr_delref @ ./pwutil.c:642 Jun 13 20:12:10 sudo[16270] -> sudo_gr_delref_item @ ./pwutil.c:631 Jun 13 20:12:10 sudo[16270] <- sudo_gr_delref_item @ ./pwutil.c:636 Jun 13 20:12:10 sudo[16270] <- sudo_gr_delref @ ./pwutil.c:644 Jun 13 20:12:10 sudo[16270] -> sudo_grlist_delref @ ./pwutil.c:790 Jun 13 20:12:10 sudo[16270] -> sudo_grlist_delref_item @ ./pwutil.c:779 Jun 13 20:12:10 sudo[16270] <- sudo_grlist_delref_item @ ./pwutil.c:784 Jun 13 20:12:10 sudo[16270] <- sudo_grlist_delref @ ./pwutil.c:792 Jun 13 20:12:10 sudo[16270] <- user_in_group @ ./pwutil.c:957 := false Jun 13 20:12:10 sudo[16270] <- 
usergr_matches @ ./match.c:699 := false -----Original Message----- From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Nathan Peters Sent: Monday, June 13, 2016 12:55 PM To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails After more investigation I'm thinking this may be a bug in FreeIPA 4.3.1. I have for testing purposes, installed a CentOS 6.7 client and I'm getting the same issues. The only thing I can think of is that we updated our FreeIPA servers to 4.3.1 a few weeks ago and hadn't provisioned any new machines since then. It's like the server isn't properly storing the new clients in the database and is missing some flag that allows them to use sudo. You can see from the output below that pam and sss both allow the user access, but the sudo command itself denies it. It's like the sudo package is only looking in the local sudoers files and ignoring the previous calls to the IPA server. Jun 13 19:26:13 kafka1-msg-cpqa1-nvan sudo: pam_unix(sudo:auth): authentication failure; logname=nathan.peters uid=756600344 euid=0 tty=/dev/pts/0 ruser=nathan.peters rhost= user=nathan.peters Jun 13 19:26:14 kafka1-msg-cpqa1-nvan sudo: pam_sss(sudo:auth): authentication success; logname=nathan.peters uid=756600344 euid=0 tty=/dev/pts/0 ruser=nathan.peters rhost= user=nathan.peters Jun 13 19:26:14 kafka1-msg-cpqa1-nvan sudo: nathan.peters : user NOT authorized on host ; TTY=pts/0 ; PWD=/home/nathan.peters ; USER=root ; COMMAND=/bin/su - -----Original Message----- From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Nathan Peters Sent: Monday, June 13, 2016 10:30 AM To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails All group lists return correctly when using the ipa group-show command. Like I said, there is definitely something wrong with CentOS 6.8 because all group lists are correct. 
This was done on one of the CentOS 6.8 servers so we know that the server can retrieve the group lists properly. [nathan.peters at cass1 ~]$ klist Ticket cache: FILE:/tmp/krb5cc_756600344 Default principal: admin at DEV-MYDOMAIN.NET Valid starting Expires Service principal 06/13/16 17:21:56 06/14/16 17:21:41 krbtgt/DEV-MYDOMAIN.NET at DEV-MYDOMAIN.NET [nathan.peters at cass1 ~]$ ipa group-show --all deployment_engineer ipa group-show --all sysadmins ipa group-show --raw deployment_engineer ipa group-show --raw sysadmins ipa: ERROR: command 'group_show' takes at most 1 argument [nathan.peters at cass1 ~]$ ipa group-show --all deployment_engineer dn: cn=deployment_engineer,cn=groups,cn=accounts,dc=dev-mydomain,dc=net Group name: deployment_engineer Description: deployment engineers Member users: nathan.peters, Member of groups: admins Roles: DNS Administrator Member of Sudo rule: s_allow_deployment_engineer_to_all Member of HBAC rule: allow_deployment_engineer_to_all ipauniqueid: 8bba7068-04c8-11e5-931d-005056b71d17 objectclass: top, ipaobject, groupofnames, ipausergroup, nestedgroup [nathan.peters at cass1 ~]$ ipa group-show --all sysadmins dn: cn=sysadmins,cn=groups,cn=accounts,dc=dev-mydomain,dc=net Group name: sysadmins Description: System Administrators Member users: nathan.peters, Member of groups: admins Member of Sudo rule: s_allow_sysadmins_to_all Member of HBAC rule: allow_sysadmins_to_all ipauniqueid: 828754c0-04c8-11e5-988f-005056b71d17 objectclass: top, ipaobject, groupofnames, ipausergroup, nestedgroup [nathan.peters at cass1 ~]$ ipa group-show --raw deployment_engineer cn: deployment_engineer description: deployment engineers member: uid=nathan.peters,cn=users,cn=accounts,dc=dev-mydomain,dc=net [nathan.peters at cass1 ~]$ ipa group-show --raw sysadmins cn: sysadmins description: System Administrators member: uid=nathan.peters,cn=users,cn=accounts,dc=dev-mydomain,dc=net [nathan.peters at cass1 ~]$ -----Original Message----- From: Lukas Slebodnik 
[mailto:lslebodn at redhat.com] Sent: Saturday, June 11, 2016 2:02 AM To: Nathan Peters Cc: Jakub Hrozek; freeipa-users at redhat.com Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails On (08/06/16 18:14), Nathan Peters wrote: >I'm pretty lost here. I tried following the directions on that page >but the results still make no sense to me. From what I can see, the >account is successfully authorized, and the groups that I am part of >are found and some sudo rules are found, but then I am denied access >for no reason. This is not working on any CentOS 6.8 server, and >working properly on all previous versions of CentOS. I have tried >several steps including deleting and re-creating the 6.8 hosts, and >unjoining them and re-joining them to the domain. Nothing helps > >========== /var/log/sudo_debug ====================== > >Jun 8 16:56:01 sudo[7277] <- sudo_pam_verify @ ./auth/pam.c:138 := 0 >Jun 8 16:56:01 sudo[7277] <- verify_user @ ./auth/sudo_auth.c:282 := 1 >Jun 8 16:56:01 sudo[7277] -> sudo_auth_cleanup @ >./auth/sudo_auth.c:160 Jun 8 16:56:01 sudo[7277] -> sudo_pam_cleanup @ >./auth/pam.c:185 Jun 8 16:56:01 sudo[7277] <- sudo_pam_cleanup @ >./auth/pam.c:189 := 0 Jun 8 16:56:01 sudo[7277] <- sudo_auth_cleanup @ >./auth/sudo_auth.c:177 := 0 Jun 8 16:56:01 sudo[7277] -> >sudo_pw_delref @ ./pwutil.c:249 Jun 8 16:56:01 sudo[7277] -> >sudo_pw_delref_item @ ./pwutil.c:238 Jun 8 16:56:01 sudo[7277] <- >sudo_pw_delref_item @ ./pwutil.c:243 Jun 8 16:56:01 sudo[7277] <- >sudo_pw_delref @ ./pwutil.c:251 Jun 8 16:56:01 sudo[7277] <- >check_user @ ./check.c:189 := true Jun 8 16:56:01 sudo[7277] -> >log_failure @ ./logging.c:318 Jun 8 16:56:01 sudo[7277] -> log_denial >@ ./logging.c:256 Jun 8 16:56:01 sudo[7277] -> audit_failure @ >./audit.c:68 Jun 8 16:56:01 sudo[7277] -> linux_audit_command @ >./linux_audit.c:70 Jun 8 16:56:01 sudo[7277] -> linux_audit_open @ >./linux_audit.c:49 Jun 8 16:56:01 sudo[7277] <- linux_audit_open @ >./linux_audit.c:61 := 15 Jun 8 
16:56:01 sudo[7277] <- >linux_audit_command @ ./linux_audit.c:97 := 3 Jun 8 16:56:01 >sudo[7277] <- audit_failure @ ./audit.c:81 Jun 8 16:56:01 sudo[7277] >-> new_logline @ ./logging.c:746 Jun 8 16:56:01 sudo[7277] <- >new_logline @ ./logging.c:867 := user NOT authorized on host ; >TTY=pts/1 ; PWD=/home/nathan.peters ; USER=root ; COMMAND=/bin/su - Jun >8 16:56:01 sudo[7277] -> should_mail @ ./logging.c:712 Jun 8 16:56:01 >sudo[7277] <- should_mail @ ./logging.c:717 := false Jun 8 16:56:01 >sudo[7277] -> do_syslog @ ./logging.c:138 Jun 8 16:56:01 sudo[7277] -> >mysyslog @ ./logging.c:96 Jun 8 16:56:01 sudo[7277] <- mysyslog @ >./logging.c:119 Jun 8 16:56:01 sudo[7277] <- do_syslog @ >./logging.c:185 Jun 8 16:56:01 sudo[7277] <- log_denial @ >./logging.c:309 Jun 8 16:56:01 sudo[7277] <- log_failure @ >./logging.c:341 Jun 8 16:56:01 sudo[7277] -> rewind_perms @ >./set_perms.c:90 Jun 8 16:56:01 sudo[7277] -> restore_perms @ >./set_perms.c:363 Jun 8 16:56:01 sudo[7277] restore_perms: uid: >[756600344, 0, 0] -> [756600344, 0, 0] Jun 8 16:56:01 sudo[7277] >restore_perms: gid: [756600344, 756600344, 756600344] -> [756600344, >756600344, 756600344] Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref >@ ./pwutil.c:816 Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item >@ ./pwutil.c:805 Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item >@ ./pwutil.c:810 Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref @ >./pwutil.c:818 Jun 8 16:56:01 sudo[7277] <- restore_perms @ >./set_perms.c:407 Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref @ >./pwutil.c:816 Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ >./pwutil.c:805 Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ >./pwutil.c:810 Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref @ >./pwutil.c:818 Jun 8 16:56:01 sudo[7277] <- rewind_perms @ >./set_perms.c:96 Jun 8 16:56:01 sudo[7277] -> sudo_endpwent @ >./pwutil.c:443 Jun 8 16:56:01 sudo[7277] -> sudo_freepwcache @ >./pwutil.c:426 Jun 8 16:56:01 sudo[7277] -> rbdestroy @ 
>./redblack.c:359 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ >./pwutil.c:238 Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ >./pwutil.c:243 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] <- rbdestroy @ >./redblack.c:362 Jun 8 16:56:01 sudo[7277] -> rbdestroy @ >./redblack.c:359 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ >./pwutil.c:238 Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ >./pwutil.c:243 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] <- rbdestroy @ >./redblack.c:362 Jun 8 16:56:01 sudo[7277] <- sudo_freepwcache @ >./pwutil.c:437 Jun 8 16:56:01 sudo[7277] <- sudo_endpwent @ >./pwutil.c:448 Jun 8 16:56:01 sudo[7277] -> sudo_endgrent @ >./pwutil.c:861 Jun 8 16:56:01 sudo[7277] -> sudo_freegrcache @ >./pwutil.c:840 Jun 8 16:56:01 sudo[7277] -> rbdestroy @ >./redblack.c:359 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] <- rbdestroy @ >./redblack.c:362 Jun 8 16:56:01 sudo[7277] -> rbdestroy @ >./redblack.c:359 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] -> 
_rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ >./pwutil.c:657 Jun 8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ >./pwutil.c:662 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ >./pwutil.c:657 Jun 8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ >./pwutil.c:662 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] <- rbdestroy @ >./redblack.c:362 Jun 8 16:56:01 sudo[7277] -> rbdestroy @ >./redblack.c:359 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item >@ ./pwutil.c:805 Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item >@ ./pwutil.c:810 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item >@ ./pwutil.c:805 Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item >@ ./pwutil.c:810 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >./redblack.c:349 Jun 8 16:56:01 sudo[7277] <- rbdestroy @ >./redblack.c:362 Jun 8 16:56:01 sudo[7277] <- sudo_freegrcache @ >./pwutil.c:855 Jun 8 16:56:01 sudo[7277] <- sudo_endgrent @ >./pwutil.c:866 Jun 8 16:56:01 sudo[7277] <- sudoers_policy_main @ >./sudoers.c:753 := false Jun 8 16:56:01 sudo[7277] <- >sudoers_policy_check @ ./sudoers.c:766 := false Jun 8 16:56:01 >sudo[7277] <- policy_check @ ./sudo.c:1204 
:= false Jun 8 16:56:01 >sudo[7277] policy plugin returns 0 > >============== /var/log/sssd/sssd_sudo.log ===================== > >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected! >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1]. >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1]. >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using >protocol version [1] (Wed Jun 8 17:39:12 2016) [sssd[sudo]] >[sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched >without domain, user is nathan.peters (Wed Jun 8 17:39:12 2016) >[sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name >'nathan.peters' matched without domain, user is nathan.peters (Wed Jun >8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): >Requesting default options for [nathan.peters] from [] (Wed Jun 8 >17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking >negative cache for [NCE/USER/dev-mydomain.net/nathan.peters] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): >Requesting info about [nathan.peters at dev-mydomain.net] (Wed Jun 8 >17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info >for user [nathan.peters at dev-mydomain.net] (Wed Jun 8 17:39:12 2016) >[sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options >for [nathan.peters] from [dev-mydomain.net] (Wed Jun 8 17:39:12 2016) >[sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching >sysdb with >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=natha >n.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)( >sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.pe >ters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): >About to get sudo rules from cache (Wed Jun 8 17:39:12 2016) 
>[sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching >sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] >[sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for >[@dev-mydomain.net] (Wed Jun 8 17:39:12 2016) >[sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1] (Wed >Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] >(0x0200): name 'nathan.peters' matched without domain, user is >nathan.peters (Wed Jun 8 17:39:12 2016) [sssd[sudo]] >[sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched >without domain, user is nathan.peters (Wed Jun 8 17:39:12 2016) >[sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules >for [nathan.peters] from [] (Wed Jun 8 17:39:12 2016) >[sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache >for [NCE/USER/dev-mydomain.net/nathan.peters] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): >Requesting info about [nathan.peters at dev-mydomain.net] (Wed Jun 8 >17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info >for user [nathan.peters at dev-mydomain.net] (Wed Jun 8 17:39:12 2016) >[sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for >[nathan.peters] from [dev-mydomain.net] (Wed Jun 8 17:39:12 2016) >[sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching >sysdb with >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=natha >n.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)( >sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.pe >ters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))] >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): >About to get sudo rules from cache (Wed Jun 8 17:39:12 2016) >[sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching >sysdb with >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoU 
>ser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysad >mins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser= >+*)))] (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sort_sudo_rules] >(0x0400): Sorting rules with higher-wins logic (Wed Jun 8 17:39:12 >2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): >Returning 2 rules for [nathan.peters at dev-mydomain.net] (Wed Jun 8 >17:39:16 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received >SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service (Wed Jun 8 17:39:16 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed Jun 8 17:39:17 2016) [sssd[sudo]] [client_recv] (0x0200): Client disconnected! >(Wed Jun 8 17:39:17 2016) [sssd[sudo]] [client_destructor] (0x2000): >Terminated client [0x1091360][17] (Wed Jun 8 17:39:26 2016) >[sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method >org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service >(Wed Jun 8 17:39:26 2016) [sssd[sudo]] [sbus_get_sender_id_send] >(0x2000): Not a sysbus message, quit > >============= /var/log/sssd/sssd_mydomain.log ============== > >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sbus_message_handler] (0x2000): Received SBUS method >org.freedesktop.sssd.dataprovider.getAccountInfo on path >/org/freedesktop/sssd/dataprovider >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed Jun >8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] >(0x0200): Got request for [0x1002][FAST >BE_REQ_GROUP][1][name=deployment_engineer] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[be_req_set_domain] (0x0400): Changing request domain from >[dev-mydomain.net] to [dev-mydomain.net] (Wed Jun 8 17:39:12 2016) >[sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400): >Searching for groups with base 
[cn=accounts,dc=dev-mydomain,dc=net] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_print_server] (0x2000): Searching 10.178.0.98 (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net]. >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed Jun >8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Wed >Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 14 (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 14 timeout 6 (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] 
(0x2000): Trace: sh[0xea9a60], connected[1], ops[0xebb690], ldap[0xea8500]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 14 finished
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.

It looks like group deployment_engineer cannot be found in IPA.

>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] (0x0400): No such entry
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=sysadmins]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_req_set_domain] (0x0400): Changing request domain from [dev-mydomain.net] to [dev-mydomain.net]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=dev-mydomain,dc=net]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_print_server] (0x2000): Searching 10.178.0.98
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net].
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 15 timeout 6
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xeaaf30], ldap[0xea8500]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 15 finished
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.

It looks like group sysadmins cannot be found in IPA.

>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] (0x0400): No such entry
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500]
>(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
>
>===== output of ldap query manually copied from the sssd_sudo.log: first search returns nothing, second search returns 2 rules ==================
>
>[root at cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))'
>asq: Unable to register control with rootdse!
># returned 0 records
># 0 entries
># 0 referrals
>
>
>[root at cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))'
>asq: Unable to register control with rootdse!
># record 1
>dn: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
>cn: s_allow_deployment_engineer_to_all
>dataExpireTimestamp: 1465412946
>name: s_allow_deployment_engineer_to_all
>objectClass: sudoRule
>sudoCommand: ALL
>sudoHost: ALL
>sudoOption: !authenticate
>sudoRunAsGroup: ALL
>sudoRunAsUser: ALL
>sudoUser: %deployment_engineer
>distinguishedName: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
>
># record 2
>dn: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
>cn: s_allow_sysadmins_to_all
>dataExpireTimestamp: 1465412946
>name: s_allow_sysadmins_to_all
>objectClass: sudoRule
>sudoCommand: ALL
>sudoHost: ALL
>sudoOption: !authenticate
>sudoRunAsGroup: ALL
>sudoRunAsUser: ALL
>sudoUser: %sysadmins
>distinguishedName: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
>
># returned 2 records
># 2 entries
># 0 referrals
>
>====== output of ldap query against directory for search used in the sssd_domain.log ===========
>
>[root at cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))'
># extended LDIF
>#
># LDAPv3
># base with scope subtree
># filter: (&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))
># requesting: ALL
>#
>
># search result
>search: 2
>result: 0 Success
>
># numResponses: 1
>
>[root at cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))'
># extended LDIF
>#
># LDAPv3
># base with scope subtree
># filter: (&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))
># requesting: ALL
>#
>

LDAP searches confirmed that it's not possible to find the groups deployment_engineer and sysadmins.
But you used an anonymous search. It would be good if you could provide the output for the groups using the ipa command, e.g.

kinit admin
ipa group-show --all deployment_engineer
ipa group-show --all sysadmins
ipa group-show --raw deployment_engineer
ipa group-show --raw sysadmins

LS

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

From lslebodn at redhat.com Mon Jun 13 20:54:19 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Mon, 13 Jun 2016 22:54:19 +0200
Subject: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails
In-Reply-To:
References: <20160607204327.GA6308@hendrix> <20160611090142.GA18966@10.4.128.1>
Message-ID: <20160613205418.GA16888@10.4.128.1>

On (13/06/16 20:24), Nathan Peters wrote:
>Taking a second look at the sudo debugging logs: it looks like it can't
>figure out that I'm in the right group?
>
>According to https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>those next 2 lines should be true?
>
That's exactly the reason why I asked for the output of the ipa commands for the groups deployment_engineer and sysadmins.

What is the output of:
* id nathan.peters
* getent group deployment_engineer
* getent group sysadmins

You might try to run it on the ipa server and on the ipa client (CentOS 6.8).

LS

From jhrozek at redhat.com Mon Jun 13 20:57:01 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 13 Jun 2016 22:57:01 +0200
Subject: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails
In-Reply-To:
References: <20160607204327.GA6308@hendrix> <20160611090142.GA18966@10.4.128.1>
Message-ID: <20160613205701.GA9992@hendrix>

On Mon, Jun 13, 2016 at 05:30:16PM +0000, Nathan Peters wrote:
> All group lists return correctly when using the ipa group-show command.
>
> Like I said, there is definitely something wrong with CentOS 6.8 because all group lists are correct. This was done on one of the CentOS 6.8 servers so we know that the server can retrieve the group lists properly.

We had a similar report (untriaged yet) where adding POSIX attributes made the difference. Could you test if also in your environment adding the POSIX attributes makes the rules work?
(It would be a bug nonetheless, but it's worth trying so that we pinpoint the issue)

>
> [nathan.peters at cass1 ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_756600344
> Default principal: admin at DEV-MYDOMAIN.NET
>
> Valid starting     Expires            Service principal
> 06/13/16 17:21:56  06/14/16 17:21:41  krbtgt/DEV-MYDOMAIN.NET at DEV-MYDOMAIN.NET
> [nathan.peters at cass1 ~]$ ipa group-show --all deployment_engineer ipa group-show --all sysadmins ipa group-show --raw deployment_engineer ipa group-show --raw sysadmins
> ipa: ERROR: command 'group_show' takes at most 1 argument
> [nathan.peters at cass1 ~]$ ipa group-show --all deployment_engineer
> dn: cn=deployment_engineer,cn=groups,cn=accounts,dc=dev-mydomain,dc=net
> Group name: deployment_engineer
> Description: deployment engineers
> Member users: nathan.peters,
> Member of groups: admins
> Roles: DNS Administrator
> Member of Sudo rule: s_allow_deployment_engineer_to_all
> Member of HBAC rule: allow_deployment_engineer_to_all
> ipauniqueid: 8bba7068-04c8-11e5-931d-005056b71d17
> objectclass: top, ipaobject, groupofnames, ipausergroup, nestedgroup
> [nathan.peters at cass1 ~]$ ipa group-show --all sysadmins
> dn: cn=sysadmins,cn=groups,cn=accounts,dc=dev-mydomain,dc=net
> Group name: sysadmins
> Description: System Administrators
> Member users: nathan.peters,
> Member of groups: admins
> Member of Sudo rule: s_allow_sysadmins_to_all
> Member of HBAC rule: allow_sysadmins_to_all
> ipauniqueid: 828754c0-04c8-11e5-988f-005056b71d17
> objectclass: top, ipaobject, groupofnames, ipausergroup, nestedgroup
> [nathan.peters at cass1 ~]$ ipa group-show --raw deployment_engineer
> cn: deployment_engineer
> description: deployment engineers
> member: uid=nathan.peters,cn=users,cn=accounts,dc=dev-mydomain,dc=net
>
> [nathan.peters at cass1 ~]$ ipa group-show --raw sysadmins
> cn: sysadmins
> description: System Administrators
> member: uid=nathan.peters,cn=users,cn=accounts,dc=dev-mydomain,dc=net
>
> [nathan.peters at cass1 ~]$
>
> -----Original Message-----
> From: Lukas Slebodnik [mailto:lslebodn at redhat.com]
> Sent: Saturday, June 11, 2016 2:02 AM
> To: Nathan Peters
> Cc: Jakub Hrozek; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails
> 
> On (08/06/16 18:14), Nathan Peters wrote:
> >I'm pretty lost here. I tried following the directions on that page
> >but the results still make no sense to me. From what I can see, the
> >account is successfully authorized, and the groups that I am part of
> >are found and some sudo rules are found, but then I am denied access
> >for no reason. This is not working on any CentOS 6.8 server, and
> >working properly on all previous versions of CentOS. I have tried
> >several steps including deleting and re-creating the 6.8 hosts, and
> >unjoining them and re-joining them to the domain. Nothing helps.
> >
> >========== /var/log/sudo_debug ======================
> >
> >Jun 8 16:56:01 sudo[7277] <- sudo_pam_verify @ ./auth/pam.c:138 := 0
> >Jun 8 16:56:01 sudo[7277] <- verify_user @ ./auth/sudo_auth.c:282 := 1
> >Jun 8 16:56:01 sudo[7277] -> sudo_auth_cleanup @ ./auth/sudo_auth.c:160
> >Jun 8 16:56:01 sudo[7277] -> sudo_pam_cleanup @ ./auth/pam.c:185
> >Jun 8 16:56:01 sudo[7277] <- sudo_pam_cleanup @ ./auth/pam.c:189 := 0
> >Jun 8 16:56:01 sudo[7277] <- sudo_auth_cleanup @ ./auth/sudo_auth.c:177 := 0
> >Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref @ ./pwutil.c:249
> >Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
> >Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
> >Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref @ ./pwutil.c:251
> >Jun 8 16:56:01 sudo[7277] <- check_user @ ./check.c:189 := true
> >Jun 8 16:56:01 sudo[7277] -> log_failure @ ./logging.c:318
> >Jun 8 16:56:01 sudo[7277] -> log_denial @ ./logging.c:256
> >Jun 8 16:56:01 sudo[7277] -> audit_failure @ ./audit.c:68
> >Jun 8 16:56:01 sudo[7277] -> linux_audit_command @ ./linux_audit.c:70
> >Jun 8 16:56:01 sudo[7277] -> linux_audit_open @ ./linux_audit.c:49
> >Jun 8 16:56:01 sudo[7277] <- linux_audit_open @ ./linux_audit.c:61 := 15
> >Jun 8 16:56:01 sudo[7277] <- linux_audit_command @ ./linux_audit.c:97 := 3
> >Jun 8 16:56:01 sudo[7277] <- audit_failure @ ./audit.c:81
> >Jun 8 16:56:01 sudo[7277] -> new_logline @ ./logging.c:746
> >Jun 8 16:56:01 sudo[7277] <- new_logline @ ./logging.c:867 := user NOT authorized on host ; TTY=pts/1 ; PWD=/home/nathan.peters ; USER=root ; COMMAND=/bin/su -
> >Jun 8 16:56:01 sudo[7277] -> should_mail @ ./logging.c:712
> >Jun 8 16:56:01 sudo[7277] <- should_mail @ ./logging.c:717 := false
> >Jun 8 16:56:01 sudo[7277] -> do_syslog @ ./logging.c:138
> >Jun 8 16:56:01 sudo[7277] -> mysyslog @ ./logging.c:96
> >Jun 8 16:56:01 sudo[7277] <- mysyslog @ ./logging.c:119
> >Jun 8 16:56:01 sudo[7277] <- do_syslog @ ./logging.c:185
> >Jun 8 16:56:01 sudo[7277] <- log_denial @ ./logging.c:309
> >Jun 8 16:56:01 sudo[7277] <- log_failure @ ./logging.c:341
> >Jun 8 16:56:01 sudo[7277] -> rewind_perms @ ./set_perms.c:90
> >Jun 8 16:56:01 sudo[7277] -> restore_perms @ ./set_perms.c:363
> >Jun 8 16:56:01 sudo[7277] restore_perms: uid: [756600344, 0, 0] -> [756600344, 0, 0]
> >Jun 8 16:56:01 sudo[7277] restore_perms: gid: [756600344, 756600344, 756600344] -> [756600344, 756600344, 756600344]
> >Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref @ ./pwutil.c:816
> >Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
> >Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
> >Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref @ ./pwutil.c:818
> >Jun 8 16:56:01 sudo[7277] <- restore_perms @ ./set_perms.c:407
> >Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref @ ./pwutil.c:816
> >Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
> >Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
> >Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref @ ./pwutil.c:818
> >Jun 8 16:56:01 sudo[7277] <- rewind_perms @ ./set_perms.c:96
> >Jun 8 16:56:01 sudo[7277] -> sudo_endpwent @ ./pwutil.c:443
> >Jun 8 16:56:01 sudo[7277] -> sudo_freepwcache @ ./pwutil.c:426
> >Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
> >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
> >Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
> >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
> >Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
> >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
> >Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
> >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
> >Jun 8 16:56:01 sudo[7277] <- sudo_freepwcache @ ./pwutil.c:437
> >Jun 8 16:56:01 sudo[7277] <- sudo_endpwent @ ./pwutil.c:448
> >Jun 8 16:56:01 sudo[7277] -> sudo_endgrent @ ./pwutil.c:861
> >Jun 8 16:56:01 sudo[7277] -> sudo_freegrcache @ ./pwutil.c:840
> >Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
> >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
> >Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
> >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun 8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ ./pwutil.c:657
> >Jun 8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ ./pwutil.c:662
> >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun 8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ ./pwutil.c:657
> >Jun 8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ ./pwutil.c:662
> >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
> >Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
> >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
> >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
> >Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
> >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
> >Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
> >Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
> >Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
> >Jun 8 16:56:01 sudo[7277] <- sudo_freegrcache @ ./pwutil.c:855
> >Jun 8 16:56:01 sudo[7277] <- sudo_endgrent @ ./pwutil.c:866
> >Jun 8 16:56:01 sudo[7277] <- sudoers_policy_main @ ./sudoers.c:753 := false
> >Jun 8 16:56:01 sudo[7277] <- sudoers_policy_check @ ./sudoers.c:766 := false
> >Jun 8 16:56:01 sudo[7277] <- policy_check @ ./sudo.c:1204 := false
> >Jun 8 16:56:01 sudo[7277] policy plugin returns 0
> >
> >============== /var/log/sssd/sssd_sudo.log =====================
> >
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [nathan.peters] from []
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/dev-mydomain.net/nathan.peters]
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [nathan.peters at dev-mydomain.net]
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [nathan.peters at dev-mydomain.net]
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [nathan.peters] from [dev-mydomain.net]
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))]
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@dev-mydomain.net]
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [nathan.peters] from []
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/dev-mydomain.net/nathan.peters]
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [nathan.peters at dev-mydomain.net]
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [nathan.peters at dev-mydomain.net]
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [nathan.peters] from [dev-mydomain.net]
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))]
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))]
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
> >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 2 rules for [nathan.peters at dev-mydomain.net]
> >(Wed Jun 8 17:39:16 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
> >(Wed Jun 8 17:39:16 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> >(Wed Jun 8 17:39:17 2016) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
> >(Wed Jun 8 17:39:17 2016) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x1091360][17]
> >(Wed Jun 8 17:39:26 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
> >(Wed Jun 8 17:39:26 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> >
> >============= /var/log/sssd/sssd_mydomain.log ==============
> >
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=deployment_engineer]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_req_set_domain] (0x0400): Changing request domain from [dev-mydomain.net] to [dev-mydomain.net]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=dev-mydomain,dc=net]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_print_server] (0x2000): Searching 10.178.0.98
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net].
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 14
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 14 timeout 6
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xebb690], ldap[0xea8500]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 14 finished
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
> It looks like group deployment_engineer cannot be found in IPA.
> 
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] (0x0400): No such entry
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=sysadmins]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_req_set_domain] (0x0400): Changing request domain from [dev-mydomain.net] to [dev-mydomain.net]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=dev-mydomain,dc=net]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_print_server] (0x2000): Searching 10.178.0.98
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net].
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 15 timeout 6
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xeaaf30], ldap[0xea8500]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 15 finished
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
> It looks like group sysadmins cannot be found in IPA.
> 
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] (0x0400): No such entry
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> >
> >===== output of ldap query manually copied from the sssd_sudo.log
> >first search returns nothing, second search returns 2 rules
> >==================
> >
> >[root at cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))'
> >asq: Unable to register control with rootdse!
> ># returned 0 records
> ># 0 entries
> ># 0 referrals
> >
> >
> >[root at cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))'
> >asq: Unable to register control with rootdse!
> ># record 1
> >dn: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
> >cn: s_allow_deployment_engineer_to_all
> >dataExpireTimestamp: 1465412946
> >name: s_allow_deployment_engineer_to_all
> >objectClass: sudoRule
> >sudoCommand: ALL
> >sudoHost: ALL
> >sudoOption: !authenticate
> >sudoRunAsGroup: ALL
> >sudoRunAsUser: ALL
> >sudoUser: %deployment_engineer
> >distinguishedName: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
> >
> ># record 2
> >dn: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
> >cn: s_allow_sysadmins_to_all
> >dataExpireTimestamp: 1465412946
> >name: s_allow_sysadmins_to_all
> >objectClass: sudoRule
> >sudoCommand: ALL
> >sudoHost: ALL
> >sudoOption: !authenticate
> >sudoRunAsGroup: ALL
> >sudoRunAsUser: ALL
> >sudoUser: %sysadmins
> >distinguishedName: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
> >
> ># returned 2 records
> ># 2 entries
> ># 0 referrals
> >
> >====== output of ldap query against directory for search used in the
> >sssd_domain.log ===========
> >
> >[root at cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))'
> ># extended LDIF
> >#
> ># LDAPv3
> ># base with scope subtree
> ># filter: (&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))
> ># requesting: ALL
> >#
> >
> ># search result
> >search: 2
> >result: 0 Success
> >
> ># numResponses: 1
> >
> >[root at cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))'
> ># extended LDIF
> >#
LDAPv3 > ># base with scope subtree # > >filter: > >(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(c > >n=*)(&(gidNumber=*)(!(gidNumber=0)))) > ># requesting: ALL > ># > > > LDAP searches confirmed that it's not possible to find groups: > deployment_engineer and sysadmins. But you used anonymous search. > > It would be good if you could provide an output of for groups using ipa command. > > e.g. > kinit admin > ipa group-show --all deployment_engineer ipa group-show --all sysadmins ipa group-show --raw deployment_engineer ipa group-show --raw sysadmins > > LS From rcritten at redhat.com Mon Jun 13 20:57:13 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 13 Jun 2016 16:57:13 -0400 Subject: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails In-Reply-To: References: <20160607204327.GA6308@hendrix> <20160611090142.GA18966@10.4.128.1> Message-ID: <575F1E29.3090504@redhat.com> Nathan Peters wrote: > Taking a second look at the sudo debugging logs : it looks like it can't figure out that I'm in the right group ? > > According to : https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO those next 2 lines should be true ? > > > > Jun 13 20:12:10 sudo[16270] <- user_in_group @ ./pwutil.c:957 := false > Jun 13 20:12:10 sudo[16270] <- usergr_matches @ ./match.c:699 := false I wonder if it only supports POSIX groups. Can you do a quick test with a POSIX group to see if that helps? 
rob > > --- snip --- > > val[0]=%deployment_engineer > Jun 13 20:12:10 sudo[16270] -> usergr_matches @ ./match.c:666 > Jun 13 20:12:10 sudo[16270] -> user_in_group @ ./pwutil.c:914 > Jun 13 20:12:10 sudo[16270] -> sudo_get_grlist @ ./pwutil.c:851 > Jun 13 20:12:10 sudo[16270] -> rbfind @ ./redblack.c:273 > Jun 13 20:12:10 sudo[16270] <- rbfind @ ./redblack.c:277 := 0x7f4bacb0e7f0 > Jun 13 20:12:10 sudo[16270] <- sudo_get_grlist @ ./pwutil.c:904 := 0x7f4bacb11318 > Jun 13 20:12:10 sudo[16270] -> sudo_getgrgid @ ./pwutil.c:655 > Jun 13 20:12:10 sudo[16270] -> rbfind @ ./redblack.c:273 > Jun 13 20:12:10 sudo[16270] <- rbfind @ ./redblack.c:277 := 0x7f4bacb111d0 > Jun 13 20:12:10 sudo[16270] <- sudo_getgrgid @ ./pwutil.c:681 := 0x7f4bacb0e458 > Jun 13 20:12:10 sudo[16270] -> sudo_gr_delref @ ./pwutil.c:642 > Jun 13 20:12:10 sudo[16270] -> sudo_gr_delref_item @ ./pwutil.c:631 > Jun 13 20:12:10 sudo[16270] <- sudo_gr_delref_item @ ./pwutil.c:636 > Jun 13 20:12:10 sudo[16270] <- sudo_gr_delref @ ./pwutil.c:644 > Jun 13 20:12:10 sudo[16270] -> sudo_grlist_delref @ ./pwutil.c:790 > Jun 13 20:12:10 sudo[16270] -> sudo_grlist_delref_item @ ./pwutil.c:779 > Jun 13 20:12:10 sudo[16270] <- sudo_grlist_delref_item @ ./pwutil.c:784 > Jun 13 20:12:10 sudo[16270] <- sudo_grlist_delref @ ./pwutil.c:792 > Jun 13 20:12:10 sudo[16270] <- user_in_group @ ./pwutil.c:957 := false > Jun 13 20:12:10 sudo[16270] <- usergr_matches @ ./match.c:699 := false > Jun 13 20:12:10 sudo[16270] <- sudo_sss_filter_sudoUser @ ./sssd.c:682 := false > Jun 13 20:12:10 sudo[16270] <- sudo_sss_result_filterp @ ./sssd.c:696 := 0 > Jun 13 20:12:10 sudo[16270] -> sudo_sss_result_filterp @ ./sssd.c:690 > Jun 13 20:12:10 sudo[16270] -> sudo_sss_check_host @ ./sssd.c:577 > Jun 13 20:12:10 sudo[16270] val[0]=ALL > Jun 13 20:12:10 sudo[16270] sssd/ldap sudoHost 'ALL' ... MATCH! 
> Jun 13 20:12:10 sudo[16270] <- sudo_sss_check_host @ ./sssd.c:613 := true > Jun 13 20:12:10 sudo[16270] -> sudo_sss_filter_sudoUser @ ./sssd.c:626 > Jun 13 20:12:10 sudo[16270] val[0]=%sysadmins > Jun 13 20:12:10 sudo[16270] -> usergr_matches @ ./match.c:666 > Jun 13 20:12:10 sudo[16270] -> user_in_group @ ./pwutil.c:914 > Jun 13 20:12:10 sudo[16270] -> sudo_get_grlist @ ./pwutil.c:851 > Jun 13 20:12:10 sudo[16270] -> rbfind @ ./redblack.c:273 > Jun 13 20:12:10 sudo[16270] <- rbfind @ ./redblack.c:277 := 0x7f4bacb0e7f0 > Jun 13 20:12:10 sudo[16270] <- sudo_get_grlist @ ./pwutil.c:904 := 0x7f4bacb11318 > Jun 13 20:12:10 sudo[16270] -> sudo_getgrgid @ ./pwutil.c:655 > Jun 13 20:12:10 sudo[16270] -> rbfind @ ./redblack.c:273 > Jun 13 20:12:10 sudo[16270] <- rbfind @ ./redblack.c:277 := 0x7f4bacb111d0 > Jun 13 20:12:10 sudo[16270] <- sudo_getgrgid @ ./pwutil.c:681 := 0x7f4bacb0e458 > Jun 13 20:12:10 sudo[16270] -> sudo_gr_delref @ ./pwutil.c:642 > Jun 13 20:12:10 sudo[16270] -> sudo_gr_delref_item @ ./pwutil.c:631 > Jun 13 20:12:10 sudo[16270] <- sudo_gr_delref_item @ ./pwutil.c:636 > Jun 13 20:12:10 sudo[16270] <- sudo_gr_delref @ ./pwutil.c:644 > Jun 13 20:12:10 sudo[16270] -> sudo_grlist_delref @ ./pwutil.c:790 > Jun 13 20:12:10 sudo[16270] -> sudo_grlist_delref_item @ ./pwutil.c:779 > Jun 13 20:12:10 sudo[16270] <- sudo_grlist_delref_item @ ./pwutil.c:784 > Jun 13 20:12:10 sudo[16270] <- sudo_grlist_delref @ ./pwutil.c:792 > Jun 13 20:12:10 sudo[16270] <- user_in_group @ ./pwutil.c:957 := false > Jun 13 20:12:10 sudo[16270] <- usergr_matches @ ./match.c:699 := false > > -----Original Message----- > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Nathan Peters > Sent: Monday, June 13, 2016 12:55 PM > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails > > After more investigation I'm thinking this may be a bug in FreeIPA 4.3.1. 
> > I have for testing purposes, installed a CentOS 6.7 client and I'm getting the same issues. > > The only thing I can think of is that we updated our FreeIPA servers to 4.3.1 a few weeks ago and hadn't provisioned any new machines since then. > > It's like the server isn't properly storing the new clients in the database and is missing some flag that allows them to use sudo. You can see from the output below that pam and sss both allow the user access, but the sudo command itself denies it. It's like the sudo package is only looking in the local sudoers files and ignoring the previous calls to the IPA server. > > Jun 13 19:26:13 kafka1-msg-cpqa1-nvan sudo: pam_unix(sudo:auth): authentication failure; logname=nathan.peters uid=756600344 euid=0 tty=/dev/pts/0 ruser=nathan.peters rhost= user=nathan.peters Jun 13 19:26:14 kafka1-msg-cpqa1-nvan sudo: pam_sss(sudo:auth): authentication success; logname=nathan.peters uid=756600344 euid=0 tty=/dev/pts/0 ruser=nathan.peters rhost= user=nathan.peters Jun 13 19:26:14 kafka1-msg-cpqa1-nvan sudo: nathan.peters : user NOT authorized on host ; TTY=pts/0 ; PWD=/home/nathan.peters ; USER=root ; COMMAND=/bin/su - > > > -----Original Message----- > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Nathan Peters > Sent: Monday, June 13, 2016 10:30 AM > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails > > All group lists return correctly when using the ipa group-show command. > > Like I said, there is definitely something wrong with CentOS 6.8 because all group lists are correct. This was done on one of the CentOS 6.8 servers so we know that the server can retrieve the group lists properly. 
>
> [nathan.peters at cass1 ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_756600344
> Default principal: admin at DEV-MYDOMAIN.NET
>
> Valid starting     Expires            Service principal
> 06/13/16 17:21:56  06/14/16 17:21:41  krbtgt/DEV-MYDOMAIN.NET at DEV-MYDOMAIN.NET
> [nathan.peters at cass1 ~]$ ipa group-show --all deployment_engineer ipa group-show --all sysadmins ipa group-show --raw deployment_engineer ipa group-show --raw sysadmins
> ipa: ERROR: command 'group_show' takes at most 1 argument
> [nathan.peters at cass1 ~]$ ipa group-show --all deployment_engineer
> dn: cn=deployment_engineer,cn=groups,cn=accounts,dc=dev-mydomain,dc=net
> Group name: deployment_engineer
> Description: deployment engineers
> Member users: nathan.peters
> Member of groups: admins
> Roles: DNS Administrator
> Member of Sudo rule: s_allow_deployment_engineer_to_all
> Member of HBAC rule: allow_deployment_engineer_to_all
> ipauniqueid: 8bba7068-04c8-11e5-931d-005056b71d17
> objectclass: top, ipaobject, groupofnames, ipausergroup, nestedgroup
> [nathan.peters at cass1 ~]$ ipa group-show --all sysadmins
> dn: cn=sysadmins,cn=groups,cn=accounts,dc=dev-mydomain,dc=net
> Group name: sysadmins
> Description: System Administrators
> Member users: nathan.peters
> Member of groups: admins
> Member of Sudo rule: s_allow_sysadmins_to_all
> Member of HBAC rule: allow_sysadmins_to_all
> ipauniqueid: 828754c0-04c8-11e5-988f-005056b71d17
> objectclass: top, ipaobject, groupofnames, ipausergroup, nestedgroup
> [nathan.peters at cass1 ~]$ ipa group-show --raw deployment_engineer
> cn: deployment_engineer
> description: deployment engineers
> member: uid=nathan.peters,cn=users,cn=accounts,dc=dev-mydomain,dc=net
>
> [nathan.peters at cass1 ~]$ ipa group-show --raw sysadmins
> cn: sysadmins
> description: System Administrators
> member: uid=nathan.peters,cn=users,cn=accounts,dc=dev-mydomain,dc=net
>
> [nathan.peters at cass1 ~]$
>
> -----Original Message-----
> From: Lukas Slebodnik [mailto:lslebodn at redhat.com]
> Sent: Saturday, June 11, 2016 2:02 AM
> To: Nathan Peters
> Cc: Jakub Hrozek; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails
>
> On (08/06/16 18:14), Nathan Peters wrote:
>> I'm pretty lost here. I tried following the directions on that page but the results still make no sense to me. From what I can see, the account is successfully authorized, and the groups that I am part of are found and some sudo rules are found, but then I am denied access for no reason. This is not working on any CentOS 6.8 server, and working properly on all previous versions of CentOS. I have tried several steps including deleting and re-creating the 6.8 hosts, and unjoining them and re-joining them to the domain. Nothing helps.
>>
>> ========== /var/log/sudo_debug ======================
>>
>> Jun 8 16:56:01 sudo[7277] <- sudo_pam_verify @ ./auth/pam.c:138 := 0
>> Jun 8 16:56:01 sudo[7277] <- verify_user @ ./auth/sudo_auth.c:282 := 1
>> Jun 8 16:56:01 sudo[7277] -> sudo_auth_cleanup @ ./auth/sudo_auth.c:160
>> Jun 8 16:56:01 sudo[7277] -> sudo_pam_cleanup @ ./auth/pam.c:185
>> Jun 8 16:56:01 sudo[7277] <- sudo_pam_cleanup @ ./auth/pam.c:189 := 0
>> Jun 8 16:56:01 sudo[7277] <- sudo_auth_cleanup @ ./auth/sudo_auth.c:177 := 0
>> Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref @ ./pwutil.c:249
>> Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
>> Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
>> Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref @ ./pwutil.c:251
>> Jun 8 16:56:01 sudo[7277] <- check_user @ ./check.c:189 := true
>> Jun 8 16:56:01 sudo[7277] -> log_failure @ ./logging.c:318
>> Jun 8 16:56:01 sudo[7277] -> log_denial @ ./logging.c:256
>> Jun 8 16:56:01 sudo[7277] -> audit_failure @ ./audit.c:68
>> Jun 8 16:56:01 sudo[7277] -> linux_audit_command @ ./linux_audit.c:70
>> Jun 8 16:56:01 sudo[7277] -> linux_audit_open @ ./linux_audit.c:49
>> Jun 8 16:56:01 sudo[7277] <- linux_audit_open @ ./linux_audit.c:61 := 15
>> Jun 8 16:56:01 sudo[7277] <- linux_audit_command @ ./linux_audit.c:97 := 3
>> Jun 8 16:56:01 sudo[7277] <- audit_failure @ ./audit.c:81
>> Jun 8 16:56:01 sudo[7277] -> new_logline @ ./logging.c:746
>> Jun 8 16:56:01 sudo[7277] <- new_logline @ ./logging.c:867 := user NOT authorized on host ; TTY=pts/1 ; PWD=/home/nathan.peters ; USER=root ; COMMAND=/bin/su -
>> Jun 8 16:56:01 sudo[7277] -> should_mail @ ./logging.c:712
>> Jun 8 16:56:01 sudo[7277] <- should_mail @ ./logging.c:717 := false
>> Jun 8 16:56:01 sudo[7277] -> do_syslog @ ./logging.c:138
>> Jun 8 16:56:01 sudo[7277] -> mysyslog @ ./logging.c:96
>> Jun 8 16:56:01 sudo[7277] <- mysyslog @ ./logging.c:119
>> Jun 8 16:56:01 sudo[7277] <- do_syslog @ ./logging.c:185
>> Jun 8 16:56:01 sudo[7277] <- log_denial @ ./logging.c:309
>> Jun 8 16:56:01 sudo[7277] <- log_failure @ ./logging.c:341
>> Jun 8 16:56:01 sudo[7277] -> rewind_perms @ ./set_perms.c:90
>> Jun 8 16:56:01 sudo[7277] -> restore_perms @ ./set_perms.c:363
>> Jun 8 16:56:01 sudo[7277] restore_perms: uid: [756600344, 0, 0] -> [756600344, 0, 0]
>> Jun 8 16:56:01 sudo[7277] restore_perms: gid: [756600344, 756600344, 756600344] -> [756600344, 756600344, 756600344]
>> Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref @ ./pwutil.c:816
>> Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
>> Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
>> Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref @ ./pwutil.c:818
>> Jun 8 16:56:01 sudo[7277] <- restore_perms @ ./set_perms.c:407
>> Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref @ ./pwutil.c:816
>> Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
>> Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
>> Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref @ ./pwutil.c:818
>> Jun 8 16:56:01 sudo[7277] <- rewind_perms @ ./set_perms.c:96
>> Jun 8 16:56:01 sudo[7277] -> sudo_endpwent @ ./pwutil.c:443
>> Jun 8 16:56:01 sudo[7277] -> sudo_freepwcache @ ./pwutil.c:426
>> Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>> Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
>> Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>> Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
>> Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>> Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
>> Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>> Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
>> Jun 8 16:56:01 sudo[7277] <- sudo_freepwcache @ ./pwutil.c:437
>> Jun 8 16:56:01 sudo[7277] <- sudo_endpwent @ ./pwutil.c:448
>> Jun 8 16:56:01 sudo[7277] -> sudo_endgrent @ ./pwutil.c:861
>> Jun 8 16:56:01 sudo[7277] -> sudo_freegrcache @ ./pwutil.c:840
>> Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>> Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
>> Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>> Jun 8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ ./pwutil.c:657
>> Jun 8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ ./pwutil.c:662
>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>> Jun 8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ ./pwutil.c:657
>> Jun 8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ ./pwutil.c:662
>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>> Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
>> Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>> Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
>> Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>> Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
>> Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>> Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
>> Jun 8 16:56:01 sudo[7277] <- sudo_freegrcache @ ./pwutil.c:855
>> Jun 8 16:56:01 sudo[7277] <- sudo_endgrent @ ./pwutil.c:866
>> Jun 8 16:56:01 sudo[7277] <- sudoers_policy_main @ ./sudoers.c:753 := false
>> Jun 8 16:56:01 sudo[7277] <- sudoers_policy_check @ ./sudoers.c:766 := false
>> Jun 8 16:56:01 sudo[7277] <- policy_check @ ./sudo.c:1204 := false
>> Jun 8 16:56:01 sudo[7277] policy plugin returns 0
>>
>> ============== /var/log/sssd/sssd_sudo.log =====================
>>
>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [nathan.peters] from []
>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/dev-mydomain.net/nathan.peters]
>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [nathan.peters at dev-mydomain.net]
>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [nathan.peters at dev-mydomain.net]
>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [nathan.peters] from [dev-mydomain.net]
>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))]
>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@dev-mydomain.net]
>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [nathan.peters] from []
>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/dev-mydomain.net/nathan.peters]
>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [nathan.peters at dev-mydomain.net]
>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [nathan.peters at dev-mydomain.net]
>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [nathan.peters] from [dev-mydomain.net]
>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))]
>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))]
>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 2 rules for [nathan.peters at dev-mydomain.net]
>> (Wed Jun 8 17:39:16 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
>> (Wed Jun 8 17:39:16 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>> (Wed Jun 8 17:39:17 2016) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
>> (Wed Jun 8 17:39:17 2016) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x1091360][17]
>> (Wed Jun 8 17:39:26 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
>> (Wed Jun 8 17:39:26 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>>
>> ============= /var/log/sssd/sssd_mydomain.log ==============
>>
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=deployment_engineer]
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_req_set_domain] (0x0400): Changing request domain from [dev-mydomain.net] to [dev-mydomain.net]
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=dev-mydomain,dc=net]
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_print_server] (0x2000): Searching 10.178.0.98
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net].
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 14
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 14 timeout 6
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xebb690], ldap[0xea8500]
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 14 finished
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
> It looks like group deployment_engineer cannot be found in IPA.
>
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] (0x0400): No such entry
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500]
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=sysadmins]
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_req_set_domain] (0x0400): Changing request domain from [dev-mydomain.net] to [dev-mydomain.net]
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=dev-mydomain,dc=net]
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_print_server] (0x2000): Searching 10.178.0.98
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net].
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 15 timeout 6
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xeaaf30], ldap[0xea8500]
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 15 finished
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
> It looks like group sysadmins cannot be found in IPA.
>
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] (0x0400): No such entry
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500]
>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
>>
>> ===== output of ldap query manually copied from the sssd_sudo.log: first search returns nothing, second search returns 2 rules ==================
>>
>> [root at cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))'
>> asq: Unable to register control with rootdse!
>> # returned 0 records
>> # 0 entries
>> # 0 referrals
>>
>>
>> [root at cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))'
>> asq: Unable to register control with rootdse!
>> # record 1
>> dn: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
>> cn: s_allow_deployment_engineer_to_all
>> dataExpireTimestamp: 1465412946
>> name: s_allow_deployment_engineer_to_all
>> objectClass: sudoRule
>> sudoCommand: ALL
>> sudoHost: ALL
>> sudoOption: !authenticate
>> sudoRunAsGroup: ALL
>> sudoRunAsUser: ALL
>> sudoUser: %deployment_engineer
>> distinguishedName: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
>>
>> # record 2
>> dn: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
>> cn: s_allow_sysadmins_to_all
>> dataExpireTimestamp: 1465412946
>> name: s_allow_sysadmins_to_all
>> objectClass: sudoRule
>> sudoCommand: ALL
>> sudoHost: ALL
>> sudoOption: !authenticate
>> sudoRunAsGroup: ALL
>> sudoRunAsUser: ALL
>> sudoUser: %sysadmins
>> distinguishedName: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
>>
>> # returned 2 records
>> # 2 entries
>> # 0 referrals
>>
>> ====== output of ldap query against directory for search used in the sssd_domain.log ===========
>>
>> [root at cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))'
>> # extended LDIF
>> #
>> # LDAPv3
>> # base with scope subtree
>> # filter: (&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))
>> # requesting: ALL
>> #
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 1
>>
>> [root at cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))'
>> # extended LDIF
>> #
>> # LDAPv3
>> # base with scope subtree
>> # filter: (&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))
>> # requesting: ALL
>> #
>>
> LDAP searches confirmed that it's not possible to find the groups deployment_engineer and sysadmins. But you used an anonymous search.
>
> It would be good if you could provide the output for the groups using the ipa command.
>
> e.g.
> kinit admin
> ipa group-show --all deployment_engineer
> ipa group-show --all sysadmins
> ipa group-show --raw deployment_engineer
> ipa group-show --raw sysadmins
>
> LS
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

From Nathan.Peters at globalrelay.net Mon Jun 13 21:15:26 2016
From: Nathan.Peters at globalrelay.net (Nathan Peters)
Date: Mon, 13 Jun 2016 21:15:26 +0000
Subject: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails
In-Reply-To: <20160613205418.GA16888@10.4.128.1>
References: <20160607204327.GA6308@hendrix> <20160611090142.GA18966@10.4.128.1> <20160613205418.GA16888@10.4.128.1>
Message-ID:

==== on domain controller =======
[nathan.peters at dc2 ~]$ getent group deployment_engineer
[nathan.peters at dc2 ~]$ getent group sysadmins
[nathan.peters at dc2 ~]$ id nathan.peters
uid=756600344(nathan.peters) gid=756600344(nathan.peters) groups=756600344(nathan.peters),756600000(admins)
[nathan.peters at dc2 ~]$

===== on client =====
[nathan.peters at kafka1 ~]$ id nathan.peters
uid=756600344(nathan.peters) gid=756600344(nathan.peters) groups=756600344(nathan.peters),756600000(admins)
[nathan.peters at kafka1 ~]$ getent group deployment_engineer
[nathan.peters at kafka1 ~]$ getent group sysadmins

-----Original Message-----
From: Lukas Slebodnik
[mailto:lslebodn at redhat.com]
Sent: Monday, June 13, 2016 1:54 PM
To: Nathan Peters
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

On (13/06/16 20:24), Nathan Peters wrote:
>Taking a second look at the sudo debugging logs: it looks like it can't figure out that I'm in the right group?
>
>According to:
>https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>those next 2 lines should be true?
>
That's exactly the reason why I asked for the output of the ipa commands for the groups deployment_engineer and sysadmins.

What is the output of:
* id nathan.peters
* getent group deployment_engineer
* getent group sysadmins

You might try to run it on the IPA server and on the IPA client (CentOS 6.8).

LS

From Nathan.Peters at globalrelay.net Mon Jun 13 21:17:40 2016
From: Nathan.Peters at globalrelay.net (Nathan Peters)
Date: Mon, 13 Jun 2016 21:17:40 +0000
Subject: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails
In-Reply-To: <20160613205701.GA9992@hendrix>
References: <20160607204327.GA6308@hendrix> <20160611090142.GA18966@10.4.128.1> <20160613205701.GA9992@hendrix>
Message-ID:

There doesn't seem to be an option to add POSIX attributes to my sudo rules. Which attributes should I be adding, and how?

-----Original Message-----
From: Jakub Hrozek [mailto:jhrozek at redhat.com]
Sent: Monday, June 13, 2016 1:57 PM
To: Nathan Peters
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

On Mon, Jun 13, 2016 at 05:30:16PM +0000, Nathan Peters wrote:
> All group lists return correctly when using the ipa group-show command.
>
> Like I said, there is definitely something wrong with CentOS 6.8 because all group lists are correct. This was done on one of the CentOS 6.8 servers so we know that the server can retrieve the group lists properly.

We had a similar report (untriaged yet) where adding POSIX attributes made the difference. Could you test whether adding the POSIX attributes makes the rules work in your environment as well? (It would be a bug nonetheless, but it's worth trying so that we pinpoint the issue.)

>
> [nathan.peters at cass1 ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_756600344
> Default principal: admin at DEV-MYDOMAIN.NET
>
> Valid starting     Expires            Service principal
> 06/13/16 17:21:56  06/14/16 17:21:41  krbtgt/DEV-MYDOMAIN.NET at DEV-MYDOMAIN.NET
> [nathan.peters at cass1 ~]$ ipa group-show --all deployment_engineer ipa group-show --all sysadmins ipa group-show --raw deployment_engineer ipa group-show --raw sysadmins
> ipa: ERROR: command 'group_show' takes at most 1 argument
> [nathan.peters at cass1 ~]$ ipa group-show --all deployment_engineer
> dn: cn=deployment_engineer,cn=groups,cn=accounts,dc=dev-mydomain,dc=net
> Group name: deployment_engineer
> Description: deployment engineers
> Member users: nathan.peters
> Member of groups: admins
> Roles: DNS Administrator
> Member of Sudo rule: s_allow_deployment_engineer_to_all
> Member of HBAC rule: allow_deployment_engineer_to_all
> ipauniqueid: 8bba7068-04c8-11e5-931d-005056b71d17
> objectclass: top, ipaobject, groupofnames, ipausergroup, nestedgroup
> [nathan.peters at cass1 ~]$ ipa group-show --all sysadmins
> dn: cn=sysadmins,cn=groups,cn=accounts,dc=dev-mydomain,dc=net
> Group name: sysadmins
> Description: System Administrators
> Member users: nathan.peters
> Member of groups: admins
> Member of Sudo rule: s_allow_sysadmins_to_all
> Member of HBAC rule: allow_sysadmins_to_all
> ipauniqueid: 828754c0-04c8-11e5-988f-005056b71d17
> objectclass: top, ipaobject, groupofnames, ipausergroup, nestedgroup
> [nathan.peters at cass1 ~]$ ipa group-show --raw deployment_engineer
> cn: deployment_engineer
> description: deployment engineers
> member: uid=nathan.peters,cn=users,cn=accounts,dc=dev-mydomain,dc=net
>
> [nathan.peters at cass1 ~]$ ipa group-show --raw sysadmins
> cn: sysadmins
> description: System Administrators
> member: uid=nathan.peters,cn=users,cn=accounts,dc=dev-mydomain,dc=net
>
> [nathan.peters at cass1 ~]$
>
> -----Original Message-----
> From: Lukas Slebodnik [mailto:lslebodn at redhat.com]
> Sent: Saturday, June 11, 2016 2:02 AM
> To: Nathan Peters
> Cc: Jakub Hrozek; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails
>
> On (08/06/16 18:14), Nathan Peters wrote:
> >I'm pretty lost here. I tried following the directions on that page but the results still make no sense to me. From what I can see, the account is successfully authorized, and the groups that I am part of are found and some sudo rules are found, but then I am denied access for no reason. This is not working on any CentOS 6.8 server, and working properly on all previous versions of CentOS. I have tried several steps including deleting and re-creating the 6.8 hosts, and unjoining them and re-joining them to the domain. Nothing helps.
> >
> >========== /var/log/sudo_debug ======================
> >
> >Jun 8 16:56:01 sudo[7277] <- sudo_pam_verify @ ./auth/pam.c:138 := 0
> >Jun 8 16:56:01 sudo[7277] <- verify_user @ ./auth/sudo_auth.c:282 := 1
> >Jun 8 16:56:01 sudo[7277] -> sudo_auth_cleanup @ ./auth/sudo_auth.c:160
> >Jun 8 16:56:01 sudo[7277] -> sudo_pam_cleanup @ ./auth/pam.c:185
> >Jun 8 16:56:01 sudo[7277] <- sudo_pam_cleanup @ ./auth/pam.c:189 := 0
> >Jun 8 16:56:01 sudo[7277] <- sudo_auth_cleanup @ ./auth/sudo_auth.c:177 := 0
> >Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref @ ./pwutil.c:249
> >Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
> >Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
> >Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref @ ./pwutil.c:251
> >Jun 8 16:56:01 sudo[7277] <- check_user @ ./check.c:189 := true
> >Jun 8 16:56:01 sudo[7277] -> log_failure @ ./logging.c:318
> >Jun 8 16:56:01 sudo[7277] -> log_denial @ ./logging.c:256
> >Jun 8 16:56:01 sudo[7277] -> audit_failure @ ./audit.c:68
> >Jun 8 16:56:01 sudo[7277] -> linux_audit_command @ ./linux_audit.c:70
> >Jun 8 16:56:01 sudo[7277] -> linux_audit_open @ ./linux_audit.c:49
> >Jun 8 16:56:01 sudo[7277] <- linux_audit_open @ ./linux_audit.c:61 := 15
> >Jun 8 16:56:01 sudo[7277] <- linux_audit_command @ ./linux_audit.c:97 := 3
> >Jun 8 16:56:01 sudo[7277] <- audit_failure @ ./audit.c:81
> >Jun 8 16:56:01 sudo[7277] -> new_logline @ ./logging.c:746
> >Jun 8 16:56:01 sudo[7277] <- new_logline @ ./logging.c:867 := user NOT authorized on host ; TTY=pts/1 ; PWD=/home/nathan.peters ; USER=root ; COMMAND=/bin/su -
> >Jun 8 16:56:01 sudo[7277] -> should_mail @ ./logging.c:712
> >Jun 8 16:56:01 sudo[7277] <- should_mail @ ./logging.c:717 := false
> >Jun 8 16:56:01 sudo[7277] -> do_syslog @ ./logging.c:138
> >Jun 8 16:56:01 sudo[7277] -> mysyslog @ ./logging.c:96
> >Jun 8 16:56:01 sudo[7277] <- mysyslog @ ./logging.c:119
> >Jun 8 16:56:01 sudo[7277] <- do_syslog @ ./logging.c:185
> >Jun 8 16:56:01 sudo[7277] <- log_denial @ ./logging.c:309
> >Jun 8 16:56:01 sudo[7277] <- log_failure @ ./logging.c:341
> >Jun 8 16:56:01 sudo[7277] -> rewind_perms @ ./set_perms.c:90
> >Jun 8 16:56:01 sudo[7277] -> restore_perms @ ./set_perms.c:363
> >Jun 8 16:56:01 sudo[7277] restore_perms: uid: [756600344, 0, 0] -> [756600344, 0, 0]
> >Jun 8 16:56:01 sudo[7277] restore_perms: gid: [756600344, 756600344, 756600344] -> [756600344, 756600344, 756600344]
> >Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref @ ./pwutil.c:816
> >Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
> >Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
> >Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref @ ./pwutil.c:818
> >Jun 8 16:56:01 sudo[7277] <- restore_perms @ ./set_perms.c:407
> >Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref @ ./pwutil.c:816
> >Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
> >Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @
>./pwutil.c:810 Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref @ > >./pwutil.c:818 Jun 8 16:56:01 sudo[7277] <- rewind_perms @ > >./set_perms.c:96 Jun 8 16:56:01 sudo[7277] -> sudo_endpwent @ > >./pwutil.c:443 Jun 8 16:56:01 sudo[7277] -> sudo_freepwcache @ > >./pwutil.c:426 Jun 8 16:56:01 sudo[7277] -> rbdestroy @ > >./redblack.c:359 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ > >./redblack.c:341 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ > >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ > >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ > >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ > >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ > >./pwutil.c:238 Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ > >./pwutil.c:243 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ > >./redblack.c:349 Jun 8 16:56:01 sudo[7277] <- rbdestroy @ > >./redblack.c:362 Jun 8 16:56:01 sudo[7277] -> rbdestroy @ > >./redblack.c:359 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ > >./redblack.c:341 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ > >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ > >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ > >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ > >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ > >./pwutil.c:238 Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ > >./pwutil.c:243 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ > >./redblack.c:349 Jun 8 16:56:01 sudo[7277] <- rbdestroy @ > >./redblack.c:362 Jun 8 16:56:01 sudo[7277] <- sudo_freepwcache @ > >./pwutil.c:437 Jun 8 16:56:01 sudo[7277] <- sudo_endpwent @ > >./pwutil.c:448 Jun 8 16:56:01 sudo[7277] -> sudo_endgrent @ > >./pwutil.c:861 Jun 8 16:56:01 sudo[7277] -> sudo_freegrcache @ > >./pwutil.c:840 Jun 8 16:56:01 sudo[7277] -> rbdestroy @ > >./redblack.c:359 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ > >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ > >./redblack.c:349 Jun 8 16:56:01 
sudo[7277] <- rbdestroy @ > >./redblack.c:362 Jun 8 16:56:01 sudo[7277] -> rbdestroy @ > >./redblack.c:359 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ > >./redblack.c:341 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ > >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ > >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ > >./redblack.c:341 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ > >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ > >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ > >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ > >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ > >./pwutil.c:657 Jun 8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ > >./pwutil.c:662 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ > >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ > >./pwutil.c:657 Jun 8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ > >./pwutil.c:662 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ > >./redblack.c:349 Jun 8 16:56:01 sudo[7277] <- rbdestroy @ > >./redblack.c:362 Jun 8 16:56:01 sudo[7277] -> rbdestroy @ > >./redblack.c:359 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ > >./redblack.c:341 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ > >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ > >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ > >./redblack.c:341 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ > >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ > >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ > >./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ > >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> > >sudo_grlist_delref_item @ ./pwutil.c:805 Jun 8 16:56:01 sudo[7277] > ><- sudo_grlist_delref_item @ ./pwutil.c:810 Jun 8 16:56:01 > >sudo[7277] <- _rbdestroy @ > >./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> > >sudo_grlist_delref_item @ ./pwutil.c:805 Jun 8 16:56:01 sudo[7277] > ><- sudo_grlist_delref_item @ ./pwutil.c:810 Jun 8 16:56:01 > 
>sudo[7277] <- _rbdestroy @ > >./redblack.c:349 Jun 8 16:56:01 sudo[7277] <- rbdestroy @ > >./redblack.c:362 Jun 8 16:56:01 sudo[7277] <- sudo_freegrcache @ > >./pwutil.c:855 Jun 8 16:56:01 sudo[7277] <- sudo_endgrent @ > >./pwutil.c:866 Jun 8 16:56:01 sudo[7277] <- sudoers_policy_main @ > >./sudoers.c:753 := false Jun 8 16:56:01 sudo[7277] <- > >sudoers_policy_check @ ./sudoers.c:766 := false Jun 8 16:56:01 > >sudo[7277] <- policy_check @ ./sudo.c:1204 := false Jun 8 16:56:01 > >sudo[7277] policy plugin returns 0 > > > >============== /var/log/sssd/sssd_sudo.log ===================== > > > >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected! > >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1]. > >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1]. > >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using > >protocol version [1] (Wed Jun 8 17:39:12 2016) [sssd[sudo]] > >[sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched > >without domain, user is nathan.peters (Wed Jun 8 17:39:12 2016) > >[sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name > >'nathan.peters' matched without domain, user is nathan.peters (Wed > >Jun > >8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): > >Requesting default options for [nathan.peters] from [] (Wed Jun > >8 > >17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking > >negative cache for [NCE/USER/dev-mydomain.net/nathan.peters] > >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): > >Requesting info about [nathan.peters at dev-mydomain.net] (Wed Jun 8 > >17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning > >info for user [nathan.peters at dev-mydomain.net] (Wed Jun 8 17:39:12 > >2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default > >options for [nathan.peters] from [dev-mydomain.net] (Wed Jun 8 
> >17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] > >(0x0200): Searching sysdb with > >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nat > >ha > >n.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins > >)( > >sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan. > >pe ters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))] > >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): > >About to get sudo rules from cache (Wed Jun 8 17:39:12 2016) > >[sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching > >sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))] > >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] > >[sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for > >[@dev-mydomain.net] (Wed Jun 8 17:39:12 2016) > >[sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1] (Wed > >Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] > >(0x0200): name 'nathan.peters' matched without domain, user is > >nathan.peters (Wed Jun 8 17:39:12 2016) [sssd[sudo]] > >[sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched > >without domain, user is nathan.peters (Wed Jun 8 17:39:12 2016) > >[sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting > >rules for [nathan.peters] from [] (Wed Jun 8 17:39:12 2016) > >[sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache > >for [NCE/USER/dev-mydomain.net/nathan.peters] > >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): > >Requesting info about [nathan.peters at dev-mydomain.net] (Wed Jun 8 > >17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning > >info for user [nathan.peters at dev-mydomain.net] (Wed Jun 8 17:39:12 > >2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for > >[nathan.peters] from [dev-mydomain.net] (Wed Jun 8 17:39:12 2016) > >[sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching > >sysdb with > 
>[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nat > >ha > >n.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins > >)( > >sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan. > >pe ters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))] > >(Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): > >About to get sudo rules from cache (Wed Jun 8 17:39:12 2016) > >[sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching > >sysdb with > >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sud > >oU > >ser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sys > >ad > >mins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUse > >r= > >+*)))] (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sort_sudo_rules] > >(0x0400): Sorting rules with higher-wins logic (Wed Jun 8 17:39:12 > >2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): > >Returning 2 rules for [nathan.peters at dev-mydomain.net] (Wed Jun 8 > >17:39:16 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received > >SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service (Wed Jun 8 17:39:16 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed Jun 8 17:39:17 2016) [sssd[sudo]] [client_recv] (0x0200): Client disconnected! 
> >(Wed Jun 8 17:39:17 2016) [sssd[sudo]] [client_destructor] (0x2000): > >Terminated client [0x1091360][17] (Wed Jun 8 17:39:26 2016) > >[sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method > >org.freedesktop.sssd.service.ping on path > >/org/freedesktop/sssd/service (Wed Jun 8 17:39:26 2016) [sssd[sudo]] > >[sbus_get_sender_id_send] > >(0x2000): Not a sysbus message, quit > > > >============= /var/log/sssd/sssd_mydomain.log ============== > > > >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] > >[sbus_message_handler] (0x2000): Received SBUS method > >org.freedesktop.sssd.dataprovider.getAccountInfo on path > >/org/freedesktop/sssd/dataprovider > >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] > >[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed > >Jun > >8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] > >(0x0200): Got request for [0x1002][FAST > >BE_REQ_GROUP][1][name=deployment_engineer] > >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] > >[be_req_set_domain] (0x0400): Changing request domain from > >[dev-mydomain.net] to [dev-mydomain.net] (Wed Jun 8 17:39:12 2016) > >[sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400): > >Searching for groups with base [cn=accounts,dc=dev-mydomain,dc=net] > >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] > >[sdap_print_server] (0x2000): Searching 10.178.0.98 (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net]. 
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] > >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] > >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] > >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup] > >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] > >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed Jun > >8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] > >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: > >[userPassword] (Wed Jun 8 17:39:12 2016) > >[sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): > >Requesting attrs: [gidNumber] (Wed Jun 8 17:39:12 2016) > >[sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): > >Requesting attrs: [member] (Wed Jun 8 17:39:12 2016) > >[sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): > >Requesting attrs: [ipaUniqueID] (Wed Jun 8 17:39:12 2016) > >[sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 14 (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 14 timeout 6 (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xebb690], ldap[0xea8500] (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 14 finished (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] 
[sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
> It looks like group deployment_engineer cannot be found in IPA.
>
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]]
> >[sysdb_search_by_name] (0x0400): No such entry (Wed Jun 8 17:39:12
> >2016) [sssd[be[dev-mydomain.net]]]
> >[ipa_id_get_account_info_orig_done]
> >(0x0080): Object not found, ending request (Wed Jun 8 17:39:12 2016)
> >[sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500] (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]]
> >[sbus_message_handler] (0x2000): Received SBUS method
> >org.freedesktop.sssd.dataprovider.getAccountInfo on path
> >/org/freedesktop/sssd/dataprovider
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]]
> >[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed
> >Jun
> >8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info]
> >(0x0200): Got request for [0x1002][FAST
> >BE_REQ_GROUP][1][name=sysadmins] (Wed Jun 8 17:39:12 2016)
> >[sssd[be[dev-mydomain.net]]] [be_req_set_domain] (0x0400): Changing
> >request domain from [dev-mydomain.net] to [dev-mydomain.net] (Wed Jun
> >8 17:39:12 2016) [sssd[be[dev-mydomain.net]]]
> >[sdap_get_groups_next_base] (0x0400): Searching for groups with base
> >[cn=accounts,dc=dev-mydomain,dc=net]
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]]
> >[sdap_print_server] (0x2000): Searching 10.178.0.98 (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net]. > >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] > >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] > >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] > >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup] > >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] > >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed Jun > >8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] > >[sdap_get_generic_ext_step] (0x1000): Requesting attrs: > >[userPassword] (Wed Jun 8 17:39:12 2016) > >[sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): > >Requesting attrs: [gidNumber] (Wed Jun 8 17:39:12 2016) > >[sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): > >Requesting attrs: [member] (Wed Jun 8 17:39:12 2016) > >[sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): > >Requesting attrs: [ipaUniqueID] (Wed Jun 8 17:39:12 2016) > >[sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15 (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 15 timeout 6 (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xeaaf30], ldap[0xea8500] (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed Jun 8 17:39:12 2016) 
[sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 15 finished (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
> It looks like group sysadmins cannot be found in IPA.
>
> >(Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]]
> >[sysdb_search_by_name] (0x0400): No such entry (Wed Jun 8 17:39:12
> >2016) [sssd[be[dev-mydomain.net]]]
> >[ipa_id_get_account_info_orig_done]
> >(0x0080): Object not found, ending request (Wed Jun 8 17:39:12 2016)
> >[sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500] (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> >
> >===== output of ldap query manually copied from the sssd_sudo.log
> >first search returns nothing second search returns 2 rules
> >==================
> >
> >[root at cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))'
> >asq: Unable to register control with rootdse!
> ># returned 0 records
> ># 0 entries
> ># 0 referrals
> >
> >
> >[root at cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))'
> >asq: Unable to register control with rootdse!
> ># record 1 > >dn: > >name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=custom,cn=dev > >-m > >ydomain.net,cn=sysdb > >cn: s_allow_deployment_engineer_to_all > >dataExpireTimestamp: 1465412946 > >name: s_allow_deployment_engineer_to_all > >objectClass: sudoRule > >sudoCommand: ALL > >sudoHost: ALL > >sudoOption: !authenticate > >sudoRunAsGroup: ALL > >sudoRunAsUser: ALL > >sudoUser: %deployment_engineer > >distinguishedName: > >name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=cus > > tom,cn=dev-mydomain.net,cn=sysdb > > > ># record 2 > >dn: > >name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev-mydomain. > >ne > >t,cn=sysdb > >cn: s_allow_sysadmins_to_all > >dataExpireTimestamp: 1465412946 > >name: s_allow_sysadmins_to_all > >objectClass: sudoRule > >sudoCommand: ALL > >sudoHost: ALL > >sudoOption: !authenticate > >sudoRunAsGroup: ALL > >sudoRunAsUser: ALL > >sudoUser: %sysadmins > >distinguishedName: > >name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev > > -mydomain.net,cn=sysdb > > > ># returned 2 records > ># 2 entries > ># 0 referrals > > > >====== output of ldap query against directory for search used in the > >sssd_domain.log =========== > > > >[root at cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))' > ># extended LDIF > ># > ># LDAPv3 > ># base with scope subtree # > >filter: > >(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=po > >si > >xGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0)))) > ># requesting: ALL > ># > > > ># search result > >search: 2 > >result: 0 Success > > > ># numResponses: 1 > > > >[root at cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))' > ># extended LDIF > 
>#
> ># LDAPv3
> ># base with scope subtree #
> >filter:
> >(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))
> >(c
> >n=*)(&(gidNumber=*)(!(gidNumber=0))))
> ># requesting: ALL
> >#
> >
> LDAP searches confirmed that it's not possible to find groups:
> deployment_engineer and sysadmins. But you used an anonymous search.
>
> It would be good if you could provide the output for the groups using the ipa command.
>
> e.g.
> kinit admin
> ipa group-show --all deployment_engineer ipa group-show --all
> sysadmins ipa group-show --raw deployment_engineer ipa group-show
> --raw sysadmins
>
> LS

From rcritten at redhat.com Mon Jun 13 21:19:52 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 13 Jun 2016 17:19:52 -0400
Subject: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails
In-Reply-To:
References: <20160607204327.GA6308@hendrix> <20160611090142.GA18966@10.4.128.1> <20160613205701.GA9992@hendrix>
Message-ID: <575F2378.1020703@redhat.com>

Nathan Peters wrote:
> There doesn't seem to be an option to add POSIX attributes to my sudo rules.
>
> Which attributes should I be adding and how?

Not the sudo rule, the group. I'd create a new test group similar to one of your existing groups, add that to your sudo rule and try that.

rob

>
> -----Original Message-----
> From: Jakub Hrozek [mailto:jhrozek at redhat.com]
> Sent: Monday, June 13, 2016 1:57 PM
> To: Nathan Peters
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails
>
> On Mon, Jun 13, 2016 at 05:30:16PM +0000, Nathan Peters wrote:
>> All group lists return correctly when using the ipa group-show command.
>>
>> Like I said, there is definitely something wrong with CentOS 6.8 because all group lists are correct. This was done on one of the CentOS 6.8 servers so we know that the server can retrieve the group lists properly.
>
> We had a similar report (untriaged yet) where adding POSIX attributes made the difference.
Could you test if also in your environment adding the POSIX attributes makes the rules work? > > > (It would be a bug nonetheless, but it's worth trying so that we pinpoint the issue) > >> >> [nathan.peters at cass1 ~]$ klist >> Ticket cache: FILE:/tmp/krb5cc_756600344 Default principal: >> admin at DEV-MYDOMAIN.NET >> >> Valid starting Expires Service principal >> 06/13/16 17:21:56 06/14/16 17:21:41 >> krbtgt/DEV-MYDOMAIN.NET at DEV-MYDOMAIN.NET >> [nathan.peters at cass1 ~]$ ipa group-show --all deployment_engineer ipa >> group-show --all sysadmins ipa group-show --raw deployment_engineer >> ipa group-show --raw sysadmins >> ipa: ERROR: command 'group_show' takes at most 1 argument >> [nathan.peters at cass1 ~]$ ipa group-show --all deployment_engineer >> dn: cn=deployment_engineer,cn=groups,cn=accounts,dc=dev-mydomain,dc=net >> Group name: deployment_engineer >> Description: deployment engineers >> Member users: nathan.peters, >> Member of groups: admins >> Roles: DNS Administrator >> Member of Sudo rule: s_allow_deployment_engineer_to_all >> Member of HBAC rule: allow_deployment_engineer_to_all >> ipauniqueid: 8bba7068-04c8-11e5-931d-005056b71d17 >> objectclass: top, ipaobject, groupofnames, ipausergroup, nestedgroup >> [nathan.peters at cass1 ~]$ ipa group-show --all sysadmins >> dn: cn=sysadmins,cn=groups,cn=accounts,dc=dev-mydomain,dc=net >> Group name: sysadmins >> Description: System Administrators >> Member users: nathan.peters, >> Member of groups: admins >> Member of Sudo rule: s_allow_sysadmins_to_all >> Member of HBAC rule: allow_sysadmins_to_all >> ipauniqueid: 828754c0-04c8-11e5-988f-005056b71d17 >> objectclass: top, ipaobject, groupofnames, ipausergroup, nestedgroup >> [nathan.peters at cass1 ~]$ ipa group-show --raw deployment_engineer >> cn: deployment_engineer >> description: deployment engineers >> member: uid=nathan.peters,cn=users,cn=accounts,dc=dev-mydomain,dc=net >> >> [nathan.peters at cass1 ~]$ ipa group-show --raw sysadmins >> cn: 
sysadmins >> description: System Administrators >> member: uid=nathan.peters,cn=users,cn=accounts,dc=dev-mydomain,dc=net >> >> [nathan.peters at cass1 ~]$ >> >> -----Original Message----- >> From: Lukas Slebodnik [mailto:lslebodn at redhat.com] >> Sent: Saturday, June 11, 2016 2:02 AM >> To: Nathan Peters >> Cc: Jakub Hrozek; freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails >> >> On (08/06/16 18:14), Nathan Peters wrote: >>> I'm pretty lost here. I tried following the directions on that page >>> but the results still make no sense to me. From what I can see, the >>> account is successfully authorized, and the groups that I am part of >>> are found and some sudo rules are found, but then I am denied access >>> for no reason. This is not working on any CentOS 6.8 server, and >>> working properly on all previous versions of CentOS. I have tried >>> several steps including deleting and re-creating the 6.8 hosts, and >>> unjoining them and re-joining them to the domain. 
Nothing helps
>>>
>>> ========== /var/log/sudo_debug ======================
>>>
>>> ============== /var/log/sssd/sssd_sudo.log =====================
>>>
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [nathan.peters] from []
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/dev-mydomain.net/nathan.peters]
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [nathan.peters at dev-mydomain.net]
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [nathan.peters at dev-mydomain.net]
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [nathan.peters] from [dev-mydomain.net]
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))]
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@dev-mydomain.net]
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [nathan.peters] from []
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/dev-mydomain.net/nathan.peters]
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [nathan.peters at dev-mydomain.net]
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [nathan.peters at dev-mydomain.net]
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [nathan.peters] from [dev-mydomain.net]
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))]
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))]
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 2 rules for [nathan.peters at dev-mydomain.net]
>>> (Wed Jun 8 17:39:16 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
>>> (Wed Jun 8 17:39:16 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>>> (Wed Jun 8 17:39:17 2016) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
>>> (Wed Jun 8 17:39:17 2016) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x1091360][17]
>>> (Wed Jun 8 17:39:26 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
>>> (Wed Jun 8 17:39:26 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>>>
>>> ============= /var/log/sssd/sssd_mydomain.log ==============
>>>
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=deployment_engineer]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_req_set_domain] (0x0400): Changing request domain from [dev-mydomain.net] to [dev-mydomain.net]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=dev-mydomain,dc=net]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_print_server] (0x2000): Searching 10.178.0.98
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net].
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 14
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 14 timeout 6
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xebb690], ldap[0xea8500]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 14 finished
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
>> It looks like group deployment_engineer cannot be found in IPA.
>>
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] (0x0400): No such entry
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=sysadmins]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_req_set_domain] (0x0400): Changing request domain from [dev-mydomain.net] to [dev-mydomain.net]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=dev-mydomain,dc=net]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_print_server] (0x2000): Searching 10.178.0.98
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net].
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 15 timeout 6
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xeaaf30], ldap[0xea8500]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 15 finished
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
>> It looks like group sysadmins cannot be found in IPA.
>>
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] (0x0400): No such entry
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
>>>
>>> ===== output of ldap query manually copied from the sssd_sudo.log
>>> first search returns nothing second search returns 2 rules
>>> ==================
>>>
>>> [root at cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))'
>>> asq: Unable to register control with rootdse!
>>> # returned 0 records
>>> # 0 entries
>>> # 0 referrals
>>>
>>>
>>> [root at cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))'
>>> asq: Unable to register control with rootdse!
>>> # record 1
>>> dn: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
>>> cn: s_allow_deployment_engineer_to_all
>>> dataExpireTimestamp: 1465412946
>>> name: s_allow_deployment_engineer_to_all
>>> objectClass: sudoRule
>>> sudoCommand: ALL
>>> sudoHost: ALL
>>> sudoOption: !authenticate
>>> sudoRunAsGroup: ALL
>>> sudoRunAsUser: ALL
>>> sudoUser: %deployment_engineer
>>> distinguishedName: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
>>>
>>> # record 2
>>> dn: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
>>> cn: s_allow_sysadmins_to_all
>>> dataExpireTimestamp: 1465412946
>>> name: s_allow_sysadmins_to_all
>>> objectClass: sudoRule
>>> sudoCommand: ALL
>>> sudoHost: ALL
>>> sudoOption: !authenticate
>>> sudoRunAsGroup: ALL
>>> sudoRunAsUser: ALL
>>> sudoUser: %sysadmins
>>> distinguishedName: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
>>>
>>> # returned 2 records
>>> # 2 entries
>>> # 0 referrals
>>>
>>> ====== output of ldap query against directory for search used in the sssd_domain.log ===========
>>>
>>> [root at cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))'
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base with scope subtree
>>> # filter: (&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))
>>> # requesting: ALL
>>> #
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 1
>>>
>>> [root at cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))'
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base with scope subtree
>>> # filter: (&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))
>>> # requesting: ALL
>>> #
>>>
>> LDAP searches confirmed that it's not possible to find groups:
>> deployment_engineer and sysadmins. But you used anonymous search.
>>
>> It would be good if you could provide the output for the groups using the ipa command.
>>
>> e.g.
>> kinit admin
>> ipa group-show --all deployment_engineer
>> ipa group-show --all sysadmins
>> ipa group-show --raw deployment_engineer
>> ipa group-show --raw sysadmins
>>
>> LS
>

From Nathan.Peters at globalrelay.net Mon Jun 13 21:49:42 2016
From: Nathan.Peters at globalrelay.net (Nathan Peters)
Date: Mon, 13 Jun 2016 21:49:42 +0000
Subject: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails
In-Reply-To: <575F2378.1020703@redhat.com>
References: <20160607204327.GA6308@hendrix> <20160611090142.GA18966@10.4.128.1> <20160613205701.GA9992@hendrix> <575F2378.1020703@redhat.com>
Message-ID:

I have confirmed on both CentOS 6.8 and CentOS 6.7 that if the group is a POSIX group, it can be used in sudo rules. If the group is a 'normal' group it will fail when used in sudo rules.

This is really silly because in a previous version of CentOS (6.3) sudo rules would fail if the group was POSIX, and work if the group was 'normal'. I'm not sure when this changed because we still have CentOS 6.7 machines that are working fine with the non-POSIX groups.

I did notice that in sssd 1.13.3-22.el6 sudo fails with non-POSIX groups
and with 1.12.4-47.el6_7.7 sudo works with non-POSIX groups.

So now FreeIPA exists in a really funky state where if you are below CentOS 6.4 you MUST use non-POSIX groups, and if you are on CentOS 6.7 and above, you must use POSIX groups.

So basically, you need to roll forward your entire infrastructure to CentOS 6.7 or above, or else your old machines will suddenly start failing sudo logins when you update the groups, or your new machines will simply fail with groups that worked on your old ones.

Can you please confirm what the intended behavior is because I would rather not go through the trouble of re-creating all our sudo / hbac rules and user groups...
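The group filter quoted from sssd_mydomain.log above, `(&(cn=<group>)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))`, only matches groups carrying a non-zero gidNumber, and the `ipa group-show --all` output shows deployment_engineer and sysadmins have neither a gidnumber nor the posixgroup objectclass, which is why the backend returns 0 results for them. The following is an added example, not code from this thread, sssd or FreeIPA: it evaluates that filter against group entries and reports which sudo rules reference groups it would drop. The group and rule entries are constructed from the output in the thread; `sysadmins_posix` and the `s_allow_posix_admins` rule are hypothetical.

```python
"""Audit FreeIPA sudo rules for %group references that sssd's group lookup
filter will not resolve.

Added example, not code from the thread or from sssd/FreeIPA. The group and
rule entries are constructed to mirror the `ipa group-show --all` and
ldbsearch output quoted in the thread; `sysadmins_posix` is hypothetical."""

from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Constructed: attribute -> values, as `ipa group-show --all` lists them
# (lower-cased attribute names, no gidnumber on the non-POSIX groups).
GROUPS: Dict[str, Entry] = {
    "deployment_engineer": {
        "cn": ["deployment_engineer"],
        "objectclass": ["top", "ipaobject", "groupofnames", "ipausergroup", "nestedgroup"],
    },
    "sysadmins": {
        "cn": ["sysadmins"],
        "objectclass": ["top", "ipaobject", "groupofnames", "ipausergroup", "nestedgroup"],
    },
    # Hypothetical POSIX group of the kind Rob suggests creating for a test.
    "sysadmins_posix": {
        "cn": ["sysadmins_posix"],
        "objectclass": ["top", "ipaobject", "groupofnames", "ipausergroup", "nestedgroup", "posixgroup"],
        "gidnumber": ["756600400"],
    },
}

# Constructed: cached sudo rules, shaped like the ldbsearch records in the thread.
SUDO_RULES: List[Entry] = [
    {"name": ["s_allow_deployment_engineer_to_all"], "sudoUser": ["%deployment_engineer"]},
    {"name": ["s_allow_sysadmins_to_all"], "sudoUser": ["%sysadmins"]},
    # Hypothetical rule mixing a POSIX group with a plain user name.
    {"name": ["s_allow_posix_admins"], "sudoUser": ["%sysadmins_posix", "nathan.peters"]},
]


def matches_group_filter(entry: Entry) -> bool:
    """Evaluate the group filter sssd logged in sssd_mydomain.log:
    (&(cn=<name>)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))
      (cn=*)(&(gidNumber=*)(!(gidNumber=0))))
    Attribute names and objectClass values compare case-insensitively,
    as they do in LDAP."""
    attrs = {k.lower(): v for k, v in entry.items()}
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    if not classes & {"ipausergroup", "posixgroup"}:
        return False
    if not attrs.get("cn"):
        return False
    gids = attrs.get("gidnumber", [])
    # (gidNumber=*) requires at least one value; (!(gidNumber=0)) rejects
    # an entry that carries the value 0.
    return bool(gids) and "0" not in gids


def group_refs(rule: Entry) -> List[str]:
    """Group names referenced by a rule's sudoUser values (the %group form)."""
    return [u[1:] for u in rule.get("sudoUser", []) if u.startswith("%") and len(u) > 1]


def audit_rules(groups: Dict[str, Entry], rules: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (rule, group, reason) for every %group the backend would fail
    to resolve, so that the rule silently never applies to that group."""
    findings: List[Tuple[str, str, str]] = []
    for rule in rules:
        for name in group_refs(rule):
            entry = groups.get(name)
            if entry is None:
                findings.append((rule["name"][0], name, "group not found"))
            elif not matches_group_filter(entry):
                findings.append((rule["name"][0], name, "non-POSIX group: no usable gidNumber"))
    return findings


if __name__ == "__main__":
    for rule, group, reason in audit_rules(GROUPS, SUDO_RULES):
        print(f"{rule}: sudoUser %{group} will not match ({reason})")
```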
-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Monday, June 13, 2016 2:20 PM
To: Nathan Peters; Jakub Hrozek
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

Nathan Peters wrote:
> There doesn't seem to be an option to add POSIX attributes to my sudo rules.
>
> Which attributes should I be adding and how?

Not the sudo rule, the group. I'd create a new test group similar to one of your existing groups, add that to your sudo rule and try that.

rob

>
> -----Original Message-----
> From: Jakub Hrozek [mailto:jhrozek at redhat.com]
> Sent: Monday, June 13, 2016 1:57 PM
> To: Nathan Peters
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails
>
> On Mon, Jun 13, 2016 at 05:30:16PM +0000, Nathan Peters wrote:
>> All group lists return correctly when using the ipa group-show command.
>>
>> Like I said, there is definitely something wrong with CentOS 6.8 because all group lists are correct. This was done on one of the CentOS 6.8 servers so we know that the server can retrieve the group lists properly.
>
> We had a similar report (untriaged yet) where adding POSIX attributes made the difference. Could you test if also in your environment adding the POSIX attributes makes the rules work?
> > > (It would be a bug nonetheless, but it's worth trying so that we > pinpoint the issue) > >> >> [nathan.peters at cass1 ~]$ klist >> Ticket cache: FILE:/tmp/krb5cc_756600344 Default principal: >> admin at DEV-MYDOMAIN.NET >> >> Valid starting Expires Service principal >> 06/13/16 17:21:56 06/14/16 17:21:41 >> krbtgt/DEV-MYDOMAIN.NET at DEV-MYDOMAIN.NET >> [nathan.peters at cass1 ~]$ ipa group-show --all deployment_engineer ipa >> group-show --all sysadmins ipa group-show --raw deployment_engineer >> ipa group-show --raw sysadmins >> ipa: ERROR: command 'group_show' takes at most 1 argument >> [nathan.peters at cass1 ~]$ ipa group-show --all deployment_engineer >> dn: cn=deployment_engineer,cn=groups,cn=accounts,dc=dev-mydomain,dc=net >> Group name: deployment_engineer >> Description: deployment engineers >> Member users: nathan.peters, >> Member of groups: admins >> Roles: DNS Administrator >> Member of Sudo rule: s_allow_deployment_engineer_to_all >> Member of HBAC rule: allow_deployment_engineer_to_all >> ipauniqueid: 8bba7068-04c8-11e5-931d-005056b71d17 >> objectclass: top, ipaobject, groupofnames, ipausergroup, >> nestedgroup >> [nathan.peters at cass1 ~]$ ipa group-show --all sysadmins >> dn: cn=sysadmins,cn=groups,cn=accounts,dc=dev-mydomain,dc=net >> Group name: sysadmins >> Description: System Administrators >> Member users: nathan.peters, >> Member of groups: admins >> Member of Sudo rule: s_allow_sysadmins_to_all >> Member of HBAC rule: allow_sysadmins_to_all >> ipauniqueid: 828754c0-04c8-11e5-988f-005056b71d17 >> objectclass: top, ipaobject, groupofnames, ipausergroup, >> nestedgroup >> [nathan.peters at cass1 ~]$ ipa group-show --raw deployment_engineer >> cn: deployment_engineer >> description: deployment engineers >> member: uid=nathan.peters,cn=users,cn=accounts,dc=dev-mydomain,dc=net >> >> [nathan.peters at cass1 ~]$ ipa group-show --raw sysadmins >> cn: sysadmins >> description: System Administrators >> member: 
uid=nathan.peters,cn=users,cn=accounts,dc=dev-mydomain,dc=net >> >> [nathan.peters at cass1 ~]$ >> >> -----Original Message----- >> From: Lukas Slebodnik [mailto:lslebodn at redhat.com] >> Sent: Saturday, June 11, 2016 2:02 AM >> To: Nathan Peters >> Cc: Jakub Hrozek; freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails >> >> On (08/06/16 18:14), Nathan Peters wrote: >>> I'm pretty lost here. I tried following the directions on that page >>> but the results still make no sense to me. From what I can see, the >>> account is successfully authorized, and the groups that I am part of >>> are found and some sudo rules are found, but then I am denied access >>> for no reason. This is not working on any CentOS 6.8 server, and >>> working properly on all previous versions of CentOS. I have tried >>> several steps including deleting and re-creating the 6.8 hosts, and >>> unjoining them and re-joining them to the domain. Nothing helps >>> >>> ========== /var/log/sudo_debug ====================== >>> >>> Jun 8 16:56:01 sudo[7277] <- sudo_pam_verify @ ./auth/pam.c:138 := >>> 0 Jun 8 16:56:01 sudo[7277] <- verify_user @ ./auth/sudo_auth.c:282 >>> := >>> 1 Jun 8 16:56:01 sudo[7277] -> sudo_auth_cleanup @ >>> ./auth/sudo_auth.c:160 Jun 8 16:56:01 sudo[7277] -> >>> sudo_pam_cleanup @ >>> ./auth/pam.c:185 Jun 8 16:56:01 sudo[7277] <- sudo_pam_cleanup @ >>> ./auth/pam.c:189 := 0 Jun 8 16:56:01 sudo[7277] <- >>> sudo_auth_cleanup @ >>> ./auth/sudo_auth.c:177 := 0 Jun 8 16:56:01 sudo[7277] -> >>> sudo_pw_delref @ ./pwutil.c:249 Jun 8 16:56:01 sudo[7277] -> >>> sudo_pw_delref_item @ ./pwutil.c:238 Jun 8 16:56:01 sudo[7277] <- >>> sudo_pw_delref_item @ ./pwutil.c:243 Jun 8 16:56:01 sudo[7277] <- >>> sudo_pw_delref @ ./pwutil.c:251 Jun 8 16:56:01 sudo[7277] <- >>> check_user @ ./check.c:189 := true Jun 8 16:56:01 sudo[7277] -> >>> log_failure @ ./logging.c:318 Jun 8 16:56:01 sudo[7277] -> >>> log_denial @ ./logging.c:256 Jun 8 16:56:01 
sudo[7277] -> >>> audit_failure @ >>> ./audit.c:68 Jun 8 16:56:01 sudo[7277] -> linux_audit_command @ >>> ./linux_audit.c:70 Jun 8 16:56:01 sudo[7277] -> linux_audit_open @ >>> ./linux_audit.c:49 Jun 8 16:56:01 sudo[7277] <- linux_audit_open @ >>> ./linux_audit.c:61 := 15 Jun 8 16:56:01 sudo[7277] <- >>> linux_audit_command @ ./linux_audit.c:97 := 3 Jun 8 16:56:01 >>> sudo[7277] <- audit_failure @ ./audit.c:81 Jun 8 16:56:01 >>> sudo[7277] >>> -> new_logline @ ./logging.c:746 Jun 8 16:56:01 sudo[7277] <- >>> new_logline @ ./logging.c:867 := user NOT authorized on host ; >>> TTY=pts/1 ; PWD=/home/nathan.peters ; USER=root ; COMMAND=/bin/su - >>> Jun >>> 8 16:56:01 sudo[7277] -> should_mail @ ./logging.c:712 Jun 8 >>> 16:56:01 sudo[7277] <- should_mail @ ./logging.c:717 := false Jun 8 >>> 16:56:01 sudo[7277] -> do_syslog @ ./logging.c:138 Jun 8 16:56:01 >>> sudo[7277] -> mysyslog @ ./logging.c:96 Jun 8 16:56:01 sudo[7277] >>> <- mysyslog @ >>> ./logging.c:119 Jun 8 16:56:01 sudo[7277] <- do_syslog @ >>> ./logging.c:185 Jun 8 16:56:01 sudo[7277] <- log_denial @ >>> ./logging.c:309 Jun 8 16:56:01 sudo[7277] <- log_failure @ >>> ./logging.c:341 Jun 8 16:56:01 sudo[7277] -> rewind_perms @ >>> ./set_perms.c:90 Jun 8 16:56:01 sudo[7277] -> restore_perms @ >>> ./set_perms.c:363 Jun 8 16:56:01 sudo[7277] restore_perms: uid: >>> [756600344, 0, 0] -> [756600344, 0, 0] Jun 8 16:56:01 sudo[7277] >>> restore_perms: gid: [756600344, 756600344, 756600344] -> [756600344, >>> 756600344, 756600344] Jun 8 16:56:01 sudo[7277] -> >>> sudo_grlist_delref @ ./pwutil.c:816 Jun 8 16:56:01 sudo[7277] -> >>> sudo_grlist_delref_item @ ./pwutil.c:805 Jun 8 16:56:01 sudo[7277] >>> <- sudo_grlist_delref_item @ ./pwutil.c:810 Jun 8 16:56:01 >>> sudo[7277] <- sudo_grlist_delref @ >>> ./pwutil.c:818 Jun 8 16:56:01 sudo[7277] <- restore_perms @ >>> ./set_perms.c:407 Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref @ >>> ./pwutil.c:816 Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item >>> @ >>> 
./pwutil.c:805 Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item >>> @ >>> ./pwutil.c:810 Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref @ >>> ./pwutil.c:818 Jun 8 16:56:01 sudo[7277] <- rewind_perms @ >>> ./set_perms.c:96 Jun 8 16:56:01 sudo[7277] -> sudo_endpwent @ >>> ./pwutil.c:443 Jun 8 16:56:01 sudo[7277] -> sudo_freepwcache @ >>> ./pwutil.c:426 Jun 8 16:56:01 sudo[7277] -> rbdestroy @ >>> ./redblack.c:359 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >>> ./redblack.c:341 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >>> ./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >>> ./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >>> ./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >>> ./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ >>> ./pwutil.c:238 Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ >>> ./pwutil.c:243 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >>> ./redblack.c:349 Jun 8 16:56:01 sudo[7277] <- rbdestroy @ >>> ./redblack.c:362 Jun 8 16:56:01 sudo[7277] -> rbdestroy @ >>> ./redblack.c:359 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >>> ./redblack.c:341 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >>> ./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >>> ./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ >>> ./redblack.c:341 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >>> ./redblack.c:349 Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ >>> ./pwutil.c:238 Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ >>> ./pwutil.c:243 Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ >>> ./redblack.c:349 Jun 8 16:56:01 sudo[7277] <- rbdestroy @ >>> ./redblack.c:362 Jun 8 16:56:01 sudo[7277] <- sudo_freepwcache @ >>> ./pwutil.c:437 Jun 8 16:56:01 sudo[7277] <- sudo_endpwent @ >>> ./pwutil.c:448 Jun 8 16:56:01 sudo[7277] -> sudo_endgrent @ >>> ./pwutil.c:861 Jun 8 16:56:01 sudo[7277] -> sudo_freegrcache @ >>> ./pwutil.c:840 Jun 8 16:56:01 sudo[7277] -> rbdestroy @ >>> ./redblack.c:359 Jun 8 16:56:01 sudo[7277] -> 
>>> _rbdestroy @ ./redblack.c:341
>>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>>> Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
>>> Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
>>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>>> Jun 8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ ./pwutil.c:657
>>> Jun 8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ ./pwutil.c:662
>>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>>> Jun 8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ ./pwutil.c:657
>>> Jun 8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ ./pwutil.c:662
>>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>>> Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
>>> Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
>>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>>> Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
>>> Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
>>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>>> Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
>>> Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
>>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>>> Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
>>> Jun 8 16:56:01 sudo[7277] <- sudo_freegrcache @ ./pwutil.c:855
>>> Jun 8 16:56:01 sudo[7277] <- sudo_endgrent @ ./pwutil.c:866
>>> Jun 8 16:56:01 sudo[7277] <- sudoers_policy_main @ ./sudoers.c:753 := false
>>> Jun 8 16:56:01 sudo[7277] <- sudoers_policy_check @ ./sudoers.c:766 := false
>>> Jun 8 16:56:01 sudo[7277] <- policy_check @ ./sudo.c:1204 := false
>>> Jun 8 16:56:01 sudo[7277] policy plugin returns 0
>>>
>>> ============== /var/log/sssd/sssd_sudo.log =====================
>>>
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [nathan.peters] from []
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/dev-mydomain.net/nathan.peters]
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [nathan.peters at dev-mydomain.net]
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [nathan.peters at dev-mydomain.net]
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [nathan.peters] from [dev-mydomain.net]
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))]
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@dev-mydomain.net]
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1]
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched without domain, user is nathan.peters
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [nathan.peters] from []
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/dev-mydomain.net/nathan.peters]
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [nathan.peters at dev-mydomain.net]
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [nathan.peters at dev-mydomain.net]
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [nathan.peters] from [dev-mydomain.net]
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))]
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))]
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 2 rules for [nathan.peters at dev-mydomain.net]
>>> (Wed Jun 8 17:39:16 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
>>> (Wed Jun 8 17:39:16 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>>> (Wed Jun 8 17:39:17 2016) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
>>> (Wed Jun 8 17:39:17 2016) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x1091360][17]
>>> (Wed Jun 8 17:39:26 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
>>> (Wed Jun 8 17:39:26 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>>>
>>> ============= /var/log/sssd/sssd_mydomain.log ==============
>>>
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=deployment_engineer]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_req_set_domain] (0x0400): Changing request domain from [dev-mydomain.net] to [dev-mydomain.net]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=dev-mydomain,dc=net]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_print_server] (0x2000): Searching 10.178.0.98
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net].
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 14
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 14 timeout 6
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xebb690], ldap[0xea8500]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 14 finished
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
>> It looks like group deployment_engineer cannot be found in IPA.
>>
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] (0x0400): No such entry
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=sysadmins]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_req_set_domain] (0x0400): Changing request domain from [dev-mydomain.net] to [dev-mydomain.net]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=dev-mydomain,dc=net]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_print_server] (0x2000): Searching 10.178.0.98
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net].
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 15 timeout 6
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xeaaf30], ldap[0xea8500]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 15 finished
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
>> It looks like group sysadmins cannot be found in IPA.
>>
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] (0x0400): No such entry
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500]
>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
>>>
>>> ===== output of ldap query manually copied from the sssd_sudo.log
>>> first search returns nothing second search returns 2 rules
>>> ==================
>>>
>>> [root at cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))'
>>> asq: Unable to register control with rootdse!
>>> # returned 0 records
>>> # 0 entries
>>> # 0 referrals
>>>
>>>
>>> [root at cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))'
>>> asq: Unable to register control with rootdse!
>>> # record 1
>>> dn: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
>>> cn: s_allow_deployment_engineer_to_all
>>> dataExpireTimestamp: 1465412946
>>> name: s_allow_deployment_engineer_to_all
>>> objectClass: sudoRule
>>> sudoCommand: ALL
>>> sudoHost: ALL
>>> sudoOption: !authenticate
>>> sudoRunAsGroup: ALL
>>> sudoRunAsUser: ALL
>>> sudoUser: %deployment_engineer
>>> distinguishedName: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
>>>
>>> # record 2
>>> dn: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
>>> cn: s_allow_sysadmins_to_all
>>> dataExpireTimestamp: 1465412946
>>> name: s_allow_sysadmins_to_all
>>> objectClass: sudoRule
>>> sudoCommand: ALL
>>> sudoHost: ALL
>>> sudoOption: !authenticate
>>> sudoRunAsGroup: ALL
>>> sudoRunAsUser: ALL
>>> sudoUser: %sysadmins
>>> distinguishedName: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
>>>
>>> # returned 2 records
>>> # 2 entries
>>> # 0 referrals
>>>
>>> ====== output of ldap query against directory for search used in the sssd_domain.log ===========
>>>
>>> [root at cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))'
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base with scope subtree
>>> # filter: (&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))
>>> # requesting: ALL
>>> #
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 1
>>>
>>> [root at cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))'
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base with scope subtree
>>> # filter: (&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))
>>> # requesting: ALL
>>> #
>>>
>> LDAP searches confirmed that it's not possible to find groups:
>> deployment_engineer and sysadmins. But you used anonymous search.
>>
>> It would be good if you could provide the output for these groups using the ipa command.
>>
>> e.g.
>> kinit admin
>> ipa group-show --all deployment_engineer
>> ipa group-show --all sysadmins
>> ipa group-show --raw deployment_engineer
>> ipa group-show --raw sysadmins
>>
>> LS
>

From rcritten at redhat.com Mon Jun 13 22:06:00 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 13 Jun 2016 18:06:00 -0400
Subject: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails
In-Reply-To:
References: <20160607204327.GA6308@hendrix> <20160611090142.GA18966@10.4.128.1> <20160613205701.GA9992@hendrix> <575F2378.1020703@redhat.com>
Message-ID: <575F2E48.9040306@redhat.com>

Nathan Peters wrote:
> I have confirmed that on both CentOS 6.8 and CentOS 6.7 that if the group is a POSIX group, it can be used in sudo rules.
> If the group is a 'normal' group it will fail when used in sudo rules.
>
> This is really silly because in a previous version of CentOS (6.3) sudo rules would fail if the group was POSIX, and work if the group was 'normal'.
>
> I'm not sure when this changed because we still have CentOS 6.7 machines that are working fine with the non posix groups.
> I did notice that in sssd 1.13.3-22.el6 sudo fails with non posix groups
> And with 1.12.4-47.el6_7.7 sudo works with non posix groups
>
> So now FreeIPA exists in a really funky state where if you are below CentOS 6.4 you MUST use non POSIX groups and if you are on CentOS 6.7 and above, you must use POSIX groups.
>
> So basically, you need to roll forward your entire infrastructure to CentOS 6.7 or above or else your old machines will suddenly start failing sudo logins when you update the groups or your new machines will simply fail with groups that worked on your old ones.
>
> Can you please confirm what the intended behavior is because I would rather not go through the trouble of re-creating all our sudo / hbac rules and user groups...

Jakub already stated that this would be a bug if it only worked with POSIX groups, so you've confirmed that.
If you have a Red Hat subscription I'd open a support case and ask to be added to bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=1336548

rob

>
>
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Monday, June 13, 2016 2:20 PM
> To: Nathan Peters; Jakub Hrozek
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails
>
> Nathan Peters wrote:
>> There doesn't seem to be an option to add POSIX attributes to my sudo rules.
>>
>> Which attributes should I be adding and how?
>
> Not the sudo rule, the group. I'd create a new test group similar to one of your existing groups, add that to your sudo rule and try that.
>
> rob
>
>>
>> -----Original Message-----
>> From: Jakub Hrozek [mailto:jhrozek at redhat.com]
>> Sent: Monday, June 13, 2016 1:57 PM
>> To: Nathan Peters
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails
>>
>> On Mon, Jun 13, 2016 at 05:30:16PM +0000, Nathan Peters wrote:
>>> All group lists return correctly when using the ipa group-show command.
>>>
>>> Like I said, there is definitely something wrong with CentOS 6.8 because all group lists are correct. This was done on one of the CentOS 6.8 servers so we know that the server can retrieve the group lists properly.
>>
>> We had a similar report (untriaged yet) where adding POSIX attributes made the difference. Could you test if also in your environment adding the POSIX attributes makes the rules work?
>>
>>
>> (It would be a bug nonetheless, but it's worth trying so that we pinpoint the issue)
>>
>>>
>>> [nathan.peters at cass1 ~]$ klist
>>> Ticket cache: FILE:/tmp/krb5cc_756600344
>>> Default principal: admin at DEV-MYDOMAIN.NET
>>>
>>> Valid starting     Expires            Service principal
>>> 06/13/16 17:21:56  06/14/16 17:21:41  krbtgt/DEV-MYDOMAIN.NET at DEV-MYDOMAIN.NET
>>> [nathan.peters at cass1 ~]$ ipa group-show --all deployment_engineer ipa group-show --all sysadmins ipa group-show --raw deployment_engineer ipa group-show --raw sysadmins
>>> ipa: ERROR: command 'group_show' takes at most 1 argument
>>> [nathan.peters at cass1 ~]$ ipa group-show --all deployment_engineer
>>> dn: cn=deployment_engineer,cn=groups,cn=accounts,dc=dev-mydomain,dc=net
>>> Group name: deployment_engineer
>>> Description: deployment engineers
>>> Member users: nathan.peters,
>>> Member of groups: admins
>>> Roles: DNS Administrator
>>> Member of Sudo rule: s_allow_deployment_engineer_to_all
>>> Member of HBAC rule: allow_deployment_engineer_to_all
>>> ipauniqueid: 8bba7068-04c8-11e5-931d-005056b71d17
>>> objectclass: top, ipaobject, groupofnames, ipausergroup, nestedgroup
>>> [nathan.peters at cass1 ~]$ ipa group-show --all sysadmins
>>> dn: cn=sysadmins,cn=groups,cn=accounts,dc=dev-mydomain,dc=net
>>> Group name: sysadmins
>>> Description: System Administrators
>>> Member users: nathan.peters,
>>> Member of groups: admins
>>> Member of Sudo rule: s_allow_sysadmins_to_all
>>> Member of HBAC rule: allow_sysadmins_to_all
>>> ipauniqueid: 828754c0-04c8-11e5-988f-005056b71d17
>>> objectclass: top, ipaobject, groupofnames, ipausergroup, nestedgroup
>>> [nathan.peters at cass1 ~]$ ipa group-show --raw deployment_engineer
>>> cn: deployment_engineer
>>> description: deployment engineers
>>> member: uid=nathan.peters,cn=users,cn=accounts,dc=dev-mydomain,dc=net
>>>
>>> [nathan.peters at cass1 ~]$ ipa group-show --raw sysadmins
>>> cn: sysadmins
>>> description: System Administrators
>>> member: uid=nathan.peters,cn=users,cn=accounts,dc=dev-mydomain,dc=net
>>>
>>> [nathan.peters at cass1 ~]$
>>>
>>> -----Original Message-----
>>> From: Lukas Slebodnik [mailto:lslebodn at redhat.com]
>>> Sent: Saturday, June 11, 2016 2:02 AM
>>> To: Nathan Peters
>>> Cc: Jakub Hrozek; freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails
>>>
>>> On (08/06/16 18:14), Nathan Peters wrote:
>>>> I'm pretty lost here. I tried following the directions on that page but the results still make no sense to me. From what I can see, the account is successfully authorized, and the groups that I am part of are found and some sudo rules are found, but then I am denied access for no reason. This is not working on any CentOS 6.8 server, and working properly on all previous versions of CentOS. I have tried several steps including deleting and re-creating the 6.8 hosts, and unjoining them and re-joining them to the domain.
>>>> Nothing helps
>>>>
>>>> ========== /var/log/sudo_debug ======================
>>>>
>>>> Jun 8 16:56:01 sudo[7277] <- sudo_pam_verify @ ./auth/pam.c:138 := 0
>>>> Jun 8 16:56:01 sudo[7277] <- verify_user @ ./auth/sudo_auth.c:282 := 1
>>>> Jun 8 16:56:01 sudo[7277] -> sudo_auth_cleanup @ ./auth/sudo_auth.c:160
>>>> Jun 8 16:56:01 sudo[7277] -> sudo_pam_cleanup @ ./auth/pam.c:185
>>>> Jun 8 16:56:01 sudo[7277] <- sudo_pam_cleanup @ ./auth/pam.c:189 := 0
>>>> Jun 8 16:56:01 sudo[7277] <- sudo_auth_cleanup @ ./auth/sudo_auth.c:177 := 0
>>>> Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref @ ./pwutil.c:249
>>>> Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
>>>> Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
>>>> Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref @ ./pwutil.c:251
>>>> Jun 8 16:56:01 sudo[7277] <- check_user @ ./check.c:189 := true
>>>> Jun 8 16:56:01 sudo[7277] -> log_failure @ ./logging.c:318
>>>> Jun 8 16:56:01 sudo[7277] -> log_denial @ ./logging.c:256
>>>> Jun 8 16:56:01 sudo[7277] -> audit_failure @ ./audit.c:68
>>>> Jun 8 16:56:01 sudo[7277] -> linux_audit_command @ ./linux_audit.c:70
>>>> Jun 8 16:56:01 sudo[7277] -> linux_audit_open @ ./linux_audit.c:49
>>>> Jun 8 16:56:01 sudo[7277] <- linux_audit_open @ ./linux_audit.c:61 := 15
>>>> Jun 8 16:56:01 sudo[7277] <- linux_audit_command @ ./linux_audit.c:97 := 3
>>>> Jun 8 16:56:01 sudo[7277] <- audit_failure @ ./audit.c:81
>>>> Jun 8 16:56:01 sudo[7277] -> new_logline @ ./logging.c:746
>>>> Jun 8 16:56:01 sudo[7277] <- new_logline @ ./logging.c:867 := user NOT authorized on host ; TTY=pts/1 ; PWD=/home/nathan.peters ; USER=root ; COMMAND=/bin/su -
>>>> Jun 8 16:56:01 sudo[7277] -> should_mail @ ./logging.c:712
>>>> Jun 8 16:56:01 sudo[7277] <- should_mail @ ./logging.c:717 := false
>>>> Jun 8 16:56:01 sudo[7277] -> do_syslog @ ./logging.c:138
>>>> Jun 8 16:56:01 sudo[7277] -> mysyslog @ ./logging.c:96
>>>> Jun 8 16:56:01 sudo[7277] <- mysyslog @ ./logging.c:119
>>>> Jun 8 16:56:01 sudo[7277] <- do_syslog @ ./logging.c:185
>>>> Jun 8 16:56:01 sudo[7277] <- log_denial @ ./logging.c:309
>>>> Jun 8 16:56:01 sudo[7277] <- log_failure @ ./logging.c:341
>>>> Jun 8 16:56:01 sudo[7277] -> rewind_perms @ ./set_perms.c:90
>>>> Jun 8 16:56:01 sudo[7277] -> restore_perms @ ./set_perms.c:363
>>>> Jun 8 16:56:01 sudo[7277] restore_perms: uid: [756600344, 0, 0] -> [756600344, 0, 0]
>>>> Jun 8 16:56:01 sudo[7277] restore_perms: gid: [756600344, 756600344, 756600344] -> [756600344, 756600344, 756600344]
>>>> Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref @ ./pwutil.c:816
>>>> Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
>>>> Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
>>>> Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref @ ./pwutil.c:818
>>>> Jun 8 16:56:01 sudo[7277] <- restore_perms @ ./set_perms.c:407
>>>> Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref @ ./pwutil.c:816
>>>> Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
>>>> Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
>>>> Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref @ ./pwutil.c:818
>>>> Jun 8 16:56:01 sudo[7277] <- rewind_perms @ ./set_perms.c:96
>>>> Jun 8 16:56:01 sudo[7277] -> sudo_endpwent @ ./pwutil.c:443
>>>> Jun 8 16:56:01 sudo[7277] -> sudo_freepwcache @ ./pwutil.c:426
>>>> Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
>>>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>>>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>>>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>>>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>>>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>>>> Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
>>>> Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
>>>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>>>> Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
>>>> Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
>>>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>>>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>>>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>>>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>>>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>>>> Jun 8 16:56:01 sudo[7277] -> sudo_pw_delref_item @ ./pwutil.c:238
>>>> Jun 8 16:56:01 sudo[7277] <- sudo_pw_delref_item @ ./pwutil.c:243
>>>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>>>> Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
>>>> Jun 8 16:56:01 sudo[7277] <- sudo_freepwcache @ ./pwutil.c:437
>>>> Jun 8 16:56:01 sudo[7277] <- sudo_endpwent @ ./pwutil.c:448
>>>> Jun 8 16:56:01 sudo[7277] -> sudo_endgrent @ ./pwutil.c:861
>>>> Jun 8 16:56:01 sudo[7277] -> sudo_freegrcache @ ./pwutil.c:840
>>>> Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
>>>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>>>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>>>> Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
>>>> Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
>>>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>>>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>>>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>>>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>>>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>>>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>>>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>>>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>>>> Jun 8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ ./pwutil.c:657
>>>> Jun 8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ ./pwutil.c:662
>>>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>>>> Jun 8 16:56:01 sudo[7277] -> sudo_gr_delref_item @ ./pwutil.c:657
>>>> Jun 8 16:56:01 sudo[7277] <- sudo_gr_delref_item @ ./pwutil.c:662
>>>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>>>> Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
>>>> Jun 8 16:56:01 sudo[7277] -> rbdestroy @ ./redblack.c:359
>>>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>>>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>>>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>>>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>>>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>>>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>>>> Jun 8 16:56:01 sudo[7277] -> _rbdestroy @ ./redblack.c:341
>>>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>>>> Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
>>>> Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
>>>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>>>> Jun 8 16:56:01 sudo[7277] -> sudo_grlist_delref_item @ ./pwutil.c:805
>>>> Jun 8 16:56:01 sudo[7277] <- sudo_grlist_delref_item @ ./pwutil.c:810
>>>> Jun 8 16:56:01 sudo[7277] <- _rbdestroy @ ./redblack.c:349
>>>> Jun 8 16:56:01 sudo[7277] <- rbdestroy @ ./redblack.c:362
>>>> Jun 8 16:56:01 sudo[7277] <- sudo_freegrcache @ ./pwutil.c:855
>>>> Jun 8 16:56:01 sudo[7277] <- sudo_endgrent @ ./pwutil.c:866
>>>> Jun 8 16:56:01 sudo[7277] <- sudoers_policy_main @ ./sudoers.c:753 := false
>>>> Jun 8 16:56:01 sudo[7277] <- sudoers_policy_check @ ./sudoers.c:766 := false
>>>> Jun 8 16:56:01 sudo[7277] <- policy_check @ ./sudo.c:1204 := false
>>>> Jun 8 16:56:01 sudo[7277] policy plugin returns 0
>>>>
>>>> ============== /var/log/sssd/sssd_sudo.log =====================
>>>>
>>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
>>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1]. >>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1]. >>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): >>>> Using protocol version [1] (Wed Jun 8 17:39:12 2016) [sssd[sudo]] >>>> [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched >>>> without domain, user is nathan.peters (Wed Jun 8 17:39:12 2016) >>>> [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name >>>> 'nathan.peters' matched without domain, user is nathan.peters (Wed >>>> Jun >>>> 8 17:39:12 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): >>>> Requesting default options for [nathan.peters] from [] (Wed Jun >>>> 8 >>>> 17:39:12 2016) [sssd[sudo]] [sss_ncache_check_str] (0x2000): >>>> Checking negative cache for >>>> [NCE/USER/dev-mydomain.net/nathan.peters] >>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): >>>> Requesting info about [nathan.peters at dev-mydomain.net] (Wed Jun 8 >>>> 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning >>>> info for user [nathan.peters at dev-mydomain.net] (Wed Jun 8 17:39:12 >>>> 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default >>>> options for [nathan.peters] from [dev-mydomain.net] (Wed Jun 8 >>>> 17:39:12 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] >>>> (0x0200): Searching sysdb with >>>> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=na >>>> t >>>> ha >>>> n.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admin >>>> s >>>> )( >>>> sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan. 
>>>> pe ters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))] >>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): >>>> About to get sudo rules from cache (Wed Jun 8 17:39:12 2016) >>>> [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching >>>> sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))] >>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] >>>> [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for >>>> [@dev-mydomain.net] (Wed Jun 8 17:39:12 2016) >>>> [sssd[sudo]] [sudosrv_cmd] (0x2000): Using protocol version [1] (Wed >>>> Jun 8 17:39:12 2016) [sssd[sudo]] [sss_parse_name_for_domains] >>>> (0x0200): name 'nathan.peters' matched without domain, user is >>>> nathan.peters (Wed Jun 8 17:39:12 2016) [sssd[sudo]] >>>> [sss_parse_name_for_domains] (0x0200): name 'nathan.peters' matched >>>> without domain, user is nathan.peters (Wed Jun 8 17:39:12 2016) >>>> [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting >>>> rules for [nathan.peters] from [] (Wed Jun 8 17:39:12 2016) >>>> [sssd[sudo]] [sss_ncache_check_str] (0x2000): Checking negative >>>> cache for [NCE/USER/dev-mydomain.net/nathan.peters] >>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200): >>>> Requesting info about [nathan.peters at dev-mydomain.net] (Wed Jun 8 >>>> 17:39:12 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning >>>> info for user [nathan.peters at dev-mydomain.net] (Wed Jun 8 17:39:12 >>>> 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules >>>> for [nathan.peters] from [dev-mydomain.net] (Wed Jun 8 17:39:12 >>>> 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): >>>> Searching sysdb with >>>> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=na >>>> t >>>> ha >>>> n.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admin >>>> s >>>> )( >>>> sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan. 
>>>> pe ters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))] >>>> (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): >>>> About to get sudo rules from cache (Wed Jun 8 17:39:12 2016) >>>> [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching >>>> sysdb with >>>> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(su >>>> d >>>> oU >>>> ser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sy >>>> s >>>> ad >>>> mins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUs >>>> e >>>> r= >>>> +*)))] (Wed Jun 8 17:39:12 2016) [sssd[sudo]] [sort_sudo_rules] >>>> (0x0400): Sorting rules with higher-wins logic (Wed Jun 8 17:39:12 >>>> 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): >>>> Returning 2 rules for [nathan.peters at dev-mydomain.net] (Wed Jun 8 >>>> 17:39:16 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): >>>> Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service (Wed Jun 8 17:39:16 2016) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed Jun 8 17:39:17 2016) [sssd[sudo]] [client_recv] (0x0200): Client disconnected! 
>>>> (Wed Jun 8 17:39:17 2016) [sssd[sudo]] [client_destructor] (0x2000): >>>> Terminated client [0x1091360][17] (Wed Jun 8 17:39:26 2016) >>>> [sssd[sudo]] [sbus_message_handler] (0x2000): Received SBUS method >>>> org.freedesktop.sssd.service.ping on path >>>> /org/freedesktop/sssd/service (Wed Jun 8 17:39:26 2016) >>>> [sssd[sudo]] [sbus_get_sender_id_send] >>>> (0x2000): Not a sysbus message, quit >>>> >>>> ============= /var/log/sssd/sssd_mydomain.log ============== >>>> >>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >>>> [sbus_message_handler] (0x2000): Received SBUS method >>>> org.freedesktop.sssd.dataprovider.getAccountInfo on path >>>> /org/freedesktop/sssd/dataprovider >>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >>>> [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed >>>> Jun >>>> 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] >>>> (0x0200): Got request for [0x1002][FAST >>>> BE_REQ_GROUP][1][name=deployment_engineer] >>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >>>> [be_req_set_domain] (0x0400): Changing request domain from >>>> [dev-mydomain.net] to [dev-mydomain.net] (Wed Jun 8 17:39:12 2016) >>>> [sssd[be[dev-mydomain.net]]] [sdap_get_groups_next_base] (0x0400): >>>> Searching for groups with base [cn=accounts,dc=dev-mydomain,dc=net] >>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >>>> [sdap_print_server] (0x2000): Searching 10.178.0.98 (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net]. 
>>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >>>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: >>>> [objectClass] (Wed Jun 8 17:39:12 2016) >>>> [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): >>>> Requesting attrs: [posixGroup] (Wed Jun 8 17:39:12 2016) >>>> [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): >>>> Requesting attrs: [cn] (Wed Jun >>>> 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >>>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: >>>> [userPassword] (Wed Jun 8 17:39:12 2016) >>>> [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): >>>> Requesting attrs: [gidNumber] (Wed Jun 8 17:39:12 2016) >>>> [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): >>>> Requesting attrs: [member] (Wed Jun 8 17:39:12 2016) >>>> [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): >>>> Requesting attrs: [ipaUniqueID] (Wed Jun 8 17:39:12 2016) >>>> [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 14 (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 14 timeout 6 (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xebb690], ldap[0xea8500] (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operat! i! > o! 
>> n 14 finished (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results. >>> It looks like group deployment_engineer cannot be find in IPA. >>> >>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >>>> [sysdb_search_by_name] (0x0400): No such entry (Wed Jun 8 17:39:12 >>>> 2016) [sssd[be[dev-mydomain.net]]] >>>> [ipa_id_get_account_info_orig_done] >>>> (0x0080): Object not found, ending request (Wed Jun 8 17:39:12 >>>> 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500] (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! >>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >>>> [sbus_message_handler] (0x2000): Received SBUS method >>>> org.freedesktop.sssd.dataprovider.getAccountInfo on path >>>> /org/freedesktop/sssd/dataprovider >>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >>>> [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed >>>> Jun >>>> 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [be_get_account_info] >>>> (0x0200): Got request for [0x1002][FAST >>>> BE_REQ_GROUP][1][name=sysadmins] (Wed Jun 8 17:39:12 2016) >>>> [sssd[be[dev-mydomain.net]]] [be_req_set_domain] (0x0400): Changing >>>> request domain from [dev-mydomain.net] to [dev-mydomain.net] (Wed >>>> Jun >>>> 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >>>> [sdap_get_groups_next_base] (0x0400): Searching for groups with base >>>> [cn=accounts,dc=dev-mydomain,dc=net] >>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >>>> [sdap_print_server] (0x2000): Searching 10.178.0.98 (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext 
with [(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=dev-mydomain,dc=net]. >>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >>>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: >>>> [objectClass] (Wed Jun 8 17:39:12 2016) >>>> [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): >>>> Requesting attrs: [posixGroup] (Wed Jun 8 17:39:12 2016) >>>> [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): >>>> Requesting attrs: [cn] (Wed Jun >>>> 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] >>>> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: >>>> [userPassword] (Wed Jun 8 17:39:12 2016) >>>> [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): >>>> Requesting attrs: [gidNumber] (Wed Jun 8 17:39:12 2016) >>>> [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): >>>> Requesting attrs: [member] (Wed Jun 8 17:39:12 2016) >>>> [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): >>>> Requesting attrs: [ipaUniqueID] (Wed Jun 8 17:39:12 2016) >>>> [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15 (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_add] (0x2000): New operation 15 timeout 6 (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[0xeaaf30], ldap[0xea8500] (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no 
errmsg set
>>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_op_destructor] (0x2000): Operation 15 finished
>>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
>>> It looks like group sysadmins cannot be found in IPA.
>>>
>>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sysdb_search_by_name] (0x0400): No such entry
>>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
>>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
>>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: sh[0xea9a60], connected[1], ops[(nil)], ldap[0xea8500]
>>>> (Wed Jun 8 17:39:12 2016) [sssd[be[dev-mydomain.net]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
>>>>
>>>> ===== output of ldap query manually copied from the sssd_sudo.log
>>>> first search returns nothing second search returns 2 rules
>>>> ==================
>>>>
>>>> [root at cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*))(&(dataExpireTimestamp<=1465407552)))'
>>>> asq: Unable to register control with rootdse!
>>>> # returned 0 records
>>>> # 0 entries
>>>> # 0 referrals
>>>>
>>>>
>>>> [root at cass1-msg-cpqa1-nvan sssd]# ldbsearch -H /var/lib/sss/db/cache_dev-mydomain.net.ldb -b cn=sysdb '(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=nathan.peters)(sudoUser=#756600344)(sudoUser=%developers)(sudoUser=%admins)(sudoUser=%sysadmins)(sudoUser=%deployment_engineer)(sudoUser=%nathan.peters)(sudoUser=+*)))'
>>>> asq: Unable to register control with rootdse!
>>>> # record 1
>>>> dn: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
>>>> cn: s_allow_deployment_engineer_to_all
>>>> dataExpireTimestamp: 1465412946
>>>> name: s_allow_deployment_engineer_to_all
>>>> objectClass: sudoRule
>>>> sudoCommand: ALL
>>>> sudoHost: ALL
>>>> sudoOption: !authenticate
>>>> sudoRunAsGroup: ALL
>>>> sudoRunAsUser: ALL
>>>> sudoUser: %deployment_engineer
>>>> distinguishedName: name=s_allow_deployment_engineer_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
>>>>
>>>> # record 2
>>>> dn: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
>>>> cn: s_allow_sysadmins_to_all
>>>> dataExpireTimestamp: 1465412946
>>>> name: s_allow_sysadmins_to_all
>>>> objectClass: sudoRule
>>>> sudoCommand: ALL
>>>> sudoHost: ALL
>>>> sudoOption: !authenticate
>>>> sudoRunAsGroup: ALL
>>>> sudoRunAsUser: ALL
>>>> sudoUser: %sysadmins
>>>> distinguishedName: name=s_allow_sysadmins_to_all,cn=sudorules,cn=custom,cn=dev-mydomain.net,cn=sysdb
>>>>
>>>> # returned 2 records
>>>> # 2 entries
>>>> # 0 referrals
>>>>
>>>> ====== output of ldap query against directory for search used in the
>>>> sssd_domain.log ===========
>>>>
>>>> [root at cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))'
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base with scope subtree
>>>> # filter: (&(cn=deployment_engineer)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 0 Success
>>>>
>>>> # numResponses: 1
>>>>
>>>> [root at cass1-msg-cpqa1-nvan sssd]# ldapsearch -x -H ldap://10.178.0.98 -b cn=accounts,dc=dev-mydomain,dc=net '(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))'
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base with scope subtree
>>>> # filter: (&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))
>>>> # requesting: ALL
>>>> #
>>>>
>>> LDAP searches confirmed that it's not possible to find the groups
>>> deployment_engineer and sysadmins. But you used an anonymous search.
>>>
>>> It would be good if you could provide the output for the groups using the ipa command.
>>>
>>> e.g.
>>> kinit admin
>>> ipa group-show --all deployment_engineer
>>> ipa group-show --all sysadmins
>>> ipa group-show --raw deployment_engineer
>>> ipa group-show --raw sysadmins
>>>
>>> LS
>>
>

From rmeggins at redhat.com Mon Jun 13 22:30:59 2016
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 13 Jun 2016 16:30:59 -0600
Subject: [Freeipa-users] ns-slapd hangs for 2-3 minutes, then resumes.
In-Reply-To: 
References: <8b452beb-09fe-8183-319a-02f51a2153de@redhat.com> 
Message-ID: <7cda6ee5-fac5-bd8f-d23f-bcc54c92318d@redhat.com>

On 06/13/2016 01:13 PM, Guillermo Fuentes wrote:
> Hi Rich,
>
> After I started running the stack traces, the problem hasn't happened as
> frequently as it used to, but today I was able to get the stack traces.
> As they aren't similar I'll send them over to you in a separate email.
>
> This is what I did to start the stack traces (CentOS 7):
> # yum install -y --enablerepo=base-debuginfo 389-ds-base-debuginfo ipa-debuginfo slapi-nis-debuginfo nspr-debuginfo
> # yum install -y gdb
> # systemctl stop ipa.service ; sleep 10; systemctl start ipa.service
> # mkdir -p /var/log/stacktraces
>
> Set up crontab to run the following every minute:
> gdb -ex 'set confirm off' -ex 'set pagination off' -ex 'thread apply all bt full' -ex 'quit' /usr/sbin/ns-slapd `pidof ns-slapd` > /var/log/stacktraces/stacktrace.`date +%s`.txt 2>&1

It looks similar to https://fedorahosted.org/389/ticket/48341 but you already have that fix.

One of the problems is that ids_sasl_check_bind acquires the connection lock and holds it for a very long time, which causes the main loop to block on that connection, which is similar to the above problem, and also similar to https://fedorahosted.org/389/ticket/48882. Basically, anything which holds the connection c_mutex lock too long can hang the server.
In your case, this stack trace:

poll
sss_cli_make_request_nochecks
sss_cli_check_socket
sss_pac_make_request
sssdpac_verify
krb5int_authdata_verify
rd_req_decoded_opt
krb5_rd_req_decoded
kg_accept_krb5
krb5_gss_accept_sec_context_ext
krb5_gss_accept_sec_context
gss_accept_sec_context
gssapi_server_mech_step
sasl_server_step
sasl_server_start
ids_sasl_check_bind
do_bind
connection_dispatch_operation
_pt_root
start_thread
clone

I'm not sure if this particular situation is known/fixed. Perhaps there is a way to make the poll() called by sss_cli_make_request_nochecks() have a smaller timeout? Does this look familiar to any ipa/sssd developer?

>
> Thank you so much for your help,
>
> Guillermo
>
> On Wed, Jun 1, 2016 at 6:52 PM, Guillermo Fuentes wrote:
>> I'm now taking stack traces every minute and waiting for it to hang
>> again to check it. It usually happens under load but it's
>> unpredictable. Most likely tomorrow.
>> GUILLERMO FUENTES
>> SR. SYSTEMS ADMINISTRATOR
>>
>> 561-880-2998 x1337
>>
>> guillermo.fuentes at modmed.com
>>
>> On Wed, Jun 1, 2016 at 2:03 PM, Rich Megginson wrote:
>>> On 06/01/2016 10:37 AM, Guillermo Fuentes wrote:
>>>> Hi all,
>>>>
>>>> We are experiencing an issue similar to the one discussed in the
>>>> following thread, but we are running FreeIPA 4.2 on CentOS 7.2:
>>>> https://www.redhat.com/archives/freeipa-users/2015-February/msg00205.html
>>>
>>> Are your stack traces similar?
>>>
>>>
>>>> LDAP service stops responding to queries (hangs). LDAP connections on
>>>> the server climb sometimes up to 10 times the normal amount and load
>>>> goes to 0. Then, the connections start to drop until they get to a
>>>> normal level and the LDAP service starts to respond to queries again.
>>>> This happens in between 3-5 minutes:
>>>>
>>>> Time,LDAP conn,Opened files(ns-slapd),File Desc(ns-slapd),Threads(ns-slapd),Load1,Load5,Load15
>>>> 8:54:03,101,353,216,142,0.43,0.20,0.16
>>>> 8:55:02,108,359,221,142,0.19,0.18,0.15
>>>> 8:56:03,110,361,224,142,0.07,0.15,0.14
>>>> 8:57:14,117,383,246,142,0.15,0.16,0.15
>>>> 8:58:04,276,371,234,142,0.05,0.13,0.14
>>>> 8:59:05,469,371,234,142,0.02,0.11,0.13
>>>> 9:00:08,719,371,234,142,0.01,0.09,0.12
>>>> 9:01:18,1060,371,234,142,0.00,0.07,0.12
>>>> 9:02:10,742,371,233,142,0.10,0.09,0.12
>>>> 9:03:06,365,372,235,142,0.13,0.10,0.13
>>>> 9:04:04,262,379,242,142,0.87,0.29,0.19
>>>> 9:05:02,129,371,233,142,0.51,0.31,0.20
>>>> 9:06:03,126,377,240,142,0.42,0.33,0.22
>>>> 9:07:03,125,377,238,142,0.17,0.27,0.21
>>>>
>>>> Nothing is logged in the errors log file of the server having the
>>>> problem (ipa1 as an example).
>>>> In the replicas this is logged:
>>>> 8:59:05 -0400] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com"
>>>> (ipa1:389): Unable to receive the response for a startReplication
>>>> extended operation to consumer (Timed out). Will retry later.
>>>> 9:01:05 -0400] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com"
>>>> (ipa1:389): Unable to receive the response for a startReplication
>>>> extended operation to consumer (Timed out). Will retry later.
>>>>
>>>> Nothing is logged in the access log file until after ns-slapd starts
>>>> responding again:
>>>> ...
>>>> 8:57:00 -0400] conn=12384 fd=234 slot=234 connection from 172.20.0.1 >>>> to 172.20.2.45 >>>> 8:57:00 -0400] conn=12385 fd=235 slot=235 connection from 172.20.0.1 >>>> to 172.20.2.45 >>>> 8:57:00 -0400] conn=12386 fd=236 slot=236 connection from 172.20.0.1 >>>> to 172.20.2.45 >>>> 8:57:00 -0400] conn=12387 fd=237 slot=237 connection from 172.20.0.1 >>>> to 172.20.2.45 >>>> 8:57:00 -0400] conn=10384 op=1227 EXT oid="2.16.840.1.113730.3.5.12" >>>> name="replication-multimaster-extop" >>>> 8:57:00 -0400] conn=12324 op=8 RESULT err=0 tag=101 nentries=1 etime=0 >>>> 8:57:00 -0400] conn=8838 op=2545 EXT oid="2.16.840.1.113730.3.5.12" >>>> name="replication-multimaster-extop" >>>> 8:57:00 -0400] conn=8838 op=2545 RESULT err=0 tag=120 nentries=0 etime=0 >>>> 8:57:00 -0400] conn=10384 op=1227 RESULT err=0 tag=120 nentries=0 etime=0 >>>> 8:57:00 -0400] conn=12382 op=-1 fd=170 closed - B1 >>>> 8:57:00 -0400] conn=12383 op=0 SRCH base="" scope=0 >>>> filter="(objectClass=*)" attrs="supportedSASLMechanisms >>>> defaultnamingcontext namingContexts schemanamingcontext saslrealm" >>>> 8:57:00 -0400] conn=12384 op=-1 fd=234 closed - B1 >>>> 8:57:00 -0400] conn=12385 op=0 SRCH base="" scope=0 >>>> filter="(objectClass=*)" attrs="supportedSASLMechanisms >>>> defaultnamingcontext namingContexts schemanamingcontext saslrealm" >>>> 8:57:00 -0400] conn=12383 op=0 RESULT err=0 tag=101 nentries=1 etime=0 >>>> 8:57:00 -0400] conn=12386 op=-1 fd=236 closed - B1 >>>> 8:57:00 -0400] conn=12385 op=0 RESULT err=0 tag=101 nentries=1 etime=0 >>>> 8:57:00 -0400] conn=12387 op=0 SRCH base="" scope=0 >>>> filter="(objectClass=*)" attrs="supportedSASLMechanisms >>>> defaultnamingcontext namingContexts schemanamingcontext saslrealm" >>>> 8:57:00 -0400] conn=12387 op=0 RESULT err=0 tag=101 nentries=1 etime=0 >>>> 8:57:00 -0400] conn=12385 op=1 BIND dn="" method=sasl version=3 >>>> mech=GSSAPI >>>> 8:57:00 -0400] conn=12387 op=1 BIND dn="" method=sasl version=3 >>>> mech=GSSAPI >>>> 8:57:00 -0400] 
conn=12385 op=1 RESULT err=14 tag=97 nentries=0 >>>> etime=0, SASL bind in progress >>>> 8:57:00 -0400] conn=12383 op=1 BIND dn="" method=sasl version=3 >>>> mech=GSSAPI >>>> 8:57:00 -0400] conn=10384 op=1228 EXT oid="2.16.840.1.113730.3.5.5" >>>> name="Netscape Replication End Session" >>>> 8:57:00 -0400] conn=10384 op=1228 RESULT err=0 tag=120 nentries=0 etime=0 >>>> 8:57:00 -0400] conn=12383 op=1 RESULT err=14 tag=97 nentries=0 >>>> etime=0, SASL bind in progress >>>> 9:02:00 -0400] conn=12388 fd=170 slot=170 connection from 172.20.0.1 >>>> to 172.20.2.45 >>>> 9:02:00 -0400] conn=12389 fd=234 slot=234 SSL connection from >>>> 172.20.0.24 to 172.20.2.45 >>>> 9:02:00 -0400] conn=12390 fd=236 slot=236 connection from local to >>>> /var/run/slapd-EXAMPLE-COM.socket >>>> 9:02:00 -0400] conn=12391 fd=238 slot=238 connection from 172.20.0.1 >>>> to 172.20.2.45 >>>> 9:02:00 -0400] conn=12392 fd=239 slot=239 SSL connection from >>>> 172.20.0.24 to 172.20.2.45 >>>> 9:02:00 -0400] conn=12393 fd=240 slot=240 connection from local to >>>> /var/run/slapd-EXAMPLE-COM.socket >>>> 9:02:00 -0400] conn=12394 fd=241 slot=241 connection from 172.20.0.1 >>>> to 172.20.2.45 >>>> 9:02:00 -0400] conn=12395 fd=242 slot=242 SSL connection from >>>> 172.20.0.24 to 172.20.2.45 >>>> 9:02:00 -0400] conn=12396 fd=243 slot=243 connection from 172.20.0.1 >>>> to 172.20.2.45 >>>> 9:02:00 -0400] conn=12397 fd=244 slot=244 SSL connection from >>>> 172.20.0.24 to 172.20.2.45 >>>> 9:02:00 -0400] conn=12398 fd=245 slot=245 connection from 172.20.0.1 >>>> to 172.20.2.45 >>>> 9:02:00 -0400] conn=12400 fd=247 slot=247 connection from 172.20.0.1 >>>> to 172.20.2.45 >>>> 9:02:00 -0400] conn=12401 fd=248 slot=248 connection from 172.20.0.1 >>>> to 172.20.2.45 >>>> ... 
>>>> 9:02:00 -0400] conn=12390 op=0 BIND dn="" method=sasl version=3 >>>> mech=GSSAPI >>>> 9:02:00 -0400] conn=12388 op=-1 fd=170 closed - B1 >>>> 9:02:00 -0400] conn=12393 op=0 BIND dn="" method=sasl version=3 >>>> mech=GSSAPI >>>> 9:02:00 -0400] conn=12391 op=0 SRCH base="" scope=0 >>>> filter="(objectClass=*)" attrs="supportedSASLMechanisms >>>> defaultnamingcontext namingContexts schemanamingcontext saslrealm" >>>> 9:02:00 -0400] conn=12394 op=-1 fd=241 closed - B1 >>>> 9:02:00 -0400] conn=12391 op=0 RESULT err=0 tag=101 nentries=1 etime=0 >>>> 9:02:00 -0400] conn=12396 op=0 SRCH base="" scope=0 >>>> filter="(objectClass=*)" attrs="supportedSASLMechanisms >>>> defaultnamingcontext namingContexts schemanamingcontext saslrealm" >>>> 9:02:00 -0400] conn=12396 op=0 RESULT err=0 tag=101 nentries=1 etime=0 >>>> 9:02:00 -0400] conn=12398 op=-1 fd=245 closed - B1 >>>> 9:02:00 -0400] conn=12400 op=0 SRCH base="" scope=0 >>>> filter="(objectClass=*)" attrs="supportedSASLMechanisms >>>> defaultnamingcontext namingContexts schemanamingcontext saslrealm" >>>> 9:02:00 -0400] conn=12400 op=0 RESULT err=0 tag=101 nentries=1 etime=0 >>>> 9:02:00 -0400] conn=12401 op=-1 fd=248 closed - B1 >>>> 9:02:00 -0400] conn=12391 op=1 ABANDON targetop=NOTFOUND msgid=1 >>>> 9:02:00 -0400] conn=12396 op=1 ABANDON targetop=NOTFOUND msgid=1 >>>> 9:02:00 -0400] conn=12400 op=1 ABANDON targetop=NOTFOUND msgid=1 >>>> 9:02:00 -0400] conn=12391 op=2 UNBIND >>>> 9:02:00 -0400] conn=12396 op=2 UNBIND >>>> 9:02:00 -0400] conn=12391 op=2 fd=238 closed - U1 >>>> 9:02:00 -0400] conn=12396 op=2 fd=243 closed - U1 >>>> 9:02:00 -0400] conn=12400 op=2 UNBIND >>>> 9:02:00 -0400] conn=12400 op=2 fd=247 closed - U1 >>>> ... 
>>>>
>>>>
>>>> Environment:
>>>> # cat /etc/redhat-release
>>>> CentOS Linux release 7.2.1511 (Core)
>>>>
>>>> # rpm -qa ipa*
>>>> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>>>> ipa-python-4.2.0-15.0.1.el7.centos.6.1.x86_64
>>>> ipa-admintools-4.2.0-15.0.1.el7.centos.6.1.x86_64
>>>> ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.6.1.x86_64
>>>> ipa-client-4.2.0-15.0.1.el7.centos.6.1.x86_64
>>>> ipa-server-dns-4.2.0-15.0.1.el7.centos.6.1.x86_64
>>>>
>>>> # rpm -qa 389*
>>>> 389-ds-base-libs-1.3.4.0-30.el7_2.x86_64
>>>> 389-ds-base-1.3.4.0-30.el7_2.x86_64
>>>>
>>>> We have 4 FreeIPA servers with replication working fine between them.
>>>> ipa1 is handling LDAP authentication for +400 clients and has been
>>>> tuned as recommended per
>>>>
>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Performance_Tuning_Guide/system-tuning.html
>>>>
>>>> Is this a known issue?
>>>> Any idea what can be causing ns-slapd to hang?
>>>>
>>>> Thanks in advance!
>>>>
>>>> Guillermo
>>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project

From ender at kofeina.net Tue Jun 14 05:52:19 2016
From: ender at kofeina.net (Łukasz Jaworski)
Date: Tue, 14 Jun 2016 07:52:19 +0200
Subject: [Freeipa-users] ipa: ERROR: invalid 'hostname': invalid domain-name: only letters, numbers, '-' are allowed. DNS label may not start or end with '-'
Message-ID: <0CAD466A-7F23-43D7-9D25-512EE8965614@kofeina.net>

Hi,

freeipa-client-4.2.4-1.fc23.x86_64
freeipa-server-4.2.4-1.fc23.x86_64

I've tried to add a hostname with multiple hyphens. Sth like: example--name-of-host.example.com.

Output is:
ipa: ERROR: invalid 'hostname': invalid domain-name: only letters, numbers, '-' are allowed.
DNS label may not start or end with '-'

IMHO hyphens are not allowed: the first and last characters of a label (RFC 952 and 1123)

If I'm right, in validate_dns_label (util.py) there should be something like this:

diff util.py util.py.corrected
225c225
< label_regex = r'^[%(base)s%(extra)s]([%(base)s%(extra)s%(middle)s]?[%(base)s%(extra)s])*$' \
---
> label_regex = r'^[%(base)s%(extra)s]([%(base)s%(extra)s%(middle)s]+?[%(base)s%(extra)s])*$' \

Best regards,
Łukasz Jaworski "Ender"

From bentech4you at gmail.com Tue Jun 14 06:05:28 2016
From: bentech4you at gmail.com (Ben .T.George)
Date: Tue, 14 Jun 2016 09:05:28 +0300
Subject: [Freeipa-users] What id my AD domain user password not available
In-Reply-To: 
References: <1006530.1464281903871.JavaMail.wam@elwamui-ovcar.atl.sa.earthlink.net> <20160527040554.dglitdvlfcg2asif@redhat.com> <20160527075339.3adp5oodpzup62qe@redhat.com>
Message-ID: 

HI

Sorry, it was an issue with DNS (SRV records were missing) and it's been fixed now. I have created a one-way forest trust.

While issuing the trust from the IPA server, I used a shared key and the process was successful.

But after validating the trust from the AD side, it's asking for a username and password. I have given the password combinations below:

IPA "admin" user and password
IPA admin user and IPA directory password
AD "Administrator" and password.

But still it's not accepting them. So which username and password is it expecting?

This is if I create a one-way trust. If I create a two-way trust, this password is not asked for, and my AD admin will only allow a one-way trust.

Thanks & Regards,
Ben

On Wed, Jun 1, 2016 at 8:20 AM, Ben .T.George wrote:
> HI
>
> Sorry, it was an issue with DNS (SRV records were missing) and it's been fixed
> now. I have created a one-way forest trust.
>
> While issuing the trust from the IPA server, I used a shared key and the
> process was successful.
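Review bot: the replacement line in the 225c225 hunk turns `]?[` into `]+?[`, and a lazy `+?` still requires at least one character, so every repetition of the group now consumes two or more characters and a two-character label stops matching: for `ab`, `^[%(base)s%(extra)s]` takes `a`, the group cannot take `b` alone, and with zero repetitions `$` fails at `b`. The relaxation wanted here is `*` rather than `?` (any number of inner characters, still closing on a base/extra character); and since the inner class already contains the base and extra characters, the outer `*` repetition becomes redundant and nests two unbounded quantifiers, which backtracks badly on long non-matching input. `^[%(base)s%(extra)s]([%(base)s%(extra)s%(middle)s]*[%(base)s%(extra)s])?$` accepts the same labels (first and last character never from `%(middle)s`, any run of hyphens inside) without that. A test for a two-character label and for `example--name-of-host` would catch both points.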
>
> But after validating the trust from the AD side, it's asking for a username
> and password. I have given the password combinations below:
>
> IPA "admin" user and password
> IPA admin user and IPA directory password
> AD "Administrator" and password.
>
> But still it's not accepting them. So which username and password is it
> expecting?
>
> This is if I create a one-way trust. If I create a two-way trust, this
> password is not asked for, and my AD admin will only allow a one-way trust.
>
> Thanks & Regards,
> Ben
>
> On Fri, May 27, 2016 at 11:04 AM, Ben .T.George wrote:
>> HI Alex,
>>
>> Thanks for the information.
>>
>> I have removed the old trust and am recreating it again.
>>
>> [image: Inline image 1]
>> [image: Inline image 2]
>> [image: Inline image 4]
>>
>> And with the IPA domain (idm.local) it's also the same, it's not creating the trust.
>>
>> Regards,
>> Ben
>>
>> On Fri, May 27, 2016 at 10:53 AM, Alexander Bokovoy wrote:
>>> On Fri, 27 May 2016, Ben .T.George wrote:
>>>
>>>> This is what I am getting
>>>>
>>>> [image: Inline image 1]
>>>> [image: Inline image 3]
>>>> [image: Inline image 4]
>>>>
>>>> And that wizard ends with nothing. Please, anyone, share more info
>>>> regarding this.
>>>>
>>> The wizard asks you to enter the name of the domain, forest, or realm
>>> for the trust. You are entering the hostname of the IPA master. This is never
>>> going to fly.
>>>
>>> In Active Directory terms:
>>> - a forest is a set of AD domains
>>> - it is named after the first AD domain created in the forest
>>> - this domain is called the 'forest root domain'
>>>
>>> In FreeIPA we have a single 'domain' from the Active Directory perspective:
>>> - this is the domain corresponding to the Kerberos realm name (ipa.local
>>> in your case)
>>> - Forest name = forest root domain name = ipa.local
>>>
>>> The wizard will then use DNS SRV records to discover IPA masters (AD DCs
>>> from the Active Directory view).
>>> >>> >>> >>>> Regards, >>>> Ben >>>> >>>> On Fri, May 27, 2016 at 10:24 AM, Ben .T.George >>>> wrote: >>>> >>>> HI Alex. >>>>> >>>>> I Am using windows 2008 R2. >>>>> >>>>> when i am giving IPA's DNS name and click next, the trust wizard is not >>>>> going through. But if i am selecting realm trust , atleast the wizard >>>>> completes. >>>>> >>>>> So which AD version is recommended ? >>>>> >>>>> Regards, >>>>> Ben >>>>> >>>>> On Fri, May 27, 2016 at 7:05 AM, Alexander Bokovoy < >>>>> abokovoy at redhat.com> >>>>> wrote: >>>>> >>>>> On Fri, 27 May 2016, Ben .T.George wrote: >>>>>> >>>>>> HI >>>>>>> >>>>>>> i ran some commands from AD side and the Trust status got >>>>>>> changed.Below >>>>>>> is >>>>>>> the command i used on AD >>>>>>> >>>>>>> netdom trust /d: /verify >>>>>>> >>>>>>> >>>>>>> Before it was : "waiting for confirmation by remote side" and not it >>>>>>> got >>>>>>> changed to "Trust type: Active Directory domain" >>>>>>> >>>>>>> But when i am trying to map AD group, it not going through >>>>>>> >>>>>>> >>>>>>> root at zkwipamstr01 ~]# ipa group-add-member ad_admins_external >>>>>>> --external >>>>>>> 'MTC_TABS\Domain Users' >>>>>>> [member user]: >>>>>>> [member group]: >>>>>>> Group name: ad_admins_external >>>>>>> Description: ad_domain admins external map >>>>>>> Failed members: >>>>>>> member user: >>>>>>> *member group: MTC_TABS\Domain Users: trusted domain object not >>>>>>> found * >>>>>>> ------------------------- >>>>>>> Number of members added 0 >>>>>>> ------------------------- >>>>>>> >>>>>>> This is what my trust properties from AD. Trust type is showing as >>>>>>> realm >>>>>>> >>>>>>> It should be 'Forest', not 'realm'. Realm is for plain MIT Kerberos >>>>>> realm trust which is *not* what IPA provides. >>>>>> >>>>>> [image: Inline image 1] >>>>>> >>>>>>> >>>>>>> How can i fix this issue. >>>>>>> >>>>>>> Use correct type of trust when establishing trust on AD side. 
If your
>>>>>> Windows version does not allow to specify proper trust type, I'm
>>>>>> afraid,
>>>>>> there is nothing we can help with.
>>>>>>
>>>>>> --
>>>>>> / Alexander Bokovoy
>>>
>>> --
>>> / Alexander Bokovoy

From matrix.zj at qq.com Tue Jun 14 06:23:23 2016
From: matrix.zj at qq.com (Matrix)
Date: Tue, 14 Jun 2016 14:23:23 +0800
Subject: [Freeipa-users] How to renew kerberos tickets without user intervation?
Message-ID:

HI, All

IPA server was installed on ipaserver.dev.example.net

A user 'ads' in IPA will periodically 'rsync' files from ipaclient1 to ipaclient2. I found that rsync cronjobs will be failed once 'ads' kerberos ticket has been expired.

I would like to renew kerberos tickets before expiration without user intervation, but failed.
krb configuration:

# cat /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.NET
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}
 renew_lifetime = 7d

[realms]
 EXAMPLE.NET = {
  kdc = ipaserver.dev.example.net:88
  master_kdc = ipaserver.dev.example.net:88
  admin_server = ipaserver.dev.example.net:749
  default_domain = example.net
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }

[domain_realm]
 .example.net = EXAMPLE.NET
 example.net = EXAMPLE.NET

[dbmodules]
 EXAMPLE.NET = {
  db_library = ipadb.so
 }

When I was trying to renew kerberos ticket from client1, error message was shown as :
$ kinit -R
kinit: KDC can't fulfill requested option while renewing credentials

And logs from ipa server:
# tailf /var/log/krb5kdc.log
......
Jun 14 06:22:35 ipaserver.dev.example.net krb5kdc[23368](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.11.235: TICKET NOT RENEWABLE: authtime 0, ads at EXAMPLE.NET for krbtgt/EXAMPLE.NET at EXAMPLE.NET, KDC can't fulfill requested option
Jun 14 06:22:35 ipaserver.dev.example.net krb5kdc[23368](info): closing down fd 10
......

any suggestions would be appreciated.

Best Regards
Matrix
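As an added example (editor's code, not part of Matrix's message or of FreeIPA), here is a small parser for krb5kdc.log lines of the kind shown above, run over constructed sample lines in the same format (the archive's " at " obfuscation is written back as "@"). It pulls out the request type, client address, principals and the KDC's verdict, so that non-ISSUE outcomes such as TICKET NOT RENEWABLE can be counted per client principal and a cron job that keeps asking the KDC to renew a ticket it will not renew stands out in the log.

```python
import re
from collections import Counter

# Constructed sample lines in the krb5kdc.log format shown in the thread (not real log data).
SAMPLE_LOG = """\
Jun 14 06:00:01 ipaserver.dev.example.net krb5kdc[23368](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.11.235: ISSUE: authtime 1465884001, etypes {rep=18 tkt=18 ses=18}, ads@EXAMPLE.NET for krbtgt/EXAMPLE.NET@EXAMPLE.NET
Jun 14 06:22:35 ipaserver.dev.example.net krb5kdc[23368](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.11.235: TICKET NOT RENEWABLE: authtime 0, ads@EXAMPLE.NET for krbtgt/EXAMPLE.NET@EXAMPLE.NET, KDC can't fulfill requested option
Jun 14 06:22:35 ipaserver.dev.example.net krb5kdc[23368](info): closing down fd 10
Jun 14 06:30:12 ipaserver.dev.example.net krb5kdc[23368](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.11.240: ISSUE: authtime 1465885812, etypes {rep=18 tkt=18 ses=18}, host/ipaclient1.dev.example.net@EXAMPLE.NET for ldap/ipaserver.dev.example.net@EXAMPLE.NET
"""

# One AS_REQ/TGS_REQ line: timestamp, KDC host, pid, level, request type, offered etypes,
# client address, verdict, authtime, optional negotiated etypes, client and server principal,
# and an optional trailing reason after the server principal.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<ip>[0-9a-fA-F.:]+): (?P<status>[A-Z][A-Z_ ]*?): authtime (?P<authtime>\d+), "
    r"(?:etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<server>\S+?)(?:, (?P<reason>.*))?$"
)


def parse_kdc_line(line):
    """Return a dict of request fields, or None for lines that are not AS/TGS requests."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["etypes"] = [int(e) for e in rec["etypes"].split()]
    rec["authtime"] = int(rec["authtime"])
    rec["ok"] = rec["status"] == "ISSUE"   # anything else is a refusal or error verdict
    return rec


def failed_requests(text):
    """Count non-ISSUE verdicts per (client principal, verdict) over a log excerpt."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_kdc_line(line)
        if rec and not rec["ok"]:
            counts[(rec["client"], rec["status"])] += 1
    return counts


if __name__ == "__main__":
    for (client, status), n in failed_requests(SAMPLE_LOG).items():
        print(f"{n:3d}  {status:<22} {client}")
```

Feeding a day's log through failed_requests() gives one line per principal and verdict; a steady stream of TICKET NOT RENEWABLE for one service account is the signature of an unattended job that depends on `kinit -R` working.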
From jhrozek at redhat.com Tue Jun 14 06:56:40 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 14 Jun 2016 08:56:40 +0200
Subject: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails
In-Reply-To: <575F2E48.9040306@redhat.com>
References: <20160607204327.GA6308@hendrix> <20160611090142.GA18966@10.4.128.1> <20160613205701.GA9992@hendrix> <575F2378.1020703@redhat.com> <575F2E48.9040306@redhat.com>
Message-ID: <20160614065640.GG9992@hendrix>

On Mon, Jun 13, 2016 at 06:06:00PM -0400, Rob Crittenden wrote:
> Nathan Peters wrote:
> > I have confirmed that on both CentOS 6.8 and CentOS 6.7 that if the group is a POSIX group, it can be used in sudo rules.
> > If the group is a 'normal' group it will fail when used in sudo rules.
> >
> > This is really silly because in a previous version of CentOS (6.3) sudo rules would fail if the group was POSIX, and work if the group was 'normal'.
> >
> > I'm not sure when this changed because we still have CentOS 6.7 machines that are working fine with the non posix groups.
> > I did notice that in sssd 1.13.3-22.el6 sudo fails with non posix groups
> > And with 1.12.4-47.el6_7.7 sudo works with non posix groups
> >
> > So now FreeIPA exists in a really funky state where if you are below CentOS 6.4 you MUST use non POSIX groups and If you are on CentOS 6.7 and above, you must use POSIX groups.
> >
> > So basically, you need to roll forward your entire infrastructure to CentOS 6.7 or above or else your old machines will suddenly start failing sudo logins when you update the groups or your new machines will simply fail with groups that worked on your old ones.
> >
> > Can you please confirm what the intended behavior is because I would rather not go through the trouble of re-creating all our sudo / hbac rules and user groups...
>
> Jakub already stated that this would be bug if it only worked with POSIX
> groups, so you've confirmed that.
> > If you have a Red Hat subscription I'd open a support case and ask to be > added to bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=1336548 Because that bug is private (sorry, there's some RH customer data there) and because you also confirmed it's an issue, I cloned the bugzilla to our upstream Trac: https://fedorahosted.org/sssd/ticket/3046 I'm sceptical we will have a fix this week, we're trying to meet a deadline at the moment, but we will try to come up with a fix either late next week or the one after. I'm sorry about the inconvenience. I wonder if, as a temporary workaround, you could point sssd to the compat tree using ldap_sudo_search_base? From abokovoy at redhat.com Tue Jun 14 07:10:25 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 14 Jun 2016 10:10:25 +0300 Subject: [Freeipa-users] What id my AD domain user password not available In-Reply-To: References: <1006530.1464281903871.JavaMail.wam@elwamui-ovcar.atl.sa.earthlink.net> <20160527040554.dglitdvlfcg2asif@redhat.com> <20160527075339.3adp5oodpzup62qe@redhat.com> Message-ID: <20160614071025.nx6fa667heos2vsn@redhat.com> On Tue, 14 Jun 2016, Ben .T.George wrote: >HI > >sorry it was issue with DNS (SRV records was missing) and it's been fixed >now. i have created one way forest trust > >While issuing trust from IPA server, i have used shared key and the process >was successful. It will always be successful because IPA server talks to itself. >But after validating the trust from AD side, it's asking for some username >and password.I have gave below password combinations: > >IPA "admin" user and password >IPA admin user and IPA directory password >AD "Administrator" and password. > >but still it's not accepting that. So which username and password it is >expecting? > >This is if i create one way trust. If i create two way trust, this password >is not asking. and my AD admin will only allow one way trust. 
There is a bug right now where shared secret one-way trust is broken with the symptoms your setup is showing. You have four options:

- one-way trust established using credentials of AD administrator who is member of Enterprise Admins or Domain Admins group from the forest root domain. This option works just fine.

- one-way trust established using shared secret. This doesn't currently work. https://bugzilla.redhat.com/show_bug.cgi?id=1345975

- two-way trust established using credentials of AD administrator who is member of Enterprise Admins or Domain Admins group from the forest root domain. This option works just fine.

- two-way trust established using shared secret. This option works just fine.

I'm currently looking into bug #1345975.

--
/ Alexander Bokovoy

From ipa at border.nuneshiggs.com Tue Jun 14 11:01:56 2016
From: ipa at border.nuneshiggs.com (Nuno Higgs)
Date: Tue, 14 Jun 2016 12:01:56 +0100
Subject: [Freeipa-users] Error with DNS forwarding on replica.
In-Reply-To: <0ce001d1c553$f62da900$e288fb00$@border.nuneshiggs.com>
References: <0c6701d1c4da$d5e36820$81aa3860$@border.nuneshiggs.com> <34c49430-1745-8814-1535-6b0ecf18ce64@redhat.com> <0ce001d1c553$f62da900$e288fb00$@border.nuneshiggs.com>
Message-ID:

Hello,

Found it:

It appears that my forwarder is NOT DNSSEC happy:

in: /var/named/data/named.run

validating @0x7f2c40044910: . DNSKEY: got insecure response; parent indicates it should be secure
error (insecurity proof failed) resolving './DNSKEY/IN': 10.0.157.35#53

So, i changed the /etc/named.conf

from:

dnssec-enable yes;
dnssec-validation yes;

to:

dnssec-enable yes;
dnssec-validation no;

Everything is working fine now.

Thanks for your help!
Nuno

> On 13 Jun 2016, at 10:14, Nuno Higgs wrote:
>
> Hello again,
>
> [root at ipa01 ~]# kinit user
> Password for user at DOMAIN.LOCAL:
> [root at ipa01 ~]# ipa dnsforwardzone-show domain.eu
> Zone name: domain.eu.
> Active zone: TRUE > Zone forwarders: 194.65.3.20 195.65.3.21 > Forward policy: only > [root at ipa01 ~]# > > > [root at ipa02 ~]# ipa dnsforwardzone-show domain.eu > Zone name: domain.eu. > Active zone: TRUE > Zone forwarders: 194.65.3.20 195.65.3.21 > Forward policy: only > [root at ipa02 ~]# > > On both servers the return is the same. > I haven't touched the DNS config besides deleting the zone and recreating > it. > > I am at a loss. What can be the issue here? > > Thanks, > Nuno > > > -----Original Message----- > From: freeipa-users-bounces at redhat.com > [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek > Sent: segunda-feira, 13 de junho de 2016 06:50 > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] Error with DNS forwarding on replica. > > On 12.6.2016 20:47, Nuno Higgs wrote: >> Hello all, >> >> >> >> I have a IPA server - IPA 4.2 - and i have added a new IPA to >> geographic replication. >> >> >> >> I have added it as stated in the documentation here: >> > x/7/ht >> ml/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the- >> replic >> a.html#replica-install-with-dns> >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux >> /7/htm >> l/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-r >> eplica >> .html#replica-install-with-dns >> >> >> >> All was replicated correctly, and i can do a kinit user at DOMAIN with >> success within the replica. >> >> However there is a problem with the DNS sections: >> >> >> >> Although it DNS is ok, my configuration within IPA on the first server >> regarding DNS zones that are set on forward only are not. >> >> In my first server, i can do a forward of domain - let's say >> domain.eu. On the second server (replica) the >> forward is shown configured correctly within the webgui but it does >> not work, giving a NX error on query >> www.domain.eu (the A Record exists and is shown on the first server). 
>> It also shows on dig on the replica (dig @x.x.x.x www.domain.eu), so it
> isn't a network permissions issue.
>>
>> I have deleted the zone on the master (and replica), and recreated it.
>> On the first server, it worked fine. On the replica the problem persisted.
>>
>> Am I missing anything? Is there an undocumented trick, or have i missed
>> something?
>
> Hello,
>
> it could be either a DNS configuration problem or a LDAP replication
> problem.
>
> Please show us output from command:
> $ ipa dnsforwardzone-show domain.eu
> from all IPA servers you have.
>
> The output should be the same. If it is not the same then you are most
> likely facing a replication problem, please see
> http://www.freeipa.org/page/Troubleshooting#Replication_issues
>
> --
> Petr^2 Spacek
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From rcritten at redhat.com Tue Jun 14 11:56:38 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 14 Jun 2016 07:56:38 -0400
Subject: [Freeipa-users] ipa: ERROR: invalid 'hostname': invalid domain-name: only letters, numbers, '-' are allowed. DNS label may not start or end with '-'
In-Reply-To: <0CAD466A-7F23-43D7-9D25-512EE8965614@kofeina.net>
References: <0CAD466A-7F23-43D7-9D25-512EE8965614@kofeina.net>
Message-ID: <575FF0F6.3010109@redhat.com>

Łukasz Jaworski wrote:
> Hi,
>
> freeipa-client-4.2.4-1.fc23.x86_64 freeipa-server-4.2.4-1.fc23.x86_64
>
> I've tried add hostname with multiple hyphens. Sth like:
> example--name-of-host.example.com. Output is: ipa: ERROR: invalid
> 'hostname': invalid domain-name: only letters, numbers, '-'
are allowed.
> DNS label may not start or end with '-'
>
> IMHO hyphens are not allowed: the first and last characters of a label
> (RFC 952 and 1123)
>
> If I'm right, in validate_dns_label (util.py) should be something like this:
>
>
> diff util.py util.py.corrected 225c225 < label_regex =
> r'^[%(base)s%(extra)s]([%(base)s%(extra)s%(middle)s]?[%(base)s%(extra)s])*$'
> \
> > label_regex =
> r'^[%(base)s%(extra)s]([%(base)s%(extra)s%(middle)s]+?[%(base)s%(extra)s])*$'
> \

See https://fedorahosted.org/freeipa/ticket/4710

rob

From rcritten at redhat.com Tue Jun 14 11:57:56 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 14 Jun 2016 07:57:56 -0400
Subject: [Freeipa-users] How to renew kerberos tickets without user intervation?
In-Reply-To:
References:
Message-ID: <575FF144.6000803@redhat.com>

Matrix wrote:
> HI, All
>
> IPA server was installed on ipaserver.dev.example.net
>
> A user 'ads' in IPA will periodically 'rsync' files from ipaclient1 to
> ipaclient2. I found that rsync cronjobs will be failed once 'ads'
> kerberos ticket has been expired.
>
> I would like to renew kerberos tickets before expiration without user
> intervation, but failed.
>
> krb configuration:
>
> # cat /etc/krb5.conf
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = EXAMPLE.NET
> dns_lookup_realm = false
> dns_lookup_kdc = true
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
> udp_preference_limit = 0
> default_ccache_name = KEYRING:persistent:%{uid}
> renew_lifetime = 7d
>
> [realms]
> EXAMPLE.NET = {
> kdc = ipaserver.dev.example.net:88
> master_kdc = ipaserver.dev.example.net:88
> admin_server = ipaserver.dev.example.net:749
> default_domain = example.net
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
> [domain_realm]
> .example.net = EXAMPLE.NET
> example.net = EXAMPLE.NET
>
> [dbmodules]
> EXAMPLE.NET = {
> db_library = ipadb.so
> }
>
> When I was trying to renew kerberos ticket from client1, error message
> was shown as :
> $ kinit -R
> kinit: KDC can't fulfill requested option while renewing credentials
>
> And logs from ipa server:
> # tailf /var/log/krb5kdc.log
> ......
> Jun 14 06:22:35 ipaserver.dev.example.net krb5kdc[23368](info): TGS_REQ
> (6 etypes {18 17 16 23 25 26}) 192.168.11.235: TICKET NOT RENEWABLE:
> authtime 0, ads at EXAMPLE.NET for krbtgt/EXAMPLE.NET at EXAMPLE.NET, KDC
> can't fulfill requested option
> Jun 14 06:22:35 ipaserver.dev.example.net krb5kdc[23368](info): closing
> down fd 10
> ......
>
> any suggestions would be appreciated.
>

Please see the list archives, for example
https://www.redhat.com/archives/freeipa-users/2016-June/msg00176.html

rob

From ender at kofeina.net Tue Jun 14 12:00:55 2016
From: ender at kofeina.net (Łukasz Jaworski)
Date: Tue, 14 Jun 2016 14:00:55 +0200
Subject: [Freeipa-users] ipa: ERROR: invalid 'hostname': invalid domain-name: only letters, numbers, '-' are allowed.
DNS label may not start or end with '-'
In-Reply-To: <575FF0F6.3010109@redhat.com>
References: <0CAD466A-7F23-43D7-9D25-512EE8965614@kofeina.net> <575FF0F6.3010109@redhat.com>
Message-ID:

Thanks.

Best regards,
Ender

Message written by Rob Crittenden on 14 Jun 2016 at 13:56:
> Łukasz Jaworski wrote:
>> Hi,
>>
>> freeipa-client-4.2.4-1.fc23.x86_64 freeipa-server-4.2.4-1.fc23.x86_64
>>
>> I've tried add hostname with multiple hyphens. Sth like:
>> example--name-of-host.example.com. Output is: ipa: ERROR: invalid
>> 'hostname': invalid domain-name: only letters, numbers, '-' are allowed.
>> DNS label may not start or end with '-'
>>
>> IMHO hyphens are not allowed: the first and last characters of a label
>> (RFC 952 and 1123)
>>
>> If I'm right, in validate_dns_label (util.py) should be something like this:
>>
>>
>> diff util.py util.py.corrected 225c225 < label_regex =
>> r'^[%(base)s%(extra)s]([%(base)s%(extra)s%(middle)s]?[%(base)s%(extra)s])*$'
>> \
>> > label_regex =
>> r'^[%(base)s%(extra)s]([%(base)s%(extra)s%(middle)s]+?[%(base)s%(extra)s])*$'
>> \
>
> See https://fedorahosted.org/freeipa/ticket/4710
>
> rob

From gjn at gjn.priv.at Tue Jun 14 13:27:41 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Tue, 14 Jun 2016 15:27:41 +0200
Subject: [Freeipa-users] LDAP "mail" from User
Message-ID: <3253694.VMncdTnI5A@techz>

Hello,

Is there a way to differ the Mail addresses from a user.
I setup a User with 3 Mail addresses in IPA UI

User: Peter

peter at xxx.net
peter at yyyy.com
peter at aaaa.bbb

for me, I can't found a way to setup this correct in a dovecot way?

I mean I must have a "aliases" field in Ldap ?

I am not a Ldap Profi ;-), but why I can insert more EMail addresses when I can't found this later.

Have any a answer for my problem,

Thanks
--
mit freundlichen Grüßen / best regards,
Günther J. Niederwimmer

From pspacek at redhat.com Tue Jun 14 14:28:38 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 14 Jun 2016 16:28:38 +0200
Subject: [Freeipa-users] Error with DNS forwarding on replica.
In-Reply-To:
References: <0c6701d1c4da$d5e36820$81aa3860$@border.nuneshiggs.com> <34c49430-1745-8814-1535-6b0ecf18ce64@redhat.com> <0ce001d1c553$f62da900$e288fb00$@border.nuneshiggs.com>
Message-ID:

On 14.6.2016 13:01, Nuno Higgs wrote:
> Hello,
>
> Found it:
>
> It appears that my forwarder is NOT DNSSEC happy:
>
> in: /var/named/data/named.run
>
> validating @0x7f2c40044910: . DNSKEY: got insecure response; parent indicates it should be secure
> error (insecurity proof failed) resolving './DNSKEY/IN': 10.0.157.35#53
>
> So, i changed the /etc/named.conf
>
> from:
>
> dnssec-enable yes;
> dnssec-validation yes;
>
> to:
>
> dnssec-enable yes;
> dnssec-validation no;
>
> Everything is working fine now.

Okay, it explains a lot.

Please note that configuration "dnssec-validation no;" lowers security bar for attackers and is strongly discouraged!

The issue is most likely caused by non-compliant forwarder which mangles DNS data somehow before they reach your IPA DNS server.

I would recommend you to check DNS forwarder on 10.0.157.35 and see it is configured with its equivalent of "dnssec-enable yes;". I strongly recommend returning back to "dnssec-validation yes;" after fixing the forwarder config.

IPA 4.3 or newer should print a warning about such broken forwarders whenever you try to configure them using IPA commands.
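To check the forwarder the way Petr describes instead of switching validation off, here is an added example (editor's code, not part of the thread, of FreeIPA or of BIND). It builds the same question that failed in the named.run excerpt, a DNSKEY query for the root, with the EDNS0 DO bit set, and inspects the reply for RRSIG records and the DO/AD flags: a forwarder that returns the root DNSKEY set without its signatures is exactly what makes the validating resolver's insecurity proof fail. The helper build_sample_response() fabricates replies offline so the parser can be exercised without network access; probe() sends the real query to a forwarder address such as 10.0.157.35. All function names and the sample bytes are my own assumptions.

```python
import socket
import struct

TYPE_RRSIG, TYPE_DNSKEY, TYPE_OPT = 46, 48, 41
EDNS_DO = 0x8000          # DNSSEC OK flag in the OPT record's "TTL" field
FLAG_AD = 0x0020          # Authenticated Data bit in the DNS header flags


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels; "." is the root (a lone zero byte)."""
    labels = [] if name in ("", ".") else name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name=".", qtype=TYPE_DNSKEY, txid=0x1234):
    """Recursion-desired query with an OPT record that sets DO, so a DNSSEC-aware server returns RRSIGs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, UDP payload 4096, ext-rcode 0, version 0, flags DO, no rdata
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, EDNS_DO, 0)
    return header + question + opt


def skip_name(msg, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def analyze_response(msg):
    """Walk all sections and report what matters for DNSSEC: AD, DO and RRSIG presence."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                 # QTYPE + QCLASS
    types, do_bit = [], False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            do_bit = bool(ttl & EDNS_DO)              # OPT reuses TTL for ext-rcode/version/flags
        types.append(rtype)
        off += 10 + rdlen
    return {"id": txid, "rcode": flags & 0xF, "ad": bool(flags & FLAG_AD),
            "do": do_bit, "answer_count": an, "rrsig_count": types.count(TYPE_RRSIG)}


def verdict(info):
    """Classify a forwarder's reply to the DO-flagged root DNSKEY query."""
    if info["rcode"] != 0:
        return "error"
    if info["rrsig_count"] == 0:
        return "stripped"       # signatures missing: a validating resolver behind it cannot succeed
    if not info["ad"]:
        return "unvalidated"    # signatures passed through, but the forwarder does not validate itself
    return "validating"


def build_sample_response(with_rrsig=True, ad=True, txid=0x1234):
    """Constructed reply for offline testing; key and signature bytes are dummies, not real DNSSEC data."""
    flags = 0x8180 | (FLAG_AD if ad else 0)           # QR, RD, RA (+AD)
    dummy_key = b"\x01\x01\x03\x08" + b"\xaa" * 8      # flags=257, protocol=3, alg=8, fake key material
    answers = [encode_name(".") + struct.pack("!HHIH", TYPE_DNSKEY, 1, 3600, len(dummy_key)) + dummy_key]
    if with_rrsig:
        dummy_sig = b"\x00\x30\x08\x00" + b"\x00" * 14 + encode_name(".") + b"\xbb" * 8
        answers.append(encode_name(".") + struct.pack("!HHIH", TYPE_RRSIG, 1, 3600, len(dummy_sig)) + dummy_sig)
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, EDNS_DO, 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 1)
    return header + encode_name(".") + struct.pack("!HH", TYPE_DNSKEY, 1) + b"".join(answers) + opt


def probe(server, timeout=3.0):
    """Send the DO-flagged root DNSKEY query to a forwarder over UDP and classify its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(), (server, 53))
        data, _ = s.recvfrom(4096)
    info = analyze_response(data)
    return verdict(info), info


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "10.0.157.35"))
```

A "stripped" verdict means the forwarder is not passing DNSSEC material through, which is the case to fix on the forwarder side before restoring `dnssec-validation yes;`; "unvalidated" is acceptable, because the IPA resolver validates on its own as long as the signatures arrive. The AD bit from a forwarder is only as trustworthy as the path to it, so treat it as a hint, not as proof.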
What version of IPA do you use? How did you configure the forwarder in IPA? Petr^2 Spacek > > Thanks for your help! > Nuno > >> On 13 Jun 2016, at 10:14, Nuno Higgs wrote: >> >> Hello again, >> >> [root at ipa01 ~]# kinit user >> Password for user at DOMAIN.LOCAL: >> [root at ipa01 ~]# ipa dnsforwardzone-show domain.eu >> Zone name: domain.eu. >> Active zone: TRUE >> Zone forwarders: 194.65.3.20 195.65.3.21 >> Forward policy: only >> [root at ipa01 ~]# >> >> >> [root at ipa02 ~]# ipa dnsforwardzone-show domain.eu >> Zone name: domain.eu. >> Active zone: TRUE >> Zone forwarders: 194.65.3.20 195.65.3.21 >> Forward policy: only >> [root at ipa02 ~]# >> >> On both servers the return is the same. >> I haven't touched the DNS config besides deleting the zone and recreating >> it. >> >> I am at a loss. What can be the issue here? >> >> Thanks, >> Nuno >> >> >> -----Original Message----- >> From: freeipa-users-bounces at redhat.com >> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek >> Sent: segunda-feira, 13 de junho de 2016 06:50 >> To: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] Error with DNS forwarding on replica. >> >> On 12.6.2016 20:47, Nuno Higgs wrote: >>> Hello all, >>> >>> >>> >>> I have a IPA server - IPA 4.2 - and i have added a new IPA to >>> geographic replication. >>> >>> >>> >>> I have added it as stated in the documentation here: >>> >> x/7/ht >>> ml/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the- >>> replic >>> a.html#replica-install-with-dns> >>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux >>> /7/htm >>> l/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-r >>> eplica >>> .html#replica-install-with-dns >>> >>> >>> >>> All was replicated correctly, and i can do a kinit user at DOMAIN with >>> success within the replica. 
>>> >>> However there is a problem with the DNS sections: >>> >>> >>> >>> Although it DNS is ok, my configuration within IPA on the first server >>> regarding DNS zones that are set on forward only are not. >>> >>> In my first server, i can do a forward of domain - let's say >>> domain.eu. On the second server (replica) the >>> forward is shown configured correctly within the webgui but it does >>> not work, giving a NX error on query >>> www.domain.eu (the A Record exists and is shown on the first server). >>> It also shows on dig on the replica (dig @x.x.x.x www.domain.eu), so it >> isn't a network permissions issue. >>> >>> >>> >>> I have deleted the zone on the master (and replica), and recreated it. >>> On the first server, it worked fine. On the replica the problem persisted. >>> >>> >>> >>> Am I missing anything? Is there a undocumented trick, or have i missed >>> something? >> >> Hello, >> >> it could be either a DNS configuration problem or a LDAP replication >> problem. >> >> Please show us output from command: >> $ ipa dnsforwardzone-show domain.eu >> from all IPA servers you have. >> >> The output should be the same. If it is not the same then you are most >> likely facing an replication problem, please see >> http://www.freeipa.org/page/Troubleshooting#Replication_issues >> >> -- >> Petr^2 Spacek From rcritten at redhat.com Tue Jun 14 15:22:58 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 14 Jun 2016 11:22:58 -0400 Subject: [Freeipa-users] CA: IPA certificates not renewing In-Reply-To: References: Message-ID: <57602152.9090104@redhat.com> Marc Wiatrowski wrote: > Hello, I'm having issues with the 3 ipa certificates of type CA: IPA > renewing on 2 of 3 replicas. Particularly on the 2 that are not the CA > master. The other 5 certificates from getcert list do renew and all > certificates on the CA master do look to renew. > > Both servers running ipa-server-3.0.0-50.el6.centos.1.x86_64 I've done > full updates and rebooted. 
Can you check on the replication status for each CA? $ ipa-csreplica-manage list -v ipa.example.com The hostname is important because including that will show the agreements that host has. Do this for each master with a CA. The CA being asked to do the renewal is unaware of the current serial number so it is refusing to proceed. rob > > The failed renews look like: > > [root at spider01a]$ getcert list -i 20141202144354 > Number of certificates and requests being tracked: 8. > Request ID '20141202144354': > status: CA_UNREACHABLE > ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request, > will retry: 4301 (RPC failed at server. Certificate operation cannot be > completed: EXCEPTION (Certificate serial number 0x3ffe0010 not found)). > stuck: no > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=IGLASS.NET > subject: CN=spider01a.iglass.net > ,O=IGLASS.NET > expires: 2016-12-02 14:38:45 UTC > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA > track: yes > auto-renew: yes > > [root at spider01a]$ getcert list -i 20141202144616 > Number of certificates and requests being tracked: 8. > Request ID '20141202144616': > status: CA_UNREACHABLE > ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request, > will retry: 4301 (RPC failed at server. Certificate operation cannot be > completed: EXCEPTION (Certificate serial number 0x3ffe000f not found)). 
> stuck: no > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/dirsrv/slapd-IGLASS-NET/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=IGLASS.NET > subject: CN=spider01a.iglass.net > ,O=IGLASS.NET > expires: 2016-12-02 14:38:43 UTC > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv IGLASS-NET > track: yes > auto-renew: yes > > [root at spider01a]$ getcert list -i 20141202144733 > Number of certificates and requests being tracked: 8. > Request ID '20141202144733': > status: CA_UNREACHABLE > ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request, > will retry: 4301 (RPC failed at server. Certificate operation cannot be > completed: EXCEPTION (Certificate serial number 0x3ffe0011 not found)). 
> stuck: no > key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=IGLASS.NET > subject: CN=spider01a.iglass.net > ,O=IGLASS.NET > expires: 2016-12-02 14:38:46 UTC > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: /usr/lib64/ipa/certmonger/restart_httpd > track: yes > auto-renew: yes > > > From > [root at spider01a]$ getcert resubmit -i 20141202144354 > > On the replica issuing the resubmit > > ==> /var/log/httpd/access_log <== > 192.168.176.2 - - [13/Jun/2016:15:49:32 -0400] "POST /ipa/xml HTTP/1.1" > 401 1370 > > ==> /var/log/httpd/error_log <== > [Mon Jun 13 15:49:33 2016] [error] ipa: ERROR: > ipaserver.plugins.dogtag.ra.get_certificate(): EXCEPTION (Certificate > serial number 0x3ffe0010 not found) > [Mon Jun 13 15:49:33 2016] [error] ipa: INFO: > host/spider01a.iglass.net at IGLASS.NET > : > cert_request(u'MIIDsTCCApkCAQAwNDETMBEGA1UEChMKSUdMQVNTLk5FVDEdMBsGA1UEAxMUc3BpZGVyMDFhLml...UVrN8lbKn17V5COjnj6k0mdbz3KptL0UI/l0BPlFBWGN5MFYaDx2F+y6LWv/aXeu2V4E6LA==', > principal=u'dogtagldap/spider01a.iglass.net at IGLASS.NET > ', add=True): > CertificateOperationError > > ==> /var/log/httpd/access_log <== > 192.168.176.2 - - [13/Jun/2016:15:49:33 -0400] "POST > /ca/agent/ca/displayBySerial HTTP/1.1" 200 262 > 192.168.176.2 - host/spider01a.iglass.net at IGLASS.NET > [13/Jun/2016:15:49:32 -0400] > "POST /ipa/xml HTTP/1.1" 200 376 > > ==> /var/log/pki-ca/system <== > 2508.TP-Processor6 - [13/Jun/2016:15:49:33 EDT] [3] [3] Servlet > caDisplayBySerial: Error encountered in DisplayBySerial. Error Record > not found. 
> > > On the CA master spider01o: > > ==> /var/log/httpd/access_log <== > 192.168.176.2 - - [13/Jun/2016:15:49:33 -0400] "POST /ipa/xml HTTP/1.1" > 401 1370 > > ==> krb5kdc.log <== > Jun 13 15:49:34 spider01o.iglass.net > krb5kdc[1963](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.177.2 > : ISSUE: authtime 1465847372, etypes {rep=18 > tkt=18 ses=18}, host/spider01a.iglass.net at IGLASS.NET > for > ldap/spider01o.iglass.net at IGLASS.NET > > > ==> /var/log/httpd/error_log <== > [Mon Jun 13 15:49:34 2016] [error] ipa: ERROR: > ipaserver.plugins.dogtag.ra.get_certificate(): EXCEPTION (Invalid > Credential.) > [Mon Jun 13 15:49:34 2016] [error] ipa: INFO: > host/spider01a.iglass.net at IGLASS.NET > : > cert_request(u'MIIDsTCCApkCAQAwNDETMBEGA1UEChMKSUdMQVNTLk5FVDEdMBsGA1UEAxMUc3BpZGVyMDFhLml...UVrN8lbKn17V5COjnj6k0mdbz3KptL0UI/l0BPlFBWGN5MFYaDx2F+y6LWv/aXeu2V4E6LA==', > principal=u'dogtagldap/spider01a.iglass.net at IGLASS.NET > ', add=True): > CertificateOperationError > > ==> /var/log/httpd/access_log <== > 192.168.177.2 - - [13/Jun/2016:15:49:34 -0400] "POST > /ca/agent/ca/displayBySerial HTTP/1.1" 200 235 > 192.168.176.2 - host/spider01a.iglass.net at IGLASS.NET > [13/Jun/2016:15:49:33 -0400] > "POST /ipa/xml HTTP/1.1" 200 349 > > ==> /var/log/pki-ca/system <== > 2231.TP-Processor3 - [13/Jun/2016:15:49:34 EDT] [6] [3] Cannot > authenticate agent with certificate Serial 0x5ffc0008 Subject DN CN=IPA > RA,O=IGLASS.NET . Error: User not found > > > I realize they expire at the end of the year, but I've had my > certificates expire before and would rather not go through that again. > Any idea on what's wrong or suggestions on where to look would be > appreciated. 
>
> Thanks,
> Marc
>
>

From freeipa at 0xc0dedbad.com Tue Jun 14 15:17:02 2016
From: freeipa at 0xc0dedbad.com (Peter Fern)
Date: Wed, 15 Jun 2016 01:17:02 +1000
Subject: [Freeipa-users] LDAP "mail" from User
In-Reply-To: <3253694.VMncdTnI5A@techz>
References: <3253694.VMncdTnI5A@techz>
Message-ID: <57601FEE.1000100@0xc0dedbad.com>

I wrote a plugin a long time ago for this, just put it on Github for you:

https://github.com/pdf/freeipa-user-mailalternateaddress

This adds support for the mailAlternateAddress (AKA alias) schema to the GUI/CLI.

On 14/06/16 23:27, Günther J. Niederwimmer wrote:
> Hello,
>
> Is there a way to differ the Mail addresses from a user.
>
> I setup a User with 3 Mail addresses in IPA UI
>
> User: Peter
>
> peter at xxx.net
> peter at yyyy.com
> peter at aaaa.bbb
>
> for me, I can't found a way to setup this correct in a dovecot way?
>
> I mean I must have a "aliases" field in Ldap ?
>
> I am not a Ldap Profi ;-), but why I can insert more EMail addresses when I
> can't found this later.
>
> Have any a answer for my problem,
>
> Thanks
>

From ipa at border.nuneshiggs.com Tue Jun 14 15:29:29 2016
From: ipa at border.nuneshiggs.com (Nuno Higgs)
Date: Tue, 14 Jun 2016 16:29:29 +0100
Subject: [Freeipa-users] Error with DNS forwarding on replica.
In-Reply-To: References: <0c6701d1c4da$d5e36820$81aa3860$@border.nuneshiggs.com> <34c49430-1745-8814-1535-6b0ecf18ce64@redhat.com> <0ce001d1c553$f62da900$e288fb00$@border.nuneshiggs.com> Message-ID: <895FA1EB-17EB-4ADC-8CE5-008A740ACB3D@border.nuneshiggs.com> Hello, I am running CentOS7: ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64 I configured my dos forward when i did the install process of the secondary node of IPA: [root at slave ~]# ipa-replica-install --setup-ca --setup-dns --forwarder 10.0.157.35 /var/lib/ipa/replica-info-slave.ipa.domain.local.gpg Thanks, Nuno > On 14 Jun 2016, at 15:28, Petr Spacek wrote: > > On 14.6.2016 13:01, Nuno Higgs wrote: >> Hello, >> >> Found it: >> >> It appears that my forwarder is NOT DNSSEC happy: >> >> in: /var/named/data/named.run >> >> validating @0x7f2c40044910: . DNSKEY: got insecure response; parent indicates it should be secure >> error (insecurity proof failed) resolving './DNSKEY/IN': 10.0.157.35#53 >> >> So, i changed the /etc/named.conf >> >> from: >> >> dnssec-enable yes; >> dnssec-validation yes; >> >> to: >> >> dnssec-enable yes; >> dnssec-validation no; >> >> Everything is working fine now. > > Okay, it explains a lot. > > Please note that configuration "dnssec-validation no;" lowers security bar for > attackers and is strongly discouraged! > > The issue is most likely caused by non-compliant forwarder which mangles DNS > data somehow before they reach your IPA DNS server. > > I would recommend you to check DNS forwarder on 10.0.157.35 and see it is > configured with its equivalent of "dnssec-enable yes;". I strongly recommend > returning back to "dnssec-validation yes;" after fixing the forwarder config. > > IPA 4.3 or newer should print a warning about such broken forwarders whenever > you try to configure them using IPA commands. > > What version of IPA do you use? > > How did you configure the forwarder in IPA? > > Petr^2 Spacek > >> >> Thanks for your help! 
>> Nuno >> >>> On 13 Jun 2016, at 10:14, Nuno Higgs wrote: >>> >>> Hello again, >>> >>> [root at ipa01 ~]# kinit user >>> Password for user at DOMAIN.LOCAL: >>> [root at ipa01 ~]# ipa dnsforwardzone-show domain.eu >>> Zone name: domain.eu. >>> Active zone: TRUE >>> Zone forwarders: 194.65.3.20 195.65.3.21 >>> Forward policy: only >>> [root at ipa01 ~]# >>> >>> >>> [root at ipa02 ~]# ipa dnsforwardzone-show domain.eu >>> Zone name: domain.eu. >>> Active zone: TRUE >>> Zone forwarders: 194.65.3.20 195.65.3.21 >>> Forward policy: only >>> [root at ipa02 ~]# >>> >>> On both servers the return is the same. >>> I haven't touched the DNS config besides deleting the zone and recreating >>> it. >>> >>> I am at a loss. What can be the issue here? >>> >>> Thanks, >>> Nuno >>> >>> >>> -----Original Message----- >>> From: freeipa-users-bounces at redhat.com >>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek >>> Sent: segunda-feira, 13 de junho de 2016 06:50 >>> To: freeipa-users at redhat.com >>> Subject: Re: [Freeipa-users] Error with DNS forwarding on replica. >>> >>> On 12.6.2016 20:47, Nuno Higgs wrote: >>>> Hello all, >>>> >>>> >>>> >>>> I have a IPA server - IPA 4.2 - and i have added a new IPA to >>>> geographic replication. >>>> >>>> >>>> >>>> I have added it as stated in the documentation here: >>>> >>> x/7/ht >>>> ml/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the- >>>> replic >>>> a.html#replica-install-with-dns> >>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux >>>> /7/htm >>>> l/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-r >>>> eplica >>>> .html#replica-install-with-dns >>>> >>>> >>>> >>>> All was replicated correctly, and i can do a kinit user at DOMAIN with >>>> success within the replica. 
>>>> >>>> However there is a problem with the DNS sections: >>>> >>>> >>>> >>>> Although it DNS is ok, my configuration within IPA on the first server >>>> regarding DNS zones that are set on forward only are not. >>>> >>>> In my first server, i can do a forward of domain - let's say >>>> domain.eu. On the second server (replica) the >>>> forward is shown configured correctly within the webgui but it does >>>> not work, giving a NX error on query >>>> www.domain.eu (the A Record exists and is shown on the first server). >>>> It also shows on dig on the replica (dig @x.x.x.x www.domain.eu), so it >>> isn't a network permissions issue. >>>> >>>> >>>> >>>> I have deleted the zone on the master (and replica), and recreated it. >>>> On the first server, it worked fine. On the replica the problem persisted. >>>> >>>> >>>> >>>> Am I missing anything? Is there a undocumented trick, or have i missed >>>> something? >>> >>> Hello, >>> >>> it could be either a DNS configuration problem or a LDAP replication >>> problem. >>> >>> Please show us output from command: >>> $ ipa dnsforwardzone-show domain.eu >>> from all IPA servers you have. >>> >>> The output should be the same. If it is not the same then you are most >>> likely facing an replication problem, please see >>> http://www.freeipa.org/page/Troubleshooting#Replication_issues >>> >>> -- >>> Petr^2 Spacek -------------- next part -------------- An HTML attachment was scrubbed... 
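Petr's advice above is to fix the forwarder at 10.0.157.35 rather than leave `dnssec-validation no;` in place. The probe below is an added example written for this page; it is not code from the thread, from FreeIPA or from BIND. It sends `. DNSKEY` over UDP with EDNS0 and the DO bit set (the same question named was failing on) and classifies the reply by whether RRSIG records and the AD flag come back, using only the Python standard library. `build_response()` fabricates a sample reply so the parser can be exercised offline; it is constructed, not a capture, and the forwarder address is only a default argument taken from Nuno's install command.

```python
"""Added example: probe a DNS forwarder for DNSSEC support (stdlib only).

Sends '. DNSKEY' with EDNS0 and the DO bit set, as a validating resolver
would, and reports whether RRSIG records and the AD flag come back.
A forwarder that drops RRSIGs is what leaves BIND logging
"got insecure response; parent indicates it should be secure".
"""
import socket
import struct
import sys

TYPE_OPT = 41
TYPE_RRSIG = 46
TYPE_DNSKEY = 48
CLASS_IN = 1
FLAG_AD = 0x0020      # Authentic Data bit in the header flags
EDNS_DO = 0x8000      # DNSSEC OK bit in the OPT RR TTL field


def encode_name(name):
    """Wire-format a domain name; '.' is the single zero byte."""
    if name in (".", ""):
        return b"\x00"
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname=".", qtype=TYPE_DNSKEY, txid=0x1234):
    """Standard query, RD set, one question, one OPT RR carrying DO."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT: root name, type 41, UDP payload 4096, ext-rcode 0, version 0,
    # flags with DO set, zero-length RDATA.
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, EDNS_DO, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past a name, honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Extract rcode, AD flag and the RR types present in all sections."""
    _txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4   # skip QTYPE and QCLASS
    types = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        types.append(rtype)
    return {"rcode": flags & 0xF, "ad": bool(flags & FLAG_AD), "types": types}


def assess(parsed):
    """Classify what the forwarder returned for '. DNSKEY'."""
    if parsed["rcode"] != 0 or TYPE_DNSKEY not in parsed["types"]:
        return "no-answer"              # SERVFAIL/FORMERR or empty: broken forwarder
    if TYPE_RRSIG not in parsed["types"]:
        return "signatures-stripped"    # answers but loses RRSIGs: validation fails
    if not parsed["ad"]:
        return "signed-unvalidated"     # passes RRSIGs; named can validate itself
    return "dnssec-ok"


def probe(forwarder, timeout=3.0):
    """Send the query over UDP to the forwarder and classify its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(), (forwarder, 53))
        data, _ = sock.recvfrom(4096)
    return assess(parse_response(data))


def build_response(include_rrsig=True, ad=True):
    """Constructed sample reply (not a capture) used to exercise the parser."""
    flags = 0x8180 | (FLAG_AD if ad else 0)          # QR, RD, RA, NOERROR
    rrs = [(TYPE_DNSKEY, b"\x01\x01\x03\x08" + b"\x00" * 16)]
    if include_rrsig:
        rrs.append((TYPE_RRSIG, b"\x00" * 24))
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(rrs), 0, 0)
    body = encode_name(".") + struct.pack("!HH", TYPE_DNSKEY, CLASS_IN)
    for rtype, rdata in rrs:
        # 0xC00C is a compression pointer to the question name at offset 12.
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, CLASS_IN, 3600, len(rdata)) + rdata
    return header + body


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "10.0.157.35"
    print(target, probe(target))
```

A result of `signatures-stripped` matches the "insecurity proof failed" line in named.run: the forwarder answers but discards the signatures named needs. `signed-unvalidated` is acceptable for a non-validating forwarder, since named validates on its own once the RRSIGs arrive. Run it from the IPA server itself (for example `python3 probe.py 10.0.157.35`, with whatever filename you save it under) so the path tested is the one named uses.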
From lslebodn at redhat.com Tue Jun 14 16:24:23 2016 From: lslebodn at redhat.com (Lukas Slebodnik) Date: Tue, 14 Jun 2016 18:24:23 +0200 Subject: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails In-Reply-To: <20160614065640.GG9992@hendrix> References: <20160607204327.GA6308@hendrix> <20160611090142.GA18966@10.4.128.1> <20160613205701.GA9992@hendrix> <575F2378.1020703@redhat.com> <575F2E48.9040306@redhat.com> <20160614065640.GG9992@hendrix> Message-ID: <20160614162422.GA30426@10.4.128.1> On (14/06/16 08:56), Jakub Hrozek wrote: >On Mon, Jun 13, 2016 at 06:06:00PM -0400, Rob Crittenden wrote: >> Nathan Peters wrote: >> > I have confirmed on both CentOS 6.8 and CentOS 6.7 that if the group is a POSIX group, it can be used in sudo rules. >> > If the group is a 'normal' group it will fail when used in sudo rules. >> > >> > This is really silly because in a previous version of CentOS (6.3) sudo rules would fail if the group was POSIX, and work if the group was 'normal'. >> > >> > I'm not sure when this changed because we still have CentOS 6.7 machines that are working fine with the non-POSIX groups. >> > I did notice that in sssd 1.13.3-22.el6 sudo fails with non-POSIX groups >> > And with 1.12.4-47.el6_7.7 sudo works with non-POSIX groups >> > >> > So now FreeIPA exists in a really funky state where if you are below CentOS 6.4 you MUST use non-POSIX groups and if you are on CentOS 6.7 and above, you must use POSIX groups. >> > >> > So basically, you need to roll forward your entire infrastructure to CentOS 6.7 or above or else your old machines will suddenly start failing sudo logins when you update the groups or your new machines will simply fail with groups that worked on your old ones. >> > >> > Can you please confirm what the intended behavior is because I would rather not go through the trouble of re-creating all our sudo / hbac rules and user groups...
>> >> Jakub already stated that this would be a bug if it only worked with POSIX >> groups, so you've confirmed that. >> >> If you have a Red Hat subscription I'd open a support case and ask to be >> added to bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=1336548 > >Because that bug is private (sorry, there's some RH customer data there) >and because you also confirmed it's an issue, I cloned the bugzilla to >our upstream Trac: > https://fedorahosted.org/sssd/ticket/3046 > >I'm sceptical we will have a fix this week, we're trying to meet a >deadline at the moment, but we will try to come up with a fix either late >next week or the one after. > >I'm sorry about the inconvenience. I wonder if, as a temporary >workaround, you could point sssd to the compat tree using >ldap_sudo_search_base? > Yes, it's worth a try. We switched from the compat search base to the native search base for sudo in 1.13.x. But many things were changed in sudo; it needn't help. LS From ladner.danila at gmail.com Tue Jun 14 17:51:13 2016 From: ladner.danila at gmail.com (Danila Ladner) Date: Tue, 14 Jun 2016 13:51:13 -0400 Subject: [Freeipa-users] Best practices on securing freeipa Message-ID: Greetings Folks. I could not find any information on best practices for securing FreeIPA servers and their replicas. Since the hosts become an important part of the IT IM infrastructure, I wanted to see if anyone can point me to the right sources beyond the default configuration. Thank you, Danila -------------- next part -------------- An HTML attachment was scrubbed...
URL: From wia at iglass.net Tue Jun 14 18:07:53 2016 From: wia at iglass.net (Marc Wiatrowski) Date: Tue, 14 Jun 2016 14:07:53 -0400 Subject: [Freeipa-users] CA: IPA certificates not renewing In-Reply-To: <57602152.9090104@redhat.com> References: <57602152.9090104@redhat.com> Message-ID: On Tue, Jun 14, 2016 at 11:22 AM, Rob Crittenden wrote: > Marc Wiatrowski wrote: > >> Hello, I'm having issues with the 3 ipa certificates of type CA: IPA >> renewing on 2 of 3 replicas. Particularly on the 2 that are not the CA >> master. The other 5 certificates from getcert list do renew and all >> certificates on the CA master do look to renew. >> >> Both servers running ipa-server-3.0.0-50.el6.centos.1.x86_64 I've done >> full updates and rebooted. >> > > Can you check on the replication status for each CA? > > $ ipa-csreplica-manage list -v ipa.example.com > > The hostname is important because including that will show the agreements > that host has. Do this for each master with a CA. > > The CA being asked to do the renewal is unaware of the current serial > number so it is refusing to proceed. 
> > rob > > [root at spider01o]$ ipa-csreplica-manage list -v spider01a.iglass.net Directory Manager password: spider01b.iglass.net last init status: None last init ended: None last update status: 0 Replica acquired successfully: Incremental update succeeded last update ended: 2016-06-14 17:49:16+00:00 spider01o.iglass.net last init status: None last init ended: None last update status: 0 Replica acquired successfully: Incremental update started last update ended: 2016-06-14 17:55:20+00:00 [root at spider01o]$ ipa-csreplica-manage list -v spider01o.iglass.net Directory Manager password: spider01a.iglass.net last init status: None last init ended: None last update status: 0 Replica acquired successfully: Incremental update started last update ended: 2016-06-14 17:57:44+00:00 spider01b.iglass.net last init status: None last init ended: None last update status: 0 Replica acquired successfully: Incremental update started last update ended: 2016-06-14 17:57:41+00:00 [root at spider01o]$ ipa-csreplica-manage list -v spider01b.iglass.net Directory Manager password: spider01a.iglass.net last init status: 0 Total update succeeded last init ended: 2016-06-03 19:43:12+00:00 last update status: 0 Replica acquired successfully: Incremental update succeeded last update ended: 2016-06-14 17:44:17+00:00 spider01o.iglass.net last init status: 0 Total update succeeded last init ended: 2016-06-03 19:44:38+00:00 last update status: 0 Replica acquired successfully: Incremental update started last update ended: 2016-06-14 17:57:53+00:00 spider01a.iglass.net last init status: None last init ended: None last update status: 0 Replica acquired successfully: Incremental update succeeded last update ended: 2016-06-14 17:44:13+00:00 spider01o.iglass.net last init status: None last init ended: None last update status: 0 Replica acquired successfully: Incremental update started last update ended: 2016-06-14 17:57:54+00:00 Not sure what this is telling... 
This an issue with the last being doubled? Thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: From DFischer at PetSmart.com Tue Jun 14 18:22:48 2016 From: DFischer at PetSmart.com (David Fischer) Date: Tue, 14 Jun 2016 11:22:48 -0700 Subject: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users In-Reply-To: <20160613190729.evh3ykgmz7yvgiom@redhat.com> References: <1465842048.20989.37.camel@petsmart.com> <20160613190729.evh3ykgmz7yvgiom@redhat.com> Message-ID: <264C67C6145722439414DB6176F5A6E147594CE714@EXMBX02.ssg.petsmart.com> Alexander, One of the things I am seeing is that our AD has groups that are 5 deep and IPA is not able to enumerate all the groups Is there away to help IPA in search depth or scope? -----Original Message----- From: Alexander Bokovoy [mailto:abokovoy at redhat.com] Sent: Monday, June 13, 2016 12:07 PM To: David Fischer Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users On Mon, 13 Jun 2016, David Fischer wrote: >(Note: versions below) > >All, >I am getting password failures for accounts coming from a sub-ad domain. >I originally was not able to do 'getent' lookups of random users or groups and found that it was timing out during ldap scan. I upped the timeout on the 'IPA Configuration' tab in the web interface and this solved the 'getent' issue. Now I am able to do 'getent' passwd on all users in a sub-ad domain > >My new problem is that I am now unable to use password to login. If I grab a kerberos ticket I am able to just ssh into any IPA unix system, but fails when trying to do a password lookup. > >the layout of systems are as follows: > >1) forest domain with no users or groups >2) child domain with all users and groups. >3) IPA Realm/Domain trusted to forest domain > >All users are in a sub-OU below the top of the domain in a OU called Users. There are about 11K users in this OU. but lookups seam really slow. 
> >I have added to sssd.conf the following >1) lookup_family_order = ipv4_only >2) ignore_group_members=True >3) ldap_purge_cache_timeout=0 >4) subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout >5) debug_level=9 > >Could anyone help direct me to a place to start looking for why lookups are slow and passwords are not being allowed? Start with http://scanmail.trustwave.com/?c=6406&d=9ITf1_A7P_gkm18DVpKbEy7lQ6ga7hwK2wRD_04F5w&u=https%3a%2f%2ffedorahosted%2eorg%2fsssd%2fwiki%2fTroubleshooting -- / Alexander Bokovoy ##################################################################################### The information contained in this electronic mail message, including attachments, if any, is PetSmart confidential information. It is intended only for the use of the person(s) named above. If the reader of this message is not the intended recipient, or has received this message in error, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you are not the intended recipient or have received this message in error, please notify the sender via e-mail and promptly delete the original message. 
##################################################################################### From abokovoy at redhat.com Tue Jun 14 20:02:47 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 14 Jun 2016 23:02:47 +0300 Subject: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users In-Reply-To: <264C67C6145722439414DB6176F5A6E147594CE714@EXMBX02.ssg.petsmart.com> References: <1465842048.20989.37.camel@petsmart.com> <20160613190729.evh3ykgmz7yvgiom@redhat.com> <264C67C6145722439414DB6176F5A6E147594CE714@EXMBX02.ssg.petsmart.com> Message-ID: <20160614200247.oaw5bn6zag7xvlko@redhat.com> On Tue, 14 Jun 2016, David Fischer wrote: >Alexander, >One of the things I am seeing is that our AD has groups that are 5 deep >and IPA is not able to enumerate all the groups Is there away to help >IPA in search depth or scope? SSSD should be able to handle that. If not, show the logs that demonstrate specific issues with a model group. -- / Alexander Bokovoy From steve.viola at criticalmedia.com Tue Jun 14 21:11:24 2016 From: steve.viola at criticalmedia.com (Steve Viola) Date: Tue, 14 Jun 2016 17:11:24 -0400 Subject: [Freeipa-users] Replicas in different AWS Regions Message-ID: Hello, I'm setting up a freeIPA replica topology in AWS, and need to have replicas in different regions, and clients will be in different regions. The IPA servers will have an external IP, but the hostname of the servers are going to resolve to the internal IP. I am going to have a domain name for both the internal and external address, such as ipa01.internal.example.com and ipa01.public.example.com respectivly. When preparing the replica for a server in another region, I make sure the connection check works when using the public domain name ( ipa01.public.example.com), and create the replica file. 
When installing the file on the replica, it stops, with the following error message: This replica was created for 'ipa01.public.example.com' but this machine is > named ipa01.internal.example.com' I can get around this by editing /etc/hosts, and I guess I could set up different DNS Views for different regions, but in reading the freeIPA documentation , DNS Views / Split Horizon are not recommended. What's the recommended procedure for a setup like this? Can anyone point me to documentation that will solve my problem? Has anyone done a cross-region AWS replication setup? Thanks -- Steven Viola -------------- next part -------------- An HTML attachment was scrubbed... URL: From DFischer at PetSmart.com Tue Jun 14 23:19:22 2016 From: DFischer at PetSmart.com (David Fischer) Date: Tue, 14 Jun 2016 16:19:22 -0700 Subject: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users In-Reply-To: <20160614200247.oaw5bn6zag7xvlko@redhat.com> References: <1465842048.20989.37.camel@petsmart.com> <20160613190729.evh3ykgmz7yvgiom@redhat.com> <264C67C6145722439414DB6176F5A6E147594CE714@EXMBX02.ssg.petsmart.com> <20160614200247.oaw5bn6zag7xvlko@redhat.com> Message-ID: <264C67C6145722439414DB6176F5A6E147594CE718@EXMBX02.ssg.petsmart.com> Alexander, I am getting the windows admin to refresh our DR AD setup and I should be able to give you an idea on some of our groups layouts. So a quick understanding is that a single user can have 15-20+ groups those groups might have all users in them plus groups. The groups of groups can link back to groups that the user may have already assigned. We do know that we have atleast one circular group in our environment. I have used the 'ignore_group_members' with some success. 
Ref: https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/ -----Original Message----- From: Alexander Bokovoy [mailto:abokovoy at redhat.com] Sent: Tuesday, June 14, 2016 1:03 PM To: David Fischer Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users On Tue, 14 Jun 2016, David Fischer wrote: >Alexander, >One of the things I am seeing is that our AD has groups that are 5 deep >and IPA is not able to enumerate all the groups. Is there a way to help >IPA in search depth or scope? SSSD should be able to handle that. If not, show the logs that demonstrate specific issues with a model group. -- / Alexander Bokovoy From akasurde at redhat.com Wed Jun 15 04:40:23 2016 From: akasurde at redhat.com (Abhijeet Kasurde) Date: Wed, 15 Jun 2016 10:10:23 +0530 Subject: [Freeipa-users] Unable to install replica using replica file Message-ID: <5760DC37.2070300@redhat.com> Hi All, I am creating a master/replica setup using the following commands and getting an error on the replica server 2016-06-15T03:53:31Z DEBUG The ipa-replica-install command failed, exception: NetworkError: cannot connect to 'ldaps://dhcp201-141.testrelm.test:636': TLS error -8157:Certificate extension not found. Can anyone explain to me what this error is trying to say? I am performing the following steps $ mkdir /tmp/nssdb $ vim /tmp/nssdb/password.txt $ vim /tmp/nssdb/noise.txt $ certutil -d /tmp/nssdb/ -N -f /tmp/nssdb/password.txt $ certutil -d /tmp/nssdb -S -n ca -s cn=Test_CA -x -t CTu,Cu,Cu -g 2048 -v 60 -z /tmp/nssdb/noise.txt -2 -f /tmp/nssdb/passwd.txt $ certutil -d /tmp/nssdb -S -n server -s cn=dhcp201-172.testrelm.test -t ,, -z /tmp/nssdb/noise.txt -c ca -f /tmp/nssdb/passwd.txt $ /usr/bin/pk12util -o /tmp/nssdb/server.p12 -n server -d /tmp/nssdb -k /tmp/nssdb/passwd.txt -W Secret123 $ ipa-server-install --http-cert-file /tmp/nssdb/server.p12 --dirsrv-cert-file /tmp/nssdb/server.p12 --ip-address 10.65.210.89 -r TESTRELM.TEST -p Secret123 -a Secret123 --setup-dns --forwarder 10.11.5.19 --http-pin Secret123 --dirsrv-pin Secret123 -U $ certutil -d /tmp/nssdb -S -n ca -s cn=Test_CA -x -t CTu,Cu,Cu -g 2048 -v 60 -z /tmp/nssdb/noise.txt -2 -f /tmp/nssdb/passwd.txt -m 3 $ certutil -d /tmp/nssdb -S -n replica -s cn=dhcp201-141.testrelm.test -t ,, -z /tmp/nssdb/noise.txt -c ca -f /tmp/nssdb/passwd.txt -m 4 $ /usr/bin/pk12util -o /tmp/nssdb/replica.p12 -n replica -d /tmp/nssdb -k /tmp/nssdb/passwd.txt -W Secret123
$ ipa-replica-prepare dhcp201-141.testrelm.test --http_pkcs12 /tmp/nssdb/replica.p12 --http_pin Secret123 --dirsrv_pkcs12 /tmp/nssdb/replica.p12 --dirsrv_pin Secret123 --ip-address 10.65.210.91 --reverse-zone=210.65.10.in-addr.arpa. $ scp /var/lib/ipa/replica-info-dhcp201-141.testrelm.test.gpg root at dhcp201-141.testrelm.test:/root/ Attaching console.log and replicainstall.log -- Thanks, Abhijeet Kasurde IRC: akasurde http://akasurde.github.io -------------- next part -------------- A non-text attachment was scrubbed... Name: console.log Type: text/x-log Size: 2932 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: ipareplica-install.log Type: text/x-log Size: 84311 bytes Desc: not available URL: From pspacek at redhat.com Wed Jun 15 06:45:15 2016 From: pspacek at redhat.com (Petr Spacek) Date: Wed, 15 Jun 2016 08:45:15 +0200 Subject: [Freeipa-users] Error with DNS forwarding on replica. In-Reply-To: <895FA1EB-17EB-4ADC-8CE5-008A740ACB3D@border.nuneshiggs.com> References: <0c6701d1c4da$d5e36820$81aa3860$@border.nuneshiggs.com> <34c49430-1745-8814-1535-6b0ecf18ce64@redhat.com> <0ce001d1c553$f62da900$e288fb00$@border.nuneshiggs.com> <895FA1EB-17EB-4ADC-8CE5-008A740ACB3D@border.nuneshiggs.com> Message-ID: <9d28e841-f8e1-0bce-f32c-d75b8c790965@redhat.com> On 14.6.2016 17:29, Nuno Higgs wrote: > Hello, > > I am running CentOS7: > > ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64 > > I configured my dos forward when i did the install process of the secondary node of IPA: > > [root at slave ~]# ipa-replica-install --setup-ca --setup-dns --forwarder 10.0.157.35 /var/lib/ipa/replica-info-slave.ipa.domain.local.gpg Interesting, 4.2.0 should checks to detect this problem. Could you check /var/log/ipareplica-install.log for warnings related to DNSSEC? It should be something like "DNS server does not support DNSSEC" Thanks. 
Petr^2 Spacek > > Thanks, > Nuno > >> On 14 Jun 2016, at 15:28, Petr Spacek wrote: >> >> On 14.6.2016 13:01, Nuno Higgs wrote: >>> Hello, >>> >>> Found it: >>> >>> It appears that my forwarder is NOT DNSSEC happy: >>> >>> in: /var/named/data/named.run >>> >>> validating @0x7f2c40044910: . DNSKEY: got insecure response; parent indicates it should be secure >>> error (insecurity proof failed) resolving './DNSKEY/IN': 10.0.157.35#53 >>> >>> So, i changed the /etc/named.conf >>> >>> from: >>> >>> dnssec-enable yes; >>> dnssec-validation yes; >>> >>> to: >>> >>> dnssec-enable yes; >>> dnssec-validation no; >>> >>> Everything is working fine now. >> >> Okay, it explains a lot. >> >> Please note that configuration "dnssec-validation no;" lowers security bar for >> attackers and is strongly discouraged! >> >> The issue is most likely caused by non-compliant forwarder which mangles DNS >> data somehow before they reach your IPA DNS server. >> >> I would recommend you to check DNS forwarder on 10.0.157.35 and see it is >> configured with its equivalent of "dnssec-enable yes;". I strongly recommend >> returning back to "dnssec-validation yes;" after fixing the forwarder config. >> >> IPA 4.3 or newer should print a warning about such broken forwarders whenever >> you try to configure them using IPA commands. >> >> What version of IPA do you use? >> >> How did you configure the forwarder in IPA? >> >> Petr^2 Spacek >> >>> >>> Thanks for your help! >>> Nuno >>> >>>> On 13 Jun 2016, at 10:14, Nuno Higgs wrote: >>>> >>>> Hello again, >>>> >>>> [root at ipa01 ~]# kinit user >>>> Password for user at DOMAIN.LOCAL: >>>> [root at ipa01 ~]# ipa dnsforwardzone-show domain.eu >>>> Zone name: domain.eu. >>>> Active zone: TRUE >>>> Zone forwarders: 194.65.3.20 195.65.3.21 >>>> Forward policy: only >>>> [root at ipa01 ~]# >>>> >>>> >>>> [root at ipa02 ~]# ipa dnsforwardzone-show domain.eu >>>> Zone name: domain.eu. 
>>>> Active zone: TRUE >>>> Zone forwarders: 194.65.3.20 195.65.3.21 >>>> Forward policy: only >>>> [root at ipa02 ~]# >>>> >>>> On both servers the return is the same. >>>> I haven't touched the DNS config besides deleting the zone and recreating >>>> it. >>>> >>>> I am at a loss. What can be the issue here? >>>> >>>> Thanks, >>>> Nuno >>>> >>>> >>>> -----Original Message----- >>>> From: freeipa-users-bounces at redhat.com >>>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek >>>> Sent: segunda-feira, 13 de junho de 2016 06:50 >>>> To: freeipa-users at redhat.com >>>> Subject: Re: [Freeipa-users] Error with DNS forwarding on replica. >>>> >>>> On 12.6.2016 20:47, Nuno Higgs wrote: >>>>> Hello all, >>>>> >>>>> >>>>> >>>>> I have a IPA server - IPA 4.2 - and i have added a new IPA to >>>>> geographic replication. >>>>> >>>>> >>>>> >>>>> I have added it as stated in the documentation here: >>>>> >>>> x/7/ht >>>>> ml/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the- >>>>> replic >>>>> a.html#replica-install-with-dns> >>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux >>>>> /7/htm >>>>> l/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-r >>>>> eplica >>>>> .html#replica-install-with-dns >>>>> >>>>> >>>>> >>>>> All was replicated correctly, and i can do a kinit user at DOMAIN with >>>>> success within the replica. >>>>> >>>>> However there is a problem with the DNS sections: >>>>> >>>>> >>>>> >>>>> Although it DNS is ok, my configuration within IPA on the first server >>>>> regarding DNS zones that are set on forward only are not. >>>>> >>>>> In my first server, i can do a forward of domain - let's say >>>>> domain.eu. On the second server (replica) the >>>>> forward is shown configured correctly within the webgui but it does >>>>> not work, giving a NX error on query >>>>> www.domain.eu (the A Record exists and is shown on the first server). 
>>>>> It also shows on dig on the replica (dig @x.x.x.x www.domain.eu), so it >>>> isn't a network permissions issue. >>>>> >>>>> >>>>> >>>>> I have deleted the zone on the master (and replica), and recreated it. >>>>> On the first server, it worked fine. On the replica the problem persisted. >>>>> >>>>> >>>>> >>>>> Am I missing anything? Is there a undocumented trick, or have i missed >>>>> something? >>>> >>>> Hello, >>>> >>>> it could be either a DNS configuration problem or a LDAP replication >>>> problem. >>>> >>>> Please show us output from command: >>>> $ ipa dnsforwardzone-show domain.eu >>>> from all IPA servers you have. >>>> >>>> The output should be the same. If it is not the same then you are most >>>> likely facing an replication problem, please see >>>> http://www.freeipa.org/page/Troubleshooting#Replication_issues >>>> >>>> -- >>>> Petr^2 Spacek > > -- Petr Spacek @ Red Hat From abokovoy at redhat.com Wed Jun 15 06:52:36 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 15 Jun 2016 09:52:36 +0300 Subject: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users In-Reply-To: <264C67C6145722439414DB6176F5A6E147594CE718@EXMBX02.ssg.petsmart.com> References: <1465842048.20989.37.camel@petsmart.com> <20160613190729.evh3ykgmz7yvgiom@redhat.com> <264C67C6145722439414DB6176F5A6E147594CE714@EXMBX02.ssg.petsmart.com> <20160614200247.oaw5bn6zag7xvlko@redhat.com> <264C67C6145722439414DB6176F5A6E147594CE718@EXMBX02.ssg.petsmart.com> Message-ID: <20160615065236.emmia6tf22jkxigy@redhat.com> On Tue, 14 Jun 2016, David Fischer wrote: >Alexander, > >I am getting the windows admin to refresh our DR AD setup and I should >be able to give you an idea on some of our groups layouts. > >So a quick understanding is that a single user can have 15-20+ groups >those groups might have all users in them plus groups. The groups of >groups can link back to groups that the user may have already assigned. 
>We do know that we have at least one circular group in our environment. >I have used the 'ignore_group_members' with some success. Ref: >https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/ That article is what Jakub and I wrote. Jakub may have more suggestions and there are some improvements in recent SSSD releases in RHEL 7.2.4. -- / Alexander Bokovoy From ipa at border.nuneshiggs.com Wed Jun 15 07:37:05 2016 From: ipa at border.nuneshiggs.com (Nuno Higgs) Date: Wed, 15 Jun 2016 08:37:05 +0100 Subject: [Freeipa-users] Error with DNS forwarding on replica. In-Reply-To: <9d28e841-f8e1-0bce-f32c-d75b8c790965@redhat.com> References: <0c6701d1c4da$d5e36820$81aa3860$@border.nuneshiggs.com> <34c49430-1745-8814-1535-6b0ecf18ce64@redhat.com> <0ce001d1c553$f62da900$e288fb00$@border.nuneshiggs.com> <895FA1EB-17EB-4ADC-8CE5-008A740ACB3D@border.nuneshiggs.com> <9d28e841-f8e1-0bce-f32c-d75b8c790965@redhat.com> Message-ID: <21214622-2D27-4C44-A391-4500497776BD@border.nuneshiggs.com> Hello Petr, [root at slave ~]# cat /var/log/ipareplica-install.log | grep -i DNSSEC | grep -i not | grep -i support It's empty. Thanks Nuno > On 15 Jun 2016, at 07:45, Petr Spacek wrote: > > On 14.6.2016 17:29, Nuno Higgs wrote: >> Hello, >> >> I am running CentOS7: >> >> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64 >> >> I configured my DNS forward when I did the install process of the secondary node of IPA: >> >> [root at slave ~]# ipa-replica-install --setup-ca --setup-dns --forwarder 10.0.157.35 /var/lib/ipa/replica-info-slave.ipa.domain.local.gpg > > Interesting, 4.2.0 should have checks to detect this problem. > > Could you check /var/log/ipareplica-install.log for warnings related to DNSSEC? > > It should be something like > "DNS server does not support DNSSEC" > > Thanks.
> > Petr^2 Spacek > > >> >> Thanks, >> Nuno >> >>> On 14 Jun 2016, at 15:28, Petr Spacek wrote: >>> >>> On 14.6.2016 13:01, Nuno Higgs wrote: >>>> Hello, >>>> >>>> Found it: >>>> >>>> It appears that my forwarder is NOT DNSSEC happy: >>>> >>>> in: /var/named/data/named.run >>>> >>>> validating @0x7f2c40044910: . DNSKEY: got insecure response; parent indicates it should be secure >>>> error (insecurity proof failed) resolving './DNSKEY/IN': 10.0.157.35#53 >>>> >>>> So, i changed the /etc/named.conf >>>> >>>> from: >>>> >>>> dnssec-enable yes; >>>> dnssec-validation yes; >>>> >>>> to: >>>> >>>> dnssec-enable yes; >>>> dnssec-validation no; >>>> >>>> Everything is working fine now. >>> >>> Okay, it explains a lot. >>> >>> Please note that configuration "dnssec-validation no;" lowers security bar for >>> attackers and is strongly discouraged! >>> >>> The issue is most likely caused by non-compliant forwarder which mangles DNS >>> data somehow before they reach your IPA DNS server. >>> >>> I would recommend you to check DNS forwarder on 10.0.157.35 and see it is >>> configured with its equivalent of "dnssec-enable yes;". I strongly recommend >>> returning back to "dnssec-validation yes;" after fixing the forwarder config. >>> >>> IPA 4.3 or newer should print a warning about such broken forwarders whenever >>> you try to configure them using IPA commands. >>> >>> What version of IPA do you use? >>> >>> How did you configure the forwarder in IPA? >>> >>> Petr^2 Spacek >>> >>>> >>>> Thanks for your help! >>>> Nuno >>>> >>>>> On 13 Jun 2016, at 10:14, Nuno Higgs wrote: >>>>> >>>>> Hello again, >>>>> >>>>> [root at ipa01 ~]# kinit user >>>>> Password for user at DOMAIN.LOCAL: >>>>> [root at ipa01 ~]# ipa dnsforwardzone-show domain.eu >>>>> Zone name: domain.eu. 
>>>>> Active zone: TRUE
>>>>> Zone forwarders: 194.65.3.20 195.65.3.21
>>>>> Forward policy: only
>>>>> [root at ipa01 ~]#
>>>>>
>>>>> [root at ipa02 ~]# ipa dnsforwardzone-show domain.eu
>>>>> Zone name: domain.eu.
>>>>> Active zone: TRUE
>>>>> Zone forwarders: 194.65.3.20 195.65.3.21
>>>>> Forward policy: only
>>>>> [root at ipa02 ~]#
>>>>>
>>>>> On both servers the return is the same.
>>>>> I haven't touched the DNS config besides deleting the zone and recreating it.
>>>>>
>>>>> I am at a loss. What can be the issue here?
>>>>>
>>>>> Thanks,
>>>>> Nuno
>>>>>
>>>>> -----Original Message-----
>>>>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
>>>>> Sent: Monday, 13 June 2016 06:50
>>>>> To: freeipa-users at redhat.com
>>>>> Subject: Re: [Freeipa-users] Error with DNS forwarding on replica.
>>>>>
>>>>> On 12.6.2016 20:47, Nuno Higgs wrote:
>>>>>> Hello all,
>>>>>>
>>>>>> I have an IPA server - IPA 4.2 - and I have added a new IPA to
>>>>>> geographic replication.
>>>>>>
>>>>>> I have added it as stated in the documentation here:
>>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html#replica-install-with-dns
>>>>>>
>>>>>> All was replicated correctly, and I can do a kinit user at DOMAIN with
>>>>>> success within the replica.
>>>>>>
>>>>>> However there is a problem with the DNS sections:
>>>>>>
>>>>>> Although DNS is ok, my configuration within IPA on the first server
>>>>>> regarding DNS zones that are set on forward only are not.
>>>>>>
>>>>>> In my first server, I can do a forward of domain - let's say
>>>>>> domain.eu. On the second server (replica) the
>>>>>> forward is shown configured correctly within the webgui but it does
>>>>>> not work, giving an NX error on query
>>>>>> www.domain.eu (the A Record exists and is shown on the first server).
>>>>>> It also shows on dig on the replica (dig @x.x.x.x www.domain.eu), so it
>>>>>> isn't a network permissions issue.
>>>>>>
>>>>>> I have deleted the zone on the master (and replica), and recreated it.
>>>>>> On the first server, it worked fine. On the replica the problem persisted.
>>>>>>
>>>>>> Am I missing anything? Is there an undocumented trick, or have I missed
>>>>>> something?
>>>>>
>>>>> Hello,
>>>>>
>>>>> it could be either a DNS configuration problem or an LDAP replication
>>>>> problem.
>>>>>
>>>>> Please show us output from command:
>>>>> $ ipa dnsforwardzone-show domain.eu
>>>>> from all IPA servers you have.
>>>>>
>>>>> The output should be the same. If it is not the same then you are most
>>>>> likely facing a replication problem, please see
>>>>> http://www.freeipa.org/page/Troubleshooting#Replication_issues
>>>>>
>>>>> --
>>>>> Petr^2 Spacek
>
> --
> Petr Spacek @ Red Hat


From mkosek at redhat.com Wed Jun 15 11:31:34 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 15 Jun 2016 13:31:34 +0200
Subject: [Freeipa-users] Best practices on securing freeipa
In-Reply-To:
References:
Message-ID:

On 06/14/2016 07:51 PM, Danila Ladner wrote:
> Greetings Folks.
> I could not find any information on best practices of securing free ipa servers
> and its replicas.
> Since the hosts become an important part of IT IM infrastructure, wanted to see
> if anyone can point me to the right sources beyond default configuration.
> Thank you,
> Danila

Hello Danila,

I am now not sure if we have something like that.
We are working on making FreeIPA secure in the default configuration :-)

In any case, this is the most complete guide for configuring FreeIPA that I know about:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html

Martin


From mkosek at redhat.com Wed Jun 15 11:34:28 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 15 Jun 2016 13:34:28 +0200
Subject: [Freeipa-users] Unable to install replica using replica file
In-Reply-To: <5760DC37.2070300@redhat.com>
References: <5760DC37.2070300@redhat.com>
Message-ID: <73f2dbbd-83aa-264d-f333-39a680cf8e48@redhat.com>

On 06/15/2016 06:40 AM, Abhijeet Kasurde wrote:
> Hi All,
>
> I am creating a master replica setup using the following commands and getting an error
> on the replica server
>
> 2016-06-15T03:53:31Z DEBUG The ipa-replica-install command failed, exception:
> NetworkError: cannot connect to 'ldaps://dhcp201-141.testrelm.test:636': TLS
> error -8157:Certificate extension not found.
>
> Can anyone explain to me what this error is trying to say?
>
> I am performing the following steps
>
> $ mkdir /tmp/nssdb
> $ vim /tmp/nssdb/password.txt
> $ vim /tmp/nssdb/noise.txt
> $ certutil -d /tmp/nssdb/ -N -f /tmp/nssdb/password.txt
> $ certutil -d /tmp/nssdb -S -n ca -s cn=Test_CA -x -t CTu,Cu,Cu -g 2048 -v 60 -z /tmp/nssdb/noise.txt -2 -f /tmp/nssdb/passwd.txt
> $ certutil -d /tmp/nssdb -S -n server -s cn=dhcp201-172.testrelm.test -t ,, -z /tmp/nssdb/noise.txt -c ca -f /tmp/nssdb/passwd.txt
> $ /usr/bin/pk12util -o /tmp/nssdb/server.p12 -n server -d /tmp/nssdb -k /tmp/nssdb/passwd.txt -W Secret123
> $ ipa-server-install --http-cert-file /tmp/nssdb/server.p12 --dirsrv-cert-file /tmp/nssdb/server.p12 --ip-address 10.65.210.89 -r TESTRELM.TEST -p Secret123 -a Secret123 --setup-dns --forwarder 10.11.5.19 --http-pin Secret123 --dirsrv-pin Secret123 -U
> $ certutil -d /tmp/nssdb -S -n ca -s cn=Test_CA -x -t CTu,Cu,Cu -g 2048 -v 60 -z /tmp/nssdb/noise.txt -2 -f /tmp/nssdb/passwd.txt -m 3
> $ certutil -d /tmp/nssdb -S -n replica -s cn=dhcp201-141.testrelm.test -t ,, -z /tmp/nssdb/noise.txt -c ca -f /tmp/nssdb/passwd.txt -m 4
> $ /usr/bin/pk12util -o /tmp/nssdb/replica.p12 -n replica -d /tmp/nssdb -k /tmp/nssdb/passwd.txt -W Secret123
> $ ipa-replica-prepare dhcp201-141.testrelm.test --http_pkcs12 /tmp/nssdb/replica.p12 --http_pin Secret123 --dirsrv_pkcs12 /tmp/nssdb/replica.p12 --dirsrv_pin Secret123 --ip-address 10.65.210.91 --reverse-zone=210.65.10.in-addr.arpa.
> $ scp /var/lib/ipa/replica-info-dhcp201-141.testrelm.test.gpg root at dhcp201-141.testrelm.test:/root/
>
> Attaching console.log and replicainstall.log

CCing Jan, he may have some CA-less related commands handy (or know if the installer is lacking some check).
Martin


From rcritten at redhat.com Wed Jun 15 13:48:51 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 15 Jun 2016 09:48:51 -0400
Subject: [Freeipa-users] Unable to install replica using replica file
In-Reply-To: <5760DC37.2070300@redhat.com>
References: <5760DC37.2070300@redhat.com>
Message-ID: <57615CC3.4030100@redhat.com>

Abhijeet Kasurde wrote:
> Hi All,
>
> I am creating a master replica setup using the following commands and getting an
> error on the replica server
>
> 2016-06-15T03:53:31Z DEBUG The ipa-replica-install command failed,
> exception: NetworkError: cannot connect to
> 'ldaps://dhcp201-141.testrelm.test:636': TLS error -8157:Certificate
> extension not found.
>
> Can anyone explain to me what this error is trying to say?

I think the server certs you created are lacking one or more extensions, I'm just not entirely sure which ones.

> I am performing the following steps
>
> $ mkdir /tmp/nssdb
> $ vim /tmp/nssdb/password.txt
> $ vim /tmp/nssdb/noise.txt
> $ certutil -d /tmp/nssdb/ -N -f /tmp/nssdb/password.txt
> $ certutil -d /tmp/nssdb -S -n ca -s cn=Test_CA -x -t CTu,Cu,Cu -g 2048 -v 60 -z /tmp/nssdb/noise.txt -2 -f /tmp/nssdb/passwd.txt

You are answering Y, , Y here right, for: CA certificate, no length, critical?

I'd also add: --keyUsage digitalSignature,nonRepudiation,certSigning,critical

> $ certutil -d /tmp/nssdb -S -n server -s cn=dhcp201-172.testrelm.test -t ,, -z /tmp/nssdb/noise.txt -c ca -f /tmp/nssdb/passwd.txt

I'd add in: --extKeyUsage serverAuth,clientAuth --keyUsage digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment

You pass in a serial # elsewhere, you may want -m 2 for consistency.
> $ /usr/bin/pk12util -o /tmp/nssdb/server.p12 -n server -d /tmp/nssdb -k /tmp/nssdb/passwd.txt -W Secret123
> $ ipa-server-install --http-cert-file /tmp/nssdb/server.p12 --dirsrv-cert-file /tmp/nssdb/server.p12 --ip-address 10.65.210.89 -r TESTRELM.TEST -p Secret123 -a Secret123 --setup-dns --forwarder 10.11.5.19 --http-pin Secret123 --dirsrv-pin Secret123 -U
> $ certutil -d /tmp/nssdb -S -n ca -s cn=Test_CA -x -t CTu,Cu,Cu -g 2048 -v 60 -z /tmp/nssdb/noise.txt -2 -f /tmp/nssdb/passwd.txt -m 3

No need to re-create the CA certificate.

> $ certutil -d /tmp/nssdb -S -n replica -s cn=dhcp201-141.testrelm.test -t ,, -z /tmp/nssdb/noise.txt -c ca -f /tmp/nssdb/passwd.txt -m 4
> $ /usr/bin/pk12util -o /tmp/nssdb/replica.p12 -n replica -d /tmp/nssdb -k /tmp/nssdb/passwd.txt -W Secret123
> $ ipa-replica-prepare dhcp201-141.testrelm.test --http_pkcs12 /tmp/nssdb/replica.p12 --http_pin Secret123 --dirsrv_pkcs12 /tmp/nssdb/replica.p12 --dirsrv_pin Secret123 --ip-address 10.65.210.91 --reverse-zone=210.65.10.in-addr.arpa.
> $ scp /var/lib/ipa/replica-info-dhcp201-141.testrelm.test.gpg root at dhcp201-141.testrelm.test:/root/
>
> Attaching console.log and replicainstall.log


From akasurde at redhat.com Wed Jun 15 13:54:33 2016
From: akasurde at redhat.com (Abhijeet Kasurde)
Date: Wed, 15 Jun 2016 19:24:33 +0530
Subject: [Freeipa-users] Unable to install replica using replica file
In-Reply-To: <57615CC3.4030100@redhat.com>
References: <5760DC37.2070300@redhat.com> <57615CC3.4030100@redhat.com>
Message-ID: <57615E19.2060106@redhat.com>

Thanks Rob, find my comment inline,

On 06/15/2016 07:18 PM, Rob Crittenden wrote:
> Abhijeet Kasurde wrote:
>> Hi All,
>>
>> I am creating a master replica setup using the following commands and getting an
>> error on the replica server
>>
>> 2016-06-15T03:53:31Z DEBUG The ipa-replica-install command failed,
>> exception: NetworkError: cannot connect to
>> 'ldaps://dhcp201-141.testrelm.test:636': TLS error -8157:Certificate
>> extension not found.
>>
>> Can anyone explain to me what this error is trying to say?
>
> I think the server certs you created are lacking one or more
> extensions, I'm just not entirely sure which ones.
>
>> I am performing the following steps
>>
>> $ mkdir /tmp/nssdb
>> $ vim /tmp/nssdb/password.txt
>> $ vim /tmp/nssdb/noise.txt
>> $ certutil -d /tmp/nssdb/ -N -f /tmp/nssdb/password.txt
>> $ certutil -d /tmp/nssdb -S -n ca -s cn=Test_CA -x -t CTu,Cu,Cu -g 2048 -v 60 -z /tmp/nssdb/noise.txt -2 -f /tmp/nssdb/passwd.txt
>
> You are answering Y, , Y here right, for: CA certificate, no
> length, critical?
>
Yes I am passing 'Y', 0, 'Y' for CA Certificate, no length, Critical.

> I'd also add: --keyUsage
> digitalSignature,nonRepudiation,certSigning,critical
>
OK I will try this.
>> $ certutil -d /tmp/nssdb -S -n server -s cn=dhcp201-172.testrelm.test -t ,, -z /tmp/nssdb/noise.txt -c ca -f /tmp/nssdb/passwd.txt
>
> I'd add in: --extKeyUsage serverAuth,clientAuth --keyUsage
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>
OK I will add this too.

> You pass in a serial # elsewhere, you may want -m 2 for consistency.
>
OK

>> $ /usr/bin/pk12util -o /tmp/nssdb/server.p12 -n server -d /tmp/nssdb -k /tmp/nssdb/passwd.txt -W Secret123
>> $ ipa-server-install --http-cert-file /tmp/nssdb/server.p12 --dirsrv-cert-file /tmp/nssdb/server.p12 --ip-address 10.65.210.89 -r TESTRELM.TEST -p Secret123 -a Secret123 --setup-dns --forwarder 10.11.5.19 --http-pin Secret123 --dirsrv-pin Secret123 -U
>> $ certutil -d /tmp/nssdb -S -n ca -s cn=Test_CA -x -t CTu,Cu,Cu -g 2048 -v 60 -z /tmp/nssdb/noise.txt -2 -f /tmp/nssdb/passwd.txt -m 3
>
> No need to re-create the CA certificate.
>
I am trying to update the serial number of the CA certificate.

>> $ certutil -d /tmp/nssdb -S -n replica -s cn=dhcp201-141.testrelm.test -t ,, -z /tmp/nssdb/noise.txt -c ca -f /tmp/nssdb/passwd.txt -m 4
>> $ /usr/bin/pk12util -o /tmp/nssdb/replica.p12 -n replica -d /tmp/nssdb -k /tmp/nssdb/passwd.txt -W Secret123
>> $ ipa-replica-prepare dhcp201-141.testrelm.test --http_pkcs12 /tmp/nssdb/replica.p12 --http_pin Secret123 --dirsrv_pkcs12 /tmp/nssdb/replica.p12 --dirsrv_pin Secret123 --ip-address 10.65.210.91 --reverse-zone=210.65.10.in-addr.arpa.
>> $ scp /var/lib/ipa/replica-info-dhcp201-141.testrelm.test.gpg root at dhcp201-141.testrelm.test:/root/
>>
>> Attaching console.log and replicainstall.log
>
I will try the above modification and let you know, Rob. Thanks.
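The NSS error Rob is diagnosing above, -8157 "Certificate extension not found", is what a client reports when a certificate is missing an extension it insists on. The following is an added example written for this page, not code from the thread, from FreeIPA or from NSS. It DER-encodes the X.509 Extensions block that the keyUsage and extKeyUsage values Rob suggests would produce, parses it back the way a verifier has to, and lists what a TLS server certificate would be missing; run against a block built with no extensions at all (the thread's plain certutil -S invocation) it reports both absent. The set it treats as required (the digitalSignature and keyEncipherment bits plus the serverAuth purpose) is an assumption picked for an RSA TLS server key, not NSS's exact rule; the sample input is constructed inside the block, and every function and constant name is the example's own.

```python
# Added example (not code from the thread, FreeIPA or NSS): DER-encode the X.509
# Extensions block, parse it back, and report what a TLS server certificate lacks.
# REQUIRED_KEY_USAGE is an assumption for an RSA TLS server key, not NSS's rule.
KEY_USAGE_OID = "2.5.29.15"
EXT_KEY_USAGE_OID = "2.5.29.37"
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign"]
REQUIRED_KEY_USAGE = ("digitalSignature", "keyEncipherment")   # assumption

def tlv(tag, body):
    return bytes([tag, len(body)]) + body         # short-form length: < 128 octets

def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = [40 * parts[0] + parts[1]]             # first two arcs share one octet
    for arc in parts[2:]:                         # base-128, high bit = more follows
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += chunk
    return tlv(0x06, bytes(body))

def decode_oid(body):
    parts, value = [body[0] // 40, body[0] % 40], 0
    for octet in body[1:]:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            parts, value = parts + [value], 0
    return ".".join(map(str, parts))

def encode_key_usage(names):
    """KeyUsage BIT STRING: bit 0 = digitalSignature, trailing zero bits trimmed."""
    nbits = max(KEY_USAGE_BITS.index(n) for n in names) + 1
    nbytes = (nbits + 7) // 8
    value = sum(1 << (nbytes * 8 - 1 - KEY_USAGE_BITS.index(n)) for n in names)
    return tlv(0x03, bytes([nbytes * 8 - nbits]) + value.to_bytes(nbytes, "big"))

def decode_key_usage(bitstring_tlv):
    _, body, _ = read_tlv(bitstring_tlv, 0)       # body = unused-bit count + bits
    unused, data = body[0], body[1:]
    return [name for i, name in enumerate(KEY_USAGE_BITS)
            if i < len(data) * 8 - unused and data[i // 8] & (0x80 >> (i % 8))]

def extension(oid, critical, inner):   # SEQUENCE { extnID, critical DEFAULT FALSE, extnValue }
    body = encode_oid(oid) + (tlv(0x01, b"\xff") if critical else b"")
    return tlv(0x30, body + tlv(0x04, inner))

def build_extensions(key_usage=(), ext_key_usage=()):
    """Constructed sample input: certutil-style --keyUsage / --extKeyUsage values."""
    exts = b""
    if key_usage:                                 # empty tuple = extension omitted
        exts += extension(KEY_USAGE_OID, True, encode_key_usage(key_usage))
    if ext_key_usage:
        purposes = b"".join(encode_oid(o) for o in ext_key_usage)
        exts += extension(EXT_KEY_USAGE_OID, False, tlv(0x30, purposes))
    return tlv(0x30, exts)

def read_tlv(data, pos):
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def parse_extensions(der):
    """Map extnID -> (critical, extnValue bytes), as a verifier must before checking."""
    _, seq, _ = read_tlv(der, 0)
    found, pos = {}, 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid_body, p = read_tlv(ext, 0)
        tag, value, p = read_tlv(ext, p)
        critical = tag == 0x01 and value != b"\x00"
        if tag == 0x01:                           # step over the optional flag
            _, value, _ = read_tlv(ext, p)
        found[decode_oid(oid_body)] = (critical, value)
    return found

def check_tls_server_extensions(der):
    """Problems a strict TLS client could raise; [] means nothing is missing."""
    exts, problems = parse_extensions(der), []
    if KEY_USAGE_OID not in exts:
        problems.append("keyUsage extension not found")
    else:
        have = decode_key_usage(exts[KEY_USAGE_OID][1])
        problems += ["keyUsage lacks " + n for n in REQUIRED_KEY_USAGE if n not in have]
    if EXT_KEY_USAGE_OID not in exts:
        problems.append("extKeyUsage extension not found")
    else:
        _, seq, _ = read_tlv(exts[EXT_KEY_USAGE_OID][1], 0)
        purposes, pos = [], 0
        while pos < len(seq):
            _, body, pos = read_tlv(seq, pos)
            purposes.append(decode_oid(body))
        if SERVER_AUTH_OID not in purposes:
            problems.append("extKeyUsage lacks serverAuth")
    return problems
```

Calling check_tls_server_extensions(build_extensions()) models the thread's original server certificate and returns both "not found" problems; passing the four keyUsage names and (SERVER_AUTH_OID, CLIENT_AUTH_OID), as Rob's flags would, returns an empty list. The example stops at the Extensions structure on purpose so it stays self-contained; on a real NSS database, certutil -L -d /tmp/nssdb -n server prints the same extensions in readable form for comparison.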
--
Thanks,
Abhijeet Kasurde
IRC: akasurde
http://akasurde.github.io


From harald.dunkel at aixigo.de Wed Jun 15 13:55:39 2016
From: harald.dunkel at aixigo.de (Harald Dunkel)
Date: Wed, 15 Jun 2016 15:55:39 +0200
Subject: [Freeipa-users] ldapsearch in cron job woes about no credentials
In-Reply-To: <20160613081827.iavj772u2bodypqe@redhat.com>
References: <5c3574d0-a2a8-b792-bf82-5476d700b0f2@aixigo.de> <05d03f1e-8f9b-4a35-10bc-1cbb5c9616c6@aixigo.de> <20160613081827.iavj772u2bodypqe@redhat.com>
Message-ID:

Hi Alexander,

thanx very much for your detailed answer. There is one problem, though: gss-proxy is not available for most of my systems (Debian, Ubuntu, RedHat 6, ...).

It's not in sssd 1.13.4, so I wonder if gss-proxy is a part of the most recent freeipa releases?

Regards
Harri


From abokovoy at redhat.com Wed Jun 15 14:53:54 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 15 Jun 2016 17:53:54 +0300
Subject: [Freeipa-users] ldapsearch in cron job woes about no credentials
In-Reply-To:
References: <5c3574d0-a2a8-b792-bf82-5476d700b0f2@aixigo.de> <05d03f1e-8f9b-4a35-10bc-1cbb5c9616c6@aixigo.de> <20160613081827.iavj772u2bodypqe@redhat.com>
Message-ID: <20160615145354.izt7l5zclfeb3i63@redhat.com>

On Wed, 15 Jun 2016, Harald Dunkel wrote:
> Hi Alexander,
>
> thanx very much for your detailed answer. There is one problem,
> though: gss-proxy is not available for most of my systems (Debian,
> Ubuntu, RedHat 6, ...).
>
> It's not in sssd 1.13.4, so I wonder if gss-proxy is a part of the
> most recent freeipa releases?

It is a separate project and a separate package (gssproxy). It is available for RHEL 7 and Fedora and since you said you are running a RHEL 7 environment, I mentioned it.
--
/ Alexander Bokovoy


From saqib.n.ali at seagate.com Wed Jun 15 18:34:10 2016
From: saqib.n.ali at seagate.com (Saqib N Ali)
Date: Wed, 15 Jun 2016 11:34:10 -0700
Subject: [Freeipa-users] FreeIPA – AD Trust Integration Option
Message-ID:

Greetings,

If we want to use the FreeIPA Active Directory Trust Integration Option, can we use an existing implementation of SunLDAP to store the Policies (e.g. sudo, hbac etc.)?

Essentially we don't want to create another LDAP Directory just for storing the Policies.

Saqib


From hindsn at gmail.com Wed Jun 15 20:56:20 2016
From: hindsn at gmail.com (Nicholas Hinds)
Date: Wed, 15 Jun 2016 20:56:20 +0000
Subject: [Freeipa-users] Service account for host enrolment needs permission to read itself
Message-ID:

Hi all,

I have been exploring using a service account with restricted permissions to add and enrol hosts, rather than using an administrative user. I based the account details on an earlier posting to this list (https://www.redhat.com/archives/freeipa-users/2016-January/msg00524.html), but ran into a couple of things that I found odd:

1. The service account needs to be explicitly granted permission to read itself.

When a host was previously enrolled with FreeIPA and has run `ipa-client-install --uninstall`, a fresh `ipa-client-install` using a service user fails unless the host is manually deleted with `ipa host-del`, or the service user is explicitly granted permission to read itself.

Without either of the above, `ipa-client-install` fails with an error "Joining realm failed: RPC failed at server. host with name "my.hostname.domain" already exists".

On the server side, for some reason the service user tries to look itself up to check if it's got permissions to modify the host (which it does).
It does not seem to have permissions to look itself up by default in the cn=sysaccounts,cn=etc tree, so the permission check fails, and throws the error above.

I'm granting the service account the following permission to work around this, but I'm a little confused as to why it's required:

ipa permission-add 'Read Host Join User' --target=uid=my-join-user,cn=sysaccounts,cn=etc,dc=example,dc=com --right=read --right=search --right=compare --attrs='*'

Is that permission going to cause the service account to be able to do anything it shouldn't, or does it look okay?

2. The service account's password expiry must be set in a separate ldapmodify call

I tried to create the service account with a password that does not expire by setting "krbPasswordExpiration: 20380119031407Z" on the account when it is created, but it seems to be immediately overwritten. If I create the account in one ldapmodify call, and set the password expiration in a separate call, the expiration seems to stick. Is that expected, or am I setting the expiration incorrectly?

I've included the full set of commands I'm using to set up my service account for host enrolment, in case something I'm doing wrong is causing the above strangeness. I'm running FreeIPA 4.2.0 on CentOS 7.

I'd be keen for some feedback on this approach, and whether it's normal to have to use the workarounds above.

Thanks,
Nicholas.
## Configure the account used by hosts to join the domain

# Authenticate so the ipa commands can run
kinit admin

# (System account needs special permissions to read itself)
ipa permission-add 'Read Host Join User' --target=uid=my-join-user,cn=sysaccounts,cn=etc,dc=example,dc=com --right=read --right=search --right=compare --attrs='*'
ipa privilege-add 'Read Host Join User'
ipa privilege-add-permission --permissions='Read Host Join User' 'Read Host Join User'

ipa privilege-add 'Add Hosts'
ipa privilege-add-permission --permissions='System: Add Hosts' 'Add Hosts'

# Role to assign to the system account, with permissions to enrol hosts, add hosts, and read itself
ipa role-add --desc="Host Joining" 'Host Joining'
ipa role-add-privilege --privileges='Host Enrollment' 'Host Joining'
ipa role-add-privilege --privileges='Add Hosts' 'Host Joining'
ipa role-add-privilege --privileges='Read Host Join User' 'Host Joining'

# Drop admin permissions
kdestroy

# Create the system account in LDAP and add it to the new role
cat <


From Dan.Finkelstein at high5games.com Wed Jun 15 23:15:22 2016
From: Dan.Finkelstein at high5games.com (Dan.Finkelstein at high5games.com)
Date: Wed, 15 Jun 2016 23:15:22 +0000
Subject: [Freeipa-users] CentOS 7, FreeIPA 4.2: slapd crashes soon after launch
Message-ID:

Our FreeIPA master was working fine for about a day and then, apropos of nothing, the LDAP component started to crash with nary an error message. Obviously, with it down we can't log into the WebUI, nor can we query the status of the components or retrieve data.
In /var/log/dirsrv/slapd-EXAMPLE-COM/errors we see:

[15/Jun/2016:18:50:28 -0400] NSMMReplicationPlugin - agmt="cn=meToipa-replica.example.com" (ipa-replica:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
[15/Jun/2016:18:50:28 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 2 (No such file or directory)
[15/Jun/2016:18:50:28 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[15/Jun/2016:18:50:28 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[15/Jun/2016:18:50:28 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[15/Jun/2016:18:50:28 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[15/Jun/2016:18:50:28 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[15/Jun/2016:18:50:30 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=h5c,dc=local
[15/Jun/2016:18:50:30 -0400] schema-compat-plugin - Finished plugin initialization.
[15/Jun/2016:18:50:34 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[15/Jun/2016:18:50:34 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials)

It appears not to have been replicating for at least a day with our 4 other replicas, none of which have the data we'd entered into this master. Is there a way we can bring ldap back to life?

Thanks,
Dan

Daniel Alex Finkelstein | Lead Dev Ops Engineer
Dan.Finkelstein at h5g.com | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com


From outbackdingo at gmail.com Thu Jun 16 04:40:32 2016
From: outbackdingo at gmail.com (Outback Dingo)
Date: Thu, 16 Jun 2016 00:40:32 -0400
Subject: [Freeipa-users] CentOS 7.2 Certificate Issue with chrome
Message-ID:

Freshly installed IPA, went to the web ui and got this in google chrome:

This site can't provide a secure connection
ipa3.optimcloud.com doesn't adhere to security standards.
ERR_SSL_SERVER_CERT_BAD_FORMAT


From abokovoy at redhat.com Thu Jun 16 05:31:45 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 16 Jun 2016 08:31:45 +0300
Subject: [Freeipa-users] FreeIPA – AD Trust Integration Option
In-Reply-To:
References:
Message-ID: <20160616053145.e646p33mvjivyjab@redhat.com>

On Wed, 15 Jun 2016, Saqib N Ali wrote:
> Greetings,
>
> If we want to use the FreeIPA Active Directory Trust Integration Option,
> can we use an existing implementation of SunLDAP to store the Policies
> (e.g. sudo, hbac etc.)
>
> Essentially we don't want to create another LDAP Directory just for storing the
> Policies.

FreeIPA cannot work with another LDAP Directory. It is an integrated solution that relies on the set of plugins in the 389-ds directory; there are about a dozen specialized plugins that come with FreeIPA itself.

The trust to Active Directory option is part of that setup and cannot be done against another LDAP directory because it also relies on the specific plugins to 389-ds that don't exist in your SunLDAP.

If you deploy FreeIPA, you cannot have it 'just for storing the policies'. It will be used for all kinds of objects. With trust to Active Directory you may opt to not create native IPA users, but then these wouldn't be coming from your SunLDAP directory either; AD users would be coming from AD.
--
/ Alexander Bokovoy


From wdh at dds.nl Thu Jun 16 08:28:41 2016
From: wdh at dds.nl (Winfried de Heiden)
Date: Thu, 16 Jun 2016 10:28:41 +0200
Subject: [Freeipa-users] FreeOTP
In-Reply-To: <20160609165109.GN3302@p.Speedport_W_724V_Typ_A_05011603_00_009>
References: <68740fdb-859d-9cfe-4943-8b27a1ae5e49@dds.nl> <20160607164212.wh2idbbkniabdzdy@redhat.com> <1465319719.2595.7.camel@redhat.com> <1465394017.2599.3.camel@redhat.com> <1465406113.2599.25.camel@redhat.com> <6fc25458-745c-51a5-0d1a-c28d3e18331b@dds.nl> <20160609084645.GB15524@p.Speedport_W_724V_Typ_A_05011603_00_009> <1465476179.2969.8.camel@redhat.com> <20160609165109.GN3302@p.Speedport_W_724V_Typ_A_05011603_00_009>
Message-ID:

Hi all,

"So it looks a bit like a libverto 32bit issue"; any news or progress on this? Bugzilla?

Winny

On 09-06-16 at 18:51, Sumit Bose wrote:
> On Thu, Jun 09, 2016 at 08:42:59AM -0400, Nathaniel McCallum wrote:
>> On Thu, 2016-06-09 at 10:46 +0200, Sumit Bose wrote:
>>> On Thu, Jun 09, 2016 at 08:16:13AM +0200, Winfried de Heiden wrote:
>>>> Hi all,
>>>>
>>>> I can install libverto-libev but removing libverto-tevent will remove 123
>>>> dependencies also. (wget, tomcat and much more...)
>>>>
>>>> Hence, I installed libverto-libev, but did not remove libverto-tevent to give
>>>> it a try. After ipactl restart still the same problem:
>>> fyi, I think I can reproduce the issue on 32bit Fedora. I tried
>>> libverto-libev as well but I removed libverto-tevent after installing
>>> libverto-libev with 'rpm -e --nodeps ....' to make sure libverto has no
>>> other chance.
>>>
>>> So it looks a bit like a libverto 32bit issue. I used
>>> libverto-0.2.6-4.fc22. Since I knew that it was working before on 32bits
>>> I tried libverto-0.2.5 and libverto-0.2.4 as well with no luck.
>>>
>>> Nathaniel, do you have any suggestions what to check with gdb?
>> It may not be a libverto issue at all.
>> Just to summarize, krb5kdc sends
>> the otp request to ipa-otpd using RADIUS-over-UNIX-socket.
>>
>> It appears that ipa-otpd receives the request and sends the appropriate
>> response. However, krb5kdc never appears to receive the request and
>> times out. Once it times out, it closes the socket and ipa-otpd exits.
>>
>> The question is: why?
>>
>> This could be a bug in krb5kdc, libkrad or libverto. Does the event
>> actually fire from libverto? Does libkrad process it correctly? Does
>> krb5kdc process it correctly?
>>
>> There are lots of places to attach gdb. I would probably start here:
>> https://github.com/krb5/krb5/blob/master/src/lib/krad/client.c#L193
> It looks like the 3rd argument of recv(), the buffer length, becomes
> negative aka very big in on_io_read()
>
> i = recv(verto_get_fd(rr->io), rr->buffer.data + rr->buffer.length,
> pktlen - rr->buffer.length, 0);
>
> because pktlen is 4 and rr->buffer.length is 16 on my 32bit system. I
> wonder if pktlen isn't sufficient here because it already is the result
> of 'len - buffer->length' which is calculated in
> krad_packet_bytes_needed() ?
>
> bye,
> Sumit
>


From detlev.habicht at ims.uni-hannover.de Thu Jun 16 08:47:22 2016
From: detlev.habicht at ims.uni-hannover.de (Detlev Habicht)
Date: Thu, 16 Jun 2016 10:47:22 +0200
Subject: [Freeipa-users] IPA, Samba and how can a Windows client access it
Message-ID:

Hi,

first I thought it is an awkward question, but my smart colleague here also cannot help me, so I try it:

I read this and I have installed it:

"Howto/Integrating a Samba File Server With IPA"
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

This is working as described. But this works only for Linux so far. We are not able to find a configuration so that a single Windows client has access to the Samba Server. Only with his IPA account (username and password)!

I don't want to use something like trusted AD.
As I said, for the Windows clients I want only to use a username and password for Samba, using IPA.

Well, this is the configuration as described in the docu:

[global]
workgroup = MY
realm = MY.REALM
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
log file = /var/log/samba/log.%m
security = ads

Any idea what I can do for my wishes?

Thank you!

Detlev

--
Detlev  | Institut fuer Mikroelektronische Systeme
Habicht | D-30167 Hannover +49 511 76219662
habicht at ims.uni-hannover.de --------+-------- Handy +49 172 5415752


From sbose at redhat.com Thu Jun 16 08:55:41 2016
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 16 Jun 2016 10:55:41 +0200
Subject: [Freeipa-users] FreeOTP
In-Reply-To:
References: <1465319719.2595.7.camel@redhat.com> <1465394017.2599.3.camel@redhat.com> <1465406113.2599.25.camel@redhat.com> <6fc25458-745c-51a5-0d1a-c28d3e18331b@dds.nl> <20160609084645.GB15524@p.Speedport_W_724V_Typ_A_05011603_00_009> <1465476179.2969.8.camel@redhat.com> <20160609165109.GN3302@p.Speedport_W_724V_Typ_A_05011603_00_009>
Message-ID: <20160616085541.GC17733@p.Speedport_W_724V_Typ_A_05011603_00_009>

On Thu, Jun 16, 2016 at 10:28:41AM +0200, Winfried de Heiden wrote:
> Hi all,
>
> "So it looks a bit like a libverto 32bit issue"; any news or progress on
> this? Bugzilla?

sorry for the delay, but I'm currently busy with other items. I can come back to you on this issue early next week.

Btw, so far I would say it is an issue in libkrad.
bye,
Sumit

>
> Winny
>
>
> On 09-06-16 at 18:51, Sumit Bose wrote:
> > On Thu, Jun 09, 2016 at 08:42:59AM -0400, Nathaniel McCallum wrote:
> > > On Thu, 2016-06-09 at 10:46 +0200, Sumit Bose wrote:
> > > > On Thu, Jun 09, 2016 at 08:16:13AM +0200, Winfried de Heiden wrote:
> > > > > Hi all,
> > > > >
> > > > > I can install libverto-libev but removing libverto-tevent will remove 123
> > > > > dependencies also. (wget, tomcat and much more...)
> > > > >
> > > > > Hence, I installed libverto-libev, but did not remove libverto-tevent to give
> > > > > it a try. After ipactl restart still the same problem:
> > > > fyi, I think I can reproduce the issue on 32bit Fedora. I tried
> > > > libverto-libev as well but I removed libverto-tevent after installing
> > > > libverto-libev with 'rpm -e --nodeps ....' to make sure libverto has no
> > > > other chance.
> > > >
> > > > So it looks a bit like a libverto 32bit issue. I used
> > > > libverto-0.2.6-4.fc22. Since I knew that it was working before on 32bits
> > > > I tried libverto-0.2.5 and libverto-0.2.4 as well with no luck.
> > > >
> > > > Nathaniel, do you have any suggestions what to check with gdb?
> > > It may not be a libverto issue at all. Just to summarize, krb5kdc sends
> > > the otp request to ipa-otpd using RADIUS-over-UNIX-socket.
> > >
> > > It appears that ipa-otpd receives the request and sends the appropriate
> > > response. However, krb5kdc never appears to receive the request and
> > > times out. Once it times out, it closes the socket and ipa-otpd exits.
> > >
> > > The question is: why?
> > >
> > > This could be a bug in krb5kdc, libkrad or libverto. Does the event
> > > actually fire from libverto? Does libkrad process it correctly? Does
> > > krb5kdc process it correctly?
> > >
> > > There are lots of places to attach gdb.
> > > I would probably start here:
> > > https://github.com/krb5/krb5/blob/master/src/lib/krad/client.c#L193
> > It looks like the 3rd argument of recv(), the buffer length, becomes
> > negative aka very big in on_io_read()
> >
> > i = recv(verto_get_fd(rr->io), rr->buffer.data + rr->buffer.length,
> >          pktlen - rr->buffer.length, 0);
> >
> > because pktlen is 4 and rr->buffer.length is 16 on my 32bit system. I
> > wonder if pktlen isn't sufficient here because it already is the result
> > of 'len - buffer->length' which is calculated in
> > krad_packet_bytes_needed() ?
> >
> > bye,
> > Sumit
>

From prashant at apigee.com Thu Jun 16 09:00:48 2016
From: prashant at apigee.com (Prashant Bapat)
Date: Thu, 16 Jun 2016 14:30:48 +0530
Subject: [Freeipa-users] Read-only access to enforce OTP

Hi,

I'm writing a small script which will scan all the users and check if each one has set up an OTP. It will send out an email to the user if OTP is missing.

I added a new entry uid=otp-check-ro,cn=sysaccounts,cn=etc,dc=example,dc=com. Problem is I'm able to read all the users' attributes but not able to read anything under the cn=otp,dc=example,dc=com tree.

What are the permissions or ACI I need to add to give read-only access to this user?

Thanks.
--Prashant

From gjn at gjn.priv.at Thu Jun 16 09:54:56 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Thu, 16 Jun 2016 11:54:56 +0200
Subject: [Freeipa-users] ipa-ods-exporter failed ?
Message-ID: <3253760.hiacI6SPC6@techz>

Hello,

on my system the ods-exporter, I mean, has a problem. I have this in the logs.

CentOS 7.(2) ipa 4.3.1

Jun 16 11:37:25 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart.
Jun 16 11:37:25 ipa systemd: Started IPA OpenDNSSEC Signer replacement.
Jun 16 11:37:25 ipa systemd: Starting IPA OpenDNSSEC Signer replacement...
Jun 16 11:37:25 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running
Jun 16 11:37:26 ipa python2: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 16 11:37:26 ipa ipa-ods-exporter: Traceback (most recent call last):
Jun 16 11:37:26 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in
Jun 16 11:37:26 ipa ipa-ods-exporter: ldap.gssapi_bind()
Jun 16 11:37:26 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind
Jun 16 11:37:26 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls)
Jun 16 11:37:26 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
Jun 16 11:37:26 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback)
Jun 16 11:37:26 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler
Jun 16 11:37:26 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
Jun 16 11:37:26 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 16 11:37:26 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE
Jun 16 11:37:26 ipa systemd: Unit ipa-ods-exporter.service entered failed state.
Jun 16 11:37:26 ipa systemd: ipa-ods-exporter.service failed.
Jun 16 11:38:26 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart.
Jun 16 11:38:26 ipa systemd: Started IPA OpenDNSSEC Signer replacement.
Jun 16 11:38:26 ipa systemd: Starting IPA OpenDNSSEC Signer replacement...
Jun 16 11:38:27 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running
Jun 16 11:38:28 ipa python2: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Ticket expired)
Jun 16 11:38:28 ipa ipa-ods-exporter: Traceback (most recent call last):
Jun 16 11:38:28 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in
Jun 16 11:38:28 ipa ipa-ods-exporter: ldap.gssapi_bind()
Jun 16 11:38:28 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind
Jun 16 11:38:28 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls)
Jun 16 11:38:28 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
Jun 16 11:38:28 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback)
Jun 16 11:38:28 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler
Jun 16 11:38:28 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
Jun 16 11:38:28 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 16 11:38:28 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE
Jun 16 11:38:28 ipa systemd: Unit ipa-ods-exporter.service entered failed state.
Jun 16 11:38:28 ipa systemd: ipa-ods-exporter.service failed.

--
with kind regards / best regards,
Günther J. Niederwimmer

From christopher.lamb at ch.ibm.com Thu Jun 16 10:52:32 2016
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Thu, 16 Jun 2016 12:52:32 +0200
Subject: [Freeipa-users] IPA, Samba and how can a Windows client access it

Hi Detlev

If I have understood you correctly, you want to let Windows users access Samba "shares" using their IPA username/passwords?

If so it is possible. We have both Windows and OSX workstations accessing unix fileshares like that.
We did it more or less along the lines described here: http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/

If you search the archives of this forum with FreeIPA Samba Lamb you will find some previous threads on this topic.

Chris

From: Detlev Habicht
To: freeipa-users at redhat.com
Date: 06/16/2016 10:49
Subject: [Freeipa-users] IPA, Samba and how can a Windows client access it
Sent by: freeipa-users-bounces at redhat.com

Hi,

first I thought it is an awkward question, but my smart colleague here also cannot help me, so I try it:

I read this and I have installed it:

"Howto/Integrating a Samba File Server With IPA"
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

This is working as described. But this works only for Linux so far.

We are not able to find a configuration so that a single Windows client has access to the Samba Server. Only with his IPA account (username and password)! I don't want to use something like trusted AD. As I said, for the Windows clients I want only to use a username and password for Samba, using IPA.

Well, this is the configuration as described in the docu:

[global]
workgroup = MY
realm = MY.REALM
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
log file = /var/log/samba/log.%m
security = ads

Any idea what I can do for my wishes?

Thank you!

Detlev

--
Detlev | Institut fuer Mikroelektronische Systeme
Habicht | D-30167 Hannover +49 511 76219662 habicht at ims.uni-hannover.de
--------+-------- Handy +49 172 5415752 ---------------------------

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
From detlev.habicht at ims.uni-hannover.de Thu Jun 16 12:07:48 2016
From: detlev.habicht at ims.uni-hannover.de (Detlev Habicht)
Date: Thu, 16 Jun 2016 14:07:48 +0200
Subject: [Freeipa-users] IPA, Samba and how can a Windows client access it
Message-ID: <5741DF4D-1458-48A5-8D0B-F8DE81234E72@ims.uni-hannover.de>

Thank you, I found an old post from you with this smb.conf:

security = user
passdb backend = ldapsam:ldap://ldap.my.example.com
ldap suffix = dc=my,dc=example,dc=com
ldap admin dn = cn=Directory Manager
ldap ssl = off

Is this still working with Samba 4.x and IPA 4.x? I will try it soon.

Will "ipa-adtrust-install --add-sids" do all the config I need for this?

I think your hint with techslaves is good, but not up to date.

Detlev

P.S.: Yes, I want the same, these clients are not a member of a domain ...

--
Detlev | Institut fuer Mikroelektronische Systeme
Habicht | D-30167 Hannover +49 511 76219662 habicht at ims.uni-hannover.de
--------+-------- Handy +49 172 5415752 ---------------------------

On 16.06.2016 at 12:52, Christopher Lamb wrote:

> Hi Detlev
>
> If I have understood you correctly, you want to let Windows users access Samba "shares" using their IPA username/passwords?
>
> If so it is possible. We have both Windows and OSX workstations accessing unix fileshares like that.
>
> We did it more or less along the lines described here: http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/
>
> If you search the archives of this forum with FreeIPA Samba Lamb you will find some previous threads on this topic.
From wia at iglass.net Thu Jun 16 12:48:48 2016
From: wia at iglass.net (Marc Wiatrowski)
Date: Thu, 16 Jun 2016 08:48:48 -0400
Subject: [Freeipa-users] CA: IPA certificates not renewing
References: <57602152.9090104@redhat.com>

Thanks Rob,

Any suggestions on how to make the CA aware of the current serial number?

Also started seeing the following error from two of the servers, spider01b and spider01o, but not spider01a, when I navigate in the web gui. Though it doesn't appear to stop me from doing anything.

IPA Error 4301
Certificate operation cannot be completed: EXCEPTION (Invalid Crential.)

Marc

On Tue, Jun 14, 2016 at 2:07 PM, Marc Wiatrowski wrote:
>
>
> On Tue, Jun 14, 2016 at 11:22 AM, Rob Crittenden wrote:
>
>> Marc Wiatrowski wrote:
>>
>>> Hello, I'm having issues with the 3 ipa certificates of type CA: IPA
>>> renewing on 2 of 3 replicas. Particularly on the 2 that are not the CA
>>> master. The other 5 certificates from getcert list do renew and all
>>> certificates on the CA master do look to renew.
>>>
>>> Both servers running ipa-server-3.0.0-50.el6.centos.1.x86_64 I've done
>>> full updates and rebooted.
>>>
>>
>> Can you check on the replication status for each CA?
>>
>> $ ipa-csreplica-manage list -v ipa.example.com
>>
>> The hostname is important because including that will show the agreements
>> that host has. Do this for each master with a CA.
>>
>> The CA being asked to do the renewal is unaware of the current serial
>> number so it is refusing to proceed.
>>
>> rob
>>
>
> [root at spider01o]$ ipa-csreplica-manage list -v spider01a.iglass.net
> Directory Manager password:
>
> spider01b.iglass.net
> last init status: None
> last init ended: None
> last update status: 0 Replica acquired successfully: Incremental update succeeded
> last update ended: 2016-06-14 17:49:16+00:00
> spider01o.iglass.net
> last init status: None
> last init ended: None
> last update status: 0 Replica acquired successfully: Incremental update started
> last update ended: 2016-06-14 17:55:20+00:00
>
> [root at spider01o]$ ipa-csreplica-manage list -v spider01o.iglass.net
> Directory Manager password:
>
> spider01a.iglass.net
> last init status: None
> last init ended: None
> last update status: 0 Replica acquired successfully: Incremental update started
> last update ended: 2016-06-14 17:57:44+00:00
> spider01b.iglass.net
> last init status: None
> last init ended: None
> last update status: 0 Replica acquired successfully: Incremental update started
> last update ended: 2016-06-14 17:57:41+00:00
>
> [root at spider01o]$ ipa-csreplica-manage list -v spider01b.iglass.net
> Directory Manager password:
>
> spider01a.iglass.net
> last init status: 0 Total update succeeded
> last init ended: 2016-06-03 19:43:12+00:00
> last update status: 0 Replica acquired successfully: Incremental update succeeded
> last update ended: 2016-06-14 17:44:17+00:00
> spider01o.iglass.net
> last init status: 0 Total update succeeded
> last init ended: 2016-06-03 19:44:38+00:00
> last update status: 0 Replica acquired successfully: Incremental update started
> last update ended: 2016-06-14 17:57:53+00:00
> spider01a.iglass.net
> last init status: None
> last init ended: None
> last update status: 0 Replica acquired successfully: Incremental update succeeded
> last update ended: 2016-06-14 17:44:13+00:00
> spider01o.iglass.net
> last init status: None
> last init ended: None
> last update status: 0 Replica acquired successfully: Incremental update
> started
> last update ended: 2016-06-14 17:57:54+00:00
>
>
> Not sure what this is telling... This an issue with the last being
> doubled? Thanks
>
>
> The failed renews look like:
>
> [root at spider01a]$ getcert list -i 20141202144354
> Number of certificates and requests being tracked: 8.
> Request ID '20141202144354':
> status: CA_UNREACHABLE
> ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request,
> will retry: 4301 (RPC failed at server. Certificate operation cannot be
> completed: EXCEPTION (Certificate serial number 0x3ffe0010 not found)).
> stuck: no
> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=IGLASS.NET
> subject: CN=spider01a.iglass.net,O=IGLASS.NET
> expires: 2016-12-02 14:38:45 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
> track: yes
> auto-renew: yes
>
> [root at spider01a]$ getcert list -i 20141202144616
> Number of certificates and requests being tracked: 8.
> Request ID '20141202144616':
> status: CA_UNREACHABLE
> ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request,
> will retry: 4301 (RPC failed at server. Certificate operation cannot be
> completed: EXCEPTION (Certificate serial number 0x3ffe000f not found)).
> stuck: no
> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IGLASS-NET/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=IGLASS.NET
> subject: CN=spider01a.iglass.net,O=IGLASS.NET
> expires: 2016-12-02 14:38:43 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv IGLASS-NET
> track: yes
> auto-renew: yes
>
> [root at spider01a]$ getcert list -i 20141202144733
> Number of certificates and requests being tracked: 8.
> Request ID '20141202144733':
> status: CA_UNREACHABLE
> ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request,
> will retry: 4301 (RPC failed at server. Certificate operation cannot be
> completed: EXCEPTION (Certificate serial number 0x3ffe0011 not found)).
> stuck: no
> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=IGLASS.NET
> subject: CN=spider01a.iglass.net,O=IGLASS.NET
> expires: 2016-12-02 14:38:46 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
>
>
> From
> [root at spider01a]$ getcert resubmit -i 20141202144354
>
> On the replica issuing the resubmit
>
> ==> /var/log/httpd/access_log <==
> 192.168.176.2 - - [13/Jun/2016:15:49:32 -0400] "POST /ipa/xml HTTP/1.1" 401 1370
>
> ==> /var/log/httpd/error_log <==
> [Mon Jun 13 15:49:33 2016] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): EXCEPTION (Certificate serial number 0x3ffe0010 not found)
> [Mon Jun 13 15:49:33 2016] [error] ipa: INFO: host/spider01a.iglass.net at IGLASS.NET: cert_request(u'MIIDsTCCApkCAQAwNDETMBEGA1UEChMKSUdMQVNTLk5FVDEdMBsGA1UEAxMUc3BpZGVyMDFhLml...UVrN8lbKn17V5COjnj6k0mdbz3KptL0UI/l0BPlFBWGN5MFYaDx2F+y6LWv/aXeu2V4E6LA==', principal=u'dogtagldap/spider01a.iglass.net at IGLASS.NET', add=True): CertificateOperationError
>
> ==> /var/log/httpd/access_log <==
> 192.168.176.2 - - [13/Jun/2016:15:49:33 -0400] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 200 262
> 192.168.176.2 - host/spider01a.iglass.net at IGLASS.NET [13/Jun/2016:15:49:32 -0400] "POST /ipa/xml HTTP/1.1" 200 376
>
> ==> /var/log/pki-ca/system <==
> 2508.TP-Processor6 - [13/Jun/2016:15:49:33 EDT] [3] [3] Servlet caDisplayBySerial: Error encountered in DisplayBySerial. Error Record not found.
>
>
> On the CA master spider01o:
>
> ==> /var/log/httpd/access_log <==
> 192.168.176.2 - - [13/Jun/2016:15:49:33 -0400] "POST /ipa/xml HTTP/1.1" 401 1370
>
> ==> krb5kdc.log <==
> Jun 13 15:49:34 spider01o.iglass.net krb5kdc[1963](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.177.2: ISSUE: authtime 1465847372, etypes {rep=18 tkt=18 ses=18}, host/spider01a.iglass.net at IGLASS.NET for ldap/spider01o.iglass.net at IGLASS.NET
>
> ==> /var/log/httpd/error_log <==
> [Mon Jun 13 15:49:34 2016] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): EXCEPTION (Invalid Credential.)
> [Mon Jun 13 15:49:34 2016] [error] ipa: INFO: host/spider01a.iglass.net at IGLASS.NET: cert_request(u'MIIDsTCCApkCAQAwNDETMBEGA1UEChMKSUdMQVNTLk5FVDEdMBsGA1UEAxMUc3BpZGVyMDFhLml...UVrN8lbKn17V5COjnj6k0mdbz3KptL0UI/l0BPlFBWGN5MFYaDx2F+y6LWv/aXeu2V4E6LA==', principal=u'dogtagldap/spider01a.iglass.net at IGLASS.NET', add=True): CertificateOperationError
>
> ==> /var/log/httpd/access_log <==
> 192.168.177.2 - - [13/Jun/2016:15:49:34 -0400] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 200 235
> 192.168.176.2 - host/spider01a.iglass.net at IGLASS.NET [13/Jun/2016:15:49:33 -0400] "POST /ipa/xml HTTP/1.1" 200 349
>
> ==> /var/log/pki-ca/system <==
> 2231.TP-Processor3 - [13/Jun/2016:15:49:34 EDT] [6] [3] Cannot authenticate agent with certificate Serial 0x5ffc0008 Subject DN CN=IPA RA,O=IGLASS.NET. Error: User not found
>
>
> I realize they expire at the end of the year, but I've had my
> certificates expire before and would rather not go through that again.
> Any idea on what's wrong or suggestions on where to look would be
> appreciated.
>
> Thanks,
> Marc
>
From christopher.lamb at ch.ibm.com Thu Jun 16 13:21:27 2016
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Thu, 16 Jun 2016 15:21:27 +0200
Subject: [Freeipa-users] IPA, Samba and how can a Windows client access it
In-Reply-To: <5741DF4D-1458-48A5-8D0B-F8DE81234E72@ims.uni-hannover.de>
References: <5741DF4D-1458-48A5-8D0B-F8DE81234E72@ims.uni-hannover.de>

Hi Detlev

Yes, we have it working with Samba 4.x and IPA 4.x, pretty much as described in the techslaves article.

I did intend to write a "how-to", but 1000 other things took over ... I made some notes at the time, which I will try and dig out.

We did not use ipa-adtrust-install, so I can't comment on that.

Chris

From: Detlev Habicht
To: freeipa-users at redhat.com
Date: 16.06.2016 14:10
Subject: Re: [Freeipa-users] IPA, Samba and how can a Windows client access it
Sent by: freeipa-users-bounces at redhat.com

Thank you, I found an old post from you with this smb.conf:

security = user
passdb backend = ldapsam:ldap://ldap.my.example.com
ldap suffix = dc=my,dc=example,dc=com
ldap admin dn = cn=Directory Manager
ldap ssl = off

Is this still working with Samba 4.x and IPA 4.x? I will try it soon.

Will "ipa-adtrust-install --add-sids" do all the config I need for this?

I think your hint with techslaves is good, but not up to date.

Detlev

P.S.: Yes, I want the same, these clients are not a member of a domain ...

--
Detlev | Institut fuer Mikroelektronische Systeme
Habicht | D-30167 Hannover +49 511 76219662 habicht at ims.uni-hannover.de
--------+-------- Handy +49 172 5415752 ---------------------------

On 16.06.2016 at 12:52, Christopher Lamb <christopher.lamb at ch.ibm.com> wrote:

Hi Detlev

If I have understood you correctly, you want to let Windows users access Samba "shares" using their IPA username/passwords?

If so it is possible. We have both Windows and OSX workstations accessing unix fileshares like that.
From mbasti at redhat.com Thu Jun 16 13:30:46 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 16 Jun 2016 15:30:46 +0200
Subject: [Freeipa-users] CentOS 7.2 Certificate Issue with chrome
Message-ID: <109c6bf4-9e09-64c0-efcf-e3e47d432bca@redhat.com>

On 16.06.2016 06:40, Outback Dingo wrote:
> Freshly installed IPA went to the web ui and got this in google chrome
>
> This site can't provide a secure connection
>
> ipa3.optimcloud.com doesn't adhere to
> security standards.
> ERR_SSL_SERVER_CERT_BAD_FORMAT
>
>

Hello,

I was able to show the login page in my chrome browser version 51.0.2704.79. Maybe something is wrong with your chrome browser.

From mkosek at redhat.com Thu Jun 16 14:18:15 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 16 Jun 2016 16:18:15 +0200
Subject: [Freeipa-users] Read-only access to enforce OTP
Message-ID: <108f29da-0a55-d7b6-f55f-28e638129938@redhat.com>

On 06/16/2016 11:00 AM, Prashant Bapat wrote:
> Hi,
>
> I'm writing a small script which will scan all the users and check if each one
> has set up an OTP.
> It will send out an email to the user if OTP is missing.
>
> I added a new entry uid=otp-check-ro,cn=sysaccounts,cn=etc,dc=example,dc=com.
> Problem is I'm able to read all the users' attributes but not able to read
> anything under the cn=otp,dc=example,dc=com tree.
>
> What are the permissions or ACI I need to add to give read-only access to this user?
>
> Thanks.
> --Prashant
>
>

I would recommend creating a read permission for the tree & attributes/objects you need to allow. Doc is here:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-roles.html#creating-perms-cli

You cannot apply this permission to a system user with the API, you would need to use ldapmodify and add the right membership. But you could create a service account (service-add), create a keytab for the authentication and then assign it a role that has a privilege that has your permission.

I hope that makes sense.

Martin

From rcritten at redhat.com Thu Jun 16 14:22:29 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 16 Jun 2016 10:22:29 -0400
Subject: [Freeipa-users] CA: IPA certificates not renewing
References: <57602152.9090104@redhat.com>
Message-ID: <5762B625.7060803@redhat.com>

Marc Wiatrowski wrote:
> Thanks Rob,
>
> Any suggestions on how make the CA aware of the current serial number?

Serial numbers are doled out like uid numbers, by the 389-ds DNA Plugin. So each CA that has ever issued a certificate has its own range, hence the quite different serial number values.

Given that some issued certificates are unknown it stands to reason that replication is broken between one or more masters. Fixing that should resolve (most of) the other issues.

> Also started seeing the following error from two of the servers,
> spider01b and spider01o, but not spider01a when I navigate in the web
> gui. Though it doesn't appear to stop me from doing anything.
>
> IPA Error 4301
> Certificate operation cannot be completed: EXCEPTION (Invalid Crential.)

Dogtag does some of its access control by comparing the incoming client certificate with an expected value in its LDAP database, in this case uid=ipara,ou=People,o=ipaca. There you'll find a copy of the client certificate and a description field that contains the expected serial #, subject and issuer. These are out-of-whack if you're getting Invalid Credentials.

It could be a number of things so I'd proceed cautiously. Given you have a working master I'd use that as a starting point.

Look at the RA cert in /etc/httpd/alias:

# certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial

See if it is the same on all masters, it should be.

If it is, look at the uid=ipara entry on all the masters. Again, should be the same.

Note that fixing this won't address any replication issues.

rob

>
> Marc
>
> On Tue, Jun 14, 2016 at 2:07 PM, Marc Wiatrowski wrote:
>
>
> On Tue, Jun 14, 2016 at 11:22 AM, Rob Crittenden wrote:
>
> Marc Wiatrowski wrote:
>
> Hello, I'm having issues with the 3 ipa certificates of type
> CA: IPA renewing on 2 of 3 replicas. Particularly on the 2 that are
> not the CA master. The other 5 certificates from getcert list do renew
> and all certificates on the CA master do look to renew.
>
> Both servers running ipa-server-3.0.0-50.el6.centos.1.x86_64 I've done
> full updates and rebooted.
>
>
> Can you check on the replication status for each CA?
>
> $ ipa-csreplica-manage list -v ipa.example.com
>
> The hostname is important because including that will show the
> agreements that host has. Do this for each master with a CA.
>
> The CA being asked to do the renewal is unaware of the current
> serial number so it is refusing to proceed.
> stuck: no > key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=IGLASS.NET > > > subject: CN=spider01a.iglass.net > >,O=IGLASS.NET > > > expires: 2016-12-02 14:38:46 UTC > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: /usr/lib64/ipa/certmonger/restart_httpd > track: yes > auto-renew: yes > > > From > [root at spider01a]$ getcert resubmit -i 20141202144354 > > On the replica issuing the resubmit > > ==> /var/log/httpd/access_log <== > 192.168.176.2 - - [13/Jun/2016:15:49:32 -0400] "POST /ipa/xml HTTP/1.1" > 401 1370 > > ==> /var/log/httpd/error_log <== > [Mon Jun 13 15:49:33 2016] [error] ipa: ERROR: > ipaserver.plugins.dogtag.ra.get_certificate(): EXCEPTION (Certificate > serial number 0x3ffe0010 not found) > [Mon Jun 13 15:49:33 2016] [error] ipa: INFO: > host/spider01a.iglass.net at IGLASS.NET > > >: > cert_request(u'MIIDsTCCApkCAQAwNDETMBEGA1UEChMKSUdMQVNTLk5FVDEdMBsGA1UEAxMUc3BpZGVyMDFhLml...UVrN8lbKn17V5COjnj6k0mdbz3KptL0UI/l0BPlFBWGN5MFYaDx2F+y6LWv/aXeu2V4E6LA==', > principal=u'dogtagldap/spider01a.iglass.net at IGLASS.NET > > >', add=True): > CertificateOperationError > > ==> /var/log/httpd/access_log <== > 192.168.176.2 - - [13/Jun/2016:15:49:33 -0400] "POST > /ca/agent/ca/displayBySerial HTTP/1.1" 200 262 > 192.168.176.2 - host/spider01a.iglass.net at IGLASS.NET > > > [13/Jun/2016:15:49:32 -0400] > "POST /ipa/xml HTTP/1.1" 200 376 > > ==> /var/log/pki-ca/system <== > 2508.TP-Processor6 - [13/Jun/2016:15:49:33 EDT] [3] [3] Servlet > caDisplayBySerial: Error encountered in DisplayBySerial. Error Record > not found. 
> > > On the CA master spider01o: > > ==> /var/log/httpd/access_log <== > 192.168.176.2 - - [13/Jun/2016:15:49:33 -0400] "POST /ipa/xml HTTP/1.1" > 401 1370 > > ==> krb5kdc.log <== > Jun 13 15:49:34 spider01o.iglass.net > > > krb5kdc[1963](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.177.2 > >: ISSUE: authtime > 1465847372, etypes {rep=18 > tkt=18 ses=18}, host/spider01a.iglass.net at IGLASS.NET > > > for > ldap/spider01o.iglass.net at IGLASS.NET > > > > > ==> /var/log/httpd/error_log <== > [Mon Jun 13 15:49:34 2016] [error] ipa: ERROR: > ipaserver.plugins.dogtag.ra.get_certificate(): EXCEPTION (Invalid > Credential.) > [Mon Jun 13 15:49:34 2016] [error] ipa: INFO: > host/spider01a.iglass.net at IGLASS.NET > > >: > cert_request(u'MIIDsTCCApkCAQAwNDETMBEGA1UEChMKSUdMQVNTLk5FVDEdMBsGA1UEAxMUc3BpZGVyMDFhLml...UVrN8lbKn17V5COjnj6k0mdbz3KptL0UI/l0BPlFBWGN5MFYaDx2F+y6LWv/aXeu2V4E6LA==', > principal=u'dogtagldap/spider01a.iglass.net at IGLASS.NET > > >', add=True): > CertificateOperationError > > ==> /var/log/httpd/access_log <== > 192.168.177.2 - - [13/Jun/2016:15:49:34 -0400] "POST > /ca/agent/ca/displayBySerial HTTP/1.1" 200 235 > 192.168.176.2 - host/spider01a.iglass.net at IGLASS.NET > > > [13/Jun/2016:15:49:33 -0400] > "POST /ipa/xml HTTP/1.1" 200 349 > > ==> /var/log/pki-ca/system <== > 2231.TP-Processor3 - [13/Jun/2016:15:49:34 EDT] [6] [3] Cannot > authenticate agent with certificate Serial 0x5ffc0008 Subject DN CN=IPA > RA,O=IGLASS.NET >. Error: User not found > > > I realize they expire at the end of the year, but I've had my > certificates expire before and would rather not go through that again. > Any idea on what's wrong or suggestions on where to look would be > appreciated. 
> > Thanks,
> > Marc

From saqib.n.ali at seagate.com Thu Jun 16 15:41:56 2016
From: saqib.n.ali at seagate.com (Saqib N Ali)
Date: Thu, 16 Jun 2016 08:41:56 -0700
Subject: [Freeipa-users] FreeIPA – AD Trust Integration Option
In-Reply-To: <20160616053145.e646p33mvjivyjab@redhat.com>
References: <20160616053145.e646p33mvjivyjab@redhat.com>
Message-ID:

Hi Alexander,

I understand that with Trust to AD, we can use AD for System of Records for the User Accounts.

We do want IPA to maintain the policies, but just want to use SunLDAP instead of 389 Directory Server for storing the policies. From an Enterprise Architecture point of view, 389 Directory Server would be Yet Another Directory Server in our environment. It seems overkill if we already have SunLDAP.

Thanks,
Saqib

On Wed, Jun 15, 2016 at 10:31 PM, Alexander Bokovoy wrote:
> On Wed, 15 Jun 2016, Saqib N Ali wrote:
>
>> Greetings,
>>
>> If we want to use the FreeIPA Active Directory Trust Integration Option,
>> can we use an existing implementation of SunLDAP to store the Policies
>> (e.g. sudo, hbac etc.)
>>
>> Essentially we don't want to create another LDAP Directory just for storing the
>> Policies.
>>
> FreeIPA cannot work with another LDAP Directory. It is an integrated
> solution that relies on the set of plugins in 389-ds directory, there
> are about a dozen specialized plugins that come with FreeIPA itself.
>
> Trust to Active Directory option is part of that setup and cannot be
> done against another LDAP directory because it also relies on the
> specific plugins to 389-ds that don't exist in your SunLDAP.
>
> If you deploy FreeIPA, you cannot have it 'just for storing the
> policies'. It will be used for all kinds of objects. With trust to
> Active Directory you may opt to not create native IPA users but then
> these wouldn't be coming from your SunLDAP directory either, AD users
> would be coming from AD.
> --
> / Alexander Bokovoy

From rcritten at redhat.com Thu Jun 16 16:08:27 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 16 Jun 2016 12:08:27 -0400
Subject: [Freeipa-users] FreeIPA – AD Trust Integration Option
In-Reply-To:
References: <20160616053145.e646p33mvjivyjab@redhat.com>
Message-ID: <5762CEFB.7030502@redhat.com>

Saqib N Ali wrote:
> Hi Alexander,
>
> I understand that with Trust to AD, we can use AD for System of Records
> for the User Accounts.
>
> We do want IPA to maintain the policies, but just want to use SunLDAP
> instead of 389 Directory Server for storing the policies. From an
> Enterprise Architecture point of view, 389 Directory Server would be Yet
> Another Directory Server in our environment. It seems overkill if we
> already have SunLDAP.

389-ds is an integral part of IPA, it isn't just a data sink.

rob

> Thanks,
> Saqib
>
> On Wed, Jun 15, 2016 at 10:31 PM, Alexander Bokovoy wrote:
>
> On Wed, 15 Jun 2016, Saqib N Ali wrote:
>
> Greetings,
>
> If we want to use the FreeIPA Active Directory Trust Integration
> Option,
> can we use an existing implementation of SunLDAP to store the
> Policies
> (e.g. sudo, hbac etc.)
>
> Essentially we don't want to create another LDAP Directory just for
> storing the
> Policies.
>
> FreeIPA cannot work with another LDAP Directory. It is an integrated
> solution that relies on the set of plugins in 389-ds directory, there
> are about a dozen specialized plugins that come with FreeIPA itself.
>
> Trust to Active Directory option is part of that setup and cannot be
> done against another LDAP directory because it also relies on the
> specific plugins to 389-ds that don't exist in your SunLDAP.
>
> If you deploy FreeIPA, you cannot have it 'just for storing the
> policies'. It will be used for all kinds of objects.
> With trust to
> Active Directory you may opt to not create native IPA users but then
> these wouldn't be coming from your SunLDAP directory either, AD users
> would be coming from AD.
>
> --
> / Alexander Bokovoy

From saqib.n.ali at seagate.com Thu Jun 16 16:15:32 2016
From: saqib.n.ali at seagate.com (Saqib N Ali)
Date: Thu, 16 Jun 2016 09:15:32 -0700
Subject: [Freeipa-users] FreeIPA – AD Trust Integration Option
In-Reply-To: <5762CEFB.7030502@redhat.com>
References: <20160616053145.e646p33mvjivyjab@redhat.com> <5762CEFB.7030502@redhat.com>
Message-ID:

Rob, is there an architecture document/diagram that describes how 389-ds fits into the FreeIPA w/ AD Trust setup?

On Thu, Jun 16, 2016 at 9:08 AM, Rob Crittenden wrote:
> Saqib N Ali wrote:
>
>> Hi Alexander,
>>
>> I understand that with Trust to AD, we can use AD for System of Records
>> for the User Accounts.
>>
>> We do want IPA to maintain the policies, but just want to use SunLDAP
>> instead of 389 Directory Server for storing the policies. From an
>> Enterprise Architecture point of view, 389 Directory Server would be Yet
>> Another Directory Server in our environment. It seems overkill if we
>> already have SunLDAP.
>>
>
> 389-ds is an integral part of IPA, it isn't just a data sink.
>
> rob
>
>> Thanks,
>> Saqib
>>
>> On Wed, Jun 15, 2016 at 10:31 PM, Alexander Bokovoy wrote:
>>
>> On Wed, 15 Jun 2016, Saqib N Ali wrote:
>>
>> Greetings,
>>
>> If we want to use the FreeIPA Active Directory Trust Integration
>> Option,
>> can we use an existing implementation of SunLDAP to store the
>> Policies
>> (e.g. sudo, hbac etc.)
>>
>> Essentially we don't want to create another LDAP Directory just for
>> storing the
>> Policies.
>>
>> FreeIPA cannot work with another LDAP Directory. It is an integrated
>> solution that relies on the set of plugins in 389-ds directory, there
>> are about a dozen specialized plugins that come with FreeIPA itself.
>> >> Trust to Active Directory option is part of that setup and cannot be >> done against another LDAP directory because it also relies on the >> specific plugins to 389-ds that don't exist in your SunLDAP. >> >> If you deploy FreeIPA, you cannot have it 'just for storing the >> policies'. It will be used for all kinds of objects. With trust to >> Active Directory you may opt to not create native IPA users but then >> these wouldn't be coming from your SunLDAP directory either, AD users >> would be coming from AD. >> >> >> -- >> / Alexander Bokovoy >> >> >> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Thu Jun 16 18:11:53 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 16 Jun 2016 14:11:53 -0400 Subject: [Freeipa-users] =?utf-8?q?FreeIPA_=E2=80=93_AD_Trust_Integration_?= =?utf-8?q?Option?= In-Reply-To: References: <20160616053145.e646p33mvjivyjab@redhat.com> <5762CEFB.7030502@redhat.com> Message-ID: <5762EBE9.8060102@redhat.com> Saqib N Ali wrote: > Rob, is there a architecture document/diagram that describes how 389-ds > in the FreeIPA w/ AD Trust setup? You'll find a number of pages on freeipa.org. rob > > On Thu, Jun 16, 2016 at 9:08 AM, Rob Crittenden > wrote: > > Saqib N Ali wrote: > > Hi Alexander, > > I understand that with Trust to AD, we can use AD for System of > Records > for the User Accounts. > > We do want IPA to maintain the policies, but just want to use > SunLDAP > instead of 389 Directory Server for storing the policies. From > Enterprise Architecture point of view, 389 Directory Server > would be Yet > Another Directory Server in our environment. It seems an > overkill if we > already have SunLDAP. > > > 389-ds is an integral part of IPA, it isn't just a data sink. 
>
> rob
>
> Thanks,
> Saqib
>
> On Wed, Jun 15, 2016 at 10:31 PM, Alexander Bokovoy wrote:
>
> On Wed, 15 Jun 2016, Saqib N Ali wrote:
>
> Greetings,
>
> If we want to use the FreeIPA Active Directory Trust
> Integration
> Option,
> can we use an existing implementation of SunLDAP to
> store the
> Policies
> (e.g. sudo, hbac etc.)
>
> Essentially we don't want to create another LDAP Directory
> just for
> storing the
> Policies.
>
> FreeIPA cannot work with another LDAP Directory. It is an
> integrated
> solution that relies on the set of plugins in 389-ds
> directory, there
> are about a dozen specialized plugins that come with FreeIPA
> itself.
>
> Trust to Active Directory option is part of that setup and
> cannot be
> done against another LDAP directory because it also relies
> on the
> specific plugins to 389-ds that don't exist in your SunLDAP.
>
> If you deploy FreeIPA, you cannot have it 'just for storing the
> policies'. It will be used for all kinds of objects. With
> trust to
> Active Directory you may opt to not create native IPA users
> but then
> these wouldn't be coming from your SunLDAP directory
> either, AD users
> would be coming from AD.
>
> --
> / Alexander Bokovoy

From DFischer at PetSmart.com Thu Jun 16 18:41:30 2016
From: DFischer at PetSmart.com (David Fischer)
Date: Thu, 16 Jun 2016 11:41:30 -0700
Subject: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users
In-Reply-To: <20160615065236.emmia6tf22jkxigy@redhat.com>
References: <1465842048.20989.37.camel@petsmart.com> <20160613190729.evh3ykgmz7yvgiom@redhat.com> <264C67C6145722439414DB6176F5A6E147594CE714@EXMBX02.ssg.petsmart.com> <20160614200247.oaw5bn6zag7xvlko@redhat.com> <264C67C6145722439414DB6176F5A6E147594CE718@EXMBX02.ssg.petsmart.com> <20160615065236.emmia6tf22jkxigy@redhat.com>
Message-ID: <1466102490.20989.123.camel@petsmart.com>

Alexander,

Ok I figured most of my issues were ldap search time out and also ldap_idmap_range_size was too small.
So I am left with one last problem: any new users can log in via password but existing users' passwords do not work, but Kerberos tickets do. So is there another setting I am missing? getent and id -a both work fine and there are no HBAC.

Any thoughts would be helpful.

Thanks

-----Original Message-----
From: Alexander Bokovoy
To: David Fischer
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users
Date: Tue, 14 Jun 2016 23:52:36 -0700

On Tue, 14 Jun 2016, David Fischer wrote:

Alexander,

I am getting the windows admin to refresh our DR AD setup and I should be able to give you an idea on some of our group layouts. So a quick understanding is that a single user can have 15-20+ groups; those groups might have all users in them plus groups. The groups of groups can link back to groups that the user may have already been assigned. We do know that we have at least one circular group in our environment. I have used the 'ignore_group_members' with some success.

Ref: https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/

That article is what Jakub and I wrote. Jakub may have more suggestions and there are some improvements in recent SSSD releases in RHEL 7.2.4.

________________________________
#####################################################################################
The information contained in this electronic mail message, including attachments, if any, is PetSmart confidential information. It is intended only for the use of the person(s) named above. If the reader of this message is not the intended recipient, or has received this message in error, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited.
If you are not the intended recipient or have received this message in error, please notify the sender via e-mail and promptly delete the original message.
#####################################################################################

From lslebodn at redhat.com Thu Jun 16 19:51:59 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Thu, 16 Jun 2016 21:51:59 +0200
Subject: [Freeipa-users] ipa-ods-exporter failed ?
In-Reply-To: <3253760.hiacI6SPC6@techz>
References: <3253760.hiacI6SPC6@techz>
Message-ID: <20160616195158.GH24826@10.4.128.1>

On (16/06/16 11:54), Günther J. Niederwimmer wrote:
>Hello
>
>on my system the ods-exporter, I mean, has a problem.
>
>I have this in the logs
>CentOS 7.(2) ipa 4.3.1
>
>Jun 16 11:37:25 ipa systemd: ipa-ods-exporter.service holdoff time over,
>scheduling restart.
>Jun 16 11:37:25 ipa systemd: Started IPA OpenDNSSEC Signer replacement.
>Jun 16 11:37:25 ipa systemd: Starting IPA OpenDNSSEC Signer replacement...
>Jun 16 11:37:25 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers
>not running
>Jun 16 11:37:26 ipa python2: GSSAPI Error: Unspecified GSS failure.
Minor code >may provide more information (Ticket expired) >Jun 16 11:37:26 ipa ipa-ods-exporter: Traceback (most recent call last): >Jun 16 11:37:26 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods- >exporter", line 656, in >Jun 16 11:37:26 ipa ipa-ods-exporter: ldap.gssapi_bind() >Jun 16 11:37:26 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ >ipapython/ipaldap.py", line 1085, in gssapi_bind >Jun 16 11:37:26 ipa ipa-ods-exporter: '', auth_tokens, server_controls, >client_controls) >Jun 16 11:37:26 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/ >contextlib.py", line 35, in __exit__ >Jun 16 11:37:26 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback) >Jun 16 11:37:26 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ >ipapython/ipaldap.py", line 992, in error_handler >Jun 16 11:37:26 ipa ipa-ods-exporter: raise errors.ACIError(info=info) >Jun 16 11:37:26 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient >access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. >Minor code may provide more information (Ticket expired) >Jun 16 11:37:26 ipa systemd: ipa-ods-exporter.service: main process exited, >code=exited, status=1/FAILURE >Jun 16 11:37:26 ipa systemd: Unit ipa-ods-exporter.service entered failed >state. >Jun 16 11:37:26 ipa systemd: ipa-ods-exporter.service failed. >Jun 16 11:38:26 ipa systemd: ipa-ods-exporter.service holdoff time over, >scheduling restart. >Jun 16 11:38:26 ipa systemd: Started IPA OpenDNSSEC Signer replacement. >Jun 16 11:38:26 ipa systemd: Starting IPA OpenDNSSEC Signer replacement... >Jun 16 11:38:27 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers >not running >Jun 16 11:38:28 ipa python2: GSSAPI Error: Unspecified GSS failure. 
>Minor code
>may provide more information (Ticket expired)
>Jun 16 11:38:28 ipa ipa-ods-exporter: Traceback (most recent call last):
>Jun 16 11:38:28 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-
>exporter", line 656, in
>Jun 16 11:38:28 ipa ipa-ods-exporter: ldap.gssapi_bind()
>Jun 16 11:38:28 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/
>ipapython/ipaldap.py", line 1085, in gssapi_bind
>Jun 16 11:38:28 ipa ipa-ods-exporter: '', auth_tokens, server_controls,
>client_controls)
>Jun 16 11:38:28 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/
>contextlib.py", line 35, in __exit__
>Jun 16 11:38:28 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback)
>Jun 16 11:38:28 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/
>ipapython/ipaldap.py", line 992, in error_handler
>Jun 16 11:38:28 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
>Jun 16 11:38:28 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient
>access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
>Minor code may provide more information (Ticket expired)
                                          ^^^^^^^^^^^^^^
This seems to be the reason why it failed.
But I can't help you more.

LS

From rcritten at redhat.com Thu Jun 16 19:54:34 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 16 Jun 2016 15:54:34 -0400
Subject: [Freeipa-users] CentOS 7, FreeIPA 4.2: slapd crashes soon after launch
In-Reply-To:
References:
Message-ID: <576303FA.3020303@redhat.com>

Dan.Finkelstein at high5games.com wrote:
> Our FreeIPA master was working fine for about a day and then, apropos of
> nothing, the LDAP component started to crash with nary an error message.
> Obviously, with it down we can neither log into the WebUI nor query the
> status of the components or retrieve data.
> > In /var/log/dirsrv/slapd-EXAMPLE-COM/errors we see: > > [15/Jun/2016:18:50:28 -0400] NSMMReplicationPlugin - > agmt="cn=meToipa-replica.example.com" (ipa-replica:389): Replication > bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) > (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) > > [15/Jun/2016:18:50:28 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > GSS failure. Minor code may provide more information (No Kerberos > credentials available)) errno 2 (No such file or directory) > > [15/Jun/2016:18:50:28 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] authentication mechanism [GSSAPI]: error -2 > (Local error) > > [15/Jun/2016:18:50:28 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > GSS failure. Minor code may provide more information (No Kerberos > credentials available)) errno 0 (Success) > > [15/Jun/2016:18:50:28 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] authentication mechanism [GSSAPI]: error -2 > (Local error) > > [15/Jun/2016:18:50:28 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > GSS failure. 
Minor code may provide more information (No Kerberos > credentials available)) errno 0 (Success) > > [15/Jun/2016:18:50:28 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] authentication mechanism [GSSAPI]: error -2 > (Local error) > > [15/Jun/2016:18:50:30 -0400] schema-compat-plugin - warning: no entries > set up under cn=computers, cn=compat,dc=h5c,dc=local > > [15/Jun/2016:18:50:30 -0400] schema-compat-plugin - Finished plugin > initialization. > > [15/Jun/2016:18:50:34 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI > Failure: gss_accept_sec_context) errno 0 (Success) > > [15/Jun/2016:18:50:34 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] authentication mechanism [GSSAPI]: error 49 > (Invalid credentials) > > It appears not to have been replicating for at least a day with our 4 > other replicas, none of which have the data we'd entered into this master. > > Is there a way we can bring ldap back to life? What makes you think it is crashed other than these messages? What does `ipactl status` show? rob From erik at infochimps.com Thu Jun 16 21:53:22 2016 From: erik at infochimps.com (Erik Mackdanz) Date: Thu, 16 Jun 2016 16:53:22 -0500 Subject: [Freeipa-users] LDAPS for AD trust? Message-ID: Hello, Is it possible to force LDAPS instead of LDAP when connecting to the client's AD domain in a trust situation? I'm sure that the _ldaps SRV must be added to AD (AD doesn't have one by default). It's not clear, though, whether I can make SSSD request the _ldaps SRV record. I tried setting 'ldap_dns_service_name=ldaps' in sssd.conf but tcpdump shows only _ldap SRV record requests still. I think that option affects only the IPA server connection not AD. 
Thanks in advance,
Erik

From jhrozek at redhat.com Fri Jun 17 05:49:33 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 17 Jun 2016 07:49:33 +0200
Subject: [Freeipa-users] LDAPS for AD trust?
In-Reply-To:
References:
Message-ID: <20160617054933.GP3591@hendrix>

On Thu, Jun 16, 2016 at 04:53:22PM -0500, Erik Mackdanz wrote:
> Hello,
>
> Is it possible to force LDAPS instead of LDAP when connecting to the
> client's AD domain in a trust situation?
>
> I'm sure that the _ldaps SRV must be added to AD (AD doesn't have one
> by default).
>
> It's not clear, though, whether I can make SSSD request the _ldaps SRV
> record. I tried setting 'ldap_dns_service_name=ldaps' in sssd.conf
> but tcpdump shows only _ldap SRV record requests still. I think that
> option affects only the IPA server connection not AD.

No, but more importantly there is no need to, the connection is already secured with GSSAPI.

(Also, the clients don't connect to the AD DCs for identity data, but request the data from the IPA masters which go to the DCs, only authentication goes directly to AD KDCs)

From pspacek at redhat.com Fri Jun 17 05:51:45 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 17 Jun 2016 07:51:45 +0200
Subject: [Freeipa-users] ipa-ods-exporter failed ?
In-Reply-To: <20160616195158.GH24826@10.4.128.1>
References: <3253760.hiacI6SPC6@techz> <20160616195158.GH24826@10.4.128.1>
Message-ID: <7452d47c-18bc-90c2-a9b5-bb1611f809b7@redhat.com>

On 16.6.2016 21:51, Lukas Slebodnik wrote:
> On (16/06/16 11:54), Günther J. Niederwimmer wrote:
>> Hello
>>
>> on my system the ods-exporter, I mean, has a problem.
>>
>> I have this in the logs
>> CentOS 7.(2) ipa 4.3.1
>>
>> Jun 16 11:37:25 ipa systemd: ipa-ods-exporter.service holdoff time over,
>> scheduling restart.
>> Jun 16 11:37:25 ipa systemd: Started IPA OpenDNSSEC Signer replacement.
>> Jun 16 11:37:25 ipa systemd: Starting IPA OpenDNSSEC Signer replacement...
>> Jun 16 11:37:25 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers >> not running >> Jun 16 11:37:26 ipa python2: GSSAPI Error: Unspecified GSS failure. Minor code >> may provide more information (Ticket expired) >> Jun 16 11:37:26 ipa ipa-ods-exporter: Traceback (most recent call last): >> Jun 16 11:37:26 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods- >> exporter", line 656, in >> Jun 16 11:37:26 ipa ipa-ods-exporter: ldap.gssapi_bind() >> Jun 16 11:37:26 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ >> ipapython/ipaldap.py", line 1085, in gssapi_bind >> Jun 16 11:37:26 ipa ipa-ods-exporter: '', auth_tokens, server_controls, >> client_controls) >> Jun 16 11:37:26 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/ >> contextlib.py", line 35, in __exit__ >> Jun 16 11:37:26 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback) >> Jun 16 11:37:26 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ >> ipapython/ipaldap.py", line 992, in error_handler >> Jun 16 11:37:26 ipa ipa-ods-exporter: raise errors.ACIError(info=info) >> Jun 16 11:37:26 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient >> access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. >> Minor code may provide more information (Ticket expired) >> Jun 16 11:37:26 ipa systemd: ipa-ods-exporter.service: main process exited, >> code=exited, status=1/FAILURE >> Jun 16 11:37:26 ipa systemd: Unit ipa-ods-exporter.service entered failed >> state. >> Jun 16 11:37:26 ipa systemd: ipa-ods-exporter.service failed. >> Jun 16 11:38:26 ipa systemd: ipa-ods-exporter.service holdoff time over, >> scheduling restart. >> Jun 16 11:38:26 ipa systemd: Started IPA OpenDNSSEC Signer replacement. >> Jun 16 11:38:26 ipa systemd: Starting IPA OpenDNSSEC Signer replacement... >> Jun 16 11:38:27 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers >> not running >> Jun 16 11:38:28 ipa python2: GSSAPI Error: Unspecified GSS failure. 
Minor code >> may provide more information (Ticket expired) >> Jun 16 11:38:28 ipa ipa-ods-exporter: Traceback (most recent call last): >> Jun 16 11:38:28 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods- >> exporter", line 656, in >> Jun 16 11:38:28 ipa ipa-ods-exporter: ldap.gssapi_bind() >> Jun 16 11:38:28 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ >> ipapython/ipaldap.py", line 1085, in gssapi_bind >> Jun 16 11:38:28 ipa ipa-ods-exporter: '', auth_tokens, server_controls, >> client_controls) >> Jun 16 11:38:28 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/ >> contextlib.py", line 35, in __exit__ >> Jun 16 11:38:28 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback) >> Jun 16 11:38:28 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ >> ipapython/ipaldap.py", line 992, in error_handler >> Jun 16 11:38:28 ipa ipa-ods-exporter: raise errors.ACIError(info=info) >> Jun 16 11:38:28 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient >> access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. >> Minor code may provide more information (Ticket expired) > ^^^^^^^^^^^^^^ > Here seems to be a reason why it failed. > But I can't help you more. Lukas is right. Interesting, this should never happen :-) Please enable debugging using procedure http://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data and check logs after next ipa-ods-exporter restart. Thank you! -- Petr^2 Spacek From tomek at pipebreaker.pl Fri Jun 17 08:14:00 2016 From: tomek at pipebreaker.pl (Tomasz Torcz) Date: Fri, 17 Jun 2016 10:14:00 +0200 Subject: [Freeipa-users] Multiple issues (weblogin, DNS) with 4.3.1 @ Fedora 24 In-Reply-To: References: <20160527122848.GA333519@mother.pipebreaker.pl> Message-ID: <20160617081359.GA1438728@mother.pipebreaker.pl> On Mon, May 30, 2016 at 01:45:40PM +0200, Petr Spacek wrote: > Fedora 24 is broken at the moment so there is nothing you can do before it is > fixed & released. 
>
> Sorry.

Petr, could you be more specific about what is broken? We just signed F24 to be released in its current state.

There were no FreeIPA builds for Fedora since March this year, and I'm a little afraid about this.

--
Tomasz Torcz                "Funeral in the morning, IDE hacking
xmpp: zdzichubg at chrome.pl   in the afternoon and evening." - Alan Cox

From pvoborni at redhat.com Fri Jun 17 09:32:22 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 17 Jun 2016 11:32:22 +0200
Subject: [Freeipa-users] Multiple issues (weblogin, DNS) with 4.3.1
In-Reply-To: <20160527122848.GA333519@mother.pipebreaker.pl>
References: <20160527122848.GA333519@mother.pipebreaker.pl>
Message-ID: <5763C3A6.3050802@redhat.com>

On 27.5.2016 14:28, Tomasz Torcz wrote:
> Hi,
>
> In my home environment I'm using two-server FreeIPA configuration on Fedora.
> Initially installed on fedora 19 in November 2013, it has been upgraded every
> Fedora release. It generally works OK, but somewhat degrades during operation.
> Recently I've jumped to F24 in hope my problems will be resolved, but they weren't.
> Thus this email and plea for assistance.
>
> In the meantime there was a problem with expired certificates, but it was solved
> with the help of rcrit on IRC.
>
> I'm using freeipa-server-4.3.1-1.fc24.x86_64. One of the servers is called
> kaitain.pipebreaker.pl, the other okda.pipebreaker.pl.
>
> Currently I encounter the following main problems:
> 1) named is not servicing all the records from LDAP
> 2) can't login to WebUI on kaitain.pipebreaker.pl
> 3) can't login to WebUI on okda.pipebreaker.pl
> 4) pycparser.lextab/lextab.py/yacctab.py permission errors
>
> More details:
> -----
> ad 1) named problems
> Recently I've added a new AAAA host entry to my zone (.pipebreaker.pl).
> It is
> visible in CLI, but named doesn't resolve it:
>
> $ ipa dnsrecord-find pipebreaker.pl microstation
>   Record name: microstation
>   AAAA record: 2001:6a0:200:d1::2
> ----------------------------
> Number of entries returned 1
> ----------------------------
>
> $ host microstation ; host microstation.pipebreaker.pl
> Host microstation not found: 3(NXDOMAIN)
> Host microstation.pipebreaker.pl not found: 3(NXDOMAIN)
>
> Entries added previously resolve fine. I see no errors reported
> in named-pkcs11.service logs.
>
> -----
>
> ad 2) can't login to webui at kaitain
> When I open a WebUI while having valid ticket, I'm shown my user page,
> i.e. https://kaitain.pipebreaker.pl/ipa/ui/#/e/user/details/zdzichu is opened.
> But when I logout from WebUI and try to login as admin, I receive:
>
> The password or username you entered is incorrect.
>
> The password is certainly correct, I can use it for 'kinit admin' successfully.
> /var/log/httpd/error log contains:
>
> [Fri May 27 14:17:37.104341 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28] mod_wsgi (pid=1882): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
> [Fri May 27 14:17:37.106932 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28] Traceback (most recent call last):
> [Fri May 27 14:17:37.106985 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]   File "/usr/share/ipa/wsgi.py", line 63, in application
> [Fri May 27 14:17:37.107436 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]     return api.Backend.wsgi_dispatch(environ, start_response)
> [Fri May 27 14:17:37.107461 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 261, in __call__
> [Fri May 27 14:17:37.107769 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]     return self.route(environ, start_response)
> [Fri May 27 14:17:37.107786 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 273, in route
> [Fri May 27 14:17:37.107808 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]     return app(environ, start_response)
> [Fri May 27 14:17:37.107829 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 943, in __call__
> [Fri May 27 14:17:37.107848 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]     self.kinit(user, self.api.env.realm, password, ipa_ccache_name)
> [Fri May 27 14:17:37.107887 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 965, in kinit
> [Fri May 27 14:17:37.107918 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28]     raise CCacheError(message=unicode(e))
> [Fri May 27 14:17:37.136615 2016] [wsgi:error] [pid 1882] [remote 2001:470:71:68d:216:eaff:fec2:68b4:28] CCacheError: Major (851968): Unspecified GSS
> failure. Minor code may provide more information, Minor (2529639107): No credentials cache found
>
> What cache is it talking about? How can I refresh it?
>

Switch IPA framework to debug mode as described below. It should show more information.

> -----
>
>
> ad 3) cannot login to webui on okda
>
> When I go to https://okda.pipebreaker.pl/ipa/ui/ (the other server), I see the "Loading..." screen
> for a couple of seconds, and afterwards a "Gateway timeout" message. Everything
> seems to be running on this server:
>
> root@okda ~$ ipactl status
> WARNING: yacc table file version is out of date
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
> There are no logs generated in httpd's error_log during login.
> There are some problems in system log:
> May 27 14:25:48 okda.pipebreaker.pl server[2364]: May 27, 2016 2:25:48 PM org.apache.catalina.core.ContainerBase backgroundProcess
> May 27 14:25:48 okda.pipebreaker.pl server[2364]: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@5ad7c518 background process
> May 27 14:25:48 okda.pipebreaker.pl server[2364]: java.lang.NullPointerException
> May 27 14:25:48 okda.pipebreaker.pl server[2364]:         at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:109)
> May 27 14:25:48 okda.pipebreaker.pl server[2364]:         at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1127)
> May 27 14:25:48 okda.pipebreaker.pl server[2364]:         at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5642)
> May 27 14:25:48 okda.pipebreaker.pl server[2364]:         at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1377)
> May 27 14:25:48
> okda.pipebreaker.pl server[2364]:         at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1381)
> May 27 14:25:48 okda.pipebreaker.pl server[2364]:         at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1381)
> May 27 14:25:48 okda.pipebreaker.pl server[2364]:         at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1349)
> May 27 14:25:48 okda.pipebreaker.pl server[2364]:         at java.lang.Thread.run(Thread.java:745)
>
> as you can see, those logs do not contain any clue what is wrong.

Httpd error_log should at least show which operation encountered the Gateway timeout. If not, then put IPA framework into debug mode:
http://www.freeipa.org/page/Troubleshooting#Administration_Framework

Gateway timeout - some operation takes more than 30s, will be removed in 4.4 - https://fedorahosted.org/freeipa/ticket/5833. But still it won't make the operation quicker.

>
> -----
>
> ad 4) pycparser.lextab/lextab.py/yacctab.py permission errors
> I observe the following errors in dnskeysyncd logs:
>
> May 27 14:08:29 kaitain.pipebreaker.pl ipa-dnskeysyncd[22469]: WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] Permission denied: 'lextab.py'
> May 27 14:08:29 kaitain.pipebreaker.pl ipa-dnskeysyncd[22469]: WARNING: yacc table file version is out of date
> May 27 14:08:29 kaitain.pipebreaker.pl ipa-dnskeysyncd[22469]: WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission denied: 'yacctab.py'
>
> Also (related?) error during 'ipactl' invocations:
> $ ipactl status
> WARNING: yacc table file version is out of date
>

These were seen before, it is not known if it affects IPA functionality.
https://bugzilla.redhat.com/show_bug.cgi?id=1336913

> Warnings appear even after switching SELinux to permissive.
>
>
> Please help me with resolving those problems. What logs should I provide?
> I see no similar issues described at http://www.freeipa.org/page/Troubleshooting
>

-- 
Petr Vobornik

From gjn at gjn.priv.at Fri Jun 17 10:54:21 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Fri, 17 Jun 2016 12:54:21 +0200
Subject: [Freeipa-users] ipa-ods-exporter failed ?
In-Reply-To: <7452d47c-18bc-90c2-a9b5-bb1611f809b7@redhat.com>
References: <3253760.hiacI6SPC6@techz> <20160616195158.GH24826@10.4.128.1> <7452d47c-18bc-90c2-a9b5-bb1611f809b7@redhat.com>
Message-ID: <2168657.PSfZIzaTQU@techz>

Hello List,

On Friday, 17 June 2016, 07:51:45 CEST, Petr Spacek wrote:
> On 16.6.2016 21:51, Lukas Slebodnik wrote:
> > On (16/06/16 11:54), Günther J. Niederwimmer wrote:
> >> Hello
> >>
> >> on my system the ods-exporter I mean has a problem.
> >>
> >> I have this in the logs
> >> CentOS 7.(2) ipa 4.3.1
> >>
> >> Jun 16 11:38:28 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
> >> Jun 16 11:38:28 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
> >>
> > ^^^^^^^^^^^^^^
> >
> > Here seems to be a reason why it failed.
> > But I can't help you more.
>
> Lukas is right. Interesting, this should never happen :-)

this I have also found ;-)

> Please enable debugging using procedure
> http://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data
> and check logs after next ipa-ods-exporter restart.
> Thank you!

OK, I attach the messages log.

I mean this is a problem with my DNS?

-- 
With kind regards / best regards,

Günther J. Niederwimmer
-------------- next part --------------
Jun 17 12:00:01 ipa systemd: Created slice user-0.slice.
Jun 17 12:00:01 ipa systemd: Starting user-0.slice.
Jun 17 12:00:01 ipa systemd: Started Session 324 of user root.
Jun 17 12:00:01 ipa systemd: Starting Session 324 of user root.
Jun 17 12:00:01 ipa systemd: Removed slice user-0.slice.
Jun 17 12:00:01 ipa systemd: Stopping user-0.slice.
Jun 17 12:00:29 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart.
Jun 17 12:00:29 ipa systemd: Started IPA OpenDNSSEC Signer replacement.
Jun 17 12:00:29 ipa systemd: Starting IPA OpenDNSSEC Signer replacement...
Jun 17 12:00:30 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running
Jun 17 12:00:31 ipa python2: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 17 12:00:31 ipa ipa-ods-exporter: Traceback (most recent call last):
Jun 17 12:00:31 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in
Jun 17 12:00:31 ipa ipa-ods-exporter: ldap.gssapi_bind()
Jun 17 12:00:31 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind
Jun 17 12:00:31 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls)
Jun 17 12:00:31 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
Jun 17 12:00:31 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback)
Jun 17 12:00:31 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler
Jun 17 12:00:31 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
Jun 17 12:00:31 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 17 12:00:31 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE
Jun 17 12:00:31 ipa systemd: Unit ipa-ods-exporter.service entered failed state.
Jun 17 12:00:31 ipa systemd: ipa-ods-exporter.service failed.
Jun 17 12:01:01 ipa systemd: Created slice user-0.slice.
Jun 17 12:01:01 ipa systemd: Starting user-0.slice.
Jun 17 12:01:01 ipa systemd: Started Session 325 of user root.
Jun 17 12:01:01 ipa systemd: Starting Session 325 of user root.
Jun 17 12:01:31 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart.
Jun 17 12:01:31 ipa systemd: Started IPA OpenDNSSEC Signer replacement.
Jun 17 12:01:31 ipa systemd: Starting IPA OpenDNSSEC Signer replacement...
Jun 17 12:01:31 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running
Jun 17 12:01:32 ipa python2: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 17 12:01:32 ipa ipa-ods-exporter: Traceback (most recent call last):
Jun 17 12:01:32 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in
Jun 17 12:01:32 ipa ipa-ods-exporter: ldap.gssapi_bind()
Jun 17 12:01:32 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind
Jun 17 12:01:32 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls)
Jun 17 12:01:32 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
Jun 17 12:01:32 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback)
Jun 17 12:01:32 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler
Jun 17 12:01:32 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
Jun 17 12:01:32 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 17 12:01:32 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE
Jun 17 12:01:32 ipa systemd: Unit ipa-ods-exporter.service entered failed state.
Jun 17 12:01:32 ipa systemd: ipa-ods-exporter.service failed.
Jun 17 12:02:32 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart.
Jun 17 12:02:32 ipa systemd: Started IPA OpenDNSSEC Signer replacement.
Jun 17 12:02:32 ipa systemd: Starting IPA OpenDNSSEC Signer replacement...
Jun 17 12:02:33 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running
Jun 17 12:02:34 ipa python2: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 17 12:02:34 ipa ipa-ods-exporter: Traceback (most recent call last):
Jun 17 12:02:34 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in
Jun 17 12:02:34 ipa ipa-ods-exporter: ldap.gssapi_bind()
Jun 17 12:02:34 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind
Jun 17 12:02:34 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls)
Jun 17 12:02:34 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
Jun 17 12:02:34 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback)
Jun 17 12:02:34 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler
Jun 17 12:02:34 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
Jun 17 12:02:34 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 17 12:02:34 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE
Jun 17 12:02:34 ipa systemd: Unit ipa-ods-exporter.service entered failed state.
Jun 17 12:02:34 ipa systemd: ipa-ods-exporter.service failed.
Jun 17 12:03:34 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart.
Jun 17 12:03:34 ipa systemd: Started IPA OpenDNSSEC Signer replacement.
Jun 17 12:03:34 ipa systemd: Starting IPA OpenDNSSEC Signer replacement...
Jun 17 12:03:34 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running
Jun 17 12:03:35 ipa python2: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 17 12:03:35 ipa ipa-ods-exporter: Traceback (most recent call last):
Jun 17 12:03:35 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in
Jun 17 12:03:35 ipa ipa-ods-exporter: ldap.gssapi_bind()
Jun 17 12:03:35 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind
Jun 17 12:03:35 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls)
Jun 17 12:03:35 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
Jun 17 12:03:35 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback)
Jun 17 12:03:35 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler
Jun 17 12:03:35 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
Jun 17 12:03:35 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 17 12:03:35 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE
Jun 17 12:03:35 ipa systemd: Unit ipa-ods-exporter.service entered failed state.
Jun 17 12:03:35 ipa systemd: ipa-ods-exporter.service failed.
Jun 17 12:03:59 ipa kernel: freeipa-ldapIN=ens11 OUT= MAC=52:54:00:ce:9d:da:52:54:00:b9:6d:73:86:dd SRC=2001:0470:006f:08f1:0000:0000:0000:0214 DST=2001:0470:006f:08f1:0000:0000:0000:0204 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=50054 DPT=389 WINDOW=28800 RES=0x00 SYN URGP=0
Jun 17 12:04:35 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart.
Jun 17 12:04:35 ipa systemd: Started IPA OpenDNSSEC Signer replacement.
Jun 17 12:04:35 ipa systemd: Starting IPA OpenDNSSEC Signer replacement...
Jun 17 12:04:36 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running
Jun 17 12:04:37 ipa python2: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 17 12:04:37 ipa ipa-ods-exporter: Traceback (most recent call last):
Jun 17 12:04:37 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in
Jun 17 12:04:37 ipa ipa-ods-exporter: ldap.gssapi_bind()
Jun 17 12:04:37 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind
Jun 17 12:04:37 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls)
Jun 17 12:04:37 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
Jun 17 12:04:37 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback)
Jun 17 12:04:37 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler
Jun 17 12:04:37 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
Jun 17 12:04:37 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 17 12:04:37 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE
Jun 17 12:04:37 ipa systemd: Unit ipa-ods-exporter.service entered failed state.
Jun 17 12:04:37 ipa systemd: ipa-ods-exporter.service failed.
Jun 17 12:05:37 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart.
Jun 17 12:05:37 ipa systemd: Started IPA OpenDNSSEC Signer replacement.
Jun 17 12:05:37 ipa systemd: Starting IPA OpenDNSSEC Signer replacement...
Jun 17 12:05:37 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running
Jun 17 12:05:38 ipa python2: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Ticket expired)
Jun 17 12:05:38 ipa ipa-ods-exporter: Traceback (most recent call last):
Jun 17 12:05:38 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in
Jun 17 12:05:38 ipa ipa-ods-exporter: ldap.gssapi_bind()
Jun 17 12:05:38 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind
Jun 17 12:05:38 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls)
Jun 17 12:05:38 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
Jun 17 12:05:38 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback)
Jun 17 12:05:38 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler
Jun 17 12:05:38 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
Jun 17 12:05:38 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 17 12:05:38 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE
Jun 17 12:05:38 ipa systemd: Unit ipa-ods-exporter.service entered failed state.
Jun 17 12:05:38 ipa systemd: ipa-ods-exporter.service failed.
Jun 17 12:06:38 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart.
Jun 17 12:06:38 ipa systemd: Started IPA OpenDNSSEC Signer replacement.
Jun 17 12:06:38 ipa systemd: Starting IPA OpenDNSSEC Signer replacement...
Jun 17 12:06:39 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running
Jun 17 12:06:40 ipa python2: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Ticket expired)
Jun 17 12:06:40 ipa ipa-ods-exporter: Traceback (most recent call last):
Jun 17 12:06:40 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in
Jun 17 12:06:40 ipa ipa-ods-exporter: ldap.gssapi_bind()
Jun 17 12:06:40 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind
Jun 17 12:06:40 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls)
Jun 17 12:06:40 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
Jun 17 12:06:40 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback)
Jun 17 12:06:40 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler
Jun 17 12:06:40 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
Jun 17 12:06:40 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 17 12:06:40 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE
Jun 17 12:06:40 ipa systemd: Unit ipa-ods-exporter.service entered failed state.
Jun 17 12:06:40 ipa systemd: ipa-ods-exporter.service failed.
Jun 17 12:07:40 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart.
Jun 17 12:07:40 ipa systemd: Started IPA OpenDNSSEC Signer replacement.
Jun 17 12:07:40 ipa systemd: Starting IPA OpenDNSSEC Signer replacement...
Jun 17 12:07:40 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running
Jun 17 12:07:41 ipa python2: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Ticket expired)
Jun 17 12:07:41 ipa ipa-ods-exporter: Traceback (most recent call last):
Jun 17 12:07:41 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in
Jun 17 12:07:41 ipa ipa-ods-exporter: ldap.gssapi_bind()
Jun 17 12:07:41 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind
Jun 17 12:07:41 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls)
Jun 17 12:07:41 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
Jun 17 12:07:41 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback)
Jun 17 12:07:41 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler
Jun 17 12:07:41 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
Jun 17 12:07:41 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 17 12:07:41 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE
Jun 17 12:07:41 ipa systemd: Unit ipa-ods-exporter.service entered failed state.
Jun 17 12:07:41 ipa systemd: ipa-ods-exporter.service failed.
Jun 17 12:08:41 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart.
Jun 17 12:08:41 ipa systemd: Started IPA OpenDNSSEC Signer replacement.
Jun 17 12:08:41 ipa systemd: Starting IPA OpenDNSSEC Signer replacement...
Jun 17 12:08:42 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running
Jun 17 12:08:43 ipa python2: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Ticket expired)
Jun 17 12:08:43 ipa ipa-ods-exporter: Traceback (most recent call last):
Jun 17 12:08:43 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in
Jun 17 12:08:43 ipa ipa-ods-exporter: ldap.gssapi_bind()
Jun 17 12:08:43 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind
Jun 17 12:08:43 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls)
Jun 17 12:08:43 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
Jun 17 12:08:43 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback)
Jun 17 12:08:43 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler
Jun 17 12:08:43 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
Jun 17 12:08:43 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 17 12:08:43 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE
Jun 17 12:08:43 ipa systemd: Unit ipa-ods-exporter.service entered failed state.
Jun 17 12:08:43 ipa systemd: ipa-ods-exporter.service failed.
Jun 17 12:09:02 ipa kernel: freeipa-ldapIN=ens11 OUT= MAC=52:54:00:ce:9d:da:52:54:00:b9:6d:73:86:dd SRC=2001:0470:006f:08f1:0000:0000:0000:0214 DST=2001:0470:006f:08f1:0000:0000:0000:0204 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=50059 DPT=389 WINDOW=28800 RES=0x00 SYN URGP=0
Jun 17 12:09:43 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart.
Jun 17 12:09:43 ipa systemd: Started IPA OpenDNSSEC Signer replacement.
Jun 17 12:09:43 ipa systemd: Starting IPA OpenDNSSEC Signer replacement...
Jun 17 12:09:43 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running
Jun 17 12:09:44 ipa python2: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 17 12:09:44 ipa ipa-ods-exporter: Traceback (most recent call last):
Jun 17 12:09:44 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in
Jun 17 12:09:44 ipa ipa-ods-exporter: ldap.gssapi_bind()
Jun 17 12:09:44 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind
Jun 17 12:09:44 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls)
Jun 17 12:09:44 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
Jun 17 12:09:44 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback)
Jun 17 12:09:44 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler
Jun 17 12:09:44 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
Jun 17 12:09:44 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 17 12:09:44 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE
Jun 17 12:09:44 ipa systemd: Unit ipa-ods-exporter.service entered failed state.
Jun 17 12:09:44 ipa systemd: ipa-ods-exporter.service failed.
Jun 17 12:10:01 ipa systemd: Started Session 326 of user root.
Jun 17 12:10:01 ipa systemd: Starting Session 326 of user root.
Jun 17 12:10:42 ipa kernel: freeipa-ldapIN=ens10 OUT= MAC=52:54:00:90:fc:c3:0c:c4:7a:71:1c:7a:08:00 SRC=89.26.108.1 DST=89.26.108.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43079 DF PROTO=TCP SPT=44592 DPT=389 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 17 12:10:42 ipa kernel: freeipa-ldapsIN=ens10 OUT= MAC=52:54:00:90:fc:c3:0c:c4:7a:71:1c:7a:08:00 SRC=89.26.108.1 DST=89.26.108.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12711 DF PROTO=TCP SPT=46246 DPT=88 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 17 12:10:42 ipa kernel: freeipa-ldapIN=ens10 OUT= MAC=52:54:00:90:fc:c3:0c:c4:7a:71:1c:7a:08:00 SRC=89.26.108.1 DST=89.26.108.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12711 DF PROTO=TCP SPT=46246 DPT=88 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 17 12:10:42 ipa kernel: freeipa-ldapsIN=ens10 OUT= MAC=52:54:00:90:fc:c3:0c:c4:7a:71:1c:7a:08:00 SRC=89.26.108.1 DST=89.26.108.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27702 DF PROTO=TCP SPT=46247 DPT=88 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 17 12:10:42 ipa kernel: freeipa-ldapIN=ens10 OUT= MAC=52:54:00:90:fc:c3:0c:c4:7a:71:1c:7a:08:00 SRC=89.26.108.1 DST=89.26.108.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27702 DF PROTO=TCP SPT=46247 DPT=88 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 17 12:10:42 ipa kernel: freeipa-ldapsIN=ens10 OUT= MAC=52:54:00:90:fc:c3:0c:c4:7a:71:1c:7a:08:00 SRC=89.26.108.1 DST=89.26.108.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=42649 DF PROTO=TCP SPT=46248 DPT=88 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 17 12:10:42 ipa kernel: freeipa-ldapIN=ens10 OUT= MAC=52:54:00:90:fc:c3:0c:c4:7a:71:1c:7a:08:00 SRC=89.26.108.1 DST=89.26.108.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=42649 DF PROTO=TCP SPT=46248 DPT=88 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 17 12:10:44 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart.
Jun 17 12:10:44 ipa systemd: Started IPA OpenDNSSEC Signer replacement.
Jun 17 12:10:44 ipa systemd: Starting IPA OpenDNSSEC Signer replacement...
Jun 17 12:10:45 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running
Jun 17 12:10:45 ipa kernel: freeipa-ldapIN=ens11 OUT= MAC=52:54:00:ce:9d:da:52:54:00:b9:6d:73:86:dd SRC=2001:0470:006f:08f1:0000:0000:0000:0214 DST=2001:0470:006f:08f1:0000:0000:0000:0204 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=50060 DPT=389 WINDOW=28800 RES=0x00 SYN URGP=0
Jun 17 12:10:46 ipa python2: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 17 12:10:46 ipa ipa-ods-exporter: Traceback (most recent call last):
Jun 17 12:10:46 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in
Jun 17 12:10:46 ipa ipa-ods-exporter: ldap.gssapi_bind()
Jun 17 12:10:46 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind
Jun 17 12:10:46 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls)
Jun 17 12:10:46 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
Jun 17 12:10:46 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback)
Jun 17 12:10:46 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler
Jun 17 12:10:46 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
Jun 17 12:10:46 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 17 12:10:46 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE
Jun 17 12:10:46 ipa systemd: Unit ipa-ods-exporter.service entered failed state.
Jun 17 12:10:46 ipa systemd: ipa-ods-exporter.service failed.
Jun 17 12:11:46 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart.
Jun 17 12:11:46 ipa systemd: Started IPA OpenDNSSEC Signer replacement.
Jun 17 12:11:46 ipa systemd: Starting IPA OpenDNSSEC Signer replacement...
Jun 17 12:11:46 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running
Jun 17 12:11:47 ipa python2: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 17 12:11:47 ipa ipa-ods-exporter: Traceback (most recent call last):
Jun 17 12:11:47 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in
Jun 17 12:11:47 ipa ipa-ods-exporter: ldap.gssapi_bind()
Jun 17 12:11:47 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind
Jun 17 12:11:47 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls)
Jun 17 12:11:47 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
Jun 17 12:11:47 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback)
Jun 17 12:11:47 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler
Jun 17 12:11:47 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
Jun 17 12:11:47 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 17 12:11:47 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE
Jun 17 12:11:47 ipa systemd: Unit ipa-ods-exporter.service entered failed state.
Jun 17 12:11:47 ipa systemd: ipa-ods-exporter.service failed.
Jun 17 12:12:45 ipa systemd: Started Session 327 of user root.
Jun 17 12:12:45 ipa systemd-logind: New session 327 of user root.
Jun 17 12:12:45 ipa systemd: Starting Session 327 of user root.
Jun 17 12:12:45 ipa dbus[555]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
Jun 17 12:12:45 ipa dbus-daemon: dbus[555]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
Jun 17 12:12:45 ipa dbus[555]: [system] Successfully activated service 'org.freedesktop.problems'
Jun 17 12:12:45 ipa dbus-daemon: dbus[555]: [system] Successfully activated service 'org.freedesktop.problems'
Jun 17 12:12:47 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart.
Jun 17 12:12:47 ipa systemd: Started IPA OpenDNSSEC Signer replacement.
Jun 17 12:12:47 ipa systemd: Starting IPA OpenDNSSEC Signer replacement...
Jun 17 12:12:48 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running
Jun 17 12:12:49 ipa python2: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 17 12:12:49 ipa ipa-ods-exporter: Traceback (most recent call last):
Jun 17 12:12:49 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in <module>
Jun 17 12:12:49 ipa ipa-ods-exporter: ldap.gssapi_bind()
Jun 17 12:12:49 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind
Jun 17 12:12:49 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls)
Jun 17 12:12:49 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
Jun 17 12:12:49 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback)
Jun 17 12:12:49 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler
Jun 17 12:12:49 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
Jun 17 12:12:49 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 17 12:12:49 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE
Jun 17 12:12:49 ipa systemd: Unit ipa-ods-exporter.service entered failed state.
Jun 17 12:12:49 ipa systemd: ipa-ods-exporter.service failed.
Jun 17 12:13:31 ipa kernel: freeipa-ldapIN=ens10 OUT= MAC=52:54:00:90:fc:c3:52:54:00:47:17:d2:08:00 SRC=89.26.108.9 DST=89.26.108.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17436 DF PROTO=TCP SPT=57814 DPT=389 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 17 12:13:31 ipa kernel: freeipa-ldapsIN=ens10 OUT= MAC=52:54:00:90:fc:c3:52:54:00:47:17:d2:08:00 SRC=89.26.108.9 DST=89.26.108.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=16363 DF PROTO=TCP SPT=53535 DPT=88 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 17 12:13:31 ipa kernel: freeipa-ldapIN=ens10 OUT= MAC=52:54:00:90:fc:c3:52:54:00:47:17:d2:08:00 SRC=89.26.108.9 DST=89.26.108.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=16363 DF PROTO=TCP SPT=53535 DPT=88 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 17 12:13:31 ipa kernel: freeipa-ldapsIN=ens10 OUT= MAC=52:54:00:90:fc:c3:52:54:00:47:17:d2:08:00 SRC=89.26.108.9 DST=89.26.108.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31856 DF PROTO=TCP SPT=53536 DPT=88 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 17 12:13:31 ipa kernel: freeipa-ldapIN=ens10 OUT= MAC=52:54:00:90:fc:c3:52:54:00:47:17:d2:08:00 SRC=89.26.108.9 DST=89.26.108.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31856 DF PROTO=TCP SPT=53536 DPT=88 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 17 12:13:31 ipa kernel: freeipa-ldapsIN=ens10 OUT= MAC=52:54:00:90:fc:c3:52:54:00:47:17:d2:08:00 SRC=89.26.108.9 DST=89.26.108.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18133 DF PROTO=TCP SPT=53537 DPT=88 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 17 12:13:31 ipa kernel: freeipa-ldapIN=ens10 OUT= MAC=52:54:00:90:fc:c3:52:54:00:47:17:d2:08:00 SRC=89.26.108.9 DST=89.26.108.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18133 DF PROTO=TCP SPT=53537 DPT=88 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 17 12:13:34 ipa kernel: freeipa-ldapIN=ens11 OUT= MAC=52:54:00:ce:9d:da:52:54:00:b9:6d:73:86:dd SRC=2001:0470:006f:08f1:0000:0000:0000:0214 DST=2001:0470:006f:08f1:0000:0000:0000:0204 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=50083 DPT=389 WINDOW=28800 RES=0x00 SYN URGP=0
Jun 17 12:13:49 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart.
Jun 17 12:13:49 ipa systemd: Started IPA OpenDNSSEC Signer replacement.
Jun 17 12:13:49 ipa systemd: Starting IPA OpenDNSSEC Signer replacement...
Jun 17 12:13:50 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running
Jun 17 12:13:51 ipa python2: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 17 12:13:51 ipa ipa-ods-exporter: Traceback (most recent call last):
Jun 17 12:13:51 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in <module>
Jun 17 12:13:51 ipa ipa-ods-exporter: ldap.gssapi_bind()
Jun 17 12:13:51 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind
Jun 17 12:13:51 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls)
Jun 17 12:13:51 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
Jun 17 12:13:51 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback)
Jun 17 12:13:51 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler
Jun 17 12:13:51 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
Jun 17 12:13:51 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 17 12:13:51 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE
Jun 17 12:13:51 ipa systemd: Unit ipa-ods-exporter.service entered failed state.
Jun 17 12:13:51 ipa systemd: ipa-ods-exporter.service failed.
Jun 17 12:14:11 ipa kernel: freeipa-ldapIN=ens11 OUT= MAC=52:54:00:ce:9d:da:52:54:00:b9:6d:73:86:dd SRC=2001:0470:006f:08f1:0000:0000:0000:0214 DST=2001:0470:006f:08f1:0000:0000:0000:0204 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=50084 DPT=389 WINDOW=28800 RES=0x00 SYN URGP=0
Jun 17 12:14:52 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart.
Jun 17 12:14:52 ipa systemd: Started IPA OpenDNSSEC Signer replacement.
Jun 17 12:14:52 ipa systemd: Starting IPA OpenDNSSEC Signer replacement...
Jun 17 12:14:52 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running
Jun 17 12:14:53 ipa python2: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 17 12:14:53 ipa ipa-ods-exporter: Traceback (most recent call last):
Jun 17 12:14:53 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in <module>
Jun 17 12:14:53 ipa ipa-ods-exporter: ldap.gssapi_bind()
Jun 17 12:14:53 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind
Jun 17 12:14:53 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls)
Jun 17 12:14:53 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
Jun 17 12:14:53 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback)
Jun 17 12:14:53 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler
Jun 17 12:14:53 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
Jun 17 12:14:53 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 17 12:14:53 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE
Jun 17 12:14:53 ipa systemd: Unit ipa-ods-exporter.service entered failed state.
Jun 17 12:14:53 ipa systemd: ipa-ods-exporter.service failed.
Jun 17 12:15:53 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart.
Jun 17 12:15:53 ipa systemd: Started IPA OpenDNSSEC Signer replacement.
Jun 17 12:15:53 ipa systemd: Starting IPA OpenDNSSEC Signer replacement...
Jun 17 12:15:53 ipa ipa-ods-exporter: ipa: DEBUG: importing all plugin modules in ipalib.plugins...
Jun 17 12:15:53 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.aci
Jun 17 12:15:53 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.automember
Jun 17 12:15:53 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.automount
Jun 17 12:15:53 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.baseldap
Jun 17 12:15:53 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.baseuser
Jun 17 12:15:53 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.batch
Jun 17 12:15:53 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.caacl
Jun 17 12:15:53 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.cert
Jun 17 12:15:53 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.certprofile
Jun 17 12:15:53 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.config
Jun 17 12:15:53 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.delegation
Jun 17 12:15:53 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.dns
Jun 17 12:15:53 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.domainlevel
Jun 17 12:15:53 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.group
Jun 17 12:15:53 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacrule
Jun 17 12:15:53 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvc
Jun 17 12:15:53 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvcgroup
Jun 17 12:15:53 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbactest
Jun 17 12:15:53 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.host
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hostgroup
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.idrange
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.idviews
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.internal
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.krbtpolicy
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.migration
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.misc
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.netgroup
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.otpconfig
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken_yubikey
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.passwd
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.permission
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.ping
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.privilege
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.pwpolicy
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: Starting external process
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: args=klist -V
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: Process finished, return code=0
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: stdout=Kerberos 5 version 1.13.2
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: stderr=
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.radiusproxy
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.realmdomains
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.role
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.rpcclient
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.selfservice
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.selinuxusermap
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.server
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.service
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.servicedelegation
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.session
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.stageuser
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmd
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmdgroup
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.sudorule
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.topology
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.trust
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.user
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.vault
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.virtual
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing all plugin modules in ipaserver.plugins...
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.dogtag
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.join
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.ldap2
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.rabase
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: SessionAuthManager.register: name=jsonserver_session_70848784
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: SessionAuthManager.register: name=xmlserver_session_70850576
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.sync_token() at '/session/sync_token'
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_kerb() at '/json'
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver_session() at '/session/xml'
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver() at '/xml'
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_session() at '/session/json'
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.login_password() at '/session/login_password'
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos'
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.change_password() at '/session/change_password'
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: Initializing principal ipa-ods-exporter/ipa.4gjn.com using keytab /etc/ipa/dnssec/ipa-ods-exporter.keytab
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: using ccache /var/opendnssec/tmp/ipa-ods-exporter.ccache
Jun 17 12:15:54 ipa ipa-ods-exporter: ipa: DEBUG: Attempt 1/5: success
Jun 17 12:15:54 ipa python2: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 17 12:15:54 ipa ipa-ods-exporter: Traceback (most recent call last):
Jun 17 12:15:54 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in <module>
Jun 17 12:15:54 ipa ipa-ods-exporter: ldap.gssapi_bind()
Jun 17 12:15:54 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind
Jun 17 12:15:54 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls)
Jun 17 12:15:54 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
Jun 17 12:15:54 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback)
Jun 17 12:15:54 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler
Jun 17 12:15:54 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
Jun 17 12:15:54 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 17 12:15:54 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE
Jun 17 12:15:54 ipa systemd: Unit ipa-ods-exporter.service entered failed state.
Jun 17 12:15:54 ipa systemd: ipa-ods-exporter.service failed.
Jun 17 12:16:55 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart.
Jun 17 12:16:55 ipa systemd: Started IPA OpenDNSSEC Signer replacement.
Jun 17 12:16:55 ipa systemd: Starting IPA OpenDNSSEC Signer replacement...
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing all plugin modules in ipalib.plugins...
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.aci
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.automember
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.automount
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.baseldap
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.baseuser
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.batch
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.caacl
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.cert
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.certprofile
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.config
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.delegation
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.dns
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.domainlevel
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.group
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacrule
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvc
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvcgroup
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbactest
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.host
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hostgroup
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.idrange
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.idviews
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.internal
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.krbtpolicy
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.migration
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.misc
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.netgroup
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.otpconfig
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken_yubikey
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.passwd
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.permission
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.ping
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.privilege
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.pwpolicy
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: Starting external process
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: args=klist -V
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: Process finished, return code=0
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: stdout=Kerberos 5 version 1.13.2
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: stderr=
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.radiusproxy
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.realmdomains
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.role
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.rpcclient
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.selfservice
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.selinuxusermap
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.server
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.service
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.servicedelegation
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.session
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.stageuser
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmd
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmdgroup
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.sudorule
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.topology
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.trust
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.user
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.vault
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.virtual
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing all plugin modules in ipaserver.plugins...
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.dogtag
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.join
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.ldap2
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.rabase
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: SessionAuthManager.register: name=jsonserver_session_49615120
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: SessionAuthManager.register: name=xmlserver_session_49616912
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.sync_token() at '/session/sync_token'
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_kerb() at '/json'
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver() at '/xml'
Jun 17 12:16:55 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 17 12:16:56 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_session() at '/session/json'
Jun 17 12:16:56 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 17 12:16:56 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.login_password() at '/session/login_password'
Jun 17 12:16:56 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 17 12:16:56 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver_session() at '/session/xml'
Jun 17 12:16:56 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 17 12:16:56 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 17 12:16:56 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos'
Jun 17 12:16:56 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 17 12:16:56 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.change_password() at '/session/change_password'
Jun 17 12:16:56 ipa ipa-ods-exporter: ipa: DEBUG: Initializing principal ipa-ods-exporter/ipa.4gjn.com using keytab /etc/ipa/dnssec/ipa-ods-exporter.keytab
Jun 17 12:16:56 ipa ipa-ods-exporter: ipa: DEBUG: using ccache /var/opendnssec/tmp/ipa-ods-exporter.ccache
Jun 17 12:16:56 ipa ipa-ods-exporter: ipa: DEBUG: Attempt 1/5: success
Jun 17 12:16:56 ipa python2: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 17 12:16:56 ipa ipa-ods-exporter: Traceback (most recent call last):
Jun 17 12:16:56 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in <module>
Jun 17 12:16:56 ipa ipa-ods-exporter: ldap.gssapi_bind()
Jun 17 12:16:56 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind
Jun 17 12:16:56 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls)
Jun 17 12:16:56 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
Jun 17 12:16:56 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback)
Jun 17 12:16:56 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler
Jun 17 12:16:56 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
Jun 17 12:16:56 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 17 12:16:56 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE
Jun 17 12:16:56 ipa systemd: Unit ipa-ods-exporter.service entered failed state.
Jun 17 12:16:56 ipa systemd: ipa-ods-exporter.service failed.
Jun 17 12:17:14 ipa systemd: Reloaded The Apache HTTP Server.
Jun 17 12:17:30 ipa named-pkcs11[3078]: client 91.221.196.11#55520 (4gjn.com): transfer of '4gjn.com/IN': AXFR started
Jun 17 12:17:30 ipa named-pkcs11[3078]: client 91.221.196.11#55520 (4gjn.com): transfer of '4gjn.com/IN': AXFR ended
Jun 17 12:17:53 ipa kernel: freeipa-ldapIN=ens11 OUT= MAC=52:54:00:ce:9d:da:52:54:00:b9:6d:73:86:dd SRC=2001:0470:006f:08f1:0000:0000:0000:0214 DST=2001:0470:006f:08f1:0000:0000:0000:0204 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=50085 DPT=389 WINDOW=28800 RES=0x00 SYN URGP=0
Jun 17 12:17:56 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart.
Jun 17 12:17:56 ipa systemd: Started IPA OpenDNSSEC Signer replacement.
Jun 17 12:17:56 ipa systemd: Starting IPA OpenDNSSEC Signer replacement...
Jun 17 12:17:56 ipa ipa-ods-exporter: ipa: DEBUG: importing all plugin modules in ipalib.plugins...
Jun 17 12:17:56 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.aci
Jun 17 12:17:56 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.automember
Jun 17 12:17:56 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.automount
Jun 17 12:17:56 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.baseldap
Jun 17 12:17:56 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.baseuser
Jun 17 12:17:56 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.batch
Jun 17 12:17:56 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.caacl
Jun 17 12:17:56 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.cert
Jun 17 12:17:56 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.certprofile
Jun 17 12:17:56 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.config
Jun 17 12:17:56 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.delegation
Jun 17 12:17:56 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.dns
Jun 17 12:17:56 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.domainlevel
Jun 17 12:17:56 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.group
Jun 17 12:17:56 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacrule
Jun 17 12:17:56 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvc
Jun 17 12:17:56 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvcgroup
Jun 17 12:17:56 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbactest
Jun 17 12:17:56 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.host
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hostgroup
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.idrange
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.idviews
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.internal
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.krbtpolicy
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.migration
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.misc
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.netgroup
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.otpconfig
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken_yubikey
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.passwd
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.permission
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.ping
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.privilege
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.pwpolicy
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: Starting external process
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: args=klist -V
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: Process finished, return code=0
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: stdout=Kerberos 5 version 1.13.2
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: stderr=
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.radiusproxy
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.realmdomains
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.role
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.rpcclient
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.selfservice
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.selinuxusermap
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.server
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.service
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.servicedelegation
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.session
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.stageuser
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmd
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmdgroup
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.sudorule
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.topology
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.trust
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.user
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.vault
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.virtual
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing all plugin modules in ipaserver.plugins...
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.dogtag
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.join
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.ldap2
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.rabase
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: SessionAuthManager.register: name=jsonserver_session_46616848
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: SessionAuthManager.register: name=xmlserver_session_46618640
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_kerb() at '/json'
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos'
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.change_password() at '/session/change_password'
Jun 17 12:17:57 ipa ipa-ods-exporter: ipa:
DEBUG: Mounting ipaserver.rpcserver.jsonserver_session() at '/session/json' Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.login_password() at '/session/login_password' Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.sync_token() at '/session/sync_token' Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver_session() at '/session/xml' Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver() at '/xml' Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: Initializing principal ipa-ods-exporter/ipa.4gjn.com using keytab /etc/ipa/dnssec/ipa-ods-exporter.keytab Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: using ccache /var/opendnssec/tmp/ipa-ods-exporter.ccache Jun 17 12:17:57 ipa ipa-ods-exporter: ipa: DEBUG: Attempt 1/5: success Jun 17 12:17:57 ipa python2: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Ticket expired) Jun 17 12:17:57 ipa ipa-ods-exporter: Traceback (most recent call last): Jun 17 12:17:57 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in Jun 17 12:17:57 ipa ipa-ods-exporter: ldap.gssapi_bind() Jun 17 12:17:57 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind Jun 17 12:17:57 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls) Jun 17 12:17:57 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__ Jun 17 12:17:57 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback) Jun 17 12:17:57 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler Jun 17 12:17:57 ipa ipa-ods-exporter: raise errors.ACIError(info=info) Jun 17 12:17:57 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) Jun 17 12:17:57 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE Jun 17 12:17:57 ipa systemd: Unit ipa-ods-exporter.service entered failed state. Jun 17 12:17:57 ipa systemd: ipa-ods-exporter.service failed. Jun 17 12:18:58 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart. Jun 17 12:18:58 ipa systemd: Started IPA OpenDNSSEC Signer replacement. Jun 17 12:18:58 ipa systemd: Starting IPA OpenDNSSEC Signer replacement... Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing all plugin modules in ipalib.plugins... 
Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.aci Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.automember Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.automount Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.baseldap Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.baseuser Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.batch Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.caacl Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.cert Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.certprofile Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.config Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.delegation Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.dns Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.domainlevel Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.group Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacrule Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvc Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvcgroup Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbactest Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.host Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hostgroup Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: 
importing plugin module ipalib.plugins.idrange Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.idviews Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.internal Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.krbtpolicy Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.migration Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.misc Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.netgroup Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.otpconfig Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken_yubikey Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.passwd Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.permission Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.ping Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.privilege Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.pwpolicy Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: Starting external process Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: args=klist -V Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: Process finished, return code=0 Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: stdout=Kerberos 5 version 1.13.2 Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: stderr= Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.radiusproxy Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.realmdomains Jun 17 
12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.role Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.rpcclient Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.selfservice Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.selinuxusermap Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.server Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.service Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.servicedelegation Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.session Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.stageuser Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmd Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmdgroup Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.sudorule Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.topology Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.trust Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.user Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.vault Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.virtual Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing all plugin modules in ipaserver.plugins... 
Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.dogtag Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.join Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.ldap2 Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.rabase Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: SessionAuthManager.register: name=jsonserver_session_53715216 Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: SessionAuthManager.register: name=xmlserver_session_53717008 Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_session() at '/session/json' Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver_session() at '/session/xml' Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.login_password() at '/session/login_password' Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver() at '/xml' Jun 17 12:18:58 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:18:59 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.sync_token() at '/session/sync_token' Jun 17 12:18:59 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos' Jun 17 12:18:59 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:18:59 ipa ipa-ods-exporter: ipa: DEBUG: Mounting 
ipaserver.rpcserver.jsonserver_kerb() at '/json' Jun 17 12:18:59 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:18:59 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.change_password() at '/session/change_password' Jun 17 12:18:59 ipa ipa-ods-exporter: ipa: DEBUG: Initializing principal ipa-ods-exporter/ipa.4gjn.com using keytab /etc/ipa/dnssec/ipa-ods-exporter.keytab Jun 17 12:18:59 ipa ipa-ods-exporter: ipa: DEBUG: using ccache /var/opendnssec/tmp/ipa-ods-exporter.ccache Jun 17 12:18:59 ipa ipa-ods-exporter: ipa: DEBUG: Attempt 1/5: success Jun 17 12:18:59 ipa python2: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) Jun 17 12:18:59 ipa ipa-ods-exporter: Traceback (most recent call last): Jun 17 12:18:59 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in Jun 17 12:18:59 ipa ipa-ods-exporter: ldap.gssapi_bind() Jun 17 12:18:59 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind Jun 17 12:18:59 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls) Jun 17 12:18:59 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__ Jun 17 12:18:59 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback) Jun 17 12:18:59 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler Jun 17 12:18:59 ipa ipa-ods-exporter: raise errors.ACIError(info=info) Jun 17 12:18:59 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) Jun 17 12:18:59 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE Jun 17 12:18:59 ipa systemd: Unit ipa-ods-exporter.service entered failed state. Jun 17 12:18:59 ipa systemd: ipa-ods-exporter.service failed. 
Jun 17 12:19:40 ipa systemd: Stopped target PKI Tomcat Server. Jun 17 12:19:40 ipa systemd: Stopping PKI Tomcat Server. Jun 17 12:19:40 ipa systemd: Stopping PKI Tomcat Server pki-tomcat... Jun 17 12:19:40 ipa systemd: Stopping 389 Directory Server 4GJN-COM.... Jun 17 12:19:40 ipa server: Java virtual machine used: /usr/lib/jvm/jre/bin/java Jun 17 12:19:40 ipa server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar Jun 17 12:19:40 ipa server: main class used: org.apache.catalina.startup.Bootstrap Jun 17 12:19:40 ipa server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni Jun 17 12:19:40 ipa server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager Jun 17 12:19:40 ipa server: arguments used: stop Jun 17 12:19:40 ipa server: Jun 17, 2016 12:19:40 PM org.apache.catalina.core.StandardServer await Jun 17 12:19:40 ipa server: INFO: A valid shutdown command was received via the shutdown port. Stopping the Server instance. Jun 17 12:19:40 ipa server: PKIListener: org.apache.catalina.core.StandardServer[before_stop] Jun 17 12:19:40 ipa server: PKIListener: org.apache.catalina.core.StandardServer[stop] Jun 17 12:19:40 ipa server: PKIListener: org.apache.catalina.core.StandardServer[configure_stop] Jun 17 12:19:40 ipa server: Jun 17, 2016 12:19:40 PM org.apache.coyote.AbstractProtocol pause Jun 17 12:19:40 ipa server: INFO: Pausing ProtocolHandler ["http-bio-8080"] Jun 17 12:19:40 ipa systemd: Stopped PKI Tomcat Server pki-tomcat. 
Jun 17 12:19:42 ipa named-pkcs11[3078]: LDAP error: Can't contact LDAP server: ldap_sync_poll() failed Jun 17 12:19:42 ipa named-pkcs11[3078]: ldap_syncrepl will reconnect in 60 seconds Jun 17 12:19:43 ipa systemd: Starting 389 Directory Server 4GJN-COM.... Jun 17 12:19:43 ipa systemd: Started 389 Directory Server 4GJN-COM.. Jun 17 12:19:43 ipa ns-slapd: [17/Jun/2016:12:19:43 +0200] - SSL alert: Security Initialization: Enabling default cipher set. Jun 17 12:19:43 ipa ns-slapd: [17/Jun/2016:12:19:43 +0200] - SSL alert: Configured NSS Ciphers Jun 17 12:19:43 ipa ns-slapd: [17/Jun/2016:12:19:43 +0200] - SSL alert: #011TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled Jun 17 12:19:43 ipa ns-slapd: [17/Jun/2016:12:19:43 +0200] - SSL alert: #011TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled Jun 17 12:19:43 ipa ns-slapd: [17/Jun/2016:12:19:43 +0200] - SSL alert: #011TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled Jun 17 12:19:43 ipa ns-slapd: [17/Jun/2016:12:19:43 +0200] - SSL alert: #011TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled Jun 17 12:19:43 ipa ns-slapd: [17/Jun/2016:12:19:43 +0200] - SSL alert: #011TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled Jun 17 12:19:43 ipa ns-slapd: [17/Jun/2016:12:19:43 +0200] - SSL alert: #011TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled Jun 17 12:19:43 ipa ns-slapd: [17/Jun/2016:12:19:43 +0200] - SSL alert: #011TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled Jun 17 12:19:43 ipa ns-slapd: [17/Jun/2016:12:19:43 +0200] - SSL alert: #011TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled Jun 17 12:19:43 ipa ns-slapd: [17/Jun/2016:12:19:43 +0200] - SSL alert: #011TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled Jun 17 12:19:43 ipa ns-slapd: [17/Jun/2016:12:19:43 +0200] - SSL alert: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled Jun 17 12:19:43 ipa ns-slapd: [17/Jun/2016:12:19:43 +0200] - SSL alert: #011TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled Jun 17 12:19:43 ipa ns-slapd: [17/Jun/2016:12:19:43 +0200] - SSL alert: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: 
enabled Jun 17 12:19:43 ipa ns-slapd: [17/Jun/2016:12:19:43 +0200] - SSL alert: #011TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled Jun 17 12:19:43 ipa ns-slapd: [17/Jun/2016:12:19:43 +0200] - SSL alert: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled Jun 17 12:19:43 ipa ns-slapd: [17/Jun/2016:12:19:43 +0200] - SSL alert: #011TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled Jun 17 12:19:43 ipa ns-slapd: [17/Jun/2016:12:19:43 +0200] - SSL alert: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled Jun 17 12:19:43 ipa ns-slapd: [17/Jun/2016:12:19:43 +0200] - SSL alert: #011TLS_RSA_WITH_AES_256_GCM_SHA384: enabled Jun 17 12:19:43 ipa ns-slapd: [17/Jun/2016:12:19:43 +0200] - SSL alert: #011TLS_RSA_WITH_AES_256_CBC_SHA: enabled Jun 17 12:19:43 ipa ns-slapd: [17/Jun/2016:12:19:43 +0200] - SSL alert: #011TLS_RSA_WITH_AES_256_CBC_SHA256: enabled Jun 17 12:19:43 ipa ns-slapd: [17/Jun/2016:12:19:43 +0200] - SSL alert: #011TLS_RSA_WITH_AES_128_GCM_SHA256: enabled Jun 17 12:19:43 ipa ns-slapd: [17/Jun/2016:12:19:43 +0200] - SSL alert: #011TLS_RSA_WITH_AES_128_CBC_SHA: enabled Jun 17 12:19:43 ipa ns-slapd: [17/Jun/2016:12:19:43 +0200] - SSL alert: #011TLS_RSA_WITH_AES_128_CBC_SHA256: enabled Jun 17 12:19:43 ipa ns-slapd: [17/Jun/2016:12:19:43 +0200] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 Jun 17 12:19:45 ipa systemd: Stopping Kerberos 5 KDC... Jun 17 12:19:45 ipa systemd: Starting Kerberos 5 KDC... Jun 17 12:19:45 ipa systemd: Started Kerberos 5 KDC. Jun 17 12:19:45 ipa systemd: Stopping Kerberos 5 Password-changing and Administration... Jun 17 12:19:45 ipa systemd: kadmin.service: main process exited, code=exited, status=2/INVALIDARGUMENT Jun 17 12:19:45 ipa systemd: Unit kadmin.service entered failed state. Jun 17 12:19:45 ipa systemd: kadmin.service failed. Jun 17 12:19:45 ipa systemd: Starting Kerberos 5 Password-changing and Administration... Jun 17 12:19:45 ipa systemd: Started Kerberos 5 Password-changing and Administration. 
Jun 17 12:19:45 ipa systemd: Stopping Berkeley Internet Name Domain (DNS) with native PKCS#11... Jun 17 12:19:45 ipa named-pkcs11[3078]: received control channel command 'stop' Jun 17 12:19:45 ipa named-pkcs11[3078]: shutting down: flushing changes Jun 17 12:19:45 ipa named-pkcs11[3078]: stopping command channel on 127.0.0.1#953 Jun 17 12:19:45 ipa named-pkcs11[3078]: stopping command channel on ::1#953 Jun 17 12:19:45 ipa named-pkcs11[3078]: ldap_sync_prepare() failed, retrying in 1 second: shutting down Jun 17 12:19:45 ipa named-pkcs11[3078]: zone 1.f.8.0.f.6.0.0.0.7.4.0.1.0.0.2.ip6.arpa/IN: shutting down Jun 17 12:19:45 ipa named-pkcs11[3078]: zone 4gjn.com/IN (signed): shutting down Jun 17 12:19:45 ipa named-pkcs11[3078]: zone 4gjn.com/IN (unsigned): shutting down Jun 17 12:19:45 ipa named-pkcs11[3078]: no longer listening on ::#53 Jun 17 12:19:45 ipa named-pkcs11[3078]: no longer listening on 127.0.0.1#53 Jun 17 12:19:45 ipa named-pkcs11[3078]: no longer listening on 89.26.108.6#53 Jun 17 12:19:45 ipa named-pkcs11[3078]: no longer listening on 192.168.55.204#53 Jun 17 12:19:45 ipa named-pkcs11[3078]: no longer listening on 192.168.100.204#53 Jun 17 12:19:45 ipa named-pkcs11[3078]: exiting Jun 17 12:19:45 ipa systemd: Starting Generate rndc key for BIND (DNS)... Jun 17 12:19:45 ipa systemd: Started Generate rndc key for BIND (DNS). Jun 17 12:19:45 ipa systemd: Starting Berkeley Internet Name Domain (DNS) with native PKCS#11... 
Jun 17 12:19:45 ipa bash: zone localhost.localdomain/IN: loaded serial 0 Jun 17 12:19:45 ipa bash: zone localhost/IN: loaded serial 0 Jun 17 12:19:45 ipa bash: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0 Jun 17 12:19:45 ipa bash: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0 Jun 17 12:19:45 ipa bash: zone 0.in-addr.arpa/IN: loaded serial 0 Jun 17 12:19:45 ipa named-pkcs11[9113]: starting BIND 9.9.4-RedHat-9.9.4-29.el7_2.3 -u named Jun 17 12:19:45 ipa named-pkcs11[9113]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--enable-rrl' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--enable-exportlib' '--with-export-libdir=/usr/lib64' '--with-export-includedir=/usr/include' '--includedir=/usr/include/bind9' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE' Jun 17 12:19:45 ipa named-pkcs11[9113]: ---------------------------------------------------- Jun 17 12:19:45 ipa 
named-pkcs11[9113]: BIND 9 is maintained by Internet Systems Consortium, Jun 17 12:19:45 ipa named-pkcs11[9113]: Inc. (ISC), a non-profit 501(c)(3) public-benefit Jun 17 12:19:45 ipa named-pkcs11[9113]: corporation. Support and training for BIND 9 are Jun 17 12:19:45 ipa named-pkcs11[9113]: available at https://www.isc.org/support Jun 17 12:19:45 ipa named-pkcs11[9113]: ---------------------------------------------------- Jun 17 12:19:45 ipa named-pkcs11[9113]: adjusted limit on open files from 4096 to 1048576 Jun 17 12:19:45 ipa named-pkcs11[9113]: found 2 CPUs, using 2 worker threads Jun 17 12:19:45 ipa named-pkcs11[9113]: using 2 UDP listeners per interface Jun 17 12:19:45 ipa named-pkcs11[9113]: using up to 4096 sockets Jun 17 12:19:45 ipa named-pkcs11[9113]: loading configuration from '/etc/named.conf' Jun 17 12:19:45 ipa named-pkcs11[9113]: reading built-in trusted keys from file '/etc/named.iscdlv.key' Jun 17 12:19:45 ipa named-pkcs11[9113]: using default UDP/IPv4 port range: [1024, 65535] Jun 17 12:19:45 ipa named-pkcs11[9113]: using default UDP/IPv6 port range: [1024, 65535] Jun 17 12:19:45 ipa named-pkcs11[9113]: listening on IPv6 interfaces, port 53 Jun 17 12:19:45 ipa named-pkcs11[9113]: listening on IPv4 interface lo, 127.0.0.1#53 Jun 17 12:19:45 ipa named-pkcs11[9113]: listening on IPv4 interface ens10, 89.26.108.6#53 Jun 17 12:19:45 ipa named-pkcs11[9113]: listening on IPv4 interface eth0, 192.168.55.204#53 Jun 17 12:19:45 ipa named-pkcs11[9113]: listening on IPv4 interface eth1, 192.168.100.204#53 Jun 17 12:19:45 ipa named-pkcs11[9113]: generating session key for dynamic DNS Jun 17 12:19:45 ipa named-pkcs11[9113]: sizing zone task pool based on 6 zones Jun 17 12:19:45 ipa named-pkcs11[9113]: /etc/named.conf:16: no forwarders seen; disabling forwarding Jun 17 12:19:45 ipa named-pkcs11[9113]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind' Jun 17 12:19:45 ipa named-pkcs11[9113]: bind-dyndb-ldap version 8.0 
compiled at 15:16:02 Nov 20 2015, compiler 4.8.5 20150623 (Red Hat 4.8.5-4)
Jun 17 12:19:45 ipa named-pkcs11[9113]: option 'serial_autoincrement' is not supported, ignoring
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 10.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 16.172.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 17.172.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 18.172.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 19.172.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 20.172.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 21.172.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 22.172.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 23.172.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 24.172.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 25.172.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 26.172.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: LDAP instance 'ipa' is being synchronized, please ignore message 'all zones loaded'
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 27.172.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 28.172.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 29.172.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 30.172.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 31.172.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 168.192.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 64.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 65.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 66.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 67.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 68.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 69.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 70.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 71.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 72.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 73.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 74.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 75.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 76.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 77.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 78.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 79.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 80.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 81.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 82.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 83.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 84.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 85.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 86.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 87.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 88.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 89.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 90.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 91.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 92.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 93.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 94.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 95.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 96.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 97.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 98.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 99.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 100.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 101.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 102.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 103.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 104.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 105.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 106.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 107.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 108.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 109.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 110.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 111.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 112.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 113.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 114.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 115.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 116.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 117.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 118.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 119.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 120.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 121.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 122.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 123.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 124.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 125.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 126.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 127.100.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 127.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 254.169.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 100.51.198.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 113.0.203.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: D.F.IP6.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 8.E.F.IP6.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 9.E.F.IP6.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: A.E.F.IP6.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: B.E.F.IP6.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Jun 17 12:19:45 ipa named-pkcs11[9113]: /etc/named.conf:16: no forwarders seen; disabling forwarding
Jun 17 12:19:45 ipa named-pkcs11[9113]: command channel listening on 127.0.0.1#953
Jun 17 12:19:45 ipa named-pkcs11[9113]: command channel listening on ::1#953
Jun 17 12:19:45 ipa named-pkcs11[9113]: managed-keys-zone: journal file is out of date: removing journal file
Jun 17 12:19:45 ipa named-pkcs11[9113]: managed-keys-zone: loaded serial 90
Jun 17 12:19:45 ipa named-pkcs11[9113]: zone 0.in-addr.arpa/IN: loaded serial 0
Jun 17 12:19:45 ipa named-pkcs11[9113]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Jun 17 12:19:45 ipa named-pkcs11[9113]: zone localhost/IN: loaded serial 0
Jun 17 12:19:45 ipa named-pkcs11[9113]: zone localhost.localdomain/IN: loaded serial 0
Jun 17 12:19:45 ipa named-pkcs11[9113]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Jun 17 12:19:45 ipa named-pkcs11[9113]: all zones loaded
Jun 17 12:19:45 ipa named-pkcs11[9113]: running
Jun 17 12:19:45 ipa systemd: Started Berkeley Internet Name Domain (DNS) with native PKCS#11.
Jun 17 12:19:46 ipa systemd: Stopping IPA memcached daemon, increases IPA server performance...
Jun 17 12:19:46 ipa systemd: Starting IPA memcached daemon, increases IPA server performance...
Jun 17 12:19:46 ipa systemd: PID file /var/run/ipa_memcached/ipa_memcached.pid not readable (yet?) after start.
Jun 17 12:19:46 ipa systemd: Started IPA memcached daemon, increases IPA server performance.
Jun 17 12:19:46 ipa named-pkcs11[9113]: zone 4gjn.com/IN: reconfiguring NSEC3PARAM to '1 0 10 65ba2cbb5f87cba8'
Jun 17 12:19:46 ipa systemd: Stopping The Apache HTTP Server...
Jun 17 12:19:46 ipa named-pkcs11[9113]: zone 1.f.8.0.f.6.0.0.0.7.4.0.1.0.0.2.ip6.arpa/IN: loaded serial 1466158786
Jun 17 12:19:46 ipa named-pkcs11[9113]: zone 4gjn.com/IN (unsigned): loaded serial 1466158786
Jun 17 12:19:46 ipa named-pkcs11[9113]: zone 4gjn.com/IN (signed): signing in progress
Jun 17 12:19:46 ipa named-pkcs11[9113]: zone 4gjn.com/IN (signed): reconfiguring NSEC3PARAM to '1 0 10 65ba2cbb5f87cba8'
Jun 17 12:19:46 ipa named-pkcs11[9113]: 2 master zones from LDAP instance 'ipa' loaded (2 zones defined, 0 inactive, 0 failed to load)
Jun 17 12:19:46 ipa named-pkcs11[9113]: zone 1.f.8.0.f.6.0.0.0.7.4.0.1.0.0.2.ip6.arpa/IN: sending notifies (serial 1466158786)
Jun 17 12:19:46 ipa named-pkcs11[9113]: zone 4gjn.com/IN (signed): loaded serial 1466158786
Jun 17 12:19:46 ipa named-pkcs11[9113]: zone 4gjn.com/IN (signed): could not get zone keys for secure dynamic update
Jun 17 12:19:46 ipa named-pkcs11[9113]: zone 4gjn.com/IN (signed): receive_secure_serial: unchanged
Jun 17 12:19:46 ipa named-pkcs11[9113]: zone 4gjn.com/IN (signed): sending notifies (serial 1466158787)
Jun 17 12:19:46 ipa named-pkcs11[9113]: zone 4gjn.com/IN (signed): reconfiguring zone keys
Jun 17 12:19:46 ipa named-pkcs11[9113]: zone 4gjn.com/IN (signed): zone_addnsec3chain(1,INITIAL|CREATE,10,65BA2CBB5F87CBA8)
Jun 17 12:19:46 ipa named-pkcs11[9113]: zone 4gjn.com/IN (signed): next key event: 17-Jun-2016 13:19:46.248
Jun 17 12:19:47 ipa named-pkcs11[9113]: checkhints: unable to get root NS rrset from cache: not found
Jun 17 12:19:47 ipa systemd: Starting The Apache HTTP Server...
Jun 17 12:19:47 ipa ipa-httpd-kdcproxy: ipa : INFO KDC proxy enabled
Jun 17 12:19:47 ipa systemd: Started The Apache HTTP Server.
Jun 17 12:19:47 ipa systemd: Stopping IPA Custodia Service...
Jun 17 12:19:47 ipa systemd: Started IPA Custodia Service.
Jun 17 12:19:47 ipa systemd: Starting IPA Custodia Service...
Jun 17 12:19:48 ipa systemd: Configuration file /usr/lib/systemd/system/pki-tomcatd.target is marked executable. Please remove executable permission bits. Proceeding anyway.
Jun 17 12:19:48 ipa systemd: Configuration file /lib/systemd/system/pki-tomcatd@.service is marked executable. Please remove executable permission bits. Proceeding anyway.
Jun 17 12:19:48 ipa systemd: Starting PKI Tomcat Server pki-tomcat...
Jun 17 12:19:48 ipa ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)
Jun 17 12:19:49 ipa kernel: freeipa-ldapIN=ens11 OUT= MAC=52:54:00:ce:9d:da:52:54:00:b9:6d:73:86:dd SRC=2001:0470:006f:08f1:0000:0000:0000:0214 DST=2001:0470:006f:08f1:0000:0000:0000:0204 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=50090 DPT=389 WINDOW=28800 RES=0x00 SYN URGP=0
Jun 17 12:19:49 ipa systemd: Started PKI Tomcat Server pki-tomcat.
Jun 17 12:19:49 ipa systemd: Reached target PKI Tomcat Server.
Jun 17 12:19:49 ipa systemd: Starting PKI Tomcat Server.
Jun 17 12:19:49 ipa server: Java virtual machine used: /usr/lib/jvm/jre/bin/java
Jun 17 12:19:49 ipa server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Jun 17 12:19:49 ipa server: main class used: org.apache.catalina.startup.Bootstrap
Jun 17 12:19:49 ipa server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni
Jun 17 12:19:49 ipa server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
Jun 17 12:19:49 ipa server: arguments used: start
Jun 17 12:19:50 ipa server: Jun 17, 2016 12:19:50 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 17 12:19:50 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property.
Jun 17 12:19:50 ipa server: Jun 17, 2016 12:19:50 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 17 12:19:50 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://ipa.4gjn.com:9080/ca/ocsp' did not find a matching property.
Jun 17 12:19:50 ipa server: Jun 17, 2016 12:19:50 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 17 12:19:50 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property.
Jun 17 12:19:50 ipa server: Jun 17, 2016 12:19:50 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 17 12:19:50 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property.
Jun 17 12:19:50 ipa server: Jun 17, 2016 12:19:50 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 17 12:19:50 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
Jun 17 12:19:50 ipa server: Jun 17, 2016 12:19:50 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 17 12:19:50 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
Jun 17 12:19:50 ipa server: Jun 17, 2016 12:19:50 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 17 12:19:50 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property.
Jun 17 12:19:50 ipa server: Jun 17, 2016 12:19:50 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 17 12:19:50 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property.
Jun 17 12:19:50 ipa server: Jun 17, 2016 12:19:50 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 17 12:19:50 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching property.
Jun 17 12:19:50 ipa server: Jun 17, 2016 12:19:50 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 17 12:19:50 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property.
Jun 17 12:19:50 ipa server: Jun 17, 2016 12:19:50 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 17 12:19:50 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Jun 17 12:19:50 ipa server: Jun 17, 2016 12:19:50 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 17 12:19:50 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Jun 17 12:19:50 ipa server: Jun 17, 2016 12:19:50 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 17 12:19:50 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property.
Jun 17 12:19:50 ipa server: Jun 17, 2016 12:19:50 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 17 12:19:50 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property.
Jun 17 12:19:50 ipa server: Jun 17, 2016 12:19:50 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 17 12:19:50 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256' did not find a matching property.
Jun 17 12:19:50 ipa server: Jun 17, 2016 12:19:50 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 17 12:19:50 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property.
Jun 17 12:19:50 ipa server: Jun 17, 2016 12:19:50 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 17 12:19:50 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property.
Jun 17 12:19:50 ipa server: Jun 17, 2016 12:19:50 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 17 12:19:50 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property.
Jun 17 12:19:50 ipa server: Jun 17, 2016 12:19:50 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 17 12:19:50 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
Jun 17 12:19:50 ipa server: Jun 17, 2016 12:19:50 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
Jun 17 12:19:50 ipa server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
Jun 17 12:19:50 ipa server: Jun 17, 2016 12:19:50 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
Jun 17 12:19:50 ipa server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property.
Jun 17 12:19:50 ipa server: PKIListener: org.apache.catalina.core.StandardServer[before_init]
Jun 17 12:19:50 ipa server: Jun 17, 2016 12:19:50 PM org.apache.coyote.AbstractProtocol init
Jun 17 12:19:50 ipa server: INFO: Initializing ProtocolHandler ["http-bio-8080"]
Jun 17 12:19:50 ipa server: Jun 17, 2016 12:19:50 PM org.apache.coyote.AbstractProtocol init
Jun 17 12:19:50 ipa server: INFO: Initializing ProtocolHandler ["http-bio-8443"]
Jun 17 12:19:50 ipa server: Error: SSL cipher "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
Jun 17 12:19:50 ipa server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" not recognized by tomcatjss
Jun 17 12:19:50 ipa server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" not recognized by tomcatjss
Jun 17 12:19:50 ipa server: Error: SSL cipher "TLS_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
Jun 17 12:19:50 ipa server: Error: SSL cipher "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
Jun 17 12:19:50 ipa server: Error: SSL cipher "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
Jun 17 12:19:50 ipa server: Error: SSL cipher "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" unsupported by NSS
Jun 17 12:19:50 ipa server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" unsupported by NSS
Jun 17 12:19:50 ipa server: Jun 17, 2016 12:19:50 PM org.apache.coyote.AbstractProtocol init
Jun 17 12:19:50 ipa server: INFO: Initializing ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jun 17 12:19:50 ipa server: PKIListener: org.apache.catalina.core.StandardServer[after_init]
Jun 17 12:19:50 ipa server: Jun 17, 2016 12:19:50 PM org.apache.catalina.startup.Catalina load
Jun 17 12:19:50 ipa server: INFO: Initialization processed in 548 ms
Jun 17 12:19:50 ipa server: PKIListener: org.apache.catalina.core.StandardServer[before_start]
Jun 17 12:19:50 ipa server: PKIListener: org.apache.catalina.core.StandardServer[configure_start]
Jun 17 12:19:50 ipa server: PKIListener: org.apache.catalina.core.StandardServer[start]
Jun 17 12:19:50 ipa server: Jun 17, 2016 12:19:50 PM org.apache.catalina.core.StandardService startInternal
Jun 17 12:19:50 ipa server: INFO: Starting service Catalina
Jun 17 12:19:50 ipa server: Jun 17, 2016 12:19:50 PM org.apache.catalina.core.StandardEngine startInternal
Jun 17 12:19:50 ipa server: INFO: Starting Servlet Engine: Apache Tomcat/7.0.54
Jun 17 12:19:50 ipa server: Jun 17, 2016 12:19:50 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jun 17 12:19:50 ipa server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml
Jun 17 12:19:51 ipa named-pkcs11[9113]: zone 1.f.8.0.f.6.0.0.0.7.4.0.1.0.0.2.ip6.arpa/IN: sending notifies (serial 1466158786)
Jun 17 12:19:51 ipa named-pkcs11[9113]: zone 4gjn.com/IN (signed): sending notifies (serial 1466158806)
Jun 17 12:19:51 ipa server: Jun 17, 2016 12:19:51 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jun 17 12:19:51 ipa server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml has finished in 1,144 ms
Jun 17 12:19:51 ipa server: Jun 17, 2016 12:19:51 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jun 17 12:19:51 ipa server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki#admin.xml
Jun 17 12:19:52 ipa server: Jun 17, 2016 12:19:52 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jun 17 12:19:52 ipa server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki#admin.xml has finished in 758 ms
Jun 17 12:19:52 ipa server: Jun 17, 2016 12:19:52 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jun 17 12:19:52 ipa server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki#js.xml
Jun 17 12:19:53 ipa server: Jun 17, 2016 12:19:53 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jun 17 12:19:53 ipa server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki#js.xml has finished in 822 ms
Jun 17 12:19:53 ipa server: Jun 17, 2016 12:19:53 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jun 17 12:19:53 ipa server: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
Jun 17 12:19:53 ipa server: SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
Jun 17 12:19:53 ipa server: SSLAuthenticatorWithFallback: Setting container
Jun 17 12:19:55 ipa server: SSLAuthenticatorWithFallback: Initializing authenticators
Jun 17 12:19:55 ipa server: SSLAuthenticatorWithFallback: Starting authenticators
Jun 17 12:19:55 ipa server: CMSEngine.initializePasswordStore() begins
Jun 17 12:19:55 ipa server: CMSEngine.initializePasswordStore(): tag=internaldb
Jun 17 12:19:55 ipa server: CMSEngine.initializePasswordStore(): tag=replicationdb
Jun 17 12:19:59 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart.
Jun 17 12:19:59 ipa systemd: Started IPA OpenDNSSEC Signer replacement.
Jun 17 12:19:59 ipa systemd: Starting IPA OpenDNSSEC Signer replacement...
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing all plugin modules in ipalib.plugins...
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.aci
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.automember
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.automount
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.baseldap
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.baseuser
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.batch
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.caacl
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.cert
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.certprofile
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.config
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.delegation
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.dns
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.domainlevel
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.group
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacrule
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvc
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvcgroup
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbactest
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.host
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hostgroup
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.idrange
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.idviews
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.internal
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.krbtpolicy
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.migration
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.misc
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.netgroup
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.otpconfig
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken_yubikey
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.passwd
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.permission
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.ping
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.privilege
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.pwpolicy
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: Starting external process
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: args=klist -V
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: Process finished, return code=0
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: stdout=Kerberos 5 version 1.13.2
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: stderr=
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.radiusproxy
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.realmdomains
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.role
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.rpcclient
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.selfservice
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.selinuxusermap
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.server
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.service
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.servicedelegation
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.session
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.stageuser
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmd
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmdgroup
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.sudorule
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.topology
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.trust
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.user
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.vault
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.virtual
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing all plugin modules in ipaserver.plugins...
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.dogtag
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.join
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.ldap2
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.rabase
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: SessionAuthManager.register: name=jsonserver_session_55681296
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: SessionAuthManager.register: name=xmlserver_session_55683088
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver_session() at '/session/xml'
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.login_password() at '/session/login_password'
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver() at '/xml'
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.sync_token() at '/session/sync_token'
Jun 17 12:20:00 ipa server: CA is started.
Jun 17 12:20:00 ipa server: Jun 17, 2016 12:20:00 PM org.apache.catalina.startup.HostConfig deployDescriptor
Jun 17 12:20:00 ipa server: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 7,529 ms
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos'
Jun 17 12:20:00 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 17 12:20:00 ipa server: Jun 17, 2016 12:20:00 PM org.apache.coyote.AbstractProtocol start
Jun 17 12:20:00 ipa server: INFO: Starting ProtocolHandler ["http-bio-8080"]
Jun 17 12:20:00 ipa server: Jun 17, 2016 12:20:00 PM org.apache.coyote.AbstractProtocol start
Jun 17 12:20:00 ipa server: INFO: Starting ProtocolHandler ["http-bio-8443"]
Jun 17 12:20:00 ipa server: Jun 17, 2016 12:20:00 PM org.apache.coyote.AbstractProtocol start
Jun 17 12:20:00 ipa server: INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jun 17 12:20:00 ipa server: PKIListener: org.apache.catalina.core.StandardServer[after_start]
Jun 17 12:20:00 ipa server: PKIListener: Subsystem CA is running.
Jun 17 12:20:00 ipa server: Jun 17, 2016 12:20:00 PM org.apache.catalina.startup.Catalina start Jun 17 12:20:00 ipa server: INFO: Server startup in 10325 ms Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_kerb() at '/json' Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.change_password() at '/session/change_password' Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_session() at '/session/json' Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: Initializing principal ipa-ods-exporter/ipa.4gjn.com using keytab /etc/ipa/dnssec/ipa-ods-exporter.keytab Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: using ccache /var/opendnssec/tmp/ipa-ods-exporter.ccache Jun 17 12:20:01 ipa python2: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Ticket expired) Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: Attempt 1/5: success Jun 17 12:20:01 ipa ipa-ods-exporter: Traceback (most recent call last): Jun 17 12:20:01 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in Jun 17 12:20:01 ipa ipa-ods-exporter: ldap.gssapi_bind() Jun 17 12:20:01 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind Jun 17 12:20:01 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls) Jun 17 12:20:01 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__ Jun 17 12:20:01 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback) Jun 17 12:20:01 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler Jun 17 12:20:01 ipa ipa-ods-exporter: raise errors.ACIError(info=info) Jun 17 12:20:01 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) Jun 17 12:20:01 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE Jun 17 12:20:01 ipa systemd: Unit ipa-ods-exporter.service entered failed state. Jun 17 12:20:01 ipa systemd: ipa-ods-exporter.service failed. Jun 17 12:20:01 ipa systemd: Stopping ipa-otpd socket. Jun 17 12:20:01 ipa systemd: Listening on ipa-otpd socket. Jun 17 12:20:01 ipa systemd: Starting ipa-otpd socket. Jun 17 12:20:01 ipa systemd: Started IPA OpenDNSSEC Signer replacement. Jun 17 12:20:01 ipa systemd: Starting IPA OpenDNSSEC Signer replacement... Jun 17 12:20:01 ipa ods-enforcerd: Received SIGTERM, exiting... Jun 17 12:20:01 ipa ods-enforcerd: all done! hsm_close result: 0 Jun 17 12:20:01 ipa systemd: Stopping OpenDNSSEC Enforcer daemon... Jun 17 12:20:01 ipa systemd: Starting OpenDNSSEC Enforcer daemon... 
Jun 17 12:20:01 ipa ods-enforcerd: opendnssec starting... Jun 17 12:20:01 ipa ods-enforcerd: opendnssec Parent exiting... Jun 17 12:20:01 ipa ods-enforcerd: opendnssec forked OK... Jun 17 12:20:01 ipa ods-enforcerd: group set to: ods (998) Jun 17 12:20:01 ipa ods-enforcerd: user set to: ods (999) Jun 17 12:20:01 ipa ods-enforcerd: opendnssec started (version 1.4.7), pid 9501 Jun 17 12:20:01 ipa ods-enforcerd: HSM opened successfully. Jun 17 12:20:01 ipa ods-enforcerd: Checking database connection... Jun 17 12:20:01 ipa ods-enforcerd: Database connection ok. Jun 17 12:20:01 ipa ods-enforcerd: Reading config "/etc/opendnssec/conf.xml" Jun 17 12:20:01 ipa ods-enforcerd: Reading config schema "/usr/share/opendnssec/conf.rng" Jun 17 12:20:01 ipa ods-enforcerd: Communication Interval: 3600 Jun 17 12:20:01 ipa systemd: PID file /var/run/opendnssec/enforcerd.pid not readable (yet?) after start. Jun 17 12:20:01 ipa systemd: Started OpenDNSSEC Enforcer daemon. Jun 17 12:20:01 ipa ods-enforcerd: OpenDNSSEC ods-enforcerd started (version 1.4.7), pid 9501 Jun 17 12:20:01 ipa ods-enforcerd: No DS Submit command supplied Jun 17 12:20:01 ipa ods-enforcerd: SQLite database set to: /var/opendnssec/kasp.db Jun 17 12:20:01 ipa ods-enforcerd: Log User set to: local0 Jun 17 12:20:01 ipa ods-enforcerd: Switched log facility to: local0 Jun 17 12:20:01 ipa ods-enforcerd: Connecting to Database... Jun 17 12:20:01 ipa ods-enforcerd: Policy default found. Jun 17 12:20:01 ipa ods-enforcerd: Key sharing is Off. Jun 17 12:20:01 ipa ods-enforcerd: 1 zone(s) found on policy "default" Jun 17 12:20:01 ipa ods-enforcerd: No new KSKs need to be created. Jun 17 12:20:01 ipa ods-enforcerd: No new ZSKs need to be created. Jun 17 12:20:01 ipa ods-enforcerd: zonelist filename set to /etc/opendnssec/zonelist.xml. Jun 17 12:20:01 ipa ods-enforcerd: Zone 4gjn.com found. Jun 17 12:20:01 ipa ods-enforcerd: Policy for 4gjn.com set to default. 
Jun 17 12:20:01 ipa ods-enforcerd: Config will be output to /var/opendnssec/signconf/4gjn.com.xml. Jun 17 12:20:01 ipa systemd: Stopping IPA key daemon... Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa : INFO Signal 15 received: Shutting down! Jun 17 12:20:01 ipa systemd: Started IPA key daemon. Jun 17 12:20:01 ipa systemd: Starting IPA key daemon... Jun 17 12:20:01 ipa ods-enforcerd: No change to: /var/opendnssec/signconf/4gjn.com.xml Jun 17 12:20:01 ipa ods-enforcerd: Disconnecting from Database... Jun 17 12:20:01 ipa ods-enforcerd: Sleeping for 3600 seconds. Jun 17 12:20:01 ipa systemd: Started Session 328 of user root. Jun 17 12:20:01 ipa systemd: Starting Session 328 of user root. Jun 17 12:20:01 ipa systemd: Started Session 329 of user root. Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing all plugin modules in ipalib.plugins... Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.aci Jun 17 12:20:01 ipa systemd: Starting Session 329 of user root. 
Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.automember Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.automount Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.baseldap Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.baseuser Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.batch Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.caacl Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.cert Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.certprofile Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.config Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.delegation Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.dns Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: importing all plugin modules in ipalib.plugins... 
Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.aci Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.automember Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.automount Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.baseldap Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.baseuser Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.domainlevel Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.group Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.batch Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.caacl Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.hbacrule Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvc Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvcgroup Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.hbactest Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.host Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.cert Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.hostgroup Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.idrange Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.idviews Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.internal Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.certprofile Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: importing 
plugin module ipalib.plugins.config Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.delegation Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.dns Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.krbtpolicy Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.migration Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.misc Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.netgroup Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.otpconfig Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken_yubikey Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.passwd Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.permission Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.ping Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.privilege Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.pwpolicy Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.domainlevel Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.group Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: Starting external process Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: args=klist -V Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: Process finished, return code=0 Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: stdout=Kerberos 5 version 1.13.2 Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: stderr= Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: 
DEBUG: importing plugin module ipalib.plugins.radiusproxy Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.realmdomains Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.role Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.rpcclient Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.selfservice Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.selinuxusermap Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.server Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.service Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.servicedelegation Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.session Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacrule Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvc Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvcgroup Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbactest Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.host Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hostgroup Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.idrange Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.idviews Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.internal Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: WARNING: session memcached servers not running Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module 
ipalib.plugins.stageuser Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmd Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmdgroup Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.sudorule Jun 17 12:20:01 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.topology Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.krbtpolicy Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.migration Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.misc Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.netgroup Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.otpconfig Jun 17 12:20:01 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken Jun 17 12:20:02 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.trust Jun 17 12:20:02 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.user Jun 17 12:20:02 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.vault Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken_yubikey Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.passwd Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.permission Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.ping Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.privilege Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.pwpolicy Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: Starting external process Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: 
DEBUG: args=klist -V Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: Process finished, return code=0 Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: stdout=Kerberos 5 version 1.13.2 Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: stderr= Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.radiusproxy Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.realmdomains Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.role Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.rpcclient Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.selfservice Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.selinuxusermap Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.server Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.service Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.servicedelegation Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.session Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.stageuser Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmd Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmdgroup Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.sudorule Jun 17 12:20:02 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipalib.plugins.virtual Jun 17 12:20:02 ipa ipa-dnskeysyncd: ipa: DEBUG: importing all plugin modules in ipaserver.plugins... 
Jun 17 12:20:02 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipaserver.plugins.dogtag Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.topology Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.trust Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.user Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.vault Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.virtual Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: importing all plugin modules in ipaserver.plugins... Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.dogtag Jun 17 12:20:02 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipaserver.plugins.join Jun 17 12:20:02 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipaserver.plugins.ldap2 Jun 17 12:20:02 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipaserver.plugins.rabase Jun 17 12:20:02 ipa ipa-dnskeysyncd: ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.join Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.ldap2 Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.rabase Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver Jun 17 12:20:02 ipa ipa-dnskeysyncd: ipa: DEBUG: SessionAuthManager.register: name=jsonserver_session_57076112 Jun 17 12:20:02 ipa ipa-dnskeysyncd: ipa: DEBUG: SessionAuthManager.register: name=xmlserver_session_57102544 Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: SessionAuthManager.register: name=jsonserver_session_49512720 Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: SessionAuthManager.register: 
name=xmlserver_session_49514512 Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos' Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:20:02 ipa ipa-dnskeysyncd: ipa: DEBUG: Mounting ipaserver.rpcserver.login_password() at '/session/login_password' Jun 17 12:20:02 ipa ipa-dnskeysyncd: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:20:02 ipa ipa-dnskeysyncd: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_kerb() at '/json' Jun 17 12:20:02 ipa ipa-dnskeysyncd: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:20:02 ipa ipa-dnskeysyncd: ipa: DEBUG: Mounting ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos' Jun 17 12:20:02 ipa ipa-dnskeysyncd: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:20:02 ipa ipa-dnskeysyncd: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_session() at '/session/json' Jun 17 12:20:02 ipa ipa-dnskeysyncd: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_kerb() at '/json' Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.change_password() at '/session/change_password' Jun 17 12:20:02 ipa ipa-dnskeysyncd: ipa: DEBUG: Mounting ipaserver.rpcserver.change_password() at '/session/change_password' Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_session() at '/session/json' Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:20:02 ipa ipa-dnskeysyncd: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver() at '/xml' Jun 17 12:20:02 ipa ipa-dnskeysyncd: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.sync_token() at '/session/sync_token' Jun 17 12:20:02 ipa 
ipa-dnskeysyncd: ipa: DEBUG: Mounting ipaserver.rpcserver.sync_token() at '/session/sync_token' Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver_session() at '/session/xml' Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.login_password() at '/session/login_password' Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:20:02 ipa ipa-dnskeysyncd: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver_session() at '/session/xml' Jun 17 12:20:02 ipa ipa-dnskeysyncd: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:20:02 ipa ipa-dnskeysyncd: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver() at '/xml' Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: Initializing principal ipa-ods-exporter/ipa.4gjn.com using keytab /etc/ipa/dnssec/ipa-ods-exporter.keytab Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: using ccache /var/opendnssec/tmp/ipa-ods-exporter.ccache Jun 17 12:20:02 ipa ipa-ods-exporter: ipa: DEBUG: Attempt 1/5: success Jun 17 12:20:02 ipa python2: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Ticket expired) Jun 17 12:20:02 ipa ipa-ods-exporter: Traceback (most recent call last): Jun 17 12:20:02 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in Jun 17 12:20:02 ipa ipa-ods-exporter: ldap.gssapi_bind() Jun 17 12:20:02 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind Jun 17 12:20:02 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls) Jun 17 12:20:02 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__ Jun 17 12:20:02 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback) Jun 17 12:20:02 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler Jun 17 12:20:02 ipa ipa-ods-exporter: raise errors.ACIError(info=info) Jun 17 12:20:02 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) Jun 17 12:20:02 ipa ipa-dnskeysyncd: ipa : DEBUG Kerberos principal: ipa-dnskeysyncd/ipa.4gjn.com Jun 17 12:20:02 ipa ipa-dnskeysyncd: ipa : DEBUG Initializing principal ipa-dnskeysyncd/ipa.4gjn.com using keytab /etc/ipa/dnssec/ipa-dnskeysyncd.keytab Jun 17 12:20:02 ipa ipa-dnskeysyncd: ipa : DEBUG using ccache /tmp/ipa-dnskeysyncd.ccache Jun 17 12:20:03 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE Jun 17 12:20:03 ipa systemd: Unit ipa-ods-exporter.service entered failed state. Jun 17 12:20:03 ipa systemd: ipa-ods-exporter.service failed. 
Jun 17 12:20:03 ipa ipa-dnskeysyncd: ipa : DEBUG Attempt 1/5: success Jun 17 12:20:03 ipa ipa-dnskeysyncd: ipa : DEBUG LDAP URL: ldapi://%2Fvar%2Frun%2Fslapd-4GJN-COM.socket/cn%3Ddns%2Cdc%3D4gjn%2Cdc%3Dcom??sub?%28%7C%28objectClass%3DidnsZone%29%28objectClass%3DidnsSecKey%29%28objectClass%3Dipk11PublicKey%29%29 Jun 17 12:20:03 ipa ipa-dnskeysyncd: ipa : INFO LDAP bind... Jun 17 12:20:05 ipa ipa-dnskeysyncd: ipa : INFO Commencing sync process Jun 17 12:20:05 ipa ipa-dnskeysyncd: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Current cookie is: None (not received yet) Jun 17 12:20:05 ipa ipa-dnskeysyncd: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: idnsname=4gjn.com.,cn=dns,dc=4gjn,dc=com c22a0029-ee8d-11e5-8229-c5dfdc6d4358 Jun 17 12:20:05 ipa ipa-dnskeysyncd: ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG LDAP zones: {'c22a0029-ee8d-11e5-8229-c5dfdc6d4358': } Jun 17 12:20:05 ipa ipa-dnskeysyncd: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: ipk11UniqueID=cdf8c470-ee8d-11e5-9ad1-52540090fcc3,cn=keys,cn=sec,cn=dns,dc=4gjn,dc=com c22a005d-ee8d-11e5-8229-c5dfdc6d4358 Jun 17 12:20:05 ipa ipa-dnskeysyncd: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: ipk11UniqueID=a41435ac-0ba9-11e6-bf30-52540090fcc3,cn=keys,cn=sec,cn=dns,dc=4gjn,dc=com 816a8894-0ba9-11e6-8229-c5dfdc6d4358 Jun 17 12:20:05 ipa ipa-dnskeysyncd: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: idnsname=1.f.8.0.f.6.0.0.0.7.4.0.1.0.0.2.ip6.arpa.,cn=dns,dc=4gjn,dc=com 006d7702-1389-11e6-8229-c5dfdc6d4358 Jun 17 12:20:05 ipa ipa-dnskeysyncd: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: ipk11UniqueID=ef0515c2-18e2-11e6-84b4-52540090fcc3,cn=keys,cn=sec,cn=dns,dc=4gjn,dc=com d107be8a-18e2-11e6-8229-c5dfdc6d4358 Jun 17 12:20:05 ipa ipa-dnskeysyncd: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: 
ipk11UniqueID=ef0eed40-18e2-11e6-9f0b-52540090fcc3,cn=keys,cn=sec,cn=dns,dc=4gjn,dc=com d107be8c-18e2-11e6-8229-c5dfdc6d4358 Jun 17 12:20:05 ipa ipa-dnskeysyncd: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: cn=ZSK-20160513081559Z-d7fe5c98d5f3f89aefb9e8dfb92ebcb1,cn=keys,idnsname=4gjn.com.,cn=dns,dc=4gjn,dc=com d107be90-18e2-11e6-8229-c5dfdc6d4358 Jun 17 12:20:05 ipa ipa-dnskeysyncd: ipa.ipapython.dnssec.bindmgr.BINDMgr: INFO Key metadata cn=ZSK-20160513081559Z-d7fe5c98d5f3f89aefb9e8dfb92ebcb1,cn=keys,idnsname=4gjn.com.,cn=dns,dc=4gjn,dc=com added to zone 4gjn.com. Jun 17 12:20:05 ipa ipa-dnskeysyncd: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: cn=KSK-20160513081559Z-6145b3b71c448dfc1130d0f9d2caac79,cn=keys,idnsname=4gjn.com.,cn=dns,dc=4gjn,dc=com d107be92-18e2-11e6-8229-c5dfdc6d4358 Jun 17 12:20:05 ipa ipa-dnskeysyncd: ipa.ipapython.dnssec.bindmgr.BINDMgr: INFO Key metadata cn=KSK-20160513081559Z-6145b3b71c448dfc1130d0f9d2caac79,cn=keys,idnsname=4gjn.com.,cn=dns,dc=4gjn,dc=com added to zone 4gjn.com. 
Jun 17 12:20:05 ipa ipa-dnskeysyncd: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG New cookie is: ipa.4gjn.com:389#krbprincipalname=ipa-dnskeysyncd/ipa.4gjn.com at 4gjn.com,cn=services,cn=accounts,dc=4gjn,dc=com:cn=dns,dc=4gjn,dc=com:(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))#87822 Jun 17 12:20:05 ipa ipa-dnskeysyncd: ipa.ipapython.dnssec.keysyncer.KeySyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND Jun 17 12:20:05 ipa ipa-dnskeysyncd: ipa : DEBUG Starting external process Jun 17 12:20:05 ipa ipa-dnskeysyncd: ipa : DEBUG args=ods-ksmutil zonelist export Jun 17 12:20:05 ipa ipa-dnskeysyncd: ipa : DEBUG Process finished, return code=0 Jun 17 12:20:05 ipa ipa-dnskeysyncd: ipa : DEBUG stdout= Jun 17 12:20:05 ipa ipa-dnskeysyncd: Jun 17 12:20:05 ipa ipa-dnskeysyncd: Jun 17 12:20:05 ipa ipa-dnskeysyncd: default Jun 17 12:20:05 ipa ipa-dnskeysyncd: /var/opendnssec/signconf/4gjn.com.xml Jun 17 12:20:05 ipa ipa-dnskeysyncd: Jun 17 12:20:05 ipa ipa-dnskeysyncd: Jun 17 12:20:05 ipa ipa-dnskeysyncd: /var/lib/ipa/dns/zone/entryUUID/c22a0029-ee8d-11e5-8229-c5dfdc6d4358 Jun 17 12:20:05 ipa ipa-dnskeysyncd: Jun 17 12:20:05 ipa ipa-dnskeysyncd: Jun 17 12:20:05 ipa ipa-dnskeysyncd: /var/opendnssec/signed/4gjn.com Jun 17 12:20:05 ipa ipa-dnskeysyncd: Jun 17 12:20:05 ipa ipa-dnskeysyncd: Jun 17 12:20:05 ipa ipa-dnskeysyncd: Jun 17 12:20:05 ipa ipa-dnskeysyncd: Jun 17 12:20:05 ipa ipa-dnskeysyncd: ipa : DEBUG stderr= Jun 17 12:20:05 ipa ipa-dnskeysyncd: ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG ODS zones: {'c22a0029-ee8d-11e5-8229-c5dfdc6d4358': } Jun 17 12:20:05 ipa ipa-dnskeysyncd: ipa.ipapython.dnssec.odsmgr.ODSMgr: INFO Zones removed from LDAP: [] Jun 17 12:20:05 ipa ipa-dnskeysyncd: ipa.ipapython.dnssec.odsmgr.ODSMgr: INFO Zones added to LDAP: [] Jun 17 12:20:05 ipa ipa-dnskeysyncd: ipa : DEBUG Starting external process Jun 17 12:20:05 ipa ipa-dnskeysyncd: ipa : DEBUG args=/usr/sbin/ods-signer ipa-hsm-update Jun 17 
12:20:53 ipa named-pkcs11[9113]: client 217.196.154.211#56361 (4gjn.com): transfer of '4gjn.com/IN': AXFR-style IXFR started
Jun 17 12:20:53 ipa named-pkcs11[9113]: client 217.196.154.211#56361 (4gjn.com): transfer of '4gjn.com/IN': AXFR-style IXFR ended
Jun 17 12:21:03 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart.
Jun 17 12:21:03 ipa systemd: Started IPA OpenDNSSEC Signer replacement.
Jun 17 12:21:03 ipa systemd: Starting IPA OpenDNSSEC Signer replacement...
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing all plugin modules in ipalib.plugins...
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.aci
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.automember
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.automount
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.baseldap
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.baseuser
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.batch
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.caacl
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.cert
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.certprofile
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.config
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.delegation
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.dns
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.domainlevel
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.group
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacrule
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvc
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvcgroup
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbactest
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.host
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hostgroup
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.idrange
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.idviews
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.internal
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.krbtpolicy
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.migration
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.misc
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.netgroup
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.otpconfig
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken_yubikey
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.passwd
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.permission
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.ping
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.privilege
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.pwpolicy
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: Starting external process
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: args=klist -V
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: Process finished, return code=0
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: stdout=Kerberos 5 version 1.13.2
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: stderr=
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.radiusproxy
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.realmdomains
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.role
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.rpcclient
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.selfservice
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.selinuxusermap
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.server
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.service
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.servicedelegation
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.session
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.stageuser
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmd
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmdgroup
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.sudorule
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.topology
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.trust
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.user
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.vault
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.virtual
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing all plugin modules in ipaserver.plugins...
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.dogtag
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.join
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.ldap2
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.rabase
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: SessionAuthManager.register: name=jsonserver_session_68784400
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: SessionAuthManager.register: name=xmlserver_session_68786192
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.sync_token() at '/session/sync_token'
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_kerb() at '/json'
Jun 17 12:21:03 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 17 12:21:04 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver_session() at '/session/xml'
Jun 17 12:21:04 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 17 12:21:04 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 17 12:21:04 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver() at '/xml'
Jun 17 12:21:04 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 17 12:21:04 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_session() at '/session/json'
Jun 17 12:21:04 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 17 12:21:04 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.login_password() at '/session/login_password'
Jun 17 12:21:04 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 17 12:21:04 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos'
Jun 17 12:21:04 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 17 12:21:04 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.change_password() at '/session/change_password'
Jun 17 12:21:04 ipa ipa-ods-exporter: ipa: DEBUG: Initializing principal ipa-ods-exporter/ipa.4gjn.com using keytab /etc/ipa/dnssec/ipa-ods-exporter.keytab
Jun 17 12:21:04 ipa ipa-ods-exporter: ipa: DEBUG: using ccache /var/opendnssec/tmp/ipa-ods-exporter.ccache
Jun 17 12:21:04 ipa ipa-ods-exporter: ipa: DEBUG: Attempt 1/5: success
Jun 17 12:21:04 ipa python2: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 17 12:21:04 ipa ipa-ods-exporter: Traceback (most recent call last):
Jun 17 12:21:04 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in
Jun 17 12:21:04 ipa ipa-ods-exporter: ldap.gssapi_bind()
Jun 17 12:21:04 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind
Jun 17 12:21:04 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls)
Jun 17 12:21:04 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
Jun 17 12:21:04 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback)
Jun 17 12:21:04 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler
Jun 17 12:21:04 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
Jun 17 12:21:04 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 17 12:21:04 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE
Jun 17 12:21:04 ipa systemd: Unit ipa-ods-exporter.service entered failed state.
Jun 17 12:21:04 ipa systemd: ipa-ods-exporter.service failed.
Jun 17 12:22:04 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart.
Jun 17 12:22:04 ipa systemd: Started IPA OpenDNSSEC Signer replacement.
Jun 17 12:22:04 ipa systemd: Starting IPA OpenDNSSEC Signer replacement...
Jun 17 12:22:05 ipa ipa-ods-exporter: ipa: DEBUG: importing all plugin modules in ipalib.plugins...
ipa: DEBUG: Mounting ipaserver.rpcserver.sync_token() at '/session/sync_token' Jun 17 12:24:08 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver_session() at '/session/xml' Jun 17 12:24:08 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:24:08 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:24:08 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_session() at '/session/json' Jun 17 12:24:08 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:24:09 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver() at '/xml' Jun 17 12:24:09 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:24:09 ipa ipa-ods-exporter: ipa: DEBUG: Initializing principal ipa-ods-exporter/ipa.4gjn.com using keytab /etc/ipa/dnssec/ipa-ods-exporter.keytab Jun 17 12:24:09 ipa ipa-ods-exporter: ipa: DEBUG: using ccache /var/opendnssec/tmp/ipa-ods-exporter.ccache Jun 17 12:24:09 ipa ipa-ods-exporter: ipa: DEBUG: Attempt 1/5: success Jun 17 12:24:09 ipa python2: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Ticket expired) Jun 17 12:24:09 ipa ipa-ods-exporter: Traceback (most recent call last): Jun 17 12:24:09 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in Jun 17 12:24:09 ipa ipa-ods-exporter: ldap.gssapi_bind() Jun 17 12:24:09 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind Jun 17 12:24:09 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls) Jun 17 12:24:09 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__ Jun 17 12:24:09 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback) Jun 17 12:24:09 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler Jun 17 12:24:09 ipa ipa-ods-exporter: raise errors.ACIError(info=info) Jun 17 12:24:09 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) Jun 17 12:24:09 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE Jun 17 12:24:09 ipa systemd: Unit ipa-ods-exporter.service entered failed state. Jun 17 12:24:09 ipa systemd: ipa-ods-exporter.service failed. Jun 17 12:25:01 ipa kernel: freeipa-ldapIN=ens10 OUT= MAC=52:54:00:90:fc:c3:52:54:00:47:17:d2:08:00 SRC=89.26.108.9 DST=89.26.108.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10994 DF PROTO=TCP SPT=57818 DPT=389 WINDOW=29200 RES=0x00 SYN URGP=0 Jun 17 12:25:01 ipa kernel: freeipa-ldapIN=ens10 OUT= MAC=52:54:00:90:fc:c3:0c:c4:7a:71:1c:7a:08:00 SRC=89.26.108.1 DST=89.26.108.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25769 DF PROTO=TCP SPT=44791 DPT=389 WINDOW=29200 RES=0x00 SYN URGP=0 Jun 17 12:25:01 ipa systemd: Created slice user-991.slice. Jun 17 12:25:01 ipa systemd: Starting user-991.slice. Jun 17 12:25:01 ipa systemd: Started Session 330 of user pcp. 
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.dns
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.domainlevel
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.group
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacrule
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvc
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvcgroup
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbactest
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.host
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hostgroup
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.idrange
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.idviews
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.internal
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.krbtpolicy
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.migration
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.misc
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.netgroup
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.otpconfig
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken_yubikey
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.passwd
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.permission
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.ping
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.privilege
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.pwpolicy
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: Starting external process
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: args=klist -V
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: Process finished, return code=0
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: stdout=Kerberos 5 version 1.13.2
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: stderr=
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.radiusproxy
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.realmdomains
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.role
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.rpcclient
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.selfservice
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.selinuxusermap
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.server
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.service
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.servicedelegation
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.session
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.stageuser
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmd
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmdgroup
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.sudorule
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.topology
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.trust
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.user
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.vault
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.virtual
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing all plugin modules in ipaserver.plugins...
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.dogtag
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.join
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.ldap2
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.rabase
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: SessionAuthManager.register: name=jsonserver_session_75657488
Jun 17 12:27:12 ipa ipa-ods-exporter: ipa: DEBUG: SessionAuthManager.register: name=xmlserver_session_75659280
Jun 17 12:27:13 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver() at '/xml'
Jun 17 12:27:13 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 17 12:27:13 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos'
Jun 17 12:27:13 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 17 12:27:13 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.change_password() at '/session/change_password'
Jun 17 12:27:13 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_kerb() at '/json'
Jun 17 12:27:13 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 17 12:27:13 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.sync_token() at '/session/sync_token'
Jun 17 12:27:13 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver_session() at '/session/xml'
Jun 17 12:27:13 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 17 12:27:13 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 17 12:27:13 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_session() at '/session/json'
Jun 17 12:27:13 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 17 12:27:13 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.login_password() at '/session/login_password'
Jun 17 12:27:13 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 17 12:27:13 ipa ipa-ods-exporter: ipa: DEBUG: Initializing principal ipa-ods-exporter/ipa.4gjn.com using keytab /etc/ipa/dnssec/ipa-ods-exporter.keytab
Jun 17 12:27:13 ipa ipa-ods-exporter: ipa: DEBUG: using ccache /var/opendnssec/tmp/ipa-ods-exporter.ccache
Jun 17 12:27:13 ipa ipa-ods-exporter: ipa: DEBUG: Attempt 1/5: success
Jun 17 12:27:13 ipa python2: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Ticket expired) Jun 17 12:27:13 ipa ipa-ods-exporter: Traceback (most recent call last): Jun 17 12:27:13 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in Jun 17 12:27:13 ipa ipa-ods-exporter: ldap.gssapi_bind() Jun 17 12:27:13 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind Jun 17 12:27:13 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls) Jun 17 12:27:13 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__ Jun 17 12:27:13 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback) Jun 17 12:27:13 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler Jun 17 12:27:13 ipa ipa-ods-exporter: raise errors.ACIError(info=info) Jun 17 12:27:13 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) Jun 17 12:27:13 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE Jun 17 12:27:13 ipa systemd: Unit ipa-ods-exporter.service entered failed state. Jun 17 12:27:13 ipa systemd: ipa-ods-exporter.service failed. Jun 17 12:28:01 ipa systemd: Created slice user-991.slice. Jun 17 12:28:01 ipa systemd: Starting user-991.slice. Jun 17 12:28:01 ipa systemd: Started Session 331 of user pcp. Jun 17 12:28:01 ipa systemd: Starting Session 331 of user pcp. Jun 17 12:28:01 ipa systemd: Removed slice user-991.slice. Jun 17 12:28:01 ipa systemd: Stopping user-991.slice. Jun 17 12:28:13 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart. Jun 17 12:28:13 ipa systemd: Started IPA OpenDNSSEC Signer replacement. Jun 17 12:28:13 ipa systemd: Starting IPA OpenDNSSEC Signer replacement... 
Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing all plugin modules in ipalib.plugins... Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.aci Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.automember Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.automount Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.baseldap Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.baseuser Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.batch Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.caacl Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.cert Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.certprofile Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.config Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.delegation Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.dns Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.domainlevel Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.group Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacrule Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvc Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvcgroup Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbactest Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.host Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: 
importing plugin module ipalib.plugins.hostgroup Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.idrange Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.idviews Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.internal Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.krbtpolicy Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.migration Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.misc Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.netgroup Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.otpconfig Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken_yubikey Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.passwd Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.permission Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.ping Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.privilege Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.pwpolicy Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: Starting external process Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: args=klist -V Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: Process finished, return code=0 Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: stdout=Kerberos 5 version 1.13.2 Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: stderr= Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.radiusproxy Jun 17 
12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.realmdomains Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.role Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.rpcclient Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.selfservice Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.selinuxusermap Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.server Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.service Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.servicedelegation Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.session Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.stageuser Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmd Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmdgroup Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.sudorule Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.topology Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.trust Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.user Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.vault Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.virtual Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing all plugin modules in ipaserver.plugins... 
Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.dogtag Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.join Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.ldap2 Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.rabase Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: SessionAuthManager.register: name=jsonserver_session_46498064 Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: SessionAuthManager.register: name=xmlserver_session_46499856 Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos' Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_kerb() at '/json' Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.change_password() at '/session/change_password' Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_session() at '/session/json' Jun 17 12:28:14 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:28:15 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.sync_token() at '/session/sync_token' Jun 17 12:28:15 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver_session() at '/session/xml' Jun 17 12:28:15 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:28:15 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:28:15 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.login_password() at '/session/login_password' Jun 17 12:28:15 ipa ipa-ods-exporter: 
ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:28:15 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver() at '/xml' Jun 17 12:28:15 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:28:15 ipa ipa-ods-exporter: ipa: DEBUG: Initializing principal ipa-ods-exporter/ipa.4gjn.com using keytab /etc/ipa/dnssec/ipa-ods-exporter.keytab Jun 17 12:28:15 ipa ipa-ods-exporter: ipa: DEBUG: using ccache /var/opendnssec/tmp/ipa-ods-exporter.ccache Jun 17 12:28:15 ipa ipa-ods-exporter: ipa: DEBUG: Attempt 1/5: success Jun 17 12:28:15 ipa python2: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) Jun 17 12:28:15 ipa ipa-ods-exporter: Traceback (most recent call last): Jun 17 12:28:15 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in Jun 17 12:28:15 ipa ipa-ods-exporter: ldap.gssapi_bind() Jun 17 12:28:15 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind Jun 17 12:28:15 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls) Jun 17 12:28:15 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__ Jun 17 12:28:15 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback) Jun 17 12:28:15 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler Jun 17 12:28:15 ipa ipa-ods-exporter: raise errors.ACIError(info=info) Jun 17 12:28:15 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) Jun 17 12:28:15 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE Jun 17 12:28:15 ipa systemd: Unit ipa-ods-exporter.service entered failed state. Jun 17 12:28:15 ipa systemd: ipa-ods-exporter.service failed. 
Jun 17 12:28:40 ipa kernel: freeipa-ldapIN=ens11 OUT= MAC=52:54:00:ce:9d:da:52:54:00:b9:6d:73:86:dd SRC=2001:0470:006f:08f1:0000:0000:0000:0214 DST=2001:0470:006f:08f1:0000:0000:0000:0204 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=50093 DPT=389 WINDOW=28800 RES=0x00 SYN URGP=0 Jun 17 12:29:15 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart. Jun 17 12:29:15 ipa systemd: Started IPA OpenDNSSEC Signer replacement. Jun 17 12:29:15 ipa systemd: Starting IPA OpenDNSSEC Signer replacement... Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing all plugin modules in ipalib.plugins... Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.aci Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.automember Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.automount Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.baseldap Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.baseuser Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.batch Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.caacl Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.cert Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.certprofile Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.config Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.delegation Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.dns Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.domainlevel Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.group Jun 17 12:29:15 
ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacrule Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvc Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvcgroup Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbactest Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.host Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hostgroup Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.idrange Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.idviews Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.internal Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.krbtpolicy Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.migration Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.misc Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.netgroup Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.otpconfig Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken_yubikey Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.passwd Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.permission Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.ping Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.privilege Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: 
importing plugin module ipalib.plugins.pwpolicy Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: Starting external process Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: args=klist -V Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: Process finished, return code=0 Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: stdout=Kerberos 5 version 1.13.2 Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: stderr= Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.radiusproxy Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.realmdomains Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.role Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.rpcclient Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.selfservice Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.selinuxusermap Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.server Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.service Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.servicedelegation Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.session Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.stageuser Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmd Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmdgroup Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.sudorule Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.topology Jun 17 
12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.trust Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.user Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.vault Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.virtual Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing all plugin modules in ipaserver.plugins... Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.dogtag Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.join Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.ldap2 Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.rabase Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: SessionAuthManager.register: name=jsonserver_session_72827152 Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: SessionAuthManager.register: name=xmlserver_session_72828944 Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos' Jun 17 12:29:15 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:29:16 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.change_password() at '/session/change_password' Jun 17 12:29:16 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver_session() at '/session/xml' Jun 17 12:29:16 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:29:16 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:29:16 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.login_password() at '/session/login_password' Jun 17 12:29:16 ipa ipa-ods-exporter: ipa: DEBUG: 
session_auth_duration: 0:20:00 Jun 17 12:29:16 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver() at '/xml' Jun 17 12:29:16 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:29:16 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_session() at '/session/json' Jun 17 12:29:16 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:29:16 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.sync_token() at '/session/sync_token' Jun 17 12:29:16 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_kerb() at '/json' Jun 17 12:29:16 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 17 12:29:16 ipa ipa-ods-exporter: ipa: DEBUG: Initializing principal ipa-ods-exporter/ipa.4gjn.com using keytab /etc/ipa/dnssec/ipa-ods-exporter.keytab Jun 17 12:29:16 ipa ipa-ods-exporter: ipa: DEBUG: using ccache /var/opendnssec/tmp/ipa-ods-exporter.ccache Jun 17 12:29:16 ipa ipa-ods-exporter: ipa: DEBUG: Attempt 1/5: success Jun 17 12:29:16 ipa python2: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Ticket expired) Jun 17 12:29:16 ipa ipa-ods-exporter: Traceback (most recent call last): Jun 17 12:29:16 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in Jun 17 12:29:16 ipa ipa-ods-exporter: ldap.gssapi_bind() Jun 17 12:29:16 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind Jun 17 12:29:16 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls) Jun 17 12:29:16 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__ Jun 17 12:29:16 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback) Jun 17 12:29:16 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler Jun 17 12:29:16 ipa ipa-ods-exporter: raise errors.ACIError(info=info) Jun 17 12:29:16 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) Jun 17 12:29:16 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE Jun 17 12:29:16 ipa systemd: Unit ipa-ods-exporter.service entered failed state. Jun 17 12:29:16 ipa systemd: ipa-ods-exporter.service failed. Jun 17 12:29:51 ipa named-pkcs11[9113]: client 217.196.154.211#35859 (1.f.8.0.f.6.0.0.0.7.4.0.1.0.0.2.ip6.arpa): transfer of '1.f.8.0.f.6.0.0.0.7.4.0.1.0.0.2.ip6.arpa/IN': AXFR-style IXFR started Jun 17 12:29:51 ipa named-pkcs11[9113]: client 217.196.154.211#35859 (1.f.8.0.f.6.0.0.0.7.4.0.1.0.0.2.ip6.arpa): transfer of '1.f.8.0.f.6.0.0.0.7.4.0.1.0.0.2.ip6.arpa/IN': AXFR-style IXFR ended Jun 17 12:30:01 ipa systemd: Started Session 332 of user root. Jun 17 12:30:01 ipa systemd: Starting Session 332 of user root. Jun 17 12:30:16 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart. 
Jun 17 12:30:16 ipa systemd: Started IPA OpenDNSSEC Signer replacement. Jun 17 12:30:16 ipa systemd: Starting IPA OpenDNSSEC Signer replacement... Jun 17 12:30:17 ipa ipa-ods-exporter: ipa: DEBUG: importing all plugin modules in ipalib.plugins... Jun 17 12:30:17 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.aci Jun 17 12:30:17 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.automember Jun 17 12:30:17 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.automount Jun 17 12:30:17 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.baseldap Jun 17 12:30:17 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.baseuser Jun 17 12:30:17 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.batch Jun 17 12:30:17 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.caacl Jun 17 12:30:17 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.cert Jun 17 12:30:17 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.certprofile Jun 17 12:30:17 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.config Jun 17 12:30:17 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.delegation Jun 17 12:30:17 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.dns Jun 17 12:30:17 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.domainlevel Jun 17 12:30:17 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.group Jun 17 12:30:17 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacrule Jun 17 12:30:17 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvc Jun 17 12:30:17 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvcgroup Jun 17 12:30:17 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbactest 
From abokovoy at redhat.com Fri Jun 17 12:01:18 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 17 Jun 2016 15:01:18 +0300
Subject: [Freeipa-users] LDAPS for AD trust?
In-Reply-To:
References:
Message-ID: <20160617120118.24kplt7elrhrajpu@redhat.com>

On Thu, 16 Jun 2016, Erik Mackdanz wrote:
>Hello,
>
>Is it possible to force LDAPS instead of LDAP when connecting to the
>client's AD domain in a trust situation?
>
>I'm sure that the _ldaps SRV must be added to AD (AD doesn't have one
>by default).
There is no such thing as an _ldaps SRV record and nothing supports it
either in Active Directory or otherwise.

LDAPS (port 636) was never standardized and with the release of the LDAPv3
spec in 1999 was made obsolete. The software still supports it but it is
not better than the STARTTLS extension which is part of LDAPv3.

I think in many cases security auditors are doing injustice to the
reality with their 'requirements' to have LDAP over SSL as port 636.

As Jakub said, SASL GSSAPI is already used to encrypt the connection if
you configure your ldap.conf properly with

       GSSAPI_SIGN
              Specifies if GSSAPI signing (GSS_C_INTEG_FLAG) should be used.
              The default is off.

       GSSAPI_ENCRYPT
              Specifies if GSSAPI encryption (GSS_C_INTEG_FLAG and
              GSS_C_CONF_FLAG) should be used. The default is off.

When IPA trust to AD is in use, SSSD on IPA masters is talking LDAP to
AD DCs, not IPA clients, so the change would be rather limited. It would
be good, of course, if SSSD would switch this on automatically with
LDAP_OPT_ENCRYPT / LDAP_OPT_SIGN but I don't see this in the code.
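A check of the ldap.conf point made above, added here as an example and not part of the thread or of FreeIPA, SSSD or OpenLDAP: it parses an OpenLDAP-style ldap.conf and reports, per URI, whether directory traffic would be protected by TLS (ldaps://), by a GSSAPI confidentiality layer (GSSAPI_ENCRYPT on), by integrity only (GSSAPI_SIGN on), or not at all, which is the default since both directives are off unless set. The sample configurations and hostnames are constructed, and the rule that a later occurrence of a directive overrides an earlier one is this checker's own assumption.

```python
"""Audit an OpenLDAP-style ldap.conf for the protection an LDAP session gets.

Added example for the thread above, not FreeIPA, SSSD or OpenLDAP code.
Rule encoded: GSSAPI_SIGN and GSSAPI_ENCRYPT both default to off, so a
plain ldap:// URI with SASL GSSAPI authenticates the client but leaves the
directory traffic unprotected unless GSSAPI_ENCRYPT is switched on (or the
URI is ldaps://, or the client requests STARTTLS per connection, which is
not an ldap.conf directive and so is invisible to this checker).
"""
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit

_TRUE_VALUES = {"on", "yes", "true"}


def parse_ldap_conf(text: str) -> Dict[str, List[str]]:
    """Map upper-cased directive -> list of its values, in file order.

    ldap.conf directives are case-insensitive, one per line, with the value
    separated from the keyword by whitespace; '#' starts a comment.
    """
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].upper(), []).append(value)
    return conf


def _enabled(conf: Dict[str, List[str]], directive: str) -> bool:
    """True if the directive is present and its last value is on/yes/true.

    Assumption of this checker: a later line overrides an earlier one.
    An absent directive is False, the documented default for both
    GSSAPI_SIGN and GSSAPI_ENCRYPT.
    """
    values = conf.get(directive, [])
    return bool(values) and values[-1].lower() in _TRUE_VALUES


@dataclass
class Finding:
    uri: str
    protection: str  # tls | local-socket | gssapi-confidentiality | gssapi-integrity | none
    advice: str


def audit(conf: Dict[str, List[str]]) -> List[Finding]:
    """One Finding per URI listed in the URI directive(s)."""
    mech = conf.get("SASL_MECH", [""])[-1].upper()
    # The GSSAPI_* directives only matter if GSSAPI is the mechanism used;
    # with SASL_MECH unset the library may still negotiate GSSAPI, so treat
    # "unset" as "possibly GSSAPI".
    gssapi_possible = mech in ("", "GSSAPI")
    sign = gssapi_possible and _enabled(conf, "GSSAPI_SIGN")
    encrypt = gssapi_possible and _enabled(conf, "GSSAPI_ENCRYPT")
    # URI takes a whitespace-separated list and may also be repeated.
    uris = " ".join(conf.get("URI", [])).split()
    findings: List[Finding] = []
    for uri in uris:
        scheme = urlsplit(uri).scheme.lower()
        if scheme == "ldaps":
            findings.append(Finding(uri, "tls",
                "TLS on the socket (LDAP over port 636 style); GSSAPI layers add nothing here"))
        elif scheme == "ldapi":
            findings.append(Finding(uri, "local-socket",
                "Unix domain socket; nothing crosses the network"))
        elif encrypt:
            findings.append(Finding(uri, "gssapi-confidentiality",
                "SASL GSSAPI negotiates GSS_C_INTEG_FLAG and GSS_C_CONF_FLAG; traffic is encrypted without LDAPS"))
        elif sign:
            findings.append(Finding(uri, "gssapi-integrity",
                "GSS_C_INTEG_FLAG only: tamper-evident but readable on the wire; set GSSAPI_ENCRYPT on"))
        else:
            findings.append(Finding(uri, "none",
                "directory traffic is cleartext even if the bind is strong; set GSSAPI_SIGN on and GSSAPI_ENCRYPT on, or use STARTTLS"))
    return findings


# Constructed sample: the defaults most ldap.conf files are left with.
WEAK_CONF = """
# constructed sample, not a real deployment
BASE dc=example,dc=test
URI ldap://dc1.ad.example.test ldap://dc2.ad.example.test
SASL_MECH GSSAPI
"""

# The same file with the two directives from the thread switched on.
HARDENED_CONF = WEAK_CONF + "GSSAPI_SIGN on\nGSSAPI_ENCRYPT on\n"


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"--- {label} ---")
        for f in audit(parse_ldap_conf(text)):
            print(f"{f.uri}: {f.protection}: {f.advice}")
```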
--
/ Alexander Bokovoy

From abokovoy at redhat.com Fri Jun 17 12:02:59 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 17 Jun 2016 15:02:59 +0300
Subject: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users
In-Reply-To: <1466102490.20989.123.camel@petsmart.com>
References: <1465842048.20989.37.camel@petsmart.com> <20160613190729.evh3ykgmz7yvgiom@redhat.com> <264C67C6145722439414DB6176F5A6E147594CE714@EXMBX02.ssg.petsmart.com> <20160614200247.oaw5bn6zag7xvlko@redhat.com> <264C67C6145722439414DB6176F5A6E147594CE718@EXMBX02.ssg.petsmart.com> <20160615065236.emmia6tf22jkxigy@redhat.com> <1466102490.20989.123.camel@petsmart.com>
Message-ID: <20160617120259.keqa6xvj4ultfa5r@redhat.com>

On Thu, 16 Jun 2016, David Fischer wrote:
>Alexander,
>
>Ok I figured most of my issues were ldap search time out and also
>ldap_idmap_range_size was too small.
Good.

>So I am left with one last problem is that any new users can log in via
>password but existing users passwords do not work but kerberos tickets
>do. So is there another setting I am missing. getent and id -a both
>work fine and there are no HBAC. Any thought would be helpful.
New users where? In Active Directory or in IPA?

In case of authentication checks you need to look at the SSSD domain log
together with the pam log and krb5_child log.

>
>Thanks
>
>-----Original Message-----
>From: Alexander Bokovoy
>To: David Fischer
>Cc: freeipa-users at redhat.com
>Subject: Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users
>Date: Tue, 14 Jun 2016 23:52:36 -0700
>
>
>On Tue, 14 Jun 2016, David Fischer wrote:
>
>
>Alexander,
>
>I am getting the windows admin to refresh our DR AD setup and I should
>be able to give you an idea on some of our groups layouts.
>
>So a quick understanding is that a single user can have 15-20+ groups
>those groups might have all users in them plus groups. The groups of
>groups can link back to groups that the user may have already assigned.
>We do know that we have at least one circular group in our environment.
>I have used the 'ignore_group_members' with some success. Ref:
>https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/
>
>
>That article is what Jakub and I wrote. Jakub may have more suggestions
>and there are some improvements in recent SSSD releases in RHEL 7.2.4.
>
>
>
>________________________________
>The information contained in this electronic mail message, including attachments, if any, is PetSmart confidential information. It is intended only for the use of the person(s) named above. If the reader of this message is not the intended recipient, or has received this message in error, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you are not the intended recipient or have received this message in error, please notify the sender via e-mail and promptly delete the original message.
>
>--
>Manage your subscription for the Freeipa-users mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
>Go to http://freeipa.org for more info on the project

--
/ Alexander Bokovoy

From mbasti at redhat.com Fri Jun 17 12:13:55 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 17 Jun 2016 14:13:55 +0200
Subject: [Freeipa-users] ipa-ods-exporter failed ?
In-Reply-To: <2168657.PSfZIzaTQU@techz>
References: <3253760.hiacI6SPC6@techz> <20160616195158.GH24826@10.4.128.1> <7452d47c-18bc-90c2-a9b5-bb1611f809b7@redhat.com> <2168657.PSfZIzaTQU@techz>
Message-ID: <63a013a2-2161-fb64-b6cf-8dca54ff1e39@redhat.com>

On 17.06.2016 12:54, Günther J. Niederwimmer wrote:
> Hello List,
>
> On Friday, 17 June 2016, 07:51:45 CEST, Petr Spacek wrote:
>> On 16.6.2016 21:51, Lukas Slebodnik wrote:
>>> On (16/06/16 11:54), Günther J. Niederwimmer wrote:
>>>> Hello
>>>>
>>>> on my system the ods-exporter, I mean, has a problem.
>>>>
>>>> I have this in the logs
>>>> CentOS 7.(2) ipa 4.3.1
>>>>
>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: ipalib.errors.ACIError:
>>>> Insufficient
>>>> access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
>>>> Minor code may provide more information (Ticket expired)
>>>>
>>> ^^^^^^^^^^^^^^
>>>
>>> Here seems to be a reason why it failed.
>>> But I can't help you more.
>> Lukas is right. Interesting, this should never happen :-)
> this I have also found ;-)
>
>> Please enable debugging using procedure
>> http://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data
>> and check logs after next ipa-ods-exporter restart.
>> Thank you!
> OK,
>
> I attach the messages log?
>
> I mean this is a problem with my DNS ?
>
>
Hello,

can you check kerberos status of ipa-ods-exporter service in webUI?

identity/services/ipa-ods-exported/

There should be kerberos status in right top corner in details view

Martin

From toby.gale at gmail.com Fri Jun 17 11:40:31 2016
From: toby.gale at gmail.com (Toby Gale)
Date: Fri, 17 Jun 2016 12:40:31 +0100
Subject: [Freeipa-users] FreeIPA and Active Directory Password Synchronisation
Message-ID:

Hello,

After successfully adding a 'winsync' agreement and loading AD data into
FreeIPA I am trying to configure the password sync software on the domain
controllers.

I have installed the certificates and can successfully bind from the domain
controller using ldp.exe and the
'uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com' user.

I have edited the registry to increase logging, by setting
'HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync\Log Level' to '1' and I am seeing
the error:

06/17/16 08:47:32: Backoff time expired. Attempting sync
06/17/16 08:47:32: Password list has 1 entries
06/17/16 08:47:32: Attempting to sync password for some.user
06/17/16 08:47:32: Searching for (ntuserdomainid=some.user)
06/17/16 08:47:32: Ldap error in QueryUsername 34: Invalid DN syntax
06/17/16 08:47:32: Deferring password change for some.user
06/17/16 08:47:32: Backing off for 1024000ms

When I run the query from the CLI, it is successful:

$ ldapsearch -x -h ldaps://localhost -p 636 -D 'uid=passsync,cn=sysaccounts,cn=etc,dc=dc,my=domain,dc=com' -w 'password' -b 'cn=users,cn=accounts,dc=my,dc=domain,dc=com' '(ntuserdomainid=some.user)'

Can anyone help me resolve this?

Thanks.

From DFischer at PetSmart.com Fri Jun 17 13:26:14 2016
From: DFischer at PetSmart.com (David Fischer)
Date: Fri, 17 Jun 2016 06:26:14 -0700
Subject: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users
In-Reply-To: <20160617120259.keqa6xvj4ultfa5r@redhat.com>
References: <1465842048.20989.37.camel@petsmart.com> <20160613190729.evh3ykgmz7yvgiom@redhat.com> <264C67C6145722439414DB6176F5A6E147594CE714@EXMBX02.ssg.petsmart.com> <20160614200247.oaw5bn6zag7xvlko@redhat.com> <264C67C6145722439414DB6176F5A6E147594CE718@EXMBX02.ssg.petsmart.com> <20160615065236.emmia6tf22jkxigy@redhat.com> <1466102490.20989.123.camel@petsmart.com> <20160617120259.keqa6xvj4ultfa5r@redhat.com>
Message-ID: <1466169974.20989.129.camel@petsmart.com>

-----Original Message-----
From: Alexander Bokovoy
To: David Fischer
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users
Date: Fri, 17 Jun 2016 05:02:59 -0700

On Thu, 16 Jun 2016, David Fischer wrote:

Alexander,

Ok I figured most of my issues were ldap search time out and also
ldap_idmap_range_size was too small.

Good.

So I am left with one last problem is that any new users can log in via
password but existing users passwords do not work but kerberos tickets
do. So is there another setting I am missing. getent and id -a both
work fine and there are no HBAC. Any thought would be helpful.

New users where? In Active Directory or in IPA?

In case of authentication checks you need to look at the SSSD domain log
together with the pam log and krb5_child log.

Sorry, yes, all accounts will live in AD. So any users that I have created
in AD after the Trust was created I am able to log in as; any accounts from
before give password failure.

Thanks

-----Original Message-----
From: Alexander Bokovoy
To: David Fischer
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users
Date: Tue, 14 Jun 2016 23:52:36 -0700

On Tue, 14 Jun 2016, David Fischer wrote:

Alexander,

I am getting the windows admin to refresh our DR AD setup and I should
be able to give you an idea on some of our groups layouts.

So a quick understanding is that a single user can have 15-20+ groups
those groups might have all users in them plus groups. The groups of
groups can link back to groups that the user may have already assigned.
We do know that we have at least one circular group in our environment.
I have used the 'ignore_group_members' with some success. Ref:
https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/

That article is what Jakub and I wrote. Jakub may have more suggestions
and there are some improvements in recent SSSD releases in RHEL 7.2.4.
##################################################################################### From gjn at gjn.priv.at Fri Jun 17 16:29:52 2016 From: gjn at gjn.priv.at (=?ISO-8859-1?Q?G=FCnther_J=2E?= Niederwimmer) Date: Fri, 17 Jun 2016 18:29:52 +0200 Subject: [Freeipa-users] ipa-ods-exporter failed ? In-Reply-To: <63a013a2-2161-fb64-b6cf-8dca54ff1e39@redhat.com> References: <3253760.hiacI6SPC6@techz> <2168657.PSfZIzaTQU@techz> <63a013a2-2161-fb64-b6cf-8dca54ff1e39@redhat.com> Message-ID: <1643007.IrsrPHefJj@techz> Hello, Am Freitag, 17. Juni 2016, 14:13:55 CEST schrieb Martin Basti: > On 17.06.2016 12:54, G?nther J. Niederwimmer wrote: > > Hello List, > > > > Am Freitag, 17. Juni 2016, 07:51:45 CEST schrieb Petr Spacek: > >> On 16.6.2016 21:51, Lukas Slebodnik wrote: > >>> On (16/06/16 11:54), G?nther J. Niederwimmer wrote: > >>>> Hello > >>>> > >>>> on my system the ods-exporter i mean have a problem. > >>>> > >>>> I have this in the logs > >>>> CentOS 7.(2) ipa 4.3.1 > >>>> > >>>> Jun 16 11:38:28 ipa ipa-ods-exporter: raise errors.ACIError(info=info) > >>>> Jun 16 11:38:28 ipa ipa-ods-exporter: ipalib.errors.ACIError: > >>>> Insufficient > >>>> access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > >>>> failure. > >>>> Minor code may provide more information (Ticket expired) > >>>> > >>> ^^^^^^^^^^^^^^ > >>> > >>> Here seems to be a reason why it failed. > >>> But I can't help you more. > >> > >> Lukas is right. Interesting, this should never happen :-) > > > > this have I also found ;-) > > > >> Please enable debugging using procedure > >> http://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_return > >> s_n o_data and check logs after next ipa-ods-exporter restart. > >> Thank you! > > > > OK, > > > > I attache the messages log? > > > > I mean this is a problem with my DNS ? > > Hello, > can you check kerberos status of ipa-ods-exporter service in webUI? 
> > identity/services/ipa-ods-exported/ > There should be kerberos status in right top corner in details view > I have a identity/services/ipa-ods-exporter/.. with a "Kerberos Key Present, Service Provisioned" but no Certificate ? -- mit freundlichen Gr??en / best regards, G?nther J. Niederwimmer From mbasti at redhat.com Fri Jun 17 21:05:32 2016 From: mbasti at redhat.com (Martin Basti) Date: Fri, 17 Jun 2016 23:05:32 +0200 Subject: [Freeipa-users] ipa-ods-exporter failed ? In-Reply-To: <1643007.IrsrPHefJj@techz> References: <3253760.hiacI6SPC6@techz> <2168657.PSfZIzaTQU@techz> <63a013a2-2161-fb64-b6cf-8dca54ff1e39@redhat.com> <1643007.IrsrPHefJj@techz> Message-ID: <300d91f9-2f90-5111-bedf-8f25313399f9@redhat.com> On 17.06.2016 18:29, G?nther J. Niederwimmer wrote: > Hello, > > Am Freitag, 17. Juni 2016, 14:13:55 CEST schrieb Martin Basti: >> On 17.06.2016 12:54, G?nther J. Niederwimmer wrote: >>> Hello List, >>> >>> Am Freitag, 17. Juni 2016, 07:51:45 CEST schrieb Petr Spacek: >>>> On 16.6.2016 21:51, Lukas Slebodnik wrote: >>>>> On (16/06/16 11:54), G?nther J. Niederwimmer wrote: >>>>>> Hello >>>>>> >>>>>> on my system the ods-exporter i mean have a problem. >>>>>> >>>>>> I have this in the logs >>>>>> CentOS 7.(2) ipa 4.3.1 >>>>>> >>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: raise errors.ACIError(info=info) >>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: ipalib.errors.ACIError: >>>>>> Insufficient >>>>>> access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS >>>>>> failure. >>>>>> Minor code may provide more information (Ticket expired) >>>>>> >>>>> ^^^^^^^^^^^^^^ >>>>> >>>>> Here seems to be a reason why it failed. >>>>> But I can't help you more. >>>> Lukas is right. Interesting, this should never happen :-) >>> this have I also found ;-) >>> >>>> Please enable debugging using procedure >>>> http://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_return >>>> s_n o_data and check logs after next ipa-ods-exporter restart. >>>> Thank you! 
>>> OK, >>> >>> I attache the messages log? >>> >>> I mean this is a problem with my DNS ? >> Hello, >> can you check kerberos status of ipa-ods-exporter service in webUI? >> >> identity/services/ipa-ods-exported/ >> There should be kerberos status in right top corner in details view >> > I have a > identity/services/ipa-ods-exporter/.. > > with a "Kerberos Key Present, Service Provisioned" > > but no Certificate ? > > > Can you try, # kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab ipa-ods-exporter/$(hostname) and do ldapsearch # ldapsearch -Y GSSAPI It should show us if keytab is okay Certificate is not needed. From Dan.Finkelstein at high5games.com Sat Jun 18 10:34:27 2016 From: Dan.Finkelstein at high5games.com (Dan.Finkelstein at high5games.com) Date: Sat, 18 Jun 2016 10:34:27 +0000 Subject: [Freeipa-users] CentOS 6.8: uninstalling IPA client causes python error Message-ID: <0BAA0171-449C-46F2-8B2A-D5108E8A7F8C@high5games.com> We're rebinding clients from IPA 3 to IPA 4 and two CentOS 6.8 servers are giving us grief. When we try to run the uninstall program via "ipa-client-install --uninstall", we get: [root at localhost ~]# ipa-client-install --uninstall -U -f Disabling client Kerberos and LDAP configurations Unconfiguring the NIS domain. 
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 2567, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 2544, in main
    return uninstall(options, env)
  File "/usr/sbin/ipa-client-install", line 637, in uninstall
    fstore.restore_all_files()
  File "/usr/lib/python2.6/site-packages/ipapython/sysrestore.py", line 222, in restore_all_files
    shutil.copy(backup_path, path) # SELinux needs copy
  File "/usr/lib64/python2.6/shutil.py", line 84, in copy
    copyfile(src, dst)
  File "/usr/lib64/python2.6/shutil.py", line 51, in copyfile
    with open(dst, 'wb') as fdst:
IOError: [Errno 13] Permission denied: '/etc/ssh/sshd_config'

The /etc/ssh/sshd_config file seems to have proper permissions (as do the other files), so we're a little stumped why it fails here.

Thanks,
Dan

Daniel Alex Finkelstein | Lead Dev Ops Engineer
Dan.Finkelstein at h5g.com | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com
Play High 5 Casino and Shake the Sky
Follow us on: Facebook, Twitter, YouTube, Linkedin

This message and any attachments may contain confidential or privileged information and are only for the use of the intended recipient of this message. If you are not the intended recipient, please notify the sender by return email, and delete or destroy this and all copies of this message and all attachments. Any unauthorized disclosure, use, distribution, or reproduction of this message or any attachments is prohibited and may be unlawful.
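An added diagnostic, not from the thread or from the FreeIPA code base, for the failure reported above: `ipa-client-install --uninstall` restores each backup with `shutil.copy()`, which opens the target with `open(dst, 'wb')`; the probe below opens the target the same way minus truncation, so it never modifies the file, and then tells a DAC refusal apart from a mandatory-access-control (SELinux) refusal and from an immutable/append-only attribute. Temp files and the `demo()` wrapper are constructed for illustration; on the failing client you would call `diagnose('/etc/ssh/sshd_config')`.

```python
"""Why does open(path, 'wb') fail with EACCES although the mode bits look fine?
Added example; not part of ipa-client-install or the sysrestore module."""
import errno
import os
import stat
import tempfile

SELINUX_XATTR = "security.selinux"


def selinux_label(path):
    """SELinux label stored on path, or None (no label, or no xattr support)."""
    try:
        return os.getxattr(path, SELINUX_XATTR).rstrip(b"\0").decode()
    except (OSError, AttributeError):
        return None


def dac_allows_write(st_mode, st_uid, st_gid, euid, groups):
    """Classic Unix permission check, as the kernel applies it before any LSM.
    root (CAP_DAC_OVERRIDE) passes regardless of the mode bits."""
    if euid == 0:
        return True
    if st_uid == euid:
        return bool(st_mode & stat.S_IWUSR)
    if st_gid in groups:
        return bool(st_mode & stat.S_IWGRP)
    return bool(st_mode & stat.S_IWOTH)


def probe_write(path):
    """Open path for writing without O_TRUNC; return 0 or the errno."""
    try:
        fd = os.open(path, os.O_WRONLY)
    except OSError as exc:
        return exc.errno
    os.close(fd)
    return 0


def classify(err, dac_ok):
    """Map the open() result to the layer that refused it.
    EPERM on a write-open of a regular file is the immutable/append-only
    attribute (chattr +i / +a); EACCES while DAC is satisfied points at a
    mandatory access control such as SELinux; EACCES otherwise is plain DAC."""
    if err == 0:
        return "writable"
    if err == errno.EPERM:
        return "immutable-or-append-only"
    if err == errno.EACCES:
        return "mac-denial" if dac_ok else "dac-denial"
    return "other:" + errno.errorcode.get(err, str(err))


def diagnose(path):
    """Collect everything needed to explain a failed restore of path."""
    st = os.stat(path)
    groups = set(os.getgroups()) | {os.getegid()}
    dac_ok = dac_allows_write(st.st_mode, st.st_uid, st.st_gid,
                              os.geteuid(), groups)
    err = probe_write(path)
    return {
        "path": path,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "owner": (st.st_uid, st.st_gid),
        "dac_ok": dac_ok,
        "errno": err,
        "selinux": selinux_label(path),
        "verdict": classify(err, dac_ok),
    }


def demo():
    """Constructed inputs: a mode-0644 temp file and a mode-0444 one.
    Run as root, both come back 'writable'; unprivileged, the second is
    'dac-denial'.  A 'mac-denial' needs a real SELinux policy in the way."""
    results = {}
    for name, mode in (("rw", 0o644), ("ro", 0o444)):
        fd, path = tempfile.mkstemp(prefix="sysrestore-%s-" % name)
        os.close(fd)
        os.chmod(path, mode)
        results[name] = diagnose(path)
        os.unlink(path)
    return results


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info["mode"], info["verdict"], info["selinux"])
```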
From toby.gale at gmail.com Sat Jun 18 11:47:50 2016
From: toby.gale at gmail.com (Toby Gale)
Date: Sat, 18 Jun 2016 12:47:50 +0100
Subject: [Freeipa-users] Active Directory password sync fails with RC 34
Message-ID:

Hello,

After successfully adding a 'winsync' agreement and loading AD data into FreeIPA I am trying to configure the password sync software on the domain controllers. I have installed the certificates and can successfully bind from the domain controller using ldp.exe and the 'uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com' user.

I have edited the registry to increase logging, by setting 'HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync\Log Level' to '1' and I am seeing the error:

06/17/16 08:47:32: Backoff time expired. Attempting sync
06/17/16 08:47:32: Password list has 1 entries
06/17/16 08:47:32: Attempting to sync password for some.user
06/17/16 08:47:32: Searching for (ntuserdomainid=some.user)
06/17/16 08:47:32: Ldap error in QueryUsername 34: Invalid DN syntax
06/17/16 08:47:32: Deferring password change for some.user
06/17/16 08:47:32: Backing off for 1024000ms

When I run the query from the CLI, it is successful:

$ ldapsearch -x -h ldaps://localhost -p 636 -D 'uid=passsync,cn=sysaccounts,cn=etc,dc=dc,my=domain,dc=com' -w 'password' -b 'cn=users,cn=accounts,dc=my,dc=domain,dc=com' '(ntuserdomainid=some.user)'

Can anyone help me resolve this?

Thanks.

From gjn at gjn.priv.at Sat Jun 18 13:03:42 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Sat, 18 Jun 2016 15:03:42 +0200
Subject: [Freeipa-users] ipa-ods-exporter failed ?
In-Reply-To: <300d91f9-2f90-5111-bedf-8f25313399f9@redhat.com>
References: <3253760.hiacI6SPC6@techz> <1643007.IrsrPHefJj@techz> <300d91f9-2f90-5111-bedf-8f25313399f9@redhat.com>
Message-ID: <1574571.ccFegkPbxX@techz>

hello,

On Friday, 17 June 2016, 23:05:32 CEST, Martin Basti wrote:
> On 17.06.2016 18:29, Günther J. Niederwimmer wrote:
> > Hello,
> >
> > On Friday, 17 June 2016, 14:13:55 CEST, Martin Basti wrote:
> >> On 17.06.2016 12:54, Günther J. Niederwimmer wrote:
> >>> Hello List,
> >>>
> >>> On Friday, 17 June 2016, 07:51:45 CEST, Petr Spacek wrote:
> >>>> On 16.6.2016 21:51, Lukas Slebodnik wrote:
> >>>>> On (16/06/16 11:54), Günther J. Niederwimmer wrote:
> >>>>>> Hello
> >>>>>>
> >>>>>> on my system the ods-exporter, I mean, has a problem.
> >>>>>>
> >>>>>> I have this in the logs
> >>>>>> CentOS 7.(2) ipa 4.3.1
> >>>>>>
> >>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
> >>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)
> >>>>>>
> >>>>> ^^^^^^^^^^^^^^
> >>>>>
> >>>>> Here seems to be a reason why it failed.
> >>>>> But I can't help you more.
> >>>>
> >>>> Lukas is right. Interesting, this should never happen :-)
> >>>
> >>> this I have also found ;-)
> >>>
> >>>> Please enable debugging using procedure
> >>>> http://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data
> >>>> and check logs after next ipa-ods-exporter restart.
> >>>> Thank you!
> >>>
> >>> OK,
> >>>
> >>> I attach the messages log?
> >>>
> >>> I mean this is a problem with my DNS?
> >>
> >> Hello,
> >> can you check kerberos status of ipa-ods-exporter service in webUI?
> >>
> >> identity/services/ipa-ods-exported/
> >> There should be kerberos status in right top corner in details view
> >
> > I have a
> > identity/services/ipa-ods-exporter/..
> >
> > with a "Kerberos Key Present, Service Provisioned"
> >
> > but no Certificate ?
>
> Can you try,
>
> # kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab
> ipa-ods-exporter/$(hostname)

OK, I can do a "kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab ipa-ods-exporter/$(hostname)" written on one line!! Is this OK?

> and do ldapsearch
> # ldapsearch -Y GSSAPI

and also ldapsearch is OK

> It should show us if keytab is okay

But the Error is present :-(.

> Certificate is not needed.

OK

Thanks for the Help.

-- 
Kind regards / best regards,
Günther J. Niederwimmer

From Dan.Finkelstein at high5games.com Sat Jun 18 13:09:37 2016
From: Dan.Finkelstein at high5games.com (Dan.Finkelstein at high5games.com)
Date: Sat, 18 Jun 2016 13:09:37 +0000
Subject: [Freeipa-users] CentOS 6.8: uninstalling IPA client causes python error
In-Reply-To: <0BAA0171-449C-46F2-8B2A-D5108E8A7F8C@high5games.com>
References: <0BAA0171-449C-46F2-8B2A-D5108E8A7F8C@high5games.com>
Message-ID:

Epilogue:

While I couldn't solve the python error, I did manage to uninstall the ipa client and sssd components, then delete /var/lib/ipa-client (which was causing the ipa-client-install program to think that it was already registered). After reinstalling the ipa client and sssd components, ipa-client-install happily bound the system to the IPA cluster.

Best regards,
Dan

Daniel Alex Finkelstein | Lead Dev Ops Engineer
Dan.Finkelstein at h5g.com | 212.604.3447
From gjn at gjn.priv.at Sat Jun 18 14:06:59 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Sat, 18 Jun 2016 16:06:59 +0200
Subject: [Freeipa-users] LDAP "mail" from User
In-Reply-To: <57601FEE.1000100@0xc0dedbad.com>
References: <3253694.VMncdTnI5A@techz> <57601FEE.1000100@0xc0dedbad.com>
Message-ID: <1723984.017lRiTPpf@techz>

Hello,

On Wednesday, 15 June 2016, 01:17:02 CEST, Peter Fern wrote:
> I wrote a plugin a long time ago for this, just put it on Github for you:
>
> https://github.com/pdf/freeipa-user-mailalternateaddress
>
> This adds support for the mailAlternateAddress (AKA alias) schema to the
> GUI/CLI.
>
> On 14/06/16 23:27, Günther J. Niederwimmer wrote:
> > Hello,
> > Is there a way to differ the Mail addresses from a user.
> > I
> > setup a User with 3 Mail addresses in IPA UI
> > User: Peter
> >
> > peter at xxx.net
> > peter at yyyy.com
> > peter at aaaa.bbb
> >
> > for me, I can't find a way to set this up correctly in a dovecot way?
> >
> > I mean I must have an "aliases" field in Ldap ?
> >
> > I am not an Ldap pro ;-), but why can I insert more EMail addresses when I can't find them later.
> >
> > Has anyone an answer for my problem,
> >
> > Thanks
>

Thanks for your work, I hope this is working with FreeIPA 4.3.1 on my system ;-). Now I have to install it ......

-- 
Kind regards / best regards,
Günther J. Niederwimmer

From tomek at pipebreaker.pl Sat Jun 18 17:13:54 2016
From: tomek at pipebreaker.pl (Tomasz Torcz)
Date: Sat, 18 Jun 2016 19:13:54 +0200
Subject: [Freeipa-users] Multiple issues (weblogin, DNS) with 4.3.1
In-Reply-To: <5763C3A6.3050802@redhat.com>
References: <20160527122848.GA333519@mother.pipebreaker.pl> <5763C3A6.3050802@redhat.com>
Message-ID: <20160618171354.GA439585@mother.pipebreaker.pl>

On Fri, Jun 17, 2016 at 11:32:22AM +0200, Petr Vobornik wrote:
> On 27.5.2016 14:28, Tomasz Torcz wrote:
> > Hi,
> >
> > In my home environment I'm using two-server FreeIPA configuration on Fedora.
> > Initially installed on fedora 19 in November 2013, it has been upgraded every
> > Fedora release. It generally works OK, but somewhat degrades during operation.
> > Recently I've jumped to F24 in hope my problems will be resolved, but they weren't.
> > Thus this email and plea for assistance.
> >
> > I'm using freeipa-server-4.3.1-1.fc24.x86_64. One of the servers is called
> > kaitain.pipebreaker.pl, the other okda.pipebreaker.pl.
> >
> > Currently I encounter following main problems:
> > 1) named is not servicing all the records from LDAP
> > 2) can't login to WebUI on kaitain.pipebreaker.pl
> > 3) can't login to WebUI on okda.pipebreaker.pl
> > 4) pycparser.lextab/lextab.py/yacctab.py permission errors
>
>
> Switch IPA framework to debug mode as described below.
> It should show more information.
>
>
> Httpd error_log should at least show which operation encountered the
> Gateway timeout. If not, then put IPA framework into debug mode:
>
> http://www.freeipa.org/page/Troubleshooting#Administration_Framework

Thanks Petr! While editing /etc/ipa/default.conf to enable debug I've noticed my previous errors. A few weeks ago I was having problems with certmonger not re-requesting certificates. In order to point certmonger to the other IPA server, I've edited the host= line in default.conf. After all I must have mixed things up, and _both_ my IPA servers had the other host entered in the host= line. After entering correct names, I can log into both web UIs.

Most of the functions work, but 5) I cannot get the Authentication → Certificates list:

on kaitain, after going into Authentication -> Certificates list I get eternal spinning in the browser, and error_log contains:

[Sat Jun 18 18:46:07.665264 2016] [wsgi:error] [pid 12629] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Sat Jun 18 18:46:07.665458 2016] [wsgi:error] [pid 12629] ipa: DEBUG: WSGI jsonserver_session.__call__:
[Sat Jun 18 18:46:07.665637 2016] [wsgi:error] [pid 12629] ipa: DEBUG: found session cookie_id = 47c42943141700c4968c2c2f3f050848
[Sat Jun 18 18:46:07.666035 2016] [wsgi:error] [pid 12629] ipa: DEBUG: found session data in cache with id=47c42943141700c4968c2c2f3f050848
[Sat Jun 18 18:46:07.666169 2016] [wsgi:error] [pid 12629] ipa: DEBUG: jsonserver_session.__call__: session_id=47c42943141700c4968c2c2f3f050848 start_timestamp=2016-06-18T18:42:34 access_timestamp=2016-06-18T18:46:07 expiration_timestamp=2016-06-18T19:06:01
[Sat Jun 18 18:46:07.666268 2016] [wsgi:error] [pid 12629] ipa: DEBUG: storing ccache data into file "/var/run/ipa_memcached/krbcc_12629"
[Sat Jun 18 18:46:07.667531 2016] [wsgi:error] [pid 12629] ipa: DEBUG: set_session_expiration_time: duration_type=inactivity_timeout duration=1200 max_age=1466354363.67 expiration=1466269567.67 (2016-06-18T19:06:07)
[Sat Jun 18 18:46:07.938034 2016] [wsgi:error] [pid 12629] ipa: DEBUG: Created connection context.ldap2_139873368474448
[Sat Jun 18 18:46:07.938202 2016] [wsgi:error] [pid 12629] ipa: DEBUG: WSGI jsonserver.__call__:
[Sat Jun 18 18:46:07.938293 2016] [wsgi:error] [pid 12629] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
[Sat Jun 18 18:46:07.938652 2016] [wsgi:error] [pid 12629] ipa: DEBUG: raw: cert_find(version=u'2.164')
[Sat Jun 18 18:46:07.938900 2016] [wsgi:error] [pid 12629] ipa: DEBUG: cert_find(exactly=False, all=False, raw=False, version=u'2.164')
[Sat Jun 18 18:46:07.939225 2016] [wsgi:error] [pid 12629] ipa: DEBUG: raw: ca_is_enabled(version=u'2.164')
[Sat Jun 18 18:46:07.939574 2016] [wsgi:error] [pid 12629] ipa: DEBUG: ca_is_enabled(version=u'2.164')
[Sat Jun 18 18:46:08.079826 2016] [wsgi:error] [pid 12629] ipa: DEBUG: ipaserver.plugins.dogtag.ra.find()
[Sat Jun 18 18:46:08.080263 2016] [wsgi:error] [pid 12629] ipa: DEBUG: ipaserver.plugins.dogtag.ra.find(): request:
[Sat Jun 18 18:46:08.080339 2016] [wsgi:error] [pid 12629] falsefalsefalsefalsefalsetruefalsefalsefalsefalsefalsefalse

On okda, going to Certificates list yields “Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)” and error_log contains:

[Sat Jun 18 18:59:10.100983 2016] [wsgi:error] [pid 748083] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Sat Jun 18 18:59:10.101728 2016] [wsgi:error] [pid 748083] ipa: DEBUG: WSGI jsonserver_session.__call__:
[Sat Jun 18 18:59:10.102146 2016] [wsgi:error] [pid 748083] ipa: DEBUG: found session cookie_id = b5e06452ed9aa125f497913ce7703e2d
[Sat Jun 18 18:59:10.103128 2016] [wsgi:error] [pid 748083] ipa: DEBUG: found session data in cache with id=b5e06452ed9aa125f497913ce7703e2d
[Sat Jun 18 18:59:10.103506 2016] [wsgi:error] [pid 748083] ipa: DEBUG: jsonserver_session.__call__: session_id=b5e06452ed9aa125f497913ce7703e2d start_timestamp=2016-06-18T18:53:51 access_timestamp=2016-06-18T18:59:10 expiration_timestamp=2016-06-18T19:18:05
[Sat Jun 18 18:59:10.103740 2016] [wsgi:error] [pid 748083] ipa: DEBUG: storing ccache data into file "/var/run/ipa_memcached/krbcc_748083"
[Sat Jun 18 18:59:10.106447 2016] [wsgi:error] [pid 748083] ipa: DEBUG: set_session_expiration_time: duration_type=inactivity_timeout duration=1200 max_age=1466355156.11 expiration=1466270350.11 (2016-06-18T19:19:10)
[Sat Jun 18 18:59:10.146746 2016] [wsgi:error] [pid 748083] ipa: DEBUG: Created connection context.ldap2_139926010708624
[Sat Jun 18 18:59:10.146927 2016] [wsgi:error] [pid 748083] ipa: DEBUG: WSGI jsonserver.__call__:
[Sat Jun 18 18:59:10.147058 2016] [wsgi:error] [pid 748083] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
[Sat Jun 18 18:59:10.204085 2016] [wsgi:error] [pid 748083] ipa: DEBUG: raw: cert_find(version=u'2.164')
[Sat Jun 18 18:59:10.207402 2016] [wsgi:error] [pid 748083] ipa: DEBUG: cert_find(exactly=False, all=False, raw=False, version=u'2.164')
[Sat Jun 18 18:59:10.227056 2016] [wsgi:error] [pid 748083] ipa: DEBUG: raw: ca_is_enabled(version=u'2.164')
[Sat Jun 18 18:59:10.229373 2016] [wsgi:error] [pid 748083] ipa: DEBUG: ca_is_enabled(version=u'2.164')
[Sat Jun 18 18:59:10.414288 2016] [wsgi:error] [pid 748083] ipa: DEBUG: ipaserver.plugins.dogtag.ra.find()
[Sat Jun 18 18:59:10.523459 2016] [wsgi:error] [pid 748083] ipa: DEBUG: ipaserver.plugins.dogtag.ra.find(): request:
[Sat Jun 18 18:59:10.523796 2016] [wsgi:error] [pid 748083] falsefalsefalsefalsefalsetruefalsefalsefalsefalsefalsefalse
[Sat Jun 18 18:59:11.244206 2016] [wsgi:error] [pid 748083] ipa: DEBUG: HTTP Response code: 500
[Sat Jun 18 18:59:11.248305 2016] [wsgi:error] [pid 748083] ipa: ERROR: ipaserver.plugins.dogtag.ra.find(): Unable to communicate with CMS (Internal Server Error)
[Sat Jun 18 18:59:11.336576 2016] [wsgi:error] [pid 748083] ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last):
[Sat Jun 18 18:59:11.336895 2016] [wsgi:error] [pid 748083]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 350, in wsgi_execute
[Sat Jun 18 18:59:11.337011 2016] [wsgi:error] [pid 748083]     result = self.Command[name](*args, **options)
[Sat Jun 18 18:59:11.337086 2016] [wsgi:error] [pid 748083]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 446, in __call__
[Sat Jun 18 18:59:11.337156 2016] [wsgi:error] [pid 748083]     ret = self.run(*args, **options)
[Sat Jun 18 18:59:11.337241 2016] [wsgi:error] [pid 748083]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 763, in run
[Sat Jun 18 18:59:11.337311 2016] [wsgi:error] [pid 748083]     return self.execute(*args, **options)
[Sat Jun 18 18:59:11.337373 2016] [wsgi:error] [pid 748083]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py", line 819, in execute
[Sat Jun 18 18:59:11.337417 2016] [wsgi:error] [pid 748083]     result=self.Backend.ra.find(options)
[Sat Jun 18 18:59:11.337455 2016] [wsgi:error] [pid 748083]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1861, in find
[Sat Jun 18 18:59:11.337493 2016] [wsgi:error] [pid 748083]     detail=e.msg)
[Sat Jun 18 18:59:11.337566 2016] [wsgi:error] [pid 748083]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1331, in raise_certificate_operation_error
[Sat Jun 18 18:59:11.337653 2016] [wsgi:error] [pid 748083]     raise errors.CertificateOperationError(error=err_msg)
[Sat Jun 18 18:59:11.337717 2016] [wsgi:error] [pid 748083] CertificateOperationError: Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)
[Sat Jun 18 18:59:11.337770 2016] [wsgi:error] [pid 748083]
[Sat Jun 18 18:59:11.338805 2016] [wsgi:error] [pid 748083] ipa: INFO: [jsonserver_session] admin@PIPEBREAKER.PL: cert_find(version=u'2.164'): CertificateOperationError
[Sat Jun 18 18:59:11.339764 2016] [wsgi:error] [pid 748083] ipa: DEBUG: reading ccache data from file "/var/run/ipa_memcached/krbcc_748083"
[Sat Jun 18 18:59:11.340133 2016] [wsgi:error] [pid 748083] ipa: DEBUG: store session: session_id=b5e06452ed9aa125f497913ce7703e2d start_timestamp=2016-06-18T18:53:51 access_timestamp=2016-06-18T18:59:11 expiration_timestamp=2016-06-18T19:19:10
[Sat Jun 18 18:59:11.342056 2016] [wsgi:error] [pid 748083] ipa: DEBUG: Destroyed connection context.ldap2_139926010708624

How to fix those?

BTW, I've increased socket-timeout in /etc/httpd/conf.d/ipa.conf

> Gateway timeout - some operation takes more than 30s, will be removed in
> 4.4 - https://fedorahosted.org/freeipa/ticket/5833. But still it won't
> make the operation quicker.
>
> > Also (related?) error during 'ipactl' invocations:
> > $ ipactl status
> > WARNING: yacc table file version is out of date
>
> These were seen before, it is not known if it affect IPA functionality.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1336913
>

-- 
Tomasz Torcz                 "God, root, what's the difference?"
xmpp: zdzichubg at chrome.pl          "God is more forgiving."
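An added triage script, not from the thread or from FreeIPA itself, for the two error_log excerpts above: it groups the IPA WSGI debug lines by worker pid and separates the kaitain pattern (backend call logged, no HTTP response ever comes back, so the browser spins) from the okda pattern (the CA answers HTTP 500 and the request ends in CertificateOperationError). The sample lines are constructed from the line format in the thread: pids are kept, session lines are dropped, the realm is replaced by EXAMPLE.COM, and one timestamp per worker is reused; the script assumes the excerpt covers one request per worker, which is how the excerpts above read, so on a busy server you would first cut the log down to the time window of interest.

```python
"""Triage IPA WSGI debug lines from Apache's error_log: hung backend call
versus CA error.  Added example; not part of FreeIPA."""
import re
from collections import defaultdict

# [Sat Jun 18 18:59:10.204085 2016] [wsgi:error] [pid 748083] ipa: DEBUG: raw: cert_find(...)
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<mod>[^\]]+)\] \[pid (?P<pid>\d+)\] ?(?P<msg>.*)$")
LEVEL_RE = re.compile(r"^ipa: (?P<level>DEBUG|INFO|ERROR): (?P<text>.*)$")
CMD_RE = re.compile(r"^raw: (?P<cmd>[a-z_]+)\(")
HTTP_RE = re.compile(r"^HTTP Response code: (?P<code>\d+)$")
# INFO line that closes a request: "[jsonserver_session] admin@REALM: cert_find(...): <result>"
OUTCOME_RE = re.compile(
    r"^\[\w+\] (?P<principal>\S+): (?P<cmd>[a-z_]+)\(.*\): (?P<result>\w+)$")


def new_request():
    return {"commands": [], "backend": [], "http_codes": [], "errors": [], "outcome": None}


def triage(lines):
    """Group error_log lines by WSGI worker pid and keep what matters."""
    reqs = defaultdict(new_request)
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue
        req = reqs[m.group("pid")]
        lv = LEVEL_RE.match(m.group("msg"))
        if not lv:
            continue  # traceback frames, the raw request body, blank lines
        level, text = lv.group("level"), lv.group("text")
        if level == "ERROR":
            req["errors"].append(text)
        elif level == "INFO":
            o = OUTCOME_RE.match(text)
            if o:
                req["outcome"] = o.group("result")
        elif CMD_RE.match(text):
            req["commands"].append(CMD_RE.match(text).group("cmd"))
        elif HTTP_RE.match(text):
            req["http_codes"].append(int(HTTP_RE.match(text).group("code")))
        elif text.startswith("ipaserver.plugins.") and text.endswith("()"):
            req["backend"].append(text[:-2])  # e.g. the dogtag RA call
    return dict(reqs)


def verdict(req):
    """Where to look next, based on what the worker logged."""
    if req["http_codes"] and req["http_codes"][-1] >= 500:
        return "backend-error"     # the CA answered: read the dogtag debug log
    if req["outcome"] == "SUCCESS":
        return "ok"
    if req["backend"] and not req["http_codes"] and req["outcome"] is None:
        return "hung-in-backend"   # no HTTP answer ever logged: the spinner case
    if req["errors"] or req["outcome"]:
        return "failed"
    return "incomplete"


def report(lines):
    out = []
    for pid, req in sorted(triage(lines).items()):
        out.append("pid %s: %s -> %s (http=%s, outcome=%s)" % (
            pid, ",".join(req["commands"]) or "?", verdict(req),
            req["http_codes"], req["outcome"]))
    return out


# Constructed sample in the thread's line format (see the lead-in for what was changed).
P1 = "[Sat Jun 18 18:46:07.938652 2016] [wsgi:error] [pid 12629] "
P2 = "[Sat Jun 18 18:59:10.204085 2016] [wsgi:error] [pid 748083] "
SAMPLE_LOG = [
    P1 + "ipa: DEBUG: raw: cert_find(version=u'2.164')",
    P1 + "ipa: DEBUG: cert_find(exactly=False, all=False, raw=False, version=u'2.164')",
    P1 + "ipa: DEBUG: raw: ca_is_enabled(version=u'2.164')",
    P1 + "ipa: DEBUG: ipaserver.plugins.dogtag.ra.find()",
    P1 + "ipa: DEBUG: ipaserver.plugins.dogtag.ra.find(): request:",
    P1 + "falsefalsefalsefalsefalsetruefalsefalsefalsefalsefalsefalse",
    P2 + "ipa: DEBUG: raw: cert_find(version=u'2.164')",
    P2 + "ipa: DEBUG: raw: ca_is_enabled(version=u'2.164')",
    P2 + "ipa: DEBUG: ipaserver.plugins.dogtag.ra.find()",
    P2 + "ipa: DEBUG: HTTP Response code: 500",
    P2 + "ipa: ERROR: ipaserver.plugins.dogtag.ra.find(): Unable to communicate with CMS (Internal Server Error)",
    P2 + "ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last):",
    P2 + "  File \"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py\", line 350, in wsgi_execute",
    P2 + "ipa: INFO: [jsonserver_session] admin@EXAMPLE.COM: cert_find(version=u'2.164'): CertificateOperationError",
]

if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```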
From rcritten at redhat.com Sun Jun 19 03:00:27 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Sat, 18 Jun 2016 23:00:27 -0400
Subject: [Freeipa-users] CentOS 6.8: uninstalling IPA client causes python error
In-Reply-To:
References: <0BAA0171-449C-46F2-8B2A-D5108E8A7F8C@high5games.com>
Message-ID: <57660ACB.6000109@redhat.com>

Dan.Finkelstein at high5games.com wrote:
> Epilogue:
>
> While I couldn't solve the python error, I did manage to uninstall the
> ipa client and sssd components, then delete /var/lib/ipa-client (which
> was causing the ipa-client-install program to think that it was already
> registered). After reinstalling the ipa client and sssd components,
> ipa-client-install happily bound the system to the IPA cluster.

I'd check for SELinux errors, that might explain things.

rob

> [...]

From rcritten at redhat.com Sun Jun 19 03:02:23 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Sat, 18 Jun 2016 23:02:23 -0400
Subject: [Freeipa-users] Multiple issues (weblogin, DNS) with 4.3.1
In-Reply-To: <20160618171354.GA439585@mother.pipebreaker.pl>
References: <20160527122848.GA333519@mother.pipebreaker.pl> <5763C3A6.3050802@redhat.com> <20160618171354.GA439585@mother.pipebreaker.pl>
Message-ID: <57660B3F.2010308@redhat.com>

Tomasz Torcz wrote:
> On Fri, Jun 17, 2016 at 11:32:22AM +0200, Petr Vobornik wrote:
>> On 27.5.2016 14:28, Tomasz Torcz wrote:
>>> [...]
>>> I'm using freeipa-server-4.3.1-1.fc24.x86_64. One of the servers is called
>>> kaitain.pipebreaker.pl, the other okda.pipebreaker.pl.
>>>
>>> Currently I encounter following main problems:
>>> 1) named is not servicing all the records from LDAP
>>> 2) can't login to WebUI on kaitain.pipebreaker.pl
>>> 3) can't login to WebUI on okda.pipebreaker.pl
>>> 4) pycparser.lextab/lextab.py/yacctab.py permission errors
>>
>> Switch IPA framework to debug mode as described below. It should show
>> more information.
>>
>> Httpd error_log should at least show which operation encountered the
>> Gateway timeout. If not, then put IPA framework into debug mode:
>>
>> http://www.freeipa.org/page/Troubleshooting#Administration_Framework
>
> Thanks Petr! While editing /etc/ipa/default.conf to enable debug
> I've noticed my previous errors. A few weeks ago I was having problems
> with certmonger not re-requesting certificates. In order to point
> certmonger to the other IPA server, I've edited the host= line
> in default.conf.
> After all I must have mixed things up, and _both_ my IPA servers
> had the other host entered in the host= line. After entering correct
> names, I can log into both web UIs.
>
> Most of the functions work, but 5) I cannot get the Authentication → Certificates
> list:
>
> on kaitain, after going into Authentication -> Certificates list I get
> eternal spinning in the browser, and error_log contains:
> [...]
> [Sat Jun 18 18:46:08.079826 2016] [wsgi:error] [pid 12629] ipa: DEBUG: ipaserver.plugins.dogtag.ra.find()
> [Sat Jun 18 18:46:08.080263 2016] [wsgi:error] [pid 12629] ipa: DEBUG: ipaserver.plugins.dogtag.ra.find(): request:
> [Sat Jun 18 18:46:08.080339 2016] [wsgi:error] [pid 12629] falsefalsefalsefalsefalsetruefalsefalsefalsefalsefalsefalse
>
> On okda, going to Certificates list yields “Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)”
> and error_log contains:
> [...]
> [Sat Jun 18 18:59:11.244206 2016] [wsgi:error] [pid 748083] ipa: DEBUG: HTTP Response code: 500
> [Sat Jun 18 18:59:11.248305 2016] [wsgi:error] [pid 748083] ipa: ERROR: ipaserver.plugins.dogtag.ra.find(): Unable to communicate with CMS (Internal Server Error)
> [...]
> [Sat Jun 18 18:59:11.337717 2016] [wsgi:error] [pid 748083] CertificateOperationError: Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)
> [...]
>
> How to fix those?

You'll need to look at the dogtag debug log for the reason it threw a 500, it's in /var/log/pki-tomcat/ca or something close to that.

rob

> BTW, I've increased socket-timeout in /etc/httpd/conf.d/ipa.conf
>
>> Gateway timeout - some operation takes more than 30s, will be removed in
>> 4.4 - https://fedorahosted.org/freeipa/ticket/5833. But still it won't
>> make the operation quicker.
>>
>>> Also (related?) error during 'ipactl' invocations:
>>> $ ipactl status
>>> WARNING: yacc table file version is out of date
>>
>> These were seen before, it is not known if it affect IPA functionality.
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1336913
>>
>

From gjn at gjn.priv.at Sun Jun 19 10:30:32 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Sun, 19 Jun 2016 12:30:32 +0200
Subject: [Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias
In-Reply-To: <574EE932.1040501@redhat.com>
References: <27123231.2vVFdNkPoa@techz> <4468326.xlZGrDGMFj@techz> <574EE932.1040501@redhat.com>
Message-ID: <43130555.CD4bVCgrSr@techz>

Hello Rob,

On Wednesday, 1 June 2016, 09:54:58 CEST, Rob Crittenden wrote:
> Günther J. Niederwimmer wrote:
> > Hello,
> >
> > On Tuesday, 31 May 2016, 11:06:09 CEST, Rob Crittenden wrote:
> >> Günther J. Niederwimmer wrote:
> >>> Hello
> >>> I found some Help for the IPA Certificate but I found no way to import
> >>> the IPA CA ?
> >>> I like to create a webserver with an owncloud virtualhost and other..
> >>>
> >>> But it is for me not possible to create the /etc/httpd/alias correct ?
> >>>
> >>> I found this in IPA DOCS
> >>>
> >>> certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
> >>>
> >>> but with this command line I have an Error: /etc/ipa/ca.crt has wrong
> >>> format ?
> >>>
> >>> Does anyone have a link with a working example?
> >>
> >> Does the file /etc/ipa/ca.crt exist? It is installed there on enrolled
> >> clients so the documentation is written from that perspective.
> >
> > Yes.
> >
> >> You can grab a copy from any enrolled system, including an IPA Master.
> >> Otherwise the command looks ok assuming you were sitting in
> >> /etc/httpd/alias when the command was executed (-d .).
> >
> > Yes ;-).
> > but certutil says it is a wrong format for the certificate
>
> $ mkdir /tmp/testdb && cd /tmp/testdb
> $ certutil -N -d .
> $ certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt

On my system I have this message after installing ca.crt

p11-kit: objects of this type cannot be created

? is this correct ?

Another question: do I have to change the attribute (?), IPA-server creates / IMPORTs this ca.crt with -t "CT,C,C"

> $ certutil -L -d .
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> EXAMPLE.COM IPA CA                                           CT,,
>
> I guess look at what is in /etc/ipa/ca.crt and ensure it is valid. You
> can use openssl for that:
>
> $ openssl x509 -text -inform PEM -in /etc/ipa/ca.crt
>
> > Something is wrong on my system !!
> >
> > for me it is not possible to have on an enrolled ipa-client a working
> > webserver (apache) with mod_NSS
> >
> > In the last tests apache says it is the wrong "passwd" for the DB and doesn't
> > start?
> >
> > So now I start again with a new clean /etc/httpd/alias
>
> Not knowing how you created the database or what your nss.conf looks
> like it's hard to say what is going on. If you set a NSS database
> password then you need to tell mod_nss about it.
>
> Typically you'd set this in nss.conf:
>
> NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf"
>
> and create /etc/httpd/conf/password.conf with contents like:
>
> internal:SecretPassword123
>
> Ensure that the file is owned by apache:apache and mode 0400.
This is the best INFO for this file ;-)

Thanks
--
with kind regards / best regards,

Günther J. Niederwimmer

From pspacek at redhat.com Mon Jun 20 07:54:11 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 20 Jun 2016 09:54:11 +0200
Subject: [Freeipa-users] ipa-ods-exporter failed ?
In-Reply-To: <1574571.ccFegkPbxX@techz>
References: <3253760.hiacI6SPC6@techz> <1643007.IrsrPHefJj@techz> <300d91f9-2f90-5111-bedf-8f25313399f9@redhat.com> <1574571.ccFegkPbxX@techz>
Message-ID:

On 18.6.2016 15:03, Günther J. Niederwimmer wrote:
> hello,
>
> On Friday, 17 June 2016, 23:05:32 CEST, Martin Basti wrote:
>> On 17.06.2016 18:29, Günther J. Niederwimmer wrote:
>>> Hello,
>>>
>>> On Friday, 17 June 2016, 14:13:55 CEST, Martin Basti wrote:
>>>> On 17.06.2016 12:54, Günther J. Niederwimmer wrote:
>>>>> Hello List,
>>>>>
>>>>> On Friday, 17 June 2016, 07:51:45 CEST, Petr Spacek wrote:
>>>>>> On 16.6.2016 21:51, Lukas Slebodnik wrote:
>>>>>>> On (16/06/16 11:54), Günther J. Niederwimmer wrote:
>>>>>>>> Hello
>>>>>>>>
>>>>>>>> on my system the ods-exporter, I mean, has a problem.
>>>>>>>>
>>>>>>>> I have this in the logs
>>>>>>>> CentOS 7.(2) ipa 4.3.1
>>>>>>>>
>>>>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
>>>>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient
>>>>>>>> access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
>>>>>>>> Minor code may provide more information (Ticket expired)
>>>>>>>>
>>>>>>>                                                            ^^^^^^^^^^^^^^
>>>>>>>
>>>>>>> Here seems to be a reason why it failed.
>>>>>>> But I can't help you more.
>>>>>>
>>>>>> Lukas is right. Interesting, this should never happen :-)
>>>>>
>>>>> this I have also found ;-)
>>>>>
>>>>>> Please enable debugging using procedure
>>>>>> http://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data
>>>>>> and check logs after next ipa-ods-exporter restart.
>>>>>> Thank you!
>>>>>
>>>>> OK,
>>>>>
>>>>> I attach the messages log?
>>>>>
>>>>> I mean this is a problem with my DNS ?
>>>>
>>>> Hello,
>>>> can you check kerberos status of ipa-ods-exporter service in webUI?
>>>>
>>>> identity/services/ipa-ods-exported/
>>>> There should be kerberos status in right top corner in details view
>>>
>>> I have a
>>> identity/services/ipa-ods-exporter/..
>>>
>>> with a "Kerberos Key Present, Service Provisioned"
>>>
>>> but no Certificate ?
>>
>> Can you try,
>>
>> # kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab ipa-ods-exporter/$(hostname)
>
> OK
> I can do a "kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab ipa-ods-exporter/$(hostname)"
>
> written on one line!! is this OK.
>
>
>> and do ldapsearch
>> # ldapsearch -Y GSSAPI
>
> and also ldapsearch is OK
>
>> It should show us if keytab is okay
>
> But the Error is present :-(.

We need to see the precise error. Please copy&paste it into the e-mail.

It would be awesome if you could follow general rules for bug reporting:
http://www.chiark.greenend.org.uk/~sgtatham/bugs-de.html

Besides other things it would allow us to help you in a shorter time.

Have a nice day!

--
Petr^2 Spacek

From tomek at pipebreaker.pl Mon Jun 20 08:07:15 2016
From: tomek at pipebreaker.pl (Tomasz Torcz)
Date: Mon, 20 Jun 2016 10:07:15 +0200
Subject: [Freeipa-users] Multiple issues (weblogin, DNS) with 4.3.1
In-Reply-To: <57660B3F.2010308@redhat.com>
References: <20160527122848.GA333519@mother.pipebreaker.pl> <5763C3A6.3050802@redhat.com> <20160618171354.GA439585@mother.pipebreaker.pl> <57660B3F.2010308@redhat.com>
Message-ID: <20160620080714.GA275278@mother.pipebreaker.pl>

On Sat, Jun 18, 2016 at 11:02:23PM -0400, Rob Crittenden wrote:
> > Most of the functions work, but 5) I cannot get Authentication → Certificates
> > list:
> >
> > On okda, going to Certificates list yields "Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)"
> > and error_log contains:
> > [Sat Jun 18 18:59:10.523796 2016] [wsgi:error] [pid 748083] falsefalsefalsefalsefalsetruefalsefalsefalsefalsefalsefalse
> > [Sat Jun 18 18:59:11.244206 2016] [wsgi:error] [pid 748083] ipa: DEBUG: HTTP Response code: 500
> > [Sat Jun 18 18:59:11.248305 2016] [wsgi:error] [pid 748083] ipa: ERROR: ipaserver.plugins.dogtag.ra.find(): Unable to communicate with CMS (Internal Server Error)
> > [Sat Jun 18 18:59:11.336576 2016] [wsgi:error] [pid 748083] ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last):
> > [Sat Jun 18 18:59:11.336895 2016] [wsgi:error] [pid 748083]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 350, in wsgi_execute
> > [Sat Jun 18 18:59:11.337011 2016] [wsgi:error] [pid 748083]     result = self.Command[name](*args, **options)
> > [Sat Jun 18 18:59:11.337086 2016] [wsgi:error] [pid 748083]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 446, in __call__
> > [Sat Jun 18 18:59:11.337156 2016] [wsgi:error] [pid 748083]     ret = self.run(*args, **options)
> > [Sat Jun 18 18:59:11.337241 2016] [wsgi:error] [pid 748083]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 763, in run
> > [Sat Jun 18 18:59:11.337311 2016] [wsgi:error] [pid 748083]     return self.execute(*args, **options)
> > [Sat Jun 18 18:59:11.337373 2016] [wsgi:error] [pid 748083]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py", line 819, in execute
> > [Sat Jun 18 18:59:11.337417 2016] [wsgi:error] [pid 748083]     result=self.Backend.ra.find(options)
> > [Sat Jun 18 18:59:11.337455 2016] [wsgi:error] [pid 748083]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1861, in find
> > [Sat Jun 18 18:59:11.337493 2016] [wsgi:error] [pid 748083]     detail=e.msg)
> > [Sat Jun 18 18:59:11.337566 2016] [wsgi:error] [pid 748083]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1331, in raise_certificate_operation_error
> > [Sat Jun 18 18:59:11.337653 2016] [wsgi:error] [pid 748083]     raise errors.CertificateOperationError(error=err_msg)
> > [Sat Jun 18 18:59:11.337717 2016] [wsgi:error] [pid 748083] CertificateOperationError: Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)
> > [Sat Jun 18 18:59:11.337770 2016] [wsgi:error] [pid 748083]
> > [Sat Jun 18 18:59:11.338805 2016] [wsgi:error] [pid 748083] ipa: INFO: [jsonserver_session] admin at PIPEBREAKER.PL: cert_find(version=u'2.164'): CertificateOperationError
> >
> > How to fix those?
>
> You'll need to look at the dogtag debug log for the reason it threw a 500,
> it's in /var/log/pki-tomcat/ca or something close to that.

I've looked into the logs but I'm not wiser. Is there a setting to get rid of the java traceback from the logs and get more useful messages?

There seems to be a problem with the SSL connection to port 636, maybe because it seems to use an expired certificate?

$ echo | openssl s_client -connect okda.pipebreaker.pl:636 | openssl x509 -noout
depth=1 O = PIPEBREAKER.PL, CN = Certificate Authority
verify return:1
depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
verify error:num=10:certificate has expired
notAfter=Nov 17 12:19:28 2015 GMT
verify return:1
depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
notAfter=Nov 17 12:19:28 2015 GMT
verify return:1
DONE

Log from /var/log/pki/pki-tomcat/ca/system:

0.localhost-startStop-1 - [18/Jun/2016:18:54:09 CEST] [8] [3] In Ldap (bound) connection pool to host okda.pipebreaker.pl port 636, Cannot connect to LDAP server.
Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)

Log from /var/log/pki/pki-tomcat/ca/debug:

[18/Jun/2016:18:54:03][localhost-startStop-1]: ============================================
[18/Jun/2016:18:54:03][localhost-startStop-1]: ===== DEBUG SUBSYSTEM INITIALIZED =======
[18/Jun/2016:18:54:03][localhost-startStop-1]: ============================================
[18/Jun/2016:18:54:03][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[18/Jun/2016:18:54:03][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[18/Jun/2016:18:54:03][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[18/Jun/2016:18:54:03][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[18/Jun/2016:18:54:03][localhost-startStop-1]: CMSEngine: done init id=debug
[18/Jun/2016:18:54:03][localhost-startStop-1]: CMSEngine: initialized debug
[18/Jun/2016:18:54:03][localhost-startStop-1]: CMSEngine: initSubsystem id=log
[18/Jun/2016:18:54:03][localhost-startStop-1]: CMSEngine: ready to init id=log
[18/Jun/2016:18:54:04][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)
[18/Jun/2016:18:54:09][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)
[18/Jun/2016:18:54:09][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions)
[18/Jun/2016:18:54:09][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[18/Jun/2016:18:54:09][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[18/Jun/2016:18:54:09][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[18/Jun/2016:18:54:09][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[18/Jun/2016:18:54:09][localhost-startStop-1]: CMSEngine: done init id=log
[18/Jun/2016:18:54:09][localhost-startStop-1]: CMSEngine: initialized log
[18/Jun/2016:18:54:09][localhost-startStop-1]: CMSEngine: initSubsystem id=jss
[18/Jun/2016:18:54:09][localhost-startStop-1]: CMSEngine: ready to init id=jss
[18/Jun/2016:18:54:09][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[18/Jun/2016:18:54:09][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[18/Jun/2016:18:54:09][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[18/Jun/2016:18:54:09][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[18/Jun/2016:18:54:09][localhost-startStop-1]: CMSEngine: done init id=jss
[18/Jun/2016:18:54:09][localhost-startStop-1]: CMSEngine: initialized jss
[18/Jun/2016:18:54:09][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
[18/Jun/2016:18:54:09][localhost-startStop-1]: CMSEngine: ready to init id=dbs
[18/Jun/2016:18:54:09][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=true
[18/Jun/2016:18:54:09][localhost-startStop-1]: Creating LdapBoundConnFactor(DBSubsystem)
[18/Jun/2016:18:54:09][localhost-startStop-1]: LdapBoundConnFactory: init
[18/Jun/2016:18:54:09][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
[18/Jun/2016:18:54:09][localhost-startStop-1]: LdapAuthInfo: init()
[18/Jun/2016:18:54:09][localhost-startStop-1]: LdapAuthInfo: init begins
[18/Jun/2016:18:54:09][localhost-startStop-1]: LdapAuthInfo: init ends
[18/Jun/2016:18:54:09][localhost-startStop-1]: init: before makeConnection errorIfDown is true
[18/Jun/2016:18:54:09][localhost-startStop-1]: makeConnection: errorIfDown true
[18/Jun/2016:18:54:09][localhost-startStop-1]: LdapJssSSLSocket set client auth cert nicknamesubsystemCert cert-pki-ca
Could not connect to LDAP server host okda.pipebreaker.pl port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
        at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
        at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
        at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
        at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1166)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1072)
        at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:568)
        at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
        at javax.servlet.GenericServlet.init(GenericServlet.java:158)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:286)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:283)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:318)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:173)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:122)
        at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1226)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1151)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1038)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4997)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5289)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:699)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:585)
        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1794)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
Internal Database Error encountered: Could not connect to LDAP server host okda.pipebreaker.pl port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
        at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1166)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1072)
        at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:568)
        at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
        at javax.servlet.GenericServlet.init(GenericServlet.java:158)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:286)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:283)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:318)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:173)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:122)
        at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1226)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1151)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1038)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4997)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5289)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:699)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:585)
        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1794)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
[18/Jun/2016:18:54:09][localhost-startStop-1]: CMSEngine.shutdown()

--
Tomasz Torcz                 RIP is irrevelant. Spoofing is futile.
xmpp: zdzichubg at chrome.pl     Your routes will be aggreggated. -- Alex Yuriev

From rmeggins at redhat.com Mon Jun 20 14:49:14 2016
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 20 Jun 2016 08:49:14 -0600
Subject: [Freeipa-users] Active Directory password sync fails with RC 34
In-Reply-To:
References:
Message-ID:

On 06/18/2016 05:47 AM, Toby Gale wrote:
>
> Hello,
>
> After successfully adding a 'winsync' agreement and loading AD data
> into FreeIPA I am trying to configure the password sync software on
> the domain controllers.
>
> I have installed the certificates and can successfully bind from the
> domain controller using ldp.exe and the
> 'uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com' user.
>
> I have edited the registry to increase logging, by setting
> 'HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync\Log Level' to '1' and I am
> seeing the error:
>
> 06/17/16 08:47:32: Backoff time expired. Attempting sync
> 06/17/16 08:47:32: Password list has 1 entries
> 06/17/16 08:47:32: Attempting to sync password for some.user
> 06/17/16 08:47:32: Searching for (ntuserdomainid=some.user)
> 06/17/16 08:47:32: Ldap error in QueryUsername
> 34: Invalid DN syntax

Take a look at the 389/dirsrv access log on your linux host at /var/log/dirsrv/slapd-HOSTNAME/access - see if you can find the error corresponding to this - it should be at the same approximate date/time (make sure you check your time zones) and the RESULT line should have err=34

> 06/17/16 08:47:32: Deferring password change for some.user
> 06/17/16 08:47:32: Backing off for 1024000ms
>
> When I run the query from the CLI, it is successful:
>
> $ ldapsearch -x -h ldaps://localhost -p 636 -D
> 'uid=passsync,cn=sysaccounts,cn=etc,dc=dc,my=domain,dc=com' -w
> 'password' -b 'cn=users,cn=accounts,dc=my,dc=domain,dc=com'
> '(ntuserdomainid=some.user)'
>
> Can anyone help me resolve this?
>
> Thanks.
>

From peljasz at yahoo.co.uk Mon Jun 20 15:30:42 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Mon, 20 Jun 2016 16:30:42 +0100
Subject: [Freeipa-users] it's a weird one - how AD users get into IPA ?
In-Reply-To: <20160610102346.6hr2caf5mh6x7d3w@redhat.com>
References: <20160610090142.GS3271@hendrix> <1465552301.19234.2.camel@yahoo.co.uk> <20160610102346.6hr2caf5mh6x7d3w@redhat.com>
Message-ID: <81a7ba4e-2f04-5bcd-0d1a-fcb31d72fb20@yahoo.co.uk>

On 10/06/16 11:23, Alexander Bokovoy wrote:
> On Fri, 10 Jun 2016, lejeczek wrote:
>> On Fri, 2016-06-10 at 11:01 +0200, Jakub Hrozek wrote:
>>> On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
>>> > hi everyone
>>> >
>>> > there is a master IPA which in some weird way puts AD users into its ldap
>>> > catalog. I say weird cause there is no trust nor other sync established,
>>> > there was a trust agreement, one way type, but now 'trust-find' shows
>>> > nothing, that trust was removed.
>>> >
>>> > but still when I create a user @AD DS a second later I see it in IPA's ldap,
>>> > eg.
>>> >
>>> > dn: uid=ccnrtest at ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
>>> >
>>> > how to trace the culprit config responsible for this?
>>>
>>> Check the DN, this is not the IPA tree (cn=account), but the compat tree
>>> (cn=compat) populated by the slapi-nis plugin. The intent is to make the
>>> AD users available to non-SSSD clients that can only use LDAP as an
>>> interface.
>>>
>> any chance this plugin gets included without user/admin intention, eg.
>> during migrate-ds ?
> The slapi-nis plugin is enabled by default when IPA is installed because
> ou=sudoers tree is emulated by the slapi-nis.
>
>> is ipa toolkit or I have to go directly to ldap to de/activate
>> plugin(s) ?
> See ipa-compat-manage
>
I've set up another replica, configuration on sssd and kdc side virtually identical, nsswitch too, ipa-compat-manage etc. No trust traces on both ends.
Master still (after reboot and sss_cache cleanup) receives, or rather pulls, AD's users, whereas replica(s) don't.
This is hilarious, but how is this possible?
I add a user @AD DC and on master I ldapsearch and the first few lines are:

dn: cn=compat,dc=private,dc=ccnr,dc=priv,dc=my,dc=dom,dc=local
objectClass: extensibleObject
cn: compat

dn: cn=users,cn=compat,dc=private,dc=ccnr,dc=priv,dc=my,dc=dom,dc=local
objectClass: extensibleObject
cn: users

dn: uid=bootccnr at ccnr.priv.my.dom.local,cn=users,cn=compat,dc=private,dc=ccnr,dc=priv,dc=my,dc=dom,dc=local
objectClass: ipaOverrideTarget
objectClass: posixAccount
objectClass: top
cn: ccnr boot
gidNumber: 1952400513
gecos: ccnr boot
ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0xMTQ0OTE1MDkxLTIyNTIxNzUyMTUtNzAyNTMwMDMyLT
 ExMzQ=
uidNumber: 1952401134
loginShell: /bin/bash
homeDirectory: /home/bootccnr at ccnr.priv.my.dom.local
uid: bootccnr at ccnr.priv.my.dom.local

dn: uid=testccnr at ccnr.priv.my.dom.local,cn=users,cn=compat,dc=private,dc=ccnr,dc=priv,dc=my,dc=dom,dc=local
objectClass: ipaOverrideTarget
objectClass: posixAccount
objectClass: top
cn: ccnr tester
gidNumber: 1952400513
gecos: ccnr tester
ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0xMTQ0OTE1MDkxLTIyNTIxNzUyMTUtNzAyNTMwMDMyLT
 ExMzM=
uidNumber: 1952401133
loginShell: /bin/bash
homeDirectory: /home/testccnr at ccnr.priv.my.dom.local
uid: testccnr at ccnr.priv.my.dom.local

could it be that the "compat" part happens only on master? I mean - should it only happen on master? (even though replicas use ipa-compat-manage)

regards,
L.

From wia at iglass.net Mon Jun 20 16:00:11 2016
From: wia at iglass.net (Marc Wiatrowski)
Date: Mon, 20 Jun 2016 12:00:11 -0400
Subject: [Freeipa-users] CA: IPA certificates not renewing
In-Reply-To: <5762B625.7060803@redhat.com>
References: <57602152.9090104@redhat.com> <5762B625.7060803@redhat.com>
Message-ID:

Thanks for the reply Rob,

So should fixing replication be more than running a re-initialize? I've tried this with no luck. Still the same errors in renewing the IPA certs.

status: CA_UNREACHABLE
ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0x3ffe000f not found))

Is there a procedure for getting these serial numbers back into the system? or manually recreating them somehow?

I was able to clear the 4301 error. One ipaCert needed to be updated.

thanks

On Thu, Jun 16, 2016 at 10:22 AM, Rob Crittenden wrote:

> Marc Wiatrowski wrote:
>
>> Thanks Rob,
>>
>> Any suggestions on how to make the CA aware of the current serial number?
>>
>
> Serial numbers are doled out like uid numbers, by the 389-ds DNA Plugin.
> So each CA that has ever issued a certificate has its own range, hence the
> quite different serial number values.
>
> Given that some issued certificates are unknown it stands to reason that
> replication is broken between one or more masters. Fixing that should
> resolve (most of) the other issues.
>
>> Also started seeing the following error from two of the servers,
>> spider01b and spider01o, but not spider01a when I navigate in the web
>> gui. Though it doesn't appear to stop me from doing anything.
>>
>> IPA Error 4301
>> Certificate operation cannot be completed: EXCEPTION (Invalid Crential.)
>>
>
> Dogtag does some of its access control by comparing the incoming client
> certificate with an expected value in its LDAP database, in this case
> uid=ipara,ou=People,o=ipaca. There you'll find a copy of the client
> certificate and a description field that contains the expected serial #,
> subject and issuer.
>
> These are out-of-whack if you're getting Invalid Credentials. It could be
> a number of things so I'd proceed cautiously. Given you have a working
> master I'd use that as a starting point.
>
> Look at the RA cert in /etc/httpd/alias:
>
> # certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial
>
> See if it is the same on all masters, it should be.
>
> If it is, look at the uid=ipara entry on all the masters. Again, should be
> the same.
>
> Note that fixing this won't address any replication issues.
>
> rob
>
>
>> Marc
>>
>> On Tue, Jun 14, 2016 at 2:07 PM, Marc Wiatrowski wrote:
>>
>>
>> On Tue, Jun 14, 2016 at 11:22 AM, Rob Crittenden wrote:
>>
>> Marc Wiatrowski wrote:
>>
>> Hello, I'm having issues with the 3 ipa certificates of type
>> CA: IPA renewing on 2 of 3 replicas. Particularly on the 2 that are
>> not the CA master. The other 5 certificates from getcert list do renew
>> and all certificates on the CA master do look to renew.
>>
>> Both servers running ipa-server-3.0.0-50.el6.centos.1.x86_64. I've done
>> full updates and rebooted.
>>
>>
>> Can you check on the replication status for each CA?
>>
>> $ ipa-csreplica-manage list -v ipa.example.com
>>
>> The hostname is important because including that will show the
>> agreements that host has. Do this for each master with a CA.
>>
>> The CA being asked to do the renewal is unaware of the current
>> serial number so it is refusing to proceed.
>>
>> rob
>>
>>
>> [root at spider01o]$ ipa-csreplica-manage list -v spider01a.iglass.net
>>
>> Directory Manager password:
>>
>> spider01b.iglass.net
>> last init status: None
>> last init ended: None
>> last update status: 0 Replica acquired successfully: Incremental update succeeded
>> last update ended: 2016-06-14 17:49:16+00:00
>> spider01o.iglass.net
>> last init status: None
>> last init ended: None
>> last update status: 0 Replica acquired successfully: Incremental update started
>> last update ended: 2016-06-14 17:55:20+00:00
>>
>> [root at spider01o]$ ipa-csreplica-manage list -v spider01o.iglass.net
>>
>> Directory Manager password:
>>
>> spider01a.iglass.net
>> last init status: None
>> last init ended: None
>> last update status: 0 Replica acquired successfully: Incremental update started
>> last update ended: 2016-06-14 17:57:44+00:00
>> spider01b.iglass.net
>> last init status: None
>> last init ended: None
>> last update status: 0 Replica acquired successfully: Incremental update started
>> last update ended: 2016-06-14 17:57:41+00:00
>>
>> [root at spider01o]$ ipa-csreplica-manage list -v spider01b.iglass.net
>>
>> Directory Manager password:
>>
>> spider01a.iglass.net
>> last init status: 0 Total update succeeded
>> last init ended: 2016-06-03 19:43:12+00:00
>> last update status: 0 Replica acquired successfully: Incremental update succeeded
>> last update ended: 2016-06-14 17:44:17+00:00
>> spider01o.iglass.net
>> last init status: 0 Total update succeeded
>> last init ended: 2016-06-03 19:44:38+00:00
>> last update status: 0 Replica acquired successfully: Incremental update started
>> last update ended: 2016-06-14 17:57:53+00:00
>> spider01a.iglass.net
>> last init status: None
>> last init ended: None
>> last update status: 0 Replica acquired successfully: Incremental update succeeded
>> last update ended: 2016-06-14 17:44:13+00:00
>> spider01o.iglass.net
>> last init status: None
>> last init ended: None
>> last update status: 0 Replica acquired successfully: Incremental update started
>> last update ended: 2016-06-14 17:57:54+00:00
>>
>>
>> Not sure what this is telling... Is this an issue with the last being
>> doubled? Thanks
>>
>>
>>
>> The failed renewals look like:
>>
>> [root at spider01a]$ getcert list -i 20141202144354
>> Number of certificates and requests being tracked: 8.
>> Request ID '20141202144354':
>> status: CA_UNREACHABLE
>> ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request,
>> will retry: 4301 (RPC failed at server. Certificate operation cannot be
>> completed: EXCEPTION (Certificate serial number 0x3ffe0010 not found)).
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=IGLASS.NET
>> subject: CN=spider01a.iglass.net,O=IGLASS.NET
>> expires: 2016-12-02 14:38:45 UTC
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
>> track: yes
>> auto-renew: yes
>>
>> [root at spider01a]$ getcert list -i 20141202144616
>> Number of certificates and requests being tracked: 8.
>> Request ID '20141202144616':
>> status: CA_UNREACHABLE
>> ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request,
>> will retry: 4301 (RPC failed at server. Certificate operation cannot be
>> completed: EXCEPTION (Certificate serial number 0x3ffe000f not found)).
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IGLASS-NET/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=IGLASS.NET
>> subject: CN=spider01a.iglass.net,O=IGLASS.NET
>> expires: 2016-12-02 14:38:43 UTC
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv IGLASS-NET
>> track: yes
>> auto-renew: yes
>>
>> [root at spider01a]$ getcert list -i 20141202144733
>> Number of certificates and requests being tracked: 8.
>> Request ID '20141202144733':
>> status: CA_UNREACHABLE
>> ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request,
>> will retry: 4301 (RPC failed at server. Certificate operation cannot be
>> completed: EXCEPTION (Certificate serial number 0x3ffe0011 not found)).
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=IGLASS.NET
>> subject: CN=spider01a.iglass.net,O=IGLASS.NET
>> expires: 2016-12-02 14:38:46 UTC
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>> track: yes
>> auto-renew: yes
>>
>>
>> From
>> [root at spider01a]$ getcert resubmit -i 20141202144354
>>
>> On the replica issuing the resubmit
>>
>> ==> /var/log/httpd/access_log <==
>> 192.168.176.2 - - [13/Jun/2016:15:49:32 -0400] "POST /ipa/xml HTTP/1.1" 401 1370
>>
>> ==> /var/log/httpd/error_log <==
>> [Mon Jun 13 15:49:33 2016] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): EXCEPTION (Certificate serial number 0x3ffe0010 not found)
>> [Mon Jun 13 15:49:33 2016] [error] ipa: INFO: host/spider01a.iglass.net at IGLASS.NET: cert_request(u'MIIDsTCCApkCAQAwNDETMBEGA1UEChMKSUdMQVNTLk5FVDEdMBsGA1UEAxMUc3BpZGVyMDFhLml...UVrN8lbKn17V5COjnj6k0mdbz3KptL0UI/l0BPlFBWGN5MFYaDx2F+y6LWv/aXeu2V4E6LA==', principal=u'dogtagldap/spider01a.iglass.net at IGLASS.NET', add=True): CertificateOperationError
>>
>> ==> /var/log/httpd/access_log <==
>> 192.168.176.2 - - [13/Jun/2016:15:49:33 -0400] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 200 262
>> 192.168.176.2 - host/spider01a.iglass.net at IGLASS.NET [13/Jun/2016:15:49:32 -0400] "POST /ipa/xml HTTP/1.1" 200 376
>>
>> ==> /var/log/pki-ca/system <==
>> 2508.TP-Processor6 - [13/Jun/2016:15:49:33 EDT] [3] [3] Servlet caDisplayBySerial: Error encountered in DisplayBySerial. Error Record not found.
>>
>>
>> On the CA master spider01o:
>>
>> ==> /var/log/httpd/access_log <==
>> 192.168.176.2 - - [13/Jun/2016:15:49:33 -0400] "POST /ipa/xml HTTP/1.1" 401 1370
>>
>> ==> krb5kdc.log <==
>> Jun 13 15:49:34 spider01o.iglass.net krb5kdc[1963](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.177.2: ISSUE: authtime 1465847372, etypes {rep=18 tkt=18 ses=18}, host/spider01a.iglass.net at IGLASS.NET for ldap/spider01o.iglass.net at IGLASS.NET
>>
>> ==> /var/log/httpd/error_log <==
>> [Mon Jun 13 15:49:34 2016] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): EXCEPTION (Invalid Credential.)
>> [Mon Jun 13 15:49:34 2016] [error] ipa: INFO: host/spider01a.iglass.net at IGLASS.NET: cert_request(u'MIIDsTCCApkCAQAwNDETMBEGA1UEChMKSUdMQVNTLk5FVDEdMBsGA1UEAxMUc3BpZGVyMDFhLml...UVrN8lbKn17V5COjnj6k0mdbz3KptL0UI/l0BPlFBWGN5MFYaDx2F+y6LWv/aXeu2V4E6LA==', principal=u'dogtagldap/spider01a.iglass.net at IGLASS.NET', add=True): CertificateOperationError
>>
>> ==> /var/log/httpd/access_log <==
>> 192.168.177.2 - - [13/Jun/2016:15:49:34 -0400] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 200 235
>> 192.168.176.2 - host/spider01a.iglass.net at IGLASS.NET [13/Jun/2016:15:49:33 -0400] "POST /ipa/xml HTTP/1.1" 200 349
>>
>> ==> /var/log/pki-ca/system <==
>> 2231.TP-Processor3 - [13/Jun/2016:15:49:34 EDT] [6] [3] Cannot authenticate agent with certificate Serial 0x5ffc0008 Subject DN CN=IPA RA,O=IGLASS.NET.
>> Error: User not found
>>
>>
>> I realize they expire at the end of the year, but I've had my
>> certificates expire before and would rather not go through that again.
>> Any idea on what's wrong or suggestions on where to look would be
>> appreciated.
>>
>> Thanks,
>> Marc
>>
>

From gheorghita.butnaru at tuiasi.ro Mon Jun 20 16:12:14 2016
From: gheorghita.butnaru at tuiasi.ro (gheorghita.butnaru at tuiasi.ro)
Date: Mon, 20 Jun 2016 19:12:14 +0300
Subject: [Freeipa-users] ldap entry from an plugin
Message-ID: <46fccbc7cd2e3cb0773121f850f5b679.squirrel@webmail.tuiasi.ro>

Hello,

I have a small plugin that adds two new fields in user details. Based on those, I need to make a new entry in the directory, like I would do with ldapmodify for example ( http://pastebin.com/ZSEA64k8 )

Basically every time a user modifies those new attrs I need to make an entry.
I have a small function that takes the content of the attr that was added by the user in the webUI. With that function I have all the info I want for my new entry: dn, cn, object classes, attr.

How can I add that info from that function to LDAP?

Thanks,
Gheorghita

From gjn at gjn.priv.at Mon Jun 20 16:48:42 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Mon, 20 Jun 2016 18:48:42 +0200
Subject: [Freeipa-users] ipa-ods-exporter failed ?
In-Reply-To:
References: <3253760.hiacI6SPC6@techz> <1574571.ccFegkPbxX@techz>
Message-ID: <4253691.QxeogKA5rI@techz>

Hello,

On Monday, 20 June 2016, 09:54:11 CEST Petr Spacek wrote:
> On 18.6.2016 15:03, Günther J. Niederwimmer wrote:
> > hello,
> >
> > On Friday, 17 June 2016, 23:05:32 CEST Martin Basti wrote:
> >> On 17.06.2016 18:29, Günther J. Niederwimmer wrote:
> >>> Hello,
> >>>
> >>> On Friday, 17 June 2016, 14:13:55 CEST Martin Basti wrote:
> >>>> On 17.06.2016 12:54, Günther J. Niederwimmer wrote:
> >>>>> Hello List,
> >>>>>
> >>>>> On Friday, 17 June 2016, 07:51:45 CEST Petr Spacek wrote:
> >>>>>> On 16.6.2016 21:51, Lukas Slebodnik wrote:
> >>>>>>> On (16/06/16 11:54), Günther J. Niederwimmer wrote:
> >>>>>>>> Hello
> >>>>>>>>
> >>>>>>>> On my system the ods-exporter, I mean, has a problem.
> >>>>>>>>
> >>>>>>>> I have this in the logs
> >>>>>>>> CentOS 7.(2) ipa 4.3.1
> >>>>>>>>
> >>>>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
> >>>>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient
> >>>>>>>> access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
> >>>>>>>> Minor code may provide more information (Ticket expired)
> >>>>>>>>
> >>>>>>> ^^^^^^^^^^^^^^
> >>>>>>>
> >>>>>>> Here seems to be a reason why it failed.
> >>>>>>> But I can't help you more.
> >>>>>>
> >>>>>> Lukas is right. Interesting, this should never happen :-)
> >>>>>
> >>>>> This I have also found ;-)
> >>>>>
> >>>>>> Please enable debugging using procedure
> >>>>>> http://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data
> >>>>>> and check logs after next ipa-ods-exporter restart.
> >>>>>> Thank you!
> >>>>>
> >>>>> OK,
> >>>>>
> >>>>> I attach the messages log.
> >>>>>
> >>>>> I mean, is this a problem with my DNS?
> >>>>
> >>>> Hello,
> >>>> can you check the Kerberos status of the ipa-ods-exporter service in the webUI?
> >>>>
> >>>> identity/services/ipa-ods-exported/
> >>>> There should be a Kerberos status in the right top corner in the details view
> >>>
> >>> I have a
> >>> identity/services/ipa-ods-exporter/..
> >>>
> >>> with a "Kerberos Key Present, Service Provisioned"
> >>>
> >>> but no Certificate ?
> >>
> >> Can you try,
> >>
> >> # kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab ipa-ods-exporter/$(hostname)
> >
> > OK
> > I can do a "kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab ipa-ods-exporter/$(hostname)"
> >
> > written on one line!! Is this OK?
> >
> >> and do ldapsearch
> >> # ldapsearch -Y GSSAPI
> >
> > and also ldapsearch is OK
> >
> >> It should show us if keytab is okay
> >
> > But the error is present :-(.
>
> We need to see precise error. Please copy&paste it into the e-mail.

That is it.

Jun 20 18:43:34 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 20 18:43:34 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 20 18:43:34 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.login_password() at '/session/login_password'
Jun 20 18:43:34 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 20 18:43:34 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver() at '/xml'
Jun 20 18:43:34 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 20 18:43:34 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_session() at '/session/json'
Jun 20 18:43:34 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 20 18:43:34 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.sync_token() at '/session/sync_token'
Jun 20 18:43:34 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos'
Jun 20 18:43:34 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 20 18:43:35 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_kerb() at '/json'
Jun 20 18:43:35 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 20 18:43:35 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.change_password() at '/session/change_password'
Jun 20 18:43:35 ipa ipa-ods-exporter: ipa: DEBUG: Initializing principal ipa-ods-exporter/ipa.4gjn.com using keytab /etc/ipa/dnssec/ipa-ods-exporter.keytab
Jun 20 18:43:35 ipa ipa-ods-exporter: ipa: DEBUG: using ccache /var/opendnssec/tmp/ipa-ods-exporter.ccache
Jun 20 18:43:35 ipa ipa-ods-exporter: ipa: DEBUG: Attempt 1/5: success
Jun 20 18:43:35 ipa python2: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 20 18:43:35 ipa ipa-ods-exporter: Traceback (most recent call last):
Jun 20 18:43:35 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in
Jun 20 18:43:35 ipa ipa-ods-exporter: ldap.gssapi_bind()
Jun 20 18:43:35 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind
Jun 20 18:43:35 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls)
Jun 20 18:43:35 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
Jun 20 18:43:35 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback)
Jun 20 18:43:35 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler
Jun 20 18:43:35 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
Jun 20 18:43:35 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 20 18:43:35 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE
Jun 20 18:43:35 ipa systemd: Unit ipa-ods-exporter.service entered failed state.
Jun 20 18:43:35 ipa systemd: ipa-ods-exporter.service failed.
Jun 20 18:44:35 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart.
Jun 20 18:44:35 ipa systemd: Started IPA OpenDNSSEC Signer replacement.
Jun 20 18:44:35 ipa systemd: Starting IPA OpenDNSSEC Signer replacement...
Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing all plugin modules in ipalib.plugins...
Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.aci Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.automember Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.automount Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.baseldap Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.baseuser Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.batch Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.caacl Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.cert Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.certprofile Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.config Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.delegation Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.dns Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.domainlevel Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.group Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacrule Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvc Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvcgroup Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hbactest Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.host Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.hostgroup Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: 
importing plugin module ipalib.plugins.idrange Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.idviews Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.internal Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.krbtpolicy Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.migration Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.misc Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.netgroup Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.otpconfig Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken_yubikey Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.passwd Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.permission Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.ping Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.privilege Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.pwpolicy Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: Starting external process Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: args=klist -V Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: Process finished, return code=0 Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: stdout=Kerberos 5 version 1.13.2 Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: stderr= Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.radiusproxy Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.realmdomains Jun 20 
18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.role Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.rpcclient Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.selfservice Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.selinuxusermap Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.server Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.service Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.servicedelegation Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.session Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.stageuser Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmd Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmdgroup Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.sudorule Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.topology Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.trust Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.user Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.vault Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipalib.plugins.virtual Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing all plugin modules in ipaserver.plugins... 
Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.dogtag Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.join Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.ldap2 Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.rabase Jun 20 18:44:35 ipa ipa-ods-exporter: ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver Jun 20 18:44:36 ipa ipa-ods-exporter: ipa: DEBUG: SessionAuthManager.register: name=jsonserver_session_66359568 Jun 20 18:44:36 ipa ipa-ods-exporter: ipa: DEBUG: SessionAuthManager.register: name=xmlserver_session_66361360 Jun 20 18:44:36 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.sync_token() at '/session/sync_token' Jun 20 18:44:36 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver_session() at '/session/xml' Jun 20 18:44:36 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 20 18:44:36 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 20 18:44:36 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.login_password() at '/session/login_password' Jun 20 18:44:36 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 20 18:44:36 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver() at '/xml' Jun 20 18:44:36 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 20 18:44:36 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_session() at '/session/json' Jun 20 18:44:36 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00 Jun 20 18:44:36 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.change_password() at '/session/change_password' Jun 20 18:44:36 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_kerb() at '/json' Jun 20 18:44:36 ipa ipa-ods-exporter: ipa: DEBUG: 
session_auth_duration: 0:20:00
Jun 20 18:44:36 ipa ipa-ods-exporter: ipa: DEBUG: Mounting ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos'
Jun 20 18:44:36 ipa ipa-ods-exporter: ipa: DEBUG: session_auth_duration: 0:20:00
Jun 20 18:44:36 ipa ipa-ods-exporter: ipa: DEBUG: Initializing principal ipa-ods-exporter/ipa.4gjn.com using keytab /etc/ipa/dnssec/ipa-ods-exporter.keytab
Jun 20 18:44:36 ipa ipa-ods-exporter: ipa: DEBUG: using ccache /var/opendnssec/tmp/ipa-ods-exporter.ccache
Jun 20 18:44:36 ipa ipa-ods-exporter: ipa: DEBUG: Attempt 1/5: success
Jun 20 18:44:36 ipa python2: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 20 18:44:36 ipa ipa-ods-exporter: Traceback (most recent call last):
Jun 20 18:44:36 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in
Jun 20 18:44:36 ipa ipa-ods-exporter: ldap.gssapi_bind()
Jun 20 18:44:36 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind
Jun 20 18:44:36 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls)
Jun 20 18:44:36 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
Jun 20 18:44:36 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback)
Jun 20 18:44:36 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler
Jun 20 18:44:36 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
Jun 20 18:44:36 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 20 18:44:36 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE
Jun 20 18:44:36 ipa systemd: Unit ipa-ods-exporter.service entered failed state.
Jun 20 18:44:36 ipa systemd: ipa-ods-exporter.service failed.
> It would be awesome if you could follow general rules for bug reporting:
> http://www.chiark.greenend.org.uk/~sgtatham/bugs-de.html
>
> Besides other things it would allow us to help you in shorter time.
>
> Have a nice day!

--
mit freundlichen Grüßen / best regards,

Günther J. Niederwimmer

From mbasti at redhat.com Mon Jun 20 16:55:51 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 20 Jun 2016 18:55:51 +0200
Subject: [Freeipa-users] ldap entry from an plugin
In-Reply-To: <46fccbc7cd2e3cb0773121f850f5b679.squirrel@webmail.tuiasi.ro>
References: <46fccbc7cd2e3cb0773121f850f5b679.squirrel@webmail.tuiasi.ro>
Message-ID:

On 20.06.2016 18:12, gheorghita.butnaru at tuiasi.ro wrote:
> Hello,
>
> I have a small plugin that adds two new fields in user details. Based on
> those, I need to make a new entry in the directory, like I would do with
> ldapmodify for example ( http://pastebin.com/ZSEA64k8 )
>
> Basically every time a user modifies those new attrs I need to make
> an entry.
> I have a small function that takes the content of the attr that was added by
> the user in the webUI. With that function I have all the info I want for my new
> entry:
> dn, cn, object classes, attr.
>
> How can I add that info from that function to LDAP?
>
> Thanks,
> Gheorghita
>
>
Hello, did you read this document on how to extend FreeIPA?

https://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf

From gheorghita.butnaru at tuiasi.ro Mon Jun 20 17:20:30 2016
From: gheorghita.butnaru at tuiasi.ro (gheorghita.butnaru at tuiasi.ro)
Date: Mon, 20 Jun 2016 20:20:30 +0300
Subject: [Freeipa-users] ldap entry from an plugin
In-Reply-To:
References: <46fccbc7cd2e3cb0773121f850f5b679.squirrel@webmail.tuiasi.ro>
Message-ID:

Yes I did, I started from there.

I have two new fields in user details and it works as expected.
Now, based on those new entries I need to make an entry in LDAP like this one:

dn: cn=userid, cn=192.168.1.0, cn=shared_net_name, cn=config,dc=dhcp,dc=example,dc=com
cn: userid
objectClass: top
objectClass: dhcpHost
objectClass: dhcpOptions
dhcpHWAddress: ethernet 00:a0:78:8e:9e:aa

shared_net_name, dhcpHWAddress - added by users in those new fields.
I was thinking that I can do it in the same plugin file but I don't know exactly how to do it.

>
>
> On 20.06.2016 18:12, gheorghita.butnaru at tuiasi.ro wrote:
>> Hello,
>>
>> I have a small plugin that adds two new fields in user details. Based
>> on
>> those, I need to make a new entry in the directory, like I would do with
>> ldapmodify for example ( http://pastebin.com/ZSEA64k8 )
>>
>> Basically every time a user modifies those new attrs I need to
>> make
>> an entry.
>> I have a small function that takes the content of the attr that was added
>> by
>> the user in the webUI. With that function I have all the info I want for my new
>> entry:
>> dn, cn, object classes, attr.
>>
>> How can I add that info from that function to LDAP?
>>
>> Thanks,
>> Gheorghita
>>
>>
> Hello, did you read this document on how to extend FreeIPA?
>
> https://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
>

From lslebodn at redhat.com Mon Jun 20 17:26:45 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Mon, 20 Jun 2016 19:26:45 +0200
Subject: [Freeipa-users] ldap entry from an plugin
In-Reply-To:
References: <46fccbc7cd2e3cb0773121f850f5b679.squirrel@webmail.tuiasi.ro>
Message-ID: <20160620172644.GC12141@10.4.128.1>

On (20/06/16 20:20), gheorghita.butnaru at tuiasi.ro wrote:
>Yes I did, I started from there.
>
>I have two new fields in user details and it works as expected.
>Now, based on those new entries I need to make an entry in LDAP like this
>one:
>
>dn: cn=userid, cn=192.168.1.0, cn=shared_net_name,
>cn=config,dc=dhcp,dc=example,dc=com
>cn: userid
>objectClass: top
>objectClass: dhcpHost
>objectClass: dhcpOptions
>dhcpHWAddress: ethernet 00:a0:78:8e:9e:aa
>
>shared_net_name, dhcpHWAddress - added by users in those new fields.
>I was thinking that I can do it in the same plugin file but I don't know
>exactly how to do it.
If you want to enhance FreeIPA with DHCP
then I will recommend you to look into the freeipa-users archives.
https://www.redhat.com/archives/freeipa-users/2016-May/msg00211.html
https://github.com/jefferyharrell/IPA-dhcp

LS

From gheorghita.butnaru at tuiasi.ro Mon Jun 20 17:50:33 2016
From: gheorghita.butnaru at tuiasi.ro (gheorghita.butnaru at tuiasi.ro)
Date: Mon, 20 Jun 2016 20:50:33 +0300
Subject: [Freeipa-users] ldap entry from an plugin
In-Reply-To: <20160620172644.GC12141@10.4.128.1>
References: <46fccbc7cd2e3cb0773121f850f5b679.squirrel@webmail.tuiasi.ro> <20160620172644.GC12141@10.4.128.1>
Message-ID: <51a3ea4a6419b7493caa97a1b1028375.squirrel@webmail.tuiasi.ro>

I like that plugin but, for my purpose, I just need something simple:

1. two options for users to select their wanted networks and to add their MAC addresses (done already, fully functional).
2. with that input I want to make an entry, like I said, for the DHCP server.

Important to say is that I already have that input in the corresponding attr in LDAP, but I want to build a special entry for DHCP like in my next example.

For example, if a user selects network Net1 and MAC address aa:aa:aa:aa:aa:aa, I will need something like this in the directory:

dn: cn=userid, cn=192.168.1.0, cn=Net1, cn=config,dc=dhcp,dc=example,dc=com
cn: userid
objectClass: top
objectClass: dhcpHost
objectClass: dhcpOptions
dhcpHWAddress: ethernet aa:aa:aa:aa:aa:aa

The network IP is unique and corresponds to that network. Everything else that I need for a working DHCP is already in the directory.

> On (20/06/16 20:20), gheorghita.butnaru at tuiasi.ro wrote:
>>Yes I did, I started from there.
>>
>>I have two new fields in user details and it works as expected.
>>Now, based on those new entries I need to make an entry in LDAP like this
>>one:
>>
>>dn: cn=userid, cn=192.168.1.0, cn=shared_net_name,
>>cn=config,dc=dhcp,dc=example,dc=com
>>cn: userid
>>objectClass: top
>>objectClass: dhcpHost
>>objectClass: dhcpOptions
>>dhcpHWAddress: ethernet 00:a0:78:8e:9e:aa
>>
>>shared_net_name, dhcpHWAddress - added by users in those new fields.
>>I was thinking that I can do it in the same plugin file but I don't know
>>exactly how to do it.
>
> If you want to enhance FreeIPA with DHCP
> then I will recommend you to look into the freeipa-users archives.
> https://www.redhat.com/archives/freeipa-users/2016-May/msg00211.html
> https://github.com/jefferyharrell/IPA-dhcp
>
> LS
>

From schogan at us.ibm.com Mon Jun 20 18:36:25 2016
From: schogan at us.ibm.com (Sean Hogan)
Date: Mon, 20 Jun 2016 11:36:25 -0700
Subject: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
In-Reply-To:
References:
Message-ID:

Hi All..

I thought we fixed this issue by rebooting the KVM host but it is showing again. Our First Master IPA is being rebooted 2-5 times a day now just to keep it alive.
What we are seeing: God at FirstMaster log]# kinit admin kinit: Cannot contact any KDC for realm 'Domain.LOCAL' while getting initial credentials DNS is not working as nslookup is failing to a replica.... think once we lose DNS it all goes down hill which makes sense. [god at FirstMaster log]# ipactl stop -----> Just hangs forever.. no replies.. no error.. nothing I try service named stop and nothing happens I have the box hard shutdown from KVM console. Reboot it and it works for a little while but eventually back to same behavior. At this point I can service named stop and it responds... ipactl status and it responds.. but when if I try service named restart I get [god at FirstMaster log]# service named stop Stopping named: ...... [god at Firstmaster log]# service named start Starting named: [FAILED] [god at FirstMaster log]# service named status rndc: connect failed: 127.0.0.1#953: connection refused named dead but pid file exists Rebooted box and it is hung on shutting down domain-local and never fully shuts down.. have to get it hard shutdown again. During an attempt to gracefully shut down we see this Shutting Down dirsrv: PKI-IPA OK DOMAIN-LOCAL FAILED *** Error: 1 instance(s) unsuccessfully stopped FAILED Then it moves on to shut other things down and returns to dirsrv Shutting Down dirsrv: PKI-IPA....server already stopped FAILED {Makes sense.. it died earlier} DOMAIN-LOCAL... 
{this sits here til we hard shutdown}

bind-libs-9.8.2-0.47.rc1.el6.x86_64
bind-9.8.2-0.47.rc1.el6.x86_64
bind-utils-9.8.2-0.47.rc1.el6.x86_64
ipa-client-3.0.0-50.el6.1.x86_64
ipa-server-selinux-3.0.0-50.el6.1.x86_64
ipa-server-3.0.0-50.el6.1.x86_64
sssd-ipa-1.13.3-22.el6.x86_64

/var/log/dirsrv/slapd-DOMAIN-LOCAL
[20/Jun/2016:13:29:06 -0400] - 389-Directory/1.2.11.15 B2016.063.2110 starting up
[20/Jun/2016:13:29:06 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=domain,dc=local
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - ruv_compare_ruv: RUV [database RUV] does not contain element [{replica 7} 55ca26a0000900070000 5688d8e6001000070000] which is present in RUV [changelog max RUV]
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: for replica dc=domain,dc=local there were some differences between the changelog max RUV and the database RUV. If there are obsolete elements in the database RUV, you should remove them using the CLEANALLRUV task. If they are not obsolete, you should check their status to see why there are no changes from those servers in the changelog.
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver9.domain.local" (server9:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:29:07 -0400] - slapd started. 
Listening on All Interfaces port 389 for LDAP requests [20/Jun/2016:13:29:07 -0400] - Listening on All Interfaces port 636 for LDAPS requests [20/Jun/2016:13:29:07 -0400] - Listening on /var/run/slapd-DOMAIN-LOCAL.socket for LDAPI requests [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver4.domain.local" (server4:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meTo1server.domain.local" (1server:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver7.domain.local" (server7:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 0 (Success) [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin - agmt="cn=meToserver9.domain.local" (server9:389): Replication bind with GSSAPI auth resumed [20/Jun/2016:13:29:10 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) [20/Jun/2016:13:29:10 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) [20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin - agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) [20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with GSSAPI auth resumed [20/Jun/2016:13:29:10 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin - agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with GSSAPI auth resumed [20/Jun/2016:13:29:10 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic 
failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory) [20/Jun/2016:13:29:10 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:29:10 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory) [20/Jun/2016:13:29:10 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:29:16 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) [20/Jun/2016:13:29:16 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) [20/Jun/2016:13:59:00 -0400] - 389-Directory/1.2.11.15 B2016.063.2110 starting up [20/Jun/2016:13:59:00 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database. [20/Jun/2016:13:59:01 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=domain,dc=local [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - ruv_compare_ruv: RUV [database RUV] does not contain element [{replica 7} 55ca26a0000900070000 5688d8e6001000070000] which is present in RUV [changelog max RUV] [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: for replica dc=domain,dc=local there were some differences between the changelog max RUV and the database RUV. 
If there are obsolete elements in the database RUV, you should remove them using the CLEANALLRUV task. If they are not obsolete, you should check their status to see why there are no changes from those servers in the changelog. [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver9.domain.local" (server9:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meTobldvxl0011.domain.local" (1server:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver7.domain.local" (server7:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:59:48 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests [20/Jun/2016:13:59:48 -0400] - Listening on All Interfaces port 636 for LDAPS requests [20/Jun/2016:13:59:48 -0400] - Listening on /var/run/slapd-DOMAIN-LOCAL.socket for LDAPI requests [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver4.domain.local" (server4:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 0 (Success) [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:59:51 -0400] NSMMReplicationPlugin - agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with GSSAPI auth resumed [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) [20/Jun/2016:13:59:51 -0400] NSMMReplicationPlugin - agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory)
[20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:59:57 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[20/Jun/2016:13:59:57 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
[20/Jun/2016:13:59:57 -0400] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with GSSAPI auth resumed

Sean Hogan

From: Sean Hogan/Durham/IBM
To: freeipa-users
Date: 06/02/2016 09:24 AM
Subject: IPA 3.0.47 to 3.0.50 Upgrade problem

Hello All,

Recently went from RHEL 6.7 IPA 3.0.47 to 6.8 IPA 3.0.50. I also think (not sure on this yet) that they changed ntp.. ntp used to point at my ipas.. but they look like they are now pointing elsewhere. Everything was stable at 6.7 3.0.47 pointing to IPA for NTP. However.. they all seem to have the same date.

My first master IPA is acting up. Replication is off, Kerberos seems to be off, DNS is off and I think IPA in general on it is toast. We do have 8 IPAs.. only FirstMaster is acting up, it seems, right now, and all are either running on KVM or ESXi.

[God at FirstMasterIPA slapd-DOMAIN-LOCAL]# kinit admin
kinit: Generic error (see e-text) while getting initial credentials

slapd-DOMAIN-LOCAL
[01/Jun/2016:18:25:43 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Cannot contact any KDC for realm 'DOMAIN.LOCAL')) errno 115 (Operation now in progress) [01/Jun/2016:18:25:43 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin - agmt="cn=meToipaserv2.domain.local" (ipaserv2:389): Replication bind with GSSAPI auth resumed [01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin - agmt="cn=meToipaserv3.domain.local" (ipaserv3:389): Replication bind with GSSAPI auth resumed [01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin - agmt="cn=meToipaserv4.domain.local" (ipaserv4:389): Replication bind with GSSAPI auth resumed [01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin - agmt="cn=meToipaserv5.domain.local" (ipaserv5:389): Replication bind with GSSAPI auth resumed [01/Jun/2016:18:28:04 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) [01/Jun/2016:18:28:04 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) [01/Jun/2016:18:28:13 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory)
[01/Jun/2016:18:28:13 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[01/Jun/2016:18:33:03 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[01/Jun/2016:18:33:03 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
[01/Jun/2016:18:33:18 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory)
[01/Jun/2016:18:33:18 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[01/Jun/2016:18:38:03 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)

[God at FirstMasterIPA slapd-DOMAIN-LOCAL]# ipa-replica-manage -v list --------------> just hangs and never returns

[God at FirstMasterIPA slapd-DOMAIN-LOCAL]# ipactl start -------------> Just hangs here as well.. never gets to the KDC.
Starting Directory Service
Starting dirsrv:
    PKI-IPA... already running              [  OK  ]
    DOMAIN-LOCAL... already running         [  OK  ]

If I run nslookup it fails over to a replica for the DNS resolution instead of resolving IPs itself.
PKI log shows a bunch of this: [02/Jun/2016:11:15:25 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver2.domain.local-pki-ca" (ipaserver2:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null)) [02/Jun/2016:11:15:34 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver2.domain.local-pki-ca" (ipaserver2:7389): Replication bind with SIMPLE auth resumed [02/Jun/2016:11:16:36 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:16:51 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:11:21:51 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:22:06 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:11:26:36 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:26:41 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:11:31:36 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:31:41 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:11:36:36 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:36:41 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) 
[02/Jun/2016:11:41:46 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[02/Jun/2016:11:41:51 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[02/Jun/2016:11:45:16 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[02/Jun/2016:11:45:16 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver3.domain.local-pki-ca" (ipaserver3:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null))
[02/Jun/2016:11:45:25 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver3.domain.local-pki-ca" (ipaserver3:7389): Replication bind with SIMPLE auth resumed
[02/Jun/2016:11:46:51 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[02/Jun/2016:11:46:56 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[02/Jun/2016:11:51:36 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[02/Jun/2016:11:51:41 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[02/Jun/2016:11:56:46 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[02/Jun/2016:11:56:51 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[02/Jun/2016:12:01:36 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[02/Jun/2016:12:01:41 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[02/Jun/2016:12:05:33 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[02/Jun/2016:12:05:33 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver3.domain.local-pki-ca" (ipaserver3:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null))
[02/Jun/2016:12:06:01 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[02/Jun/2016:12:06:06 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver3.domain.local-pki-ca" (ipaserver3:7389): Replication bind with SIMPLE auth resumed
[02/Jun/2016:12:06:31 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[02/Jun/2016:12:06:41 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)

NTP seems OK

[God at FirstMasterIPA slapd-PKI-IPA]# date
Thu Jun 2 12:23:00 EDT 2016
[God at ipaserver3 ~]# date
Thu Jun 2 12:23:02 EDT 2016

Sean Hogan

From schogan at us.ibm.com Mon Jun 20 19:49:27 2016
From: schogan at us.ibm.com (Sean Hogan)
Date: Mon, 20 Jun 2016 12:49:27 -0700
Subject: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
In-Reply-To:
References:
Message-ID:

Also seeing this in the upgrade log on the first master but not on the 7 ipas.
ERROR Failed to restart named: Command '/sbin/service named restart ' returned non-zero exit status 7

which led me to https://bugzilla.redhat.com/show_bug.cgi?id=895298

Sean Hogan

From: Sean Hogan/Durham/IBM at IBMUS
To: freeipa-users
Date: 06/20/2016 11:46 AM
Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
Sent by: freeipa-users-bounces at redhat.com

Hi All..

I thought we fixed this issue by rebooting the KVM host but it is showing again. Our First Master IPA is being rebooted 2-5 times a day now just to keep it alive.

What we are seeing:

God at FirstMaster log]# kinit admin
kinit: Cannot contact any KDC for realm 'Domain.LOCAL' while getting initial credentials

DNS is not working as nslookup is failing to a replica.... think once we lose DNS it all goes downhill which makes sense.

[god at FirstMaster log]# ipactl stop -----> Just hangs forever.. no replies.. no error.. nothing

I try service named stop and nothing happens

I have the box hard shutdown from KVM console. Reboot it and it works for a little while but eventually back to same behavior. At this point I can service named stop and it responds... ipactl status and it responds.. but if I try service named restart I get

[god at FirstMaster log]# service named stop
Stopping named: ......
[god at Firstmaster log]# service named start
Starting named: [FAILED]
[god at FirstMaster log]# service named status
rndc: connect failed: 127.0.0.1#953: connection refused
named dead but pid file exists

Rebooted box and it is hung on shutting down domain-local and never fully shuts down.. have to get it hard shutdown again.

During an attempt to gracefully shut down we see this

Shutting Down dirsrv:
PKI-IPA OK
DOMAIN-LOCAL FAILED
*** Error: 1 instance(s) unsuccessfully stopped FAILED

Then it moves on to shut other things down and returns to dirsrv

Shutting Down dirsrv:
PKI-IPA....server already stopped FAILED {Makes sense.. it died earlier}
DOMAIN-LOCAL... {this sits here til we hard shutdown}

bind-libs-9.8.2-0.47.rc1.el6.x86_64
bind-9.8.2-0.47.rc1.el6.x86_64
bind-utils-9.8.2-0.47.rc1.el6.x86_64
ipa-client-3.0.0-50.el6.1.x86_64
ipa-server-selinux-3.0.0-50.el6.1.x86_64
ipa-server-3.0.0-50.el6.1.x86_64
sssd-ipa-1.13.3-22.el6.x86_64

/var/log/dirsrv/slapd-DOMAIN-LOCAL

[20/Jun/2016:13:29:06 -0400] - 389-Directory/1.2.11.15 B2016.063.2110 starting up
[20/Jun/2016:13:29:06 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=domain,dc=local
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - ruv_compare_ruv: RUV [database RUV] does not contain element [{replica 7} 55ca26a0000900070000 5688d8e6001000070000] which is present in RUV [changelog max RUV]
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: for replica dc=domain,dc=local there were some differences between the changelog max RUV and the database RUV. If there are obsolete elements in the database RUV, you should remove them using the CLEANALLRUV task. If they are not obsolete, you should check their status to see why there are no changes from those servers in the changelog.
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
[20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
[20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver9.domain.local" (server9:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
[20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jun/2016:13:29:07 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[20/Jun/2016:13:29:07 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[20/Jun/2016:13:29:07 -0400] - Listening on /var/run/slapd-DOMAIN-LOCAL.socket for LDAPI requests
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
[20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver4.domain.local" (server4:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
[20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meTo1server.domain.local" (1server:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
[20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver7.domain.local" (server7:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 0 (Success)
[20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin - agmt="cn=meToserver9.domain.local" (server9:389): Replication bind with GSSAPI auth resumed
[20/Jun/2016:13:29:10 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[20/Jun/2016:13:29:10 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
[20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin - agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
[20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with GSSAPI auth resumed
[20/Jun/2016:13:29:10 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin - agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with GSSAPI auth resumed
[20/Jun/2016:13:29:10 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory)
[20/Jun/2016:13:29:10 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:29:10 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory)
[20/Jun/2016:13:29:10 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:29:16 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[20/Jun/2016:13:29:16 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
[20/Jun/2016:13:59:00 -0400] - 389-Directory/1.2.11.15 B2016.063.2110 starting up
[20/Jun/2016:13:59:00 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[20/Jun/2016:13:59:01 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=domain,dc=local
[20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - ruv_compare_ruv: RUV [database RUV] does not contain element [{replica 7} 55ca26a0000900070000 5688d8e6001000070000] which is present in RUV [changelog max RUV]
[20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: for replica dc=domain,dc=local there were some differences between the changelog max RUV and the database RUV. If there are obsolete elements in the database RUV, you should remove them using the CLEANALLRUV task. If they are not obsolete, you should check their status to see why there are no changes from those servers in the changelog.
[20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
[20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
[20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver9.domain.local" (server9:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
[20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meTobldvxl0011.domain.local" (1server:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
[20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
[20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver7.domain.local" (server7:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[20/Jun/2016:13:59:48 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[20/Jun/2016:13:59:48 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[20/Jun/2016:13:59:48 -0400] - Listening on /var/run/slapd-DOMAIN-LOCAL.socket for LDAPI requests
[20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
[20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver4.domain.local" (server4:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 0 (Success)
[20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[20/Jun/2016:13:59:51 -0400] NSMMReplicationPlugin - agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with GSSAPI auth resumed
[20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
[20/Jun/2016:13:59:51 -0400] NSMMReplicationPlugin - agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
[20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory)
[20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory)
[20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory)
[20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory)
[20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory)
[20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:59:57 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[20/Jun/2016:13:59:57 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
[20/Jun/2016:13:59:57 -0400] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with GSSAPI auth resumed

Sean Hogan

From: Sean Hogan/Durham/IBM
To: freeipa-users
Date: 06/02/2016 09:24 AM
Subject: IPA 3.0.47 to 3.0.50 Upgrade problem

Hello All,

Recently went from RHEL 6.7 IPA 3.0.47 to 6.8 IPA 3.0.50. I also think (not sure on this yet) that they changed ntp.. ntp used to point at my ipas.. but they look like they are now pointing elsewhere. Everything was stable at 6.7 3.0.47 pointing to IPA for NTP. However.. they all seem to have the same date.

My master first IPA is acting up. Replication is off, kerberos seems to be off, DNS is off and I think IPA in general on it is toast. We do have 8 IPAs.. only FirstMaster is acting up it seems right now and all either running on KVM or ESXI.
[God at FirstMasterIPA slapd-DOMAIN-LOCAL]# kinit admin
kinit: Generic error (see e-text) while getting initial credential

slapd-DOMAIN-LOCAL

[01/Jun/2016:18:25:43 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for realm 'DOMAIN.LOCAL')) errno 115 (Operation now in progress)
[01/Jun/2016:18:25:43 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin - agmt="cn=meToipaserv2.domain.local" (ipaserv2:389): Replication bind with GSSAPI auth resumed
[01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin - agmt="cn=meToipaserv3.domain.local" (ipaserv3:389): Replication bind with GSSAPI auth resumed
[01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin - agmt="cn=meToipaserv4.domain.local" (ipaserv4:389): Replication bind with GSSAPI auth resumed
[01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin - agmt="cn=meToipaserv5.domain.local" (ipaserv5:389): Replication bind with GSSAPI auth resumed
[01/Jun/2016:18:28:04 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[01/Jun/2016:18:28:04 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
[01/Jun/2016:18:28:13 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory)
[01/Jun/2016:18:28:13 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[01/Jun/2016:18:33:03 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[01/Jun/2016:18:33:03 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
[01/Jun/2016:18:33:18 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory)
[01/Jun/2016:18:33:18 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[01/Jun/2016:18:38:03 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)

[God at FirstMasterIPA slapd-DOMAIN-LOCAL]# ipa-replica-manage -v list --------------> just hangs and never returns

[God at FirstMasterIPA slapd-DOMAIN-LOCAL]# ipactl start -------------> Just hangs here as well.. never gets to the KDC.
Starting Directory Service
Starting dirsrv:
PKI-IPA... already running [ OK ]
DOMAIN-LOCAL... already running [ OK ]

If I run nslookup it fails over to a Replica for the DNS resolution instead of resolving ips itself.
PKI log shows a bunch of this: [02/Jun/2016:11:15:25 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver2.domain.local-pki-ca" (ipaserver2:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null)) [02/Jun/2016:11:15:34 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver2.domain.local-pki-ca" (ipaserver2:7389): Replication bind with SIMPLE auth resumed [02/Jun/2016:11:16:36 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:16:51 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:11:21:51 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:22:06 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:11:26:36 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:26:41 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:11:31:36 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:31:41 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:11:36:36 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:36:41 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) 
[02/Jun/2016:11:41:46 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:41:51 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:11:45:16 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:45:16 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver3.domain.local-pki-ca" (ipaserver3:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null)) [02/Jun/2016:11:45:25 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver3.domain.local-pki-ca" (ipaserver3:7389): Replication bind with SIMPLE auth resumed [02/Jun/2016:11:46:51 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:46:56 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:11:51:36 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:51:41 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:11:56:46 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:56:51 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:12:01:36 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:12:01:41 -0400] slapi_ldap_bind - Error: could not 
send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:12:05:33 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:12:05:33 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver3.domain.local-pki-ca" (ipaserver3:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null)) [02/Jun/2016:12:06:01 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:12:06:06 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver3.domain.local-pki-ca" (ipaserver3:7389): Replication bind with SIMPLE auth resumed [02/Jun/2016:12:06:31 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:12:06:41 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) NTP seems OK [God at FirstMasterIPA slapd-PKI-IPA]# date Thu Jun 2 12:23:00 EDT 2016 [God at ipaserver3 ~]# date Thu Jun 2 12:23:02 EDT 2016 Sean Hogan -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... 
From martin at stefany.eu Mon Jun 20 20:46:13 2016
From: martin at stefany.eu (Martin Štefany)
Date: Mon, 20 Jun 2016 22:46:13 +0200
Subject: [Freeipa-users] Ghost ipaSshPubKey in sss_ssh_authorizedkeys or 'Error looking up public keys'
Message-ID: <1466455573.2729.22.camel@stefany.eu>

Hello all,

I've run into a strange issue with IPA/SSSD/SSH/SELinux which started when I figured out that I cannot ssh with pubkey auth to Fedora 23 (ipa-client) systems while I can to CentOS 7.2 (ipa-client and ipa-server) systems within the same IPA domain. I will appreciate any help whatsoever.
IPA servers (and most of the clients) are IPA 4.2.0 on CentOS 7.2 with latest updates, affected clients are IPA clients 4.2.4 on Fedora 23 with latest updates.

I started by looking at the journal:
jún 20 13:02:50 desk2.stefany.eu sshd[25162]: Connection from 144.xxx.xxx.xxx port 22543 on 172.17.100.191 port 22
...
jún 20 13:02:56 desk2.stefany.eu audit[23328]: AVC avc:  denied  { name_connect } for  pid=23328 comm="sssd_ssh" dest=80 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
jún 20 13:02:56 desk2.stefany.eu audit[23328]: SYSCALL arch=c000003e syscall=42 success=no exit=-13 a0=15 a1=7fff145c35b0 a2=10 a3=5614dbbe2a50 items=0 ppid=23316 pid=23328 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
...
jún 20 13:02:56 desk2.stefany.eu audit[23328]: AVC avc:  denied  { name_connect } for  pid=23328 comm="sssd_ssh" dest=80 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
jún 20 13:02:56 desk2.stefany.eu audit[23328]: SYSCALL arch=c000003e syscall=42 success=no exit=-13 a0=15 a1=7fff145c35b0 a2=10 a3=5614dbbe42d0 items=0 ppid=23316 pid=23328 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
...
jún 20 13:02:56 desk2.stefany.eu sshd[25162]: error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys martin failed, status 1
...
jún 20 13:02:56 desk2.stefany.eu sshd[25162]: Failed publickey for martin from 144.xxx.xxx.xxx port 22543 ssh2: RSA SHA256:uyzB4[stripped]
...
jún 20 13:02:56 desk2.stefany.eu sshd[25162]: error: Received disconnect from 144.xxx.xxx.xxx port 22543:14: No supported authentication methods available [preauth]
jún 20 13:02:56 desk2.stefany.eu sshd[25162]: Disconnected from 144.xxx.xxx.xxx port 22543 [preauth]

which was weird, because the same key would nicely work elsewhere (on any other CentOS 7.2 system, while no Fedora 23 system would work as I have figured out)

I have tried putting SELinux into permissive mode, or generating a custom module with a custom policy allowing this, but it doesn't help, and even a tcpdump capture doesn't capture anything when such a connection to 'somewhere' port 80 is opened.

I moved on to testing the '/usr/bin/sss_ssh_authorizedkeys martin' command.
Fedora 23:
# sss_ssh_authorizedkeys martin
Error looking up public keys

CentOS 7.2:
# sss_ssh_authorizedkeys martin
ssh-rsa AAA...
ssh-rsa AAA...
ssh-ed25519 AAA...
ssh-rsa AAA...
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsox... (???) -->> this one is not in LDAP (checked with ldapsearch & ipa user-show martin --all --raw), not present in dc=stefany,dc=eu tree or in compat tree

So, I have turned on debug_level = 0x0250 in sssd.conf in both Fedora 23 and CentOS 7.2 and checked the logs. CentOS 7.2 is just fine, Fedora 23 gives these failures:
==> /var/log/sssd/sssd_ssh.log <==
(Mon Jun 20 21:58:14 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0].
(Mon Jun 20 21:58:14 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0].
(Mon Jun 20 21:58:14 2016) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): name 'martin' matched without domain, user is martin

==> /var/log/sssd/sssd_stefany.eu.log <==
(Mon Jun 20 21:58:14 2016) [sssd[be[stefany.eu]]] [be_get_account_info] (0x0200): Got request for [0x1][BE_REQ_USER][1][name=martin]

==> /var/log/sssd/sssd_ssh.log <==
(Mon Jun 20 21:58:14 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x0040): cert_to_ssh_key failed.
(Mon Jun 20 21:58:14 2016) [sssd[ssh]] [ssh_cmd_build_reply] (0x0040): decode_and_add_base64_data failed.

And that's right, the last - ghost - "sshpubkey" is an invalid base64 string. So Fedora 23 fails because of some extra validation in SSSD...

I can't tell where this invalid base64 stuff is coming from, and yes, I have stopped both IPA servers, run sss_cache -E on both of them and on clients, and started IPA servers serially one by one, the invalid key is still there.

I have a plan B to delete the account, put it back and see if it cleans up, but I would prefer to figure out what is actually wrong here and what's introducing the wrong sshpubkey. And why is sssd_ssh connecting to some port 80 somewhere?

Thank you in advance!

Kind regards,
Martin

From toby.gale at gmail.com Tue Jun 21 06:58:53 2016
From: toby.gale at gmail.com (Toby Gale)
Date: Tue, 21 Jun 2016 07:58:53 +0100
Subject: [Freeipa-users] Active Directory password sync fails with RC 34
In-Reply-To:
References:
Message-ID:

Thanks for the help Rich.

Looking at the log I noticed some extra characters in the DN that corresponds to "Search Base". I got the Windows admin to share his RDP session to the DC and had a look at the registry in "HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync".
I noticed the same characters in the "Search Base" key. I think the extra characters were accidentally copy-pasted from the documentation I sent them. Removing them and restarting the service has resolved the problem.

On Mon, Jun 20, 2016 at 3:49 PM, Rich Megginson wrote:

> On 06/18/2016 05:47 AM, Toby Gale wrote:
>
> Hello,
>
> After successfully adding a 'winsync' agreement and loading AD data into
> FreeIPA I am trying to configure the password sync software on the domain
> controllers.
>
> I have installed the certificates and can successfully bind from the
> domain controller using ldp.exe and the
> 'uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com' user.
>
> I have edited the registry to increase logging, by setting
> 'HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync\Log Level' to '1' and I am seeing
> the error:
>
> 06/17/16 08:47:32: Backoff time expired. Attempting sync
> 06/17/16 08:47:32: Password list has 1 entries
> 06/17/16 08:47:32: Attempting to sync password for some.user
> 06/17/16 08:47:32: Searching for (ntuserdomainid=some.user)
> 06/17/16 08:47:32: Ldap error in QueryUsername
> 34: Invalid DN syntax
>
>
> Take a look at the 389/dirsrv access log on your linux host at
> /var/log/dirsrv/slapd-HOSTNAME/access - see if you can find the error
> corresponding to this - it should be at the same approximate date/time
> (make sure you check your time zones) and the RESULT line should have err=34
>
> 06/17/16 08:47:32: Deferring password change for some.user
> 06/17/16 08:47:32: Backing off for 1024000ms
>
> When I run the query from the CLI, it is successful:
>
> $ ldapsearch -x -h ldaps://localhost -p 636 -D
> 'uid=passsync,cn=sysaccounts,cn=etc,dc=dc,my=domain,dc=com' -w 'password'
> -b 'cn=users,cn=accounts,dc=my,dc=domain,dc=com'
> '(ntuserdomainid=some.user)'
>
> Can anyone help me resolve this?
>
> Thanks.

From sbose at redhat.com Tue Jun 21 07:43:44 2016
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 21 Jun 2016 09:43:44 +0200
Subject: [Freeipa-users] Ghost ipaSshPubKey in sss_ssh_authorizedkeys or 'Error looking up public keys'
In-Reply-To: <1466455573.2729.22.camel@stefany.eu>
References: <1466455573.2729.22.camel@stefany.eu>
Message-ID: <20160621074344.GU17733@p.Speedport_W_724V_Typ_A_05011603_00_009>

On Mon, Jun 20, 2016 at 10:46:13PM +0200, Martin Štefany wrote:
> Hello all,
>
> I've run into a strange issue with IPA/SSSD/SSH/SELinux which started when I
> figured out that I cannot ssh with pubkey auth to Fedora 23 (ipa-client) systems
> while I can to CentOS 7.2 (ipa-client and ipa-server) systems within the same IPA
> domain. I will appreciate any help whatsoever.
> IPA servers (and most of the clients) are IPA 4.2.0 on CentOS 7.2 with latest
> updates, affected clients are IPA clients 4.2.4 on Fedora 23 with latest
> updates.
>
> I started by looking at the journal:
> jún 20 13:02:50 desk2.stefany.eu sshd[25162]: Connection
> from 144.xxx.xxx.xxx port 22543 on 172.17.100.191 port 22
> ...
> jún 20 13:02:56 desk2.stefany.eu audit[23328]: AVC avc:  denied  { name_connect
> } for  pid=23328 comm="sssd_ssh" dest=80 scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
> jún 20 13:02:56 desk2.stefany.eu audit[23328]: SYSCALL arch=c000003e syscall=42
> success=no exit=-13 a0=15 a1=7fff145c35b0 a2=10 a3=5614dbbe2a50 items=0
> ppid=23316 pid=23328 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0

Does the user by chance have a certificate added to his entry including a link to an OCSP responder?
Recent versions of SSSD have the ability to generate public ssh keys from valid certificates added to the user entry to support the ssh Smartcard feature (see e.g. the -I option in the ssh man page for details or https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationStep1#RunningsshclientwithSmartcardsupport)

While trying to validate the certificate via OCSP sssd_ssh must connect to a http server. To allow this, setting the 'nis_enabled' SELinux boolean to true should help.

Nevertheless, since this should work by default, it would be nice if you can open a bugzilla ticket for the SELinux policy on F23 to allow this by default.

HTH

bye,
Sumit

> ...
> jún 20 13:02:56 desk2.stefany.eu audit[23328]: AVC avc:  denied  { name_connect
> } for  pid=23328 comm="sssd_ssh" dest=80 scontext=system_u:system_r:sssd_t:s0
> tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
> jún 20 13:02:56 desk2.stefany.eu audit[23328]: SYSCALL arch=c000003e syscall=42
> success=no exit=-13 a0=15 a1=7fff145c35b0 a2=10 a3=5614dbbe42d0 items=0
> ppid=23316 pid=23328 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0
> ...
> jún 20 13:02:56 desk2.stefany.eu sshd[25162]: error: AuthorizedKeysCommand
> /usr/bin/sss_ssh_authorizedkeys martin failed, status 1
> ...
> jún 20 13:02:56 desk2.stefany.eu sshd[25162]: Failed publickey for martin
> from 144.xxx.xxx.xxx port 22543 ssh2: RSA SHA256:uyzB4[stripped]
> ...
> jún 20 13:02:56 desk2.stefany.eu sshd[25162]: error: Received disconnect
> from 144.xxx.xxx.xxx port 22543:14: No supported authentication methods
> available [preauth]
> jún 20 13:02:56 desk2.stefany.eu sshd[25162]: Disconnected from 144.xxx.xxx.xxx
> port 22543 [preauth]
>
> which was weird, because the same key would nicely work elsewhere (on any other
> CentOS 7.2 system, while no Fedora 23 system would work as I have figured out)
>
> I have tried putting SELinux into permissive mode, or generating a custom module
> with a custom policy allowing this, but it doesn't help, and even a tcpdump capture
> doesn't capture anything when such a connection to 'somewhere' port 80 is opened.
>
> I moved on to testing the '/usr/bin/sss_ssh_authorizedkeys martin' command.
> Fedora 23:
> # sss_ssh_authorizedkeys martin
> Error looking up public keys
>
> CentOS 7.2:
> # sss_ssh_authorizedkeys martin
> ssh-rsa AAA...
> ssh-rsa AAA...
> ssh-ed25519 AAA...
> ssh-rsa AAA...
> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsox... (???) -->> this one is not in
> LDAP (checked with ldapsearch & ipa user-show martin --all --raw), not present
> in dc=stefany,dc=eu tree or in compat tree
>
> So, I have turned on debug_level = 0x0250 in sssd.conf in both Fedora 23 and
> CentOS 7.2 and checked the logs. CentOS 7.2 is just fine, Fedora 23 gives these
> failures:
> ==> /var/log/sssd/sssd_ssh.log <==
> (Mon Jun 20 21:58:14 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received
> client version [0].
> (Mon Jun 20 21:58:14 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered
> version [0].
> (Mon Jun 20 21:58:14 2016) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200):
> name 'martin' matched without domain, user is martin
>
> ==> /var/log/sssd/sssd_stefany.eu.log <==
> (Mon Jun 20 21:58:14 2016) [sssd[be[stefany.eu]]] [be_get_account_info]
> (0x0200): Got request for [0x1][BE_REQ_USER][1][name=martin]
>
> ==> /var/log/sssd/sssd_ssh.log <==
> (Mon Jun 20 21:58:14 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x0040):
> cert_to_ssh_key failed.
> (Mon Jun 20 21:58:14 2016) [sssd[ssh]] [ssh_cmd_build_reply] (0x0040):
> decode_and_add_base64_data failed.
>
> And that's right, the last - ghost - "sshpubkey" is an invalid base64 string. So
> Fedora 23 fails because of some extra validation in SSSD...
>
> I can't tell where this invalid base64 stuff is coming from, and yes, I have
> stopped both IPA servers, run sss_cache -E on both of them and on clients, and
> started IPA servers serially one by one, the invalid key is still there.
>
> I have a plan B to delete the account, put it back and see if it cleans up, but
> I would prefer to figure out what is actually wrong here and what's introducing
> the wrong sshpubkey. And why is sssd_ssh connecting to some port 80 somewhere?
>
> Thank you in advance!
>
> Kind regards,
> Martin

From Dan.Finkelstein at high5games.com Tue Jun 21 09:23:44 2016
From: Dan.Finkelstein at high5games.com (Dan.Finkelstein at high5games.com)
Date: Tue, 21 Jun 2016 09:23:44 +0000
Subject: [Freeipa-users] CentOS 7 & FreeIPA 4.2: DNS resolution at the top-level domain/zone
Message-ID: <5160A8F1-CBD5-4F53-BEE7-84223B2B764C@high5games.com>

We've recently set up a "clean" install of FreeIPA replete with replicas, but we just noticed an odd behavior in the DNS service: hosts in the top level domain (like ipa.example.com) do not resolve, whereas hosts in subdomains (like ipa.dev.example.com) do. I'm not sure what to look for in the various log files but I don't see any obvious errors. I thought perhaps this might have some guidance https://www.redhat.com/archives/freeipa-users/2015-July/msg00102.html, and maybe it does, but I'm not sure how to rescue my top-level domain names.

Thanks and regards,
Dan

Daniel Alex Finkelstein | Lead Dev Ops Engineer
Dan.Finkelstein at h5g.com | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com
Play High 5 Casino and Shake the Sky
Follow us on: Facebook, Twitter, YouTube, Linkedin

This message and any attachments may contain confidential or privileged information and are only for the use of the intended recipient of this message. If you are not the intended recipient, please notify the sender by return email, and delete or destroy this and all copies of this message and all attachments. Any unauthorized disclosure, use, distribution, or reproduction of this message or any attachments is prohibited and may be unlawful.
From Dan.Finkelstein at high5games.com Tue Jun 21 09:27:05 2016
From: Dan.Finkelstein at high5games.com (Dan.Finkelstein at high5games.com)
Date: Tue, 21 Jun 2016 09:27:05 +0000
Subject: [Freeipa-users] CentOS 6.8: uninstalling IPA client causes python error
In-Reply-To: <57660ACB.6000109@redhat.com>
References: <0BAA0171-449C-46F2-8B2A-D5108E8A7F8C@high5games.com> <57660ACB.6000109@redhat.com>
Message-ID:

Oh, I disabled that first. I turn on services and restrictions one-by-one after things are working, not before.

Dan

Daniel Alex Finkelstein | Lead Dev Ops Engineer
Dan.Finkelstein at h5g.com | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com

From: Rob Crittenden
Date: Saturday, June 18, 2016 at 23:00
To: Daniel Finkestein , "freeipa-users at redhat.com"
Subject: Re: [Freeipa-users] CentOS 6.8: uninstalling IPA client causes python error

I'd check for SELinux errors, that might explain things.

rob

From pspacek at redhat.com Tue Jun 21 10:04:06 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 21 Jun 2016 12:04:06 +0200
Subject: [Freeipa-users] CentOS 7 & FreeIPA 4.2: DNS resolution at the top-level domain/zone
In-Reply-To: <5160A8F1-CBD5-4F53-BEE7-84223B2B764C@high5games.com>
References: <5160A8F1-CBD5-4F53-BEE7-84223B2B764C@high5games.com>
Message-ID: <1685b2c7-44d9-793e-affb-e78ffeab28af@redhat.com>

On 21.6.2016 11:23, Dan.Finkelstein at high5games.com wrote:
> We've recently set up a "clean" install of FreeIPA replete with replicas, but we just noticed an odd behavior in the DNS service: hosts in the top level domain (like ipa.example.com) do not resolve, whereas hosts in subdomains (like ipa.dev.example.com) do. I'm not sure what to look for in the various log files but I don't see any obvious errors. I thought perhaps this might have some guidance https://www.redhat.com/archives/freeipa-users/2015-July/msg00102.html, and maybe it does, but I'm not sure how to rescue my top-level domain names.

Hi,

we can certainly debug this but first of all, please clarify what 'top-level' means.

If you really want help please do not obfuscate any DNS names. It often hides real problems while not improving security in any way.
(BTW you do not need to hide domain names like 'NY5-EXMB1.High5.local' because these already leaked through e-mail headers :-)

So, here are the important questions:
0) What name is unresolvable?
$ dig the.problematic.name.example.

1) What is the expected result from "dig"?

2) What DNS zones are configured in IPA?
$ ipa dnszone-find

3) Do you use DNS forwarding? (--forwarders option during IPA install or commands ipa dnsforwardzone-*, ipa dnsconfig-mod etc.)
-- Petr^2 Spacek From martin at stefany.eu Tue Jun 21 10:43:23 2016 From: martin at stefany.eu (=?UTF-8?Q?Martin_=c5=a0tefany?=) Date: Tue, 21 Jun 2016 12:43:23 +0200 Subject: [Freeipa-users] Ghost ipaSshPubKey in sss_ssh_authorizedkeys or 'Error looking up public keys' In-Reply-To: <20160621074344.GU17733@p.Speedport_W_724V_Typ_A_05011603_00_009> References: <1466455573.2729.22.camel@stefany.eu> <20160621074344.GU17733@p.Speedport_W_724V_Typ_A_05011603_00_009> Message-ID: <27f744df-9747-8998-2bb1-b0b4b21cd0db@stefany.eu> Hello Sumit, putting SELinux to permissive mode and/or enabling nis_enabled seboolean seemed not help at all. And you are right, my user has userCertificate (needed for secure libvirtd connection). [martin at desk2 ~]$ sss_ssh_authorizedkeys martin Error looking up public keys [martin at desk2 ~]$ sudo setenforce 0 [sudo] password for martin: [martin at desk2 ~]$ sss_ssh_authorizedkeys martin Error looking up public keys [martin at desk2 ~]$ sudo setsebool nis_enabled on [martin at desk2 ~]$ sss_ssh_authorizedkeys martin Error looking up public keys [martin at desk2 ~]$ sudo sss_cache -E [martin at desk2 ~]$ sss_ssh_authorizedkeys martin Error looking up public keys [have a coffee... really] [martin at desk2 ~]$ sss_ssh_authorizedkeys martin ssh-rsa AAA... ssh-rsa AAA... ssh-ed25519 AAA... ssh-rsa AAA... ssh-rsa AAA... RH bug for selinux-policy: https://bugzilla.redhat.com/show_bug.cgi?id=1348447 Thank you! Martin On 6/21/2016 9:43 AM, Sumit Bose wrote: > On Mon, Jun 20, 2016 at 10:46:13PM +0200, Martin ?tefany wrote: >> Hello all, >> >> I've ran into strange issue with IPA/SSSD/SSH/SELinux which started when I >> figured out that I cannot ssh with pubkey auth to Fedora 23 (ipa-client) systems >> while I can to CentOS 7.2 (ipa-client and ipa-server) systems within same IPA >> domain. I will appreciate any help whatsoever. 
>> IPA servers (and most of the clients) are IPA 4.2.0 on CentOS 7.2 with latest >> updates, affected clients are IPA clients 4.2.4 on Fedora 23 with latest >> updates. >> >> I started by looking to the journal: >> j?n 20 13:02:50 desk2.stefany.eu sshd[25162]: Connection >> from 144.xxx.xxx.xxx port 22543 on 172.17.100.191 port 22 >> ... >> j?n 20 13:02:56 desk2.stefany.eu audit[23328]: AVC avc: denied { name_connect >> } for pid=23328 comm="sssd_ssh" dest=80 scontext=system_u:system_r:sssd_t:s0 >> tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0 >> j?n 20 13:02:56 desk2.stefany.eu audit[23328]: SYSCALL arch=c000003e syscall=42 >> success=no exit=-13 a0=15 a1=7fff145c35b0 a2=10 a3=5614dbbe2a50 items=0 >> ppid=23316 pid=23328 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 >> sgid=0 > > Does the user by chance have a certificate added to his entry including > a link to an OCSP responder? > > Recent version of SSSD have the ability to generate public ssh-keys from > valid certificates added to the user entry to support the ssh Smartcard > feature (see e.g. the -I option in the ssh man page for details or > https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationStep1#RunningsshclientwithSmartcardsupport) > > While trying to validate thecertificate via OCSP sssd_ssh must connect > to a http server. To allow this setting the 'nis_enabled' SELinux > boolean to true should help. > > Nevertheless, since this should work by default, it would be nice if you > can open a bugzilla ticket for the SELinux policy on F23 to allow this > by default. > > HTH > > bye, > Sumit > >> ... 
>> j?n 20 13:02:56 desk2.stefany.eu audit[23328]: AVC avc: denied { name_connect >> } for pid=23328 comm="sssd_ssh" dest=80 scontext=system_u:system_r:sssd_t:s0 >> tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0 >> j?n 20 13:02:56 desk2.stefany.eu audit[23328]: SYSCALL arch=c000003e syscall=42 >> success=no exit=-13 a0=15 a1=7fff145c35b0 a2=10 a3=5614dbbe42d0 items=0 >> ppid=23316 pid=23328 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 >> sgid=0 >> ... >> j?n 20 13:02:56 desk2.stefany.eu sshd[25162]: error: AuthorizedKeysCommand >> /usr/bin/sss_ssh_authorizedkeys martin failed, status 1 >> ... >> j?n 20 13:02:56 desk2.stefany.eu sshd[25162]: Failed publickey for martin >> from 144.xxx.xxx.xxx port 22543 ssh2: RSA SHA256:uyzB4[stripped] >> ... >> j?n 20 13:02:56 desk2.stefany.eu sshd[25162]: error: Received disconnect >> from 144.xxx.xxx.xxx port 22543:14: No supported authentication methods >> available [preauth] >> j?n 20 13:02:56 desk2.stefany.eu sshd[25162]: Disconnected from 144.xxx.xxx.xxx >> port 22543 [preauth] >> >> which was weird, because the same key would nicely work elsewhere (on any other >> CentOS 7.2 system, while no Fedora 23 system would work as I have figured out) >> >> I have tried putting SELinux into permissive mode, or generating custom module >> with custom policy allowing this, but it doesn't help, and even tcpdump capture >> doesn't capture anything when such connection to 'somewhere' port 80 is opened. >> >> I moved on to testing the '/usr/bin/sss_ssh_authorizedkeys martin' command. >> Fedora 23: >> # sss_ssh_authorizedkeys martin >> Error looking up public keys >> >> CentOS 7.2: >> # sss_ssh_authorizedkeys martin >> ssh-rsa AAA... >> ssh-rsa AAA... >> ssh-ed25519 AAA... >> ssh-rsa AAA... >> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsox... (???) 
-->> this is one is not in >> LDAP (checked with ldapsearch & ipa user-show martin --all --raw), not present >> in dc=stefany,dc=eu tree or in compat tree >> >> So, I have turned on debug_level = 0x0250 in sssd.conf in both Fedora 23 and >> CentOS 7.2 and checked the logs. CentOS 7.2 is just fine, Fedora 23 gives these >> failures: >> ==> /var/log/sssd/sssd_ssh.log <== >> (Mon Jun 20 21:58:14 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received >> client version [0]. >> (Mon Jun 20 21:58:14 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered >> version [0]. >> (Mon Jun 20 21:58:14 2016) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): >> name 'martin' matched without domain, user is martin >> >> ==> /var/log/sssd/sssd_stefany.eu.log <== >> (Mon Jun 20 21:58:14 2016) [sssd[be[stefany.eu]]] [be_get_account_info] >> (0x0200): Got request for [0x1][BE_REQ_USER][1][name=martin] >> >> ==> /var/log/sssd/sssd_ssh.log <== >> (Mon Jun 20 21:58:14 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x0040): >> cert_to_ssh_key failed. >> (Mon Jun 20 21:58:14 2016) [sssd[ssh]] [ssh_cmd_build_reply] (0x0040): >> decode_and_add_base64_data failed. >> >> And that's right, the last - ghost - "sshpubkey" is invalid base64 string. So >> Fedora 23 fails because of some extra validation in SSSD... >> >> I can't tell where this invalid base64 stuff is coming from, and yes, I have >> stopped both IPA servers, run sss_cache -E on both of them and on clients, and >> started IPA servers serially one by one, the invalid key is still there. >> >> I have a plan B to delete the account, put it back and see if it cleans up, but >> I would prefer to figure out what is actually wrong here and what's introducing >> the wrong sshpubkey. And why is sssd_ssh connecting to some port 80 somewhere >> >> Thank you in advance! 
>>
>> Kind regards,
>> Martin
>>
>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>
--
--
Martin

From sbose at redhat.com Tue Jun 21 11:16:18 2016
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 21 Jun 2016 13:16:18 +0200
Subject: [Freeipa-users] Ghost ipaSshPubKey in sss_ssh_authorizedkeys or 'Error looking up public keys'
In-Reply-To: <27f744df-9747-8998-2bb1-b0b4b21cd0db@stefany.eu>
References: <1466455573.2729.22.camel@stefany.eu> <20160621074344.GU17733@p.Speedport_W_724V_Typ_A_05011603_00_009> <27f744df-9747-8998-2bb1-b0b4b21cd0db@stefany.eu>
Message-ID: <20160621111618.GY17733@p.Speedport_W_724V_Typ_A_05011603_00_009>

On Tue, Jun 21, 2016 at 12:43:23PM +0200, Martin Štefany wrote:
> Hello Sumit,
>
> putting SELinux to permissive mode and/or enabling nis_enabled seboolean
> seemed not to help at all. And you are right, my user has userCertificate
> (needed for secure libvirtd connection).
>
>
> [martin@desk2 ~]$ sss_ssh_authorizedkeys martin
> Error looking up public keys
> [martin@desk2 ~]$ sudo setenforce 0
> [sudo] password for martin:
> [martin@desk2 ~]$ sss_ssh_authorizedkeys martin
> Error looking up public keys
> [martin@desk2 ~]$ sudo setsebool nis_enabled on
> [martin@desk2 ~]$ sss_ssh_authorizedkeys martin
> Error looking up public keys
> [martin@desk2 ~]$ sudo sss_cache -E
> [martin@desk2 ~]$ sss_ssh_authorizedkeys martin
> Error looking up public keys
>
> [have a coffee... really]
>
> [martin@desk2 ~]$ sss_ssh_authorizedkeys martin
> ssh-rsa AAA...
> ssh-rsa AAA...
> ssh-ed25519 AAA...
> ssh-rsa AAA...
> ssh-rsa AAA...

If I understand it correctly you get the same result as on CentOS,
including the unexpected key derived from the certificate, after waiting
for some time?
Can you send the sssd_ssh.log with the sequence from above (if you
prefer directly to me) so that I can check why it failed in the first
attempt and later succeeds.

bye,
Sumit

>
>
> RH bug for selinux-policy:
> https://bugzilla.redhat.com/show_bug.cgi?id=1348447
>
> Thank you!
> Martin
>
>
> On 6/21/2016 9:43 AM, Sumit Bose wrote:
> > On Mon, Jun 20, 2016 at 10:46:13PM +0200, Martin Štefany wrote:
> > > Hello all,
> > >
> > > I've run into a strange issue with IPA/SSSD/SSH/SELinux which started when I
> > > figured out that I cannot ssh with pubkey auth to Fedora 23 (ipa-client) systems
> > > while I can to CentOS 7.2 (ipa-client and ipa-server) systems within the same IPA
> > > domain. I will appreciate any help whatsoever.
> > > IPA servers (and most of the clients) are IPA 4.2.0 on CentOS 7.2 with latest
> > > updates, affected clients are IPA clients 4.2.4 on Fedora 23 with latest
> > > updates.
> > >
> > > I started by looking at the journal:
> > > jún 20 13:02:50 desk2.stefany.eu sshd[25162]: Connection
> > > from 144.xxx.xxx.xxx port 22543 on 172.17.100.191 port 22
> > > ...
> > > jún 20 13:02:56 desk2.stefany.eu audit[23328]: AVC avc: denied { name_connect
> > > } for pid=23328 comm="sssd_ssh" dest=80 scontext=system_u:system_r:sssd_t:s0
> > > tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
> > > jún 20 13:02:56 desk2.stefany.eu audit[23328]: SYSCALL arch=c000003e syscall=42
> > > success=no exit=-13 a0=15 a1=7fff145c35b0 a2=10 a3=5614dbbe2a50 items=0
> > > ppid=23316 pid=23328 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> > > sgid=0
> >
> > Does the user by chance have a certificate added to his entry including
> > a link to an OCSP responder?
> >
> > Recent versions of SSSD have the ability to generate public ssh-keys from
> > valid certificates added to the user entry to support the ssh Smartcard
> > feature (see e.g.
> > the -I option in the ssh man page for details or
> > https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationStep1#RunningsshclientwithSmartcardsupport)
> >
> > While trying to validate the certificate via OCSP sssd_ssh must connect
> > to a http server. To allow this, setting the 'nis_enabled' SELinux
> > boolean to true should help.
> >
> > Nevertheless, since this should work by default, it would be nice if you
> > can open a bugzilla ticket for the SELinux policy on F23 to allow this
> > by default.
> >
> > HTH
> >
> > bye,
> > Sumit
> >
> --
> --
> Martin

From Dan.Finkelstein at high5games.com Tue Jun 21 11:21:39 2016
From: Dan.Finkelstein at high5games.com (Dan.Finkelstein at high5games.com)
Date: Tue, 21 Jun 2016 11:21:39 +0000
Subject: [Freeipa-users] CentOS 7 & FreeIPA 4.2: DNS resolution at the top-level domain/zone
In-Reply-To: <1685b2c7-44d9-793e-affb-e78ffeab28af@redhat.com>
References: <5160A8F1-CBD5-4F53-BEE7-84223B2B764C@high5games.com> <1685b2c7-44d9-793e-affb-e78ffeab28af@redhat.com>
Message-ID: <797F2FEE-8B25-41B9-ABB8-A70F6C658BEF@high5games.com>

Hi Petr,

Top level means the root zone of the various DNS trees we serve. For example, h5g.com would be the root and dev.h5g.com, test.h5g.com, etc., would be the subdomains. Our subdomains query fine, but any hosts in the root domain no longer resolve. An example of an unresolvable name is IPA itself: ipa.h5g.com. Here's output from dig:

[root@ipa ~]# dig ipa.h5g.com

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> ipa.h5g.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52405
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ipa.h5g.com.                   IN      A

;; Query time: 0 msec
;; SERVER: 10.55.10.31#53(10.55.10.31)
;; WHEN: Tue Jun 21 07:15:14 EDT 2016
;; MSG SIZE  rcvd: 42

We expect that its IP address returns from dig, but it doesn't. We have 100 zones defined, including forward and reverse zones - all active. We do use DNS forwarding, but in a very unsophisticated way: we set up the forwarders to go to Google if our DNS can't resolve a name.
Thanks and regards,
Dan

Daniel Alex Finkelstein | Lead Dev Ops Engineer
Dan.Finkelstein at h5g.com | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com
Play High 5 Casino and Shake the Sky
Follow us on: Facebook, Twitter, YouTube, Linkedin

This message and any attachments may contain confidential or privileged information and are only for the use of the intended recipient of this message. If you are not the intended recipient, please notify the sender by return email, and delete or destroy this and all copies of this message and all attachments. Any unauthorized disclosure, use, distribution, or reproduction of this message or any attachments is prohibited and may be unlawful.

From: on behalf of Petr Spacek
Organization: Red Hat
Date: Tuesday, June 21, 2016 at 06:04
To: "freeipa-users at redhat.com"
Subject: Re: [Freeipa-users] CentOS 7 & FreeIPA 4.2: DNS resolution at the top-level domain/zone

On 21.6.2016 11:23, Dan.Finkelstein at high5games.com wrote:
> We've recently set up a "clean" install of FreeIPA replete with replicas, but we just noticed an odd behavior in the DNS service: hosts in the top level domain (like ipa.example.com) do not resolve, whereas hosts in subdomains (like ipa.dev.example.com) do. I'm not sure what to look for in the various log files but I don't see any obvious errors. I thought perhaps this might have some guidance https://www.redhat.com/archives/freeipa-users/2015-July/msg00102.html, and maybe it does, but I'm not sure how to rescue my top-level domain names.

Hi,

we can certainly debug this but first of all, please clarify what 'top-level' means.

If you really want help please do not obfuscate any DNS names. It often hides real problems while not improving security in any way.

(BTW you do not need to hide domain names like 'NY5-EXMB1.High5.local' because these already leaked through e-mail headers :-)

So, here are the important questions:
0) What name is unresolvable?
$ dig the.problematic.name.example.

1) What is the expected result from "dig"?

2) What DNS zones are configured in IPA?
$ ipa dnszone-find

3) Do you use DNS forwarding? (--forwarders option during IPA install or commands ipa dnsforwardzone-*, ipa dnsconfig-mod etc.)

--
Petr^2 Spacek

From martin at stefany.eu Tue Jun 21 11:23:11 2016
From: martin at stefany.eu (Martin Štefany)
Date: Tue, 21 Jun 2016 13:23:11 +0200
Subject: [Freeipa-users] Ghost ipaSshPubKey in sss_ssh_authorizedkeys or 'Error looking up public keys'
In-Reply-To: <20160621111618.GY17733@p.Speedport_W_724V_Typ_A_05011603_00_009>
References: <1466455573.2729.22.camel@stefany.eu> <20160621074344.GU17733@p.Speedport_W_724V_Typ_A_05011603_00_009> <27f744df-9747-8998-2bb1-b0b4b21cd0db@stefany.eu> <20160621111618.GY17733@p.Speedport_W_724V_Typ_A_05011603_00_009>
Message-ID:

On 6/21/2016 1:16 PM, Sumit Bose wrote:
> On Tue, Jun 21, 2016 at 12:43:23PM +0200, Martin Štefany wrote:
>> Hello Sumit,
>>
>> putting SELinux to permissive mode and/or enabling nis_enabled seboolean
>> seemed not to help at all. And you are right, my user has userCertificate
>> (needed for secure libvirtd connection).
>>
>>
>> [martin@desk2 ~]$ sss_ssh_authorizedkeys martin
>> Error looking up public keys
>> [martin@desk2 ~]$ sudo setenforce 0
>> [sudo] password for martin:
>> [martin@desk2 ~]$ sss_ssh_authorizedkeys martin
>> Error looking up public keys
>> [martin@desk2 ~]$ sudo setsebool nis_enabled on
>> [martin@desk2 ~]$ sss_ssh_authorizedkeys martin
>> Error looking up public keys
>> [martin@desk2 ~]$ sudo sss_cache -E
>> [martin@desk2 ~]$ sss_ssh_authorizedkeys martin
>> Error looking up public keys
>>
>> [have a coffee... really]
>>
>> [martin@desk2 ~]$ sss_ssh_authorizedkeys martin
>> ssh-rsa AAA...
>> ssh-rsa AAA...
>> ssh-ed25519 AAA...
>> ssh-rsa AAA...
>> ssh-rsa AAA...
>
> If I understand it correctly you get the same result as on CentOS,
> including the unexpected key derived from the certificate, after waiting
> for some time? Can you send the sssd_ssh.log with the sequence from
> above (if you prefer directly to me) so that I can check why it failed
> in the first attempt and later succeeds.
>
> bye,
> Sumit
>

Hi,

yes, now the results are the same, including the originally unexpected key from the certificate, and actual SSH pubkey auth finally works.

I would send you sssd_ssh.log, but it's empty - I have turned off debug_level sooner, sorry. :(

Isn't it the case that sss_cache -E takes a few seconds to actually expire the cache entries?

Thank you.
Martin

--
--
Martin

From jan.karasek at elostech.cz Tue Jun 21 11:55:54 2016
From: jan.karasek at elostech.cz (Jan Karásek)
Date: Tue, 21 Jun 2016 13:55:54 +0200 (CEST)
Subject: [Freeipa-users] AD trust with POSIX attributes
Message-ID: <208644782.851245.1466510154786.JavaMail.zimbra@elostech.cz>

Hi all,

I have a question about IPA with AD forest trust. What I am trying to do is set up an environment where all information about users is stored in one place - AD. I would like to read at least uid, home, shell and sshkey from AD.

I have set up the trust with these parameters:

ipa trust-add EXAMPLE.TT --type=ad --range-type=ipa-ad-trust-posix --admin=administrator

[root@ipa1 ~]# ipa idrange-show EXAMPLE.TT_id_range
  Range name: EXAMPLE.TT_id_range
  First Posix ID of the range: 1392000000
  Number of IDs in the range: 200000
  Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756
  Range type: Active Directory trust range with POSIX attributes

I have set attributes in AD for user@EXAMPLE.TT
- uidNumber - 10000
- homeDirectory - /home/user
- loginShell - /bin/bash

Trust itself works fine. I can do kinit with user@EXAMPLE.TT, I can run id and getent passwd user@example.tt and I can use user@example.tt for ssh.

Problem is, that I am not getting uid from AD but from idrange: uid=1392001107(user@example.tt)

Also I have tried to switch off id mapping in sssd.conf with ldap_id_mapping = true in sssd.conf but no luck.
I know that it is probably better to use ID views for this, but in our case we need to set up a centrally managed environment, where all user information is externally inserted into AD from an HR system - including POSIX attributes - and we need IPA to read them from AD.

So my questions are:
Is it possible to read a user's POSIX attributes directly from AD - namely uid?
Which attributes can be stored in AD?
Am I doing something wrong?

my sssd.conf:

[domain/a.example.tt]
debug_level = 5
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = a.example.tt
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.a.example.tt
chpass_provider = ipa
ipa_server = ipa1.a.example.tt
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
#ldap_id_mapping = true
#subdomain_inherit = ldap_user_principal
#ldap_user_principal = nosuchattribute

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = a.example.tt

[nss]
debug_level = 5
homedir_substring = /home
enum_cache_timeout = 2
entry_negative_timeout = 2

[pam]
debug_level = 5

[sudo]

[autofs]

[ssh]
debug_level = 4

[pac]
debug_level = 4

[ifp]

Thanks,
Jan

From Dan.Finkelstein at high5games.com Tue Jun 21 13:03:56 2016
From: Dan.Finkelstein at high5games.com (Dan.Finkelstein at high5games.com)
Date: Tue, 21 Jun 2016 13:03:56 +0000
Subject: [Freeipa-users] CentOS 7 & FreeIPA 4.2: DNS resolution at the top-level domain/zone
In-Reply-To: <797F2FEE-8B25-41B9-ABB8-A70F6C658BEF@high5games.com>
References: <5160A8F1-CBD5-4F53-BEE7-84223B2B764C@high5games.com> <1685b2c7-44d9-793e-affb-e78ffeab28af@redhat.com> <797F2FEE-8B25-41B9-ABB8-A70F6C658BEF@high5games.com>
Message-ID: <8881226E-6F4C-49D3-9F92-D1F03F544760@high5games.com>

Solution found (or, if not, a workaround): IPA replicas must be named in the root domain/zone and not in a subdomain, else DNS fails to serve records in the root domain.
Once we changed our configuration to reflect this, DNS returned to normal.

-Dan

Daniel Alex Finkelstein | Lead Dev Ops Engineer
Dan.Finkelstein at h5g.com | 212.604.3447
One World Trade Center, New York, NY 10007
www.high5games.com

From calin at immotop.lu Tue Jun 21 13:23:19 2016
From: calin at immotop.lu (Ciociu Calin)
Date: Tue, 21 Jun 2016 15:23:19 +0200
Subject: [Freeipa-users] FreeIPA+FreeRadius+OpenVPN
Message-ID:

Hello everyone,

I recently started using FreeIPA and FreeRadius so I might still have some misconceptions.

What I am trying to achieve is to have clients use a client certificate to log in to OpenVPN using FreeRadius and FreeIPA.

So far clients can connect to OpenVPN (radiusplugin) with FreeRadius (through kerberos) through FreeIPA using username+password login, which works as intended.

My question now is how would I go about creating client certificates in FreeIPA (created through the web gui for example) which clients can use to log in to OpenVPN. I don't want them to log in with username+password but rather with certificates which are managed by FreeIPA. I was looking into EAP-TLS but I am not sure I am on the right path.
OpenVPN is on a separate server running Debian 8. FreeRadius and FreeIPA are both running on another Debian 8 machine (they are both on the same machine though).

Is this possible and if so how would I have to configure the services, or am I doing things more complicated than actually needed?

Sincerely yours,
Calin

From cal-s at blue-bolt.com Tue Jun 21 13:46:48 2016
From: cal-s at blue-bolt.com (Cal Sawyer)
Date: Tue, 21 Jun 2016 14:46:48 +0100
Subject: [Freeipa-users] OS X Yosemite unable to authenticate
In-Reply-To:
References:
Message-ID: <57694548.6000805@blue-bolt.com>

As usual, apologies for any formatting issues due to extracting message threads out of digests ...

Anyhow, I have determined where everything goes terribly wrong with OSX clients:

OSX 10.10.3 ("out of the box" Yosemite) works fine using linsec.ca's guidance. However, the second you patch to 10.10.5 or upgrade to El Capitan (10.11.5), authentication fails absolutely in the ways described in earlier threads. Colleagues I've spoken with who are trying to set up IPA at their facilities report the same problem and it's a total show-stopper. Interesting how all(?) of what is written on the topic of OSX and IPA dries up after 10.8, although we've seen in an earlier thread reports of 10.9 working.

I've repeated this test a few times and the result is always the same.
- 10.10.3 is the last OSX capable of authenticating against IPA using currently available knowledge.

Running tcpdump on 10.10.3 and 10.10.5 clients shows very different authentication dialogues. I'm afraid, however, that I lack the skills to interpret where exactly the later OSX release is failing. I have my (unfounded) suspicions - that SASL binding for LDAP and kerberos are implicated. 10.10.3 certainly shows no kerberos transactions whereas 10.10.5

Re DNS: both client types resolve all SRV records hosted in IPA fine.
I even went so far as setting up rudimentary ipv6 as there were some AAAA requests that were going unanswered and i thought it might be related (not, as it turns out).

So, would anyone on the IPA team be interested in looking at some packet captures? I'm completely up for working with you, providing whatever is needed and doing testing. It would be fantastic to restore IPA-based auth for newer OSX releases.

best regards,

- cal sawyer


From: John Obaterspok
To: Nicola Canepa
Cc: "freeipa-users at redhat.com", Cal Sawyer

Hi,

Are you only having problems to login to OSX with the IPA user now? If that is the case then check the DNS settings you are using and make sure the IPA server is listed first and that it has the full name. Exactly the same problem occurred for me with the slow logins to OSX, which was due to the DNS settings and that OSX only used the short name of the IPA server during login (if I logged in as local user I could ping and lookup hosts using the short name).

-- john

2015-12-21 17:49 GMT+01:00 Nicola Canepa:

>> I had to configure /etc/krb5.conf, and to avoid the requested reboot, I
>> did a "dscacheutil -flushcache", both as the logged in user and as root.
>> I tried enabling the anonymous bind and now also the directory browser
>> (and all the login process) works as expected.
>>
>> Nicola
>>
>> On 21/12/15 17:39, Cal Sawyer wrote:
>>
>> Thanks, John and Nicola
>>
>> Kerberos occurred to me as well late in the day yesterday. Happily (?),
>> kinit works fine simply specifying the user in question with no need to
>> suffix with the kerberos realm
>>
>> I did find that my test user had an expired password, which i fixed on the
>> IPA server. This was never flagged up under Linux, btw. It has not changed
>> anything, however, other than not prompting for password changes that never
>> take effect. Funnily, it expired in the midst of testing - fun.
>>
>> I was mistaken when i said i was unable to log in - it turns out that it
>> takes almost 10 minutes for a login from the frontend to complete - i just
>> didn't wait long enough. 10 mins is of course unacceptable :) "su - user"
>> and "login user" fail outright after rejecting any user's password
>>
>> DNS is fine and i can resolve ldap and kerberos SRV records from the Mac
>>
>> In line with Nicola's experience, i can browse groups and users in the
>> Directory Editor and all attributes appear spot on.
>>
>> Besides modding /etc/pam.d/authorization, adding a corrected
>> edu.mit.kerberos to /Library/Preferences and setting up the directory per
>> linsec.ca, can anyone think of something i may have missed? It's a real
>> shame that the documentation on this stops around 5 years ago.
>>
>> IPA devs: is there anything i should be on the lookout for in the dirsrv
>> or krb5 logs on the IPA master? I've disabled the secondary to prevent
>> replication from clouding the log events
>>
>> thanks, everyone
>>
>> Cal Sawyer | Systems Engineer | BlueBolt Ltd
>> 15-16 Margaret Street | London W1W 8RW | +44 (0)20 7637 5575 | www.blue-bolt.com
>>
>> On 21/12/15 07:57, Nicola Canepa wrote:
>>
>> Hello, I tried 2 weeks ago from Mavericks (OSX 10.9), but I had the
>> opposite problem: kinit works fine, while I'm unable to see users with
>> Directory Admin (it always says it can't connect, either with or without
>> SSL)
>> I disabled anonymous searches in 389-ds, by the way.
>>
>> Nicola
>>
>> On 21/12/15 07:50, John Obaterspok wrote:
>>
>> Hi Cal,
>>
>> Does a kinit work from a terminal?
>> Does it work if you use "kinit user" or
>> just if you use "kinit user at REALM.suffix"
>>
>> -- john
>>
>>
>> 2015-12-20 15:09 GMT+01:00 Cal Sawyer:
>>
>>> Hi, all
>>>
>>> I'm attempting to set up LDAP auth (against IPA server 4.10) from an OSX
>>> 10.10.5 (Yosemite) client
>>>
>>> Using the excellent instructions at
>>> http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8%20%22Linsec.ca%20tutorial%20for%20connecting%20Mac%20OS%2010.7%20to%20IPA%20Server,
>>> I've populated the specified files, d/l'd the cert, am able to configure
>>> Users and Groups objects/attribs and browse both from within OSX's
>>> Directory Utility. ldapsearch similarly returns the expected results.
>>>
>>> In spite of this, i'm unable to authenticate as any IPA-LDAP user on this
>>> system
>>>
>>> dirsrv log on the ipa master shows no apparent errors - remote auth
>>> attempts exit with "RESULT err=0 tag=101 nentries=1 etime=0", but to tell the
>>> truth, there's so much stuff there and being rather inexperienced with LDAP
>>> diags i might easily be missing something in the details
>>>
>>> The linsec.ca instructions were written in the 10.7-10.8 era so
>>> something may have changed since. Having said that, we've had no problems
>>> authenticating against our existing OpenLDAP server (which IPA is slated to
>>> replace) right up to 10.10.5 with no zero to our Directory Utility setup.
>>>
>>> Hoping someone here has some contemporary experience with OSX and IPA and
>>> for whom this issue rings a bell?
>>>
>>> many thanks
>>>
>>> Cal Sawyer | Systems Engineer | BlueBolt Ltd
>>> 15-16 Margaret Street | London W1W 8RW
>>> +44 (0)20 7637 5575 | www.blue-bolt.com
From pspacek at redhat.com Tue Jun 21 13:55:27 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 21 Jun 2016 15:55:27 +0200
Subject: [Freeipa-users] CentOS 7 & FreeIPA 4.2: DNS resolution at the top-level domain/zone
In-Reply-To: <8881226E-6F4C-49D3-9F92-D1F03F544760@high5games.com>
References: <5160A8F1-CBD5-4F53-BEE7-84223B2B764C@high5games.com> <1685b2c7-44d9-793e-affb-e78ffeab28af@redhat.com> <797F2FEE-8B25-41B9-ABB8-A70F6C658BEF@high5games.com> <8881226E-6F4C-49D3-9F92-D1F03F544760@high5games.com>
Message-ID: <38d2c2d2-cdaf-85c6-47ad-823360ff8cc2@redhat.com>

On 21.6.2016 15:03, Dan.Finkelstein at high5games.com wrote:
> Solution found (or, if not, a workaround):
> IPA replicas must be named in the root domain/zone and not in a subdomain, else DNS fails to serve records in the root domain. Once we changed our configuration to reflect this, DNS returned to normal.

This is most likely a workaround for some sort of misconfiguration, FreeIPA itself does not require anything like that.

Petr^2 Spacek

> From: on behalf of Daniel Finkelstein
> Date: Tuesday, June 21, 2016 at 07:21
> To: "freeipa-users at redhat.com"
> Subject: Re: [Freeipa-users] CentOS 7 & FreeIPA 4.2: DNS resolution at the top-level domain/zone
>
> Hi Petr,
>
> Top level means the root zone of the various DNS trees we serve. For example, h5g.com would be the root and dev.h5g.com, test.h5g.com, etc., would be the subdomains. Our subdomains query fine, but any hosts in the root domain no longer resolve.
>
> An example of an unresolvable name is IPA itself: ipa.h5g.com. Here's output from dig:
>
> [root at ipa ~]# dig ipa.h5g.com
>
> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> ipa.h5g.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52405
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;ipa.h5g.com.			IN	A
>
> ;; Query time: 0 msec
> ;; SERVER: 10.55.10.31#53(10.55.10.31)
> ;; WHEN: Tue Jun 21 07:15:14 EDT 2016
> ;; MSG SIZE  rcvd: 42
>
> We expect that its IP address returns from dig, but it doesn't.
>
> We have 100 zones defined, including forward and reverse zones, all active.
>
> We do use DNS forwarding, but in a very unsophisticated way: we set up the forwarders to go to Google if our DNS can't resolve a name.
>
> Thanks and regards,
> Dan
>
> Daniel Alex Finkelstein | Lead Dev Ops Engineer
> Dan.Finkelstein at h5g.com | 212.604.3447
> One World Trade Center, New York, NY 10007
> www.high5games.com
> Play High 5 Casino and Shake the Sky
> Follow us on: Facebook, Twitter, YouTube, Linkedin
>
> This message and any attachments may contain confidential or privileged information and are only for the use of the intended recipient of this message. If you are not the intended recipient, please notify the sender by return email, and delete or destroy this and all copies of this message and all attachments. Any unauthorized disclosure, use, distribution, or reproduction of this message or any attachments is prohibited and may be unlawful.
>
> From: on behalf of Petr Spacek
> Organization: Red Hat
> Date: Tuesday, June 21, 2016 at 06:04
> To: "freeipa-users at redhat.com"
> Subject: Re: [Freeipa-users] CentOS 7 & FreeIPA 4.2: DNS resolution at the top-level domain/zone
>
> On 21.6.2016 11:23, Dan.Finkelstein at high5games.com wrote:
> We've recently set up a "clean" install of FreeIPA replete with replicas, but we just noticed an odd behavior in the DNS service: hosts in the top level domain (like ipa.example.com) do not resolve, whereas hosts in subdomains (like ipa.dev.example.com) do. I'm not sure what to look for in the various log files but I don't see any obvious errors.
> I thought perhaps this might have some guidance https://www.redhat.com/archives/freeipa-users/2015-July/msg00102.html, and maybe it does, but I'm not sure how to rescue my top-level domain names.
>
> Hi,
>
> we can certainly debug this but first of all, please clarify what 'top-level' means.
>
> If you really want help please do not obfuscate any DNS names. It often hides real problems while not improving security in any way. (BTW you do not need to hide domain names like 'NY5-EXMB1.High5.local' because these already leaked through e-mail headers :-)
>
> So, here are the important questions:
> 0) What name is unresolvable?
> $ dig the.problematic.name.example.
>
> 1) What is the expected result from "dig"?
>
> 2) What DNS zones are configured in IPA?
> $ ipa dnszone-find
>
> 3) Do you use DNS forwarding? (--forwarders option during IPA install or commands ipa dnsforwardzone-*, ipa dnsconfig-mod etc.)


From jdito at domeyard.com Tue Jun 21 14:07:00 2016
From: jdito at domeyard.com (Joe DiTommasso)
Date: Tue, 21 Jun 2016 10:07:00 -0400
Subject: [Freeipa-users] OS X Yosemite unable to authenticate
In-Reply-To: <57694548.6000805@blue-bolt.com>
References: <57694548.6000805@blue-bolt.com>
Message-ID:

I've actually got a whole stack of El Capitan clients authenticating against FreeIPA:

mac-mini-01:~ jdito$ system_profiler SPSoftwareDataType
Software:

    System Software Overview:

      System Version: OS X 10.11.5 (15F34)
      Kernel Version: Darwin 15.5.0
      Boot Volume: Macintosh HD
      Boot Mode: Normal
      Computer Name: admin's Mac mini
      User Name: Joe DiTommasso (jdito)
      Secure Virtual Memory: Enabled
      System Integrity Protection: Enabled
      Time since boot: 14 days 15:00

The Linsec guide worked for me. The only real issue is that it only sees the user's primary group, and not supplemental groups. I'm not terribly good with Macs, but happy to assist in troubleshooting.
Joe

On Tue, Jun 21, 2016 at 9:46 AM, Cal Sawyer wrote:
> [...]
From cal-s at blue-bolt.com Tue Jun 21 14:42:33 2016
From: cal-s at blue-bolt.com (Cal Sawyer)
Date: Tue, 21 Jun 2016 15:42:33 +0100
Subject: [Freeipa-users] OS X Yosemite unable to authenticate
In-Reply-To:
References: <57694548.6000805@blue-bolt.com>
Message-ID: <57695259.8000608@blue-bolt.com>

Wow, that's surprising, Joe. I'm also using the linsec recipe. Yours required no fiddling? You can login straight off from the graphical loginWindow?

Yes, very interested in any help you can offer. Are you authenticating against IPA 3 or 4, for sake of curiosity?

BTW: you can get your secondary groups by:

In Groups add attribute 'GroupMembership' mapped to 'memberUID'

thanks!

Cal Sawyer | Systems Engineer | BlueBolt Ltd
15-16 Margaret Street | London W1W 8RW
+44 (0)20 7637 5575 | www.blue-bolt.com

On 21/06/16 15:07, Joe DiTommasso wrote:
> [...]
From jdito at domeyard.com Tue Jun 21 15:07:37 2016
From: jdito at domeyard.com (Joe DiTommasso)
Date: Tue, 21 Jun 2016 11:07:37 -0400
Subject: [Freeipa-users] OS X Yosemite unable to authenticate
In-Reply-To: <57695259.8000608@blue-bolt.com>
References: <57694548.6000805@blue-bolt.com> <57695259.8000608@blue-bolt.com>
Message-ID:

No fiddling that I remember. Basically got the setup working once and then have been pushing out plist files to all new installs. Graphical login works, as does sudo, sort of - still have to add the user as an administrator on the local machine, but then their kerberos password works for authentication. Running up-to-date-ish IPA 4 on CentOS 7.
jdito at sum-freeipa-01:~$ rpm -qa | grep ipa
ipa-python-4.2.0-15.0.1.el7.centos.6.1.x86_64
libipa_hbac-1.13.0-40.el7_2.4.x86_64
ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
python-iniparse-0.4-9.el7.noarch
ipa-server-dns-4.2.0-15.0.1.el7.centos.6.1.x86_64
sssd-ipa-1.13.0-40.el7_2.4.x86_64
ipa-client-4.2.0-15.0.1.el7.centos.6.1.x86_64
python-libipa_hbac-1.13.0-40.el7_2.4.x86_64
ipa-admintools-4.2.0-15.0.1.el7.centos.6.1.x86_64

Let me know what you'd like to see from my config.

Thanks for the tip on the secondary groups - I already had that in there, but looking at it realized that I needed to point at the compat tree, because the regular one doesn't expose memberUID.

On Tue, Jun 21, 2016 at 10:42 AM, Cal Sawyer wrote:
> [...]
From aalam at paperlesspost.com Tue Jun 21 15:19:53 2016
From: aalam at paperlesspost.com (Ash Alam)
Date: Tue, 21 Jun 2016 11:19:53 -0400
Subject: [Freeipa-users] Replication time and relation to cache size
In-Reply-To:
References:
Message-ID:

anyone have any thoughts on this?

Thank You

On Fri, Jun 10, 2016 at 2:59 PM, Ash Alam wrote:

> Hello
>
> I have been going through the lists but i have not found the answer i am
> looking for. I am seeing a few issues for which i am looking for some
> clarification.
>
> 1. What is the relationship between replication time and cache size?
>
> - I am noticing that it's taking up to 5 minutes for some things to
> replicate when a change is made on one node and there are two additional
> masters. The ipa nodes are all virtual machines within the same cluster.
>
> - WARNING: changelog: entry cache size 2097152B is less than db size
> 116154368B; We recommend to increase the entry cache size
> nsslapd-cachememsize.
>
> - I don't understand the cache size. Wouldn't increasing it cause the same
> issue when we hit the new limit?
>
> - connection - conn=3779 fd=175 Incoming BER Element was 3 bytes, max
> allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in
> cn=config to increase.
>
> 2. Is there a definitive solution to this error? This seems to pop up
> every so often.
>
> - NSMMReplicationPlugin - agmt="cn=meToipa009.pp" (ipa009:389): Warning:
> Attempting to release replica, but unable to receive endReplication
> extended operation response from the replica. Error -5 (Timed out)
>
> Thank You

From cal-s at blue-bolt.com Tue Jun 21 16:11:55 2016
From: cal-s at blue-bolt.com (Cal Sawyer)
Date: Tue, 21 Jun 2016 17:11:55 +0100
Subject: [Freeipa-users] OS X Yosemite unable to authenticate
In-Reply-To:
References: <57694548.6000805@blue-bolt.com> <57695259.8000608@blue-bolt.com>
Message-ID: <5769674B.8020004@blue-bolt.com>

...
"have to add the user as an administrator on the local machine"? That's
pretty intriguing, but not great security-wise, unfortunately. Not a big
deal at the moment, though.

ok, just made my user account an admin but it's still dragging on login.

My IPA setup is the same: ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64

Any chance i could get a denatured plist from you offline, Joe?

cheers

Cal Sawyer | Systems Engineer | BlueBolt Ltd
15-16 Margaret Street | London W1W 8RW
+44 (0)20 7637 5575 | www.blue-bolt.com

On 21/06/16 16:07, Joe DiTommasso wrote:
> No fiddling that I remember. Basically got the setup working once and
> then have been pushing out plist files to all new installs. Graphical
> login works, as does sudo, sort of - still have to add the user as an
> administrator on the local machine, but then their kerberos password
> works for authentication. Running up-to-date-ish IPA 4 on CentOS 7.
>
> jdito at sum-freeipa-01:~$ rpm -qa | grep ipa
> ipa-python-4.2.0-15.0.1.el7.centos.6.1.x86_64
> libipa_hbac-1.13.0-40.el7_2.4.x86_64
> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
> python-iniparse-0.4-9.el7.noarch
> ipa-server-dns-4.2.0-15.0.1.el7.centos.6.1.x86_64
> sssd-ipa-1.13.0-40.el7_2.4.x86_64
> ipa-client-4.2.0-15.0.1.el7.centos.6.1.x86_64
> python-libipa_hbac-1.13.0-40.el7_2.4.x86_64
> ipa-admintools-4.2.0-15.0.1.el7.centos.6.1.x86_64
>
> Let me know what you'd like to see from my config. Thanks for the tip
> on the secondary groups - I already had that in there, but looking at it
> realized that I needed to point at the compat tree, because the
> regular one doesn't expose memberUID.
>
> On Tue, Jun 21, 2016 at 10:42 AM, Cal Sawyer wrote:
>
>> Wow, that's surprising, Joe. I'm also using the linsec recipe.
>> Yours required no fiddling? You can login straight off from the
>> graphical loginWindow?
>>
>> Yes, very interested in any help you can offer. Are you
>> authenticating against IPA 3 or 4, for sake of curiosity.
>>
>> BTW: you can get your secondary groups by:
>>
>> In Groups add attribute 'GroupMembership' mapped to 'memberUID'
>>
>> thanks!
>>
>> Cal Sawyer | Systems Engineer | BlueBolt Ltd
>> 15-16 Margaret Street | London W1W 8RW
>> +44 (0)20 7637 5575 | www.blue-bolt.com
>>
>> On 21/06/16 15:07, Joe DiTommasso wrote:
>>> I've actually got a whole stack of El Capitan clients
>>> authenticating against FreeIPA:
>>>
>>> mac-mini-01:~ jdito$ system_profiler SPSoftwareDataType
>>> Software:
>>>
>>> System Software Overview:
>>>
>>> System Version: OS X 10.11.5 (15F34)
>>> Kernel Version: Darwin 15.5.0
>>> Boot Volume: Macintosh HD
>>> Boot Mode: Normal
>>> Computer Name: admin's Mac mini
>>> User Name: Joe DiTommasso (jdito)
>>> Secure Virtual Memory: Enabled
>>> System Integrity Protection: Enabled
>>> Time since boot: 14 days 15:00
>>>
>>> The Linsec guide worked for me. The only real issue is that it
>>> only sees the user's primary group, and not supplemental groups.
>>> I'm not terribly good with Macs, but happy to assist in
>>> troubleshooting.
>>>
>>> Joe

From jdito at domeyard.com Tue Jun 21 16:40:02 2016
From: jdito at domeyard.com (Joe DiTommasso)
Date: Tue, 21 Jun 2016 12:40:02 -0400
Subject: [Freeipa-users] OS X Yosemite unable to authenticate
In-Reply-To: <5769674B.8020004@blue-bolt.com>
References: <57694548.6000805@blue-bolt.com> <57695259.8000608@blue-bolt.com> <5769674B.8020004@blue-bolt.com>
Message-ID:

You don't have to add them as an administrator for login to work, just sudo.
Will send one over in a second.

On Tue, Jun 21, 2016 at 12:11 PM, Cal Sawyer wrote:

> ... "have to add the user as an administrator on the local machine"?
> That's pretty intriguing, but not great security-wise,
> unfortunately. Not a big deal at the moment, though.
>
> ok, just made my user account an admin but it's still dragging on login.
>
> My IPA setup is the same: ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>
> Any chance i could get a denatured plist from you offline, Joe?
>
> cheers
>
> Cal Sawyer | Systems Engineer | BlueBolt Ltd
> 15-16 Margaret Street | London W1W 8RW
> +44 (0)20 7637 5575 | www.blue-bolt.com

From schogan at us.ibm.com Tue Jun 21 17:01:29 2016
From: schogan at us.ibm.com (Sean Hogan)
Date: Tue, 21 Jun 2016 10:01:29 -0700
Subject: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
In-Reply-To:
References:
Message-ID:

Noticed something else really goofy in the DNS logs on master ipa

client 10.9.0.1#58094: query failed (SERVFAIL) for serv1.domain.local.domain.local/IN/AAAA at query.c:6569
timeout in ldap_pool_getconnection(): try to raise 'connections' parameter; potential deadlock?
client 10.10.0.1#44147: query failed (SERVFAIL) for serv2.in-addr.arpa/IN/PTR at query.c:6569
timeout in ldap_pool_getconnection(): try to raise 'connections' parameter; potential deadlock?
client 10.10.0.1#56466: query failed (SERVFAIL) for serv2.in-addr.arpa/IN/PTR at query.c:6569
timeout in ldap_pool_getconnection(): try to raise 'connections' parameter; potential deadlock?
client 10.110.0.1#53367: query failed (SERVFAIL) for serv3.domain.local.domain.local/IN/A at query.c:6569
timeout in ldap_pool_getconnection(): try to raise 'connections' parameter; potential deadlock?
client 10.110.0.1#53367: query failed (SERVFAIL) for serv3.domain.local.domain.local/IN/AAAA at query.c:6569

On a replica I see this

[bob at replica2 data]# tail -f named.run
dispatch 0x7f408c187970: open_socket(0.0.0.0#1935) -> permission denied: continuing
dispatch 0x7f408c187970: open_socket(0.0.0.0#8610) -> permission denied: continuing
dispatch 0x7f408c187970: open_socket(0.0.0.0#6514) -> permission denied: continuing
dispatch 0x7f408c187970: open_socket(0.0.0.0#8610) -> permission denied: continuing
dispatch 0x7f408c187970: open_socket(0.0.0.0#1935) -> permission denied: continuing

Feel like I am caught in a troubleshooting loop being too close to it.. has anyone seen this before?

Sean Hogan

From: Sean Hogan/Durham/IBM
To: Sean Hogan/Durham/IBM at IBMUS
Cc: freeipa-users
Date: 06/20/2016 12:49 PM
Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem

Also seeing this in the upgrade log on the first master but not on the 7 ipas.

ERROR Failed to restart named: Command '/sbin/service named restart ' returned non-zero exit status 7

which led me to https://bugzilla.redhat.com/show_bug.cgi?id=895298

Sean Hogan

From: Sean Hogan/Durham/IBM at IBMUS
To: freeipa-users
Date: 06/20/2016 11:46 AM
Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
Sent by: freeipa-users-bounces at redhat.com

Hi All..

I thought we fixed this issue by rebooting the KVM host but it is showing again. Our First Master IPA is being rebooted 2-5 times a day now just to keep it alive.

What we are seeing:

[god at FirstMaster log]# kinit admin
kinit: Cannot contact any KDC for realm 'Domain.LOCAL' while getting initial credentials

DNS is not working as nslookup is failing to a replica.... I think once we lose DNS it all goes downhill, which makes sense.

[god at FirstMaster log]# ipactl stop -----> Just hangs forever.. no replies.. no error.. nothing

I try service named stop and nothing happens. I have the box hard shutdown from the KVM console. Reboot it and it works for a little while but eventually it is back to the same behavior.

At this point I can service named stop and it responds... ipactl status and it responds.. but if I try service named restart I get

[god at FirstMaster log]# service named stop
Stopping named: ......
[god at FirstMaster log]# service named start
Starting named: [FAILED]
[god at FirstMaster log]# service named status
rndc: connect failed: 127.0.0.1#953: connection refused
named dead but pid file exists

Rebooted the box and it is hung on shutting down domain-local and never fully shuts down.. have to get it hard shutdown again.

During an attempt to gracefully shut down we see this

Shutting Down dirsrv:
PKI-IPA OK
DOMAIN-LOCAL FAILED
*** Error: 1 instance(s) unsuccessfully stopped FAILED

Then it moves on to shut other things down and returns to dirsrv

Shutting Down dirsrv:
PKI-IPA....server already stopped FAILED {Makes sense.. it died earlier}
DOMAIN-LOCAL... {this sits here til we hard shutdown}

bind-libs-9.8.2-0.47.rc1.el6.x86_64
bind-9.8.2-0.47.rc1.el6.x86_64
bind-utils-9.8.2-0.47.rc1.el6.x86_64
ipa-client-3.0.0-50.el6.1.x86_64
ipa-server-selinux-3.0.0-50.el6.1.x86_64
ipa-server-3.0.0-50.el6.1.x86_64
sssd-ipa-1.13.3-22.el6.x86_64

/var/log/dirsrv/slapd-DOMAIN-LOCAL

[20/Jun/2016:13:29:06 -0400] - 389-Directory/1.2.11.15 B2016.063.2110 starting up
[20/Jun/2016:13:29:06 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=domain,dc=local
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - ruv_compare_ruv: RUV [database RUV] does not contain element [{replica 7} 55ca26a0000900070000 5688d8e6001000070000] which is present in RUV [changelog max RUV]
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: for replica dc=domain,dc=local there were some differences between the changelog max RUV and the database RUV. If there are obsolete elements in the database RUV, you should remove them using the CLEANALLRUV task. If they are not obsolete, you should check their status to see why there are no changes from those servers in the changelog.
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
[20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
[20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver9.domain.local" (server9:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
[20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jun/2016:13:29:07 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[20/Jun/2016:13:29:07 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[20/Jun/2016:13:29:07 -0400] - Listening on /var/run/slapd-DOMAIN-LOCAL.socket for LDAPI requests
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver4.domain.local" (server4:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meTo1server.domain.local" (1server:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver7.domain.local" (server7:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 0 (Success) [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin - agmt="cn=meToserver9.domain.local" (server9:389): Replication bind with GSSAPI auth resumed [20/Jun/2016:13:29:10 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) [20/Jun/2016:13:29:10 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) [20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin - agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) [20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with GSSAPI auth resumed [20/Jun/2016:13:29:10 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin - agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with GSSAPI auth resumed [20/Jun/2016:13:29:10 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory) [20/Jun/2016:13:29:10 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:29:10 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory) [20/Jun/2016:13:29:10 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:29:16 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) [20/Jun/2016:13:29:16 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) [20/Jun/2016:13:59:00 -0400] - 389-Directory/1.2.11.15 B2016.063.2110 starting up [20/Jun/2016:13:59:00 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database. [20/Jun/2016:13:59:01 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=domain,dc=local [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - ruv_compare_ruv: RUV [database RUV] does not contain element [{replica 7} 55ca26a0000900070000 5688d8e6001000070000] which is present in RUV [changelog max RUV] [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: for replica dc=domain,dc=local there were some differences between the changelog max RUV and the database RUV. If there are obsolete elements in the database RUV, you should remove them using the CLEANALLRUV task. 
If they are not obsolete, you should check their status to see why there are no changes from those servers in the changelog. [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver9.domain.local" (server9:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meTobldvxl0011.domain.local" (1server:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver7.domain.local" (server7:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:59:48 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests [20/Jun/2016:13:59:48 -0400] - Listening on All Interfaces port 636 for LDAPS requests [20/Jun/2016:13:59:48 -0400] - Listening on /var/run/slapd-DOMAIN-LOCAL.socket for LDAPI requests [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver4.domain.local" (server4:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 0 (Success) [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:59:51 -0400] NSMMReplicationPlugin - agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with GSSAPI auth resumed [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) [20/Jun/2016:13:59:51 -0400] NSMMReplicationPlugin - agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:57 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) [20/Jun/2016:13:59:57 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) [20/Jun/2016:13:59:57 -0400] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with GSSAPI auth resumed Sean Hogan Inactive hide details for Sean Hogan---06/02/2016 09:24:39 AM---Hello All, Recently went from RHEL 6.7 IPA 3.0.47 to 6.8 IPA 3.Sean Hogan---06/02/2016 09:24:39 AM---Hello All, Recently went from RHEL 6.7 IPA 3.0.47 to 6.8 IPA 3.0.50. I also think (not sure on this From: Sean Hogan/Durham/IBM To: freeipa-users Date: 06/02/2016 09:24 AM Subject: IPA 3.0.47 to 3.0.50 Upgrade problem Hello All, Recently went from RHEL 6.7 IPA 3.0.47 to 6.8 IPA 3.0.50. I also think (not sure on this yet) that they changed ntp.. ntp used to point at my ipas.. but they look like they are now pointing elsewhere. Everything was stable at 6.7 3.0.47 pointing to IPA for NTP. However.. they all seem to have the same date. My master first IPA is acting up. Replication is off, kerberos seems to be off, DNS is off and I think IPA in general on it is toast. We do have 8 IPAs.. only FirstMaster is acting up it seems right now and all either running on KVM or ESXI. 
[God at FirstMasterIPA slapd-DOMAIN-LOCAL]# kinit admin kinit: Generic error (see e-text) while getting initial credential slapd-DOMAIN-LOCAL [01/Jun/2016:18:25:43 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for realm 'DOMAIN.LOCAL')) errno 115 (Operation now in progress) [01/Jun/2016:18:25:43 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin - agmt="cn=meToipaserv2.domain.local" (ipaserv2:389): Replication bind with GSSAPI auth resumed [01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin - agmt="cn=meToipaserv3.domain.local" (ipaserv3:389): Replication bind with GSSAPI auth resumed [01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin - agmt="cn=meToipaserv4.domain.local" (ipaserv4:389): Replication bind with GSSAPI auth resumed [01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin - agmt="cn=meToipaserv5.domain.local" (ipaserv5:389): Replication bind with GSSAPI auth resumed [01/Jun/2016:18:28:04 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) [01/Jun/2016:18:28:04 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) [01/Jun/2016:18:28:13 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory) [01/Jun/2016:18:28:13 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [01/Jun/2016:18:33:03 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) [01/Jun/2016:18:33:03 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) [01/Jun/2016:18:33:18 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory) [01/Jun/2016:18:33:18 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [01/Jun/2016:18:38:03 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) [God at FirstMasterIPA slapd-DOMAIN-LOCAL]# ipa-replica-manage -v list --------------> just hangs and never returns [God at FirstMasterIPA slapd-DOMAIN-LOCAL]# ipactl start ------------->Just hangs here as well.. never gets to the KDC. Starting Directory Service Starting dirsrv: PKI-IPA... already running [ OK ] DOMAIN-LOCAL... already running [ OK ] If I run nslookup it fails over to a Replica for the DNS resolution instead of resolving ips itself. 
PKI log shows a bunch of this: [02/Jun/2016:11:15:25 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver2.domain.local-pki-ca" (ipaserver2:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null)) [02/Jun/2016:11:15:34 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver2.domain.local-pki-ca" (ipaserver2:7389): Replication bind with SIMPLE auth resumed [02/Jun/2016:11:16:36 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:16:51 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:11:21:51 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:22:06 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:11:26:36 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:26:41 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:11:31:36 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:31:41 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:11:36:36 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:36:41 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) 
[02/Jun/2016:11:41:46 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:41:51 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:11:45:16 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:45:16 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver3.domain.local-pki-ca" (ipaserver3:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null)) [02/Jun/2016:11:45:25 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver3.domain.local-pki-ca" (ipaserver3:7389): Replication bind with SIMPLE auth resumed [02/Jun/2016:11:46:51 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:46:56 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:11:51:36 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:51:41 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:11:56:46 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:56:51 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:12:01:36 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:12:01:41 -0400] slapi_ldap_bind - Error: could not 
send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:12:05:33 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:12:05:33 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver3.domain.local-pki-ca" (ipaserver3:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null)) [02/Jun/2016:12:06:01 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:12:06:06 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver3.domain.local-pki-ca" (ipaserver3:7389): Replication bind with SIMPLE auth resumed [02/Jun/2016:12:06:31 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:12:06:41 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) NTP seems OK [God at FirstMasterIPA slapd-PKI-IPA]# date Thu Jun 2 12:23:00 EDT 2016 [God at ipaserver3 ~]# date Thu Jun 2 12:23:02 EDT 2016 Sean Hogan -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... 
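The failures quoted in this thread form a chain, and the order matters when reading the log: if named will not start, the host cannot look up a KDC for the realm ("Cannot contact any KDC"), so dirsrv never obtains a ticket for its own ldap/ principal ("Credentials cache file ... not found"), so every GSSAPI replication bind fails locally before it ever reaches the peer. Only the later "LDAP error 49 ... gss_accept_sec_context" lines are rejections by the remote side, and the RUV warning is a separate issue. The following is an added example, not code from this thread, from FreeIPA or from 389-ds: it runs that triage over 389-ds errors-log lines, counting each symptom and tracking the last bind state per replication peer. The sample lines are constructed to mirror the formats quoted above (server names are placeholders), and the symptom-to-checklist mapping is the editor's reading of the thread, not FreeIPA documentation.

```python
"""Triage a 389-ds errors log from a FreeIPA master whose replication binds fail.

Added example for this mailing-list thread; not FreeIPA or 389-ds code.
The SAMPLE_LOG is constructed to match the line formats quoted in the thread.
"""
import re
from collections import Counter

# Constructed sample: one line per symptom, in the order the thread shows them.
SAMPLE_LOG = """\
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - ruv_compare_ruv: RUV [database RUV] does not contain element [{replica 7} 55ca26a0000900070000 5688d8e6001000070000] which is present in RUV [changelog max RUV]
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local@DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin - agmt="cn=meToserver9.domain.local" (server9:389): Replication bind with GSSAPI auth resumed
[20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin - agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
[20/Jun/2016:13:59:00 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<msg>.*)$")
AGMT_RE = re.compile(
    r'agmt="cn=(?P<agmt>[^"]+)" \((?P<peer>[^:)]+):\d+\): '
    r"Replication bind with (?P<mech>\w+) auth (?P<state>failed|resumed)"
)

# Ordered: the first matching pattern wins, so a line is counted once.
SYMPTOMS = [
    ("kdc_unreachable", re.compile(r"Cannot contact any KDC")),
    ("no_local_ccache", re.compile(r"Credentials cache file '[^']*' not found|No credentials cache found")),
    ("peer_rejected_ticket", re.compile(r"gss_accept_sec_context")),
    ("ruv_mismatch", re.compile(r"ruv_compare_ruv")),
    ("unclean_shutdown", re.compile(r"Disorderly Shutdown")),
]


def classify(msg):
    """Map one log message to a symptom name, or None if it is not one we track."""
    for name, rx in SYMPTOMS:
        if rx.search(msg):
            return name
    return None


def triage(log_text):
    """Return (Counter of symptoms, dict peer -> last 'failed'/'resumed' state)."""
    counts = Counter()
    peers = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # continuation or non-log line
        msg = m.group("msg")
        sym = classify(msg)
        if sym:
            counts[sym] += 1
        a = AGMT_RE.search(msg)
        if a:
            peers[a.group("peer")] = a.group("state")  # later lines overwrite earlier
    return counts, peers


def diagnose(counts, peers):
    """Turn symptom counts into an ordered checklist: root causes before consequences."""
    steps = []
    if counts["kdc_unreachable"]:
        steps.append("KDC unreachable from this host: check krb5kdc and the DNS (named) "
                     "that KDC lookup depends on before touching replication")
    if counts["no_local_ccache"]:
        steps.append("dirsrv holds no ticket for its ldap/ principal (follows from the KDC "
                     "failure): these binds fail locally, not at the peer")
    if counts["peer_rejected_ticket"]:
        steps.append("peer rejected a ticket in gss_accept_sec_context: once the local KDC "
                     "works, compare clocks and the peer's keytab/principal")
    if counts["ruv_mismatch"]:
        steps.append("database RUV lacks a replica ID present in the changelog: confirm the "
                     "replica is obsolete before running CLEANALLRUV")
    if counts["unclean_shutdown"]:
        steps.append("previous run did not stop cleanly: expect database recovery on start "
                     "and investigate the shutdown hang")
    stalled = sorted(p for p, s in peers.items() if s == "failed")
    if stalled:
        steps.append("agreements still failed at end of log: " + ", ".join(stalled))
    return steps


if __name__ == "__main__":
    c, p = triage(SAMPLE_LOG)
    for step in diagnose(c, p):
        print("-", step)
```

Run it against a real file with `triage(open("/var/log/dirsrv/slapd-DOMAIN-LOCAL/errors").read())`; because the last state per peer wins, a peer that logged "resumed" after "failed" is not reported as stalled, which is the distinction that separates a transient blip from an agreement that never recovered.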
From rcritten at redhat.com Tue Jun 21 17:33:10 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 21 Jun 2016 13:33:10 -0400
Subject: [Freeipa-users] CA: IPA certificates not renewing
In-Reply-To:
References: <57602152.9090104@redhat.com> <5762B625.7060803@redhat.com>
Message-ID: <57697A56.7080906@redhat.com>

Marc Wiatrowski wrote:
> Thanks for the reply Rob,
>
> So should fixing replication be more than running a re-initialize? I've tried this with no luck. Still the same errors in renewing the IPA certs.

re-init drops one database and replaces it with another. If you really did that then you have potentially lost a ton of records if indeed replication was stalled. Knowing what commands you ran would help to know for sure.

> status: CA_UNREACHABLE
> ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0x3ffe000f not found))
>
> Is there a procedure for getting these serial numbers back into the system? or manually recreating somehow?

When IPA gets a certificate request and the host/service it is requesting it for already has a certificate, a revocation is done on the existing certificate (which in this case is failing because the cert is unknown). If you wipe out the usercertificate field from the entry ldap/spider01a.iglass.net then that should do it.

> I was able to clear 4301 error. One ipaCert needed to be updated.

Great!

rob

> thanks
>
> On Thu, Jun 16, 2016 at 10:22 AM, Rob Crittenden wrote:
>
> Marc Wiatrowski wrote:
>
> Thanks Rob,
>
> Any suggestions on how to make the CA aware of the current serial number?
>
> Serial numbers are doled out like uid numbers, by the 389-ds DNA Plugin. So each CA that has ever issued a certificate has its own range, hence the quite different serial number values.
>
> Given that some issued certificates are unknown it stands to reason that replication is broken between one or more masters. Fixing that should resolve (most of) the other issues.
>
> Also started seeing the following error from two of the servers, spider01b and spider01o, but not spider01a when I navigate in the web gui. Though it doesn't appear to stop me from doing anything.
>
> IPA Error 4301
> Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)
>
> Dogtag does some of its access control by comparing the incoming client certificate with an expected value in its LDAP database, in this case uid=ipara,ou=People,o=ipaca. There you'll find a copy of the client certificate and a description field that contains the expected serial #, subject and issuer.
>
> These are out-of-whack if you're getting Invalid Credentials. It could be a number of things so I'd proceed cautiously. Given you have a working master I'd use that as a starting point.
>
> Look at the RA cert in /etc/httpd/alias:
>
> # certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial
>
> See if it is the same on all masters, it should be.
>
> If it is, look at the uid=ipara entry on all the masters. Again, should be the same.
>
> Note that fixing this won't address any replication issues.
>
> rob
>
> Marc
>
> On Tue, Jun 14, 2016 at 2:07 PM, Marc Wiatrowski wrote:
>
> On Tue, Jun 14, 2016 at 11:22 AM, Rob Crittenden wrote:
>
> Marc Wiatrowski wrote:
>
> Hello, I'm having issues with the 3 ipa certificates of type CA: IPA renewing on 2 of 3 replicas. Particularly on the 2 that are not the CA master. The other 5 certificates from getcert list do renew and all certificates on the CA master do look to renew.
>
> Both servers running ipa-server-3.0.0-50.el6.centos.1.x86_64 I've done full updates and rebooted.
>
> Can you check on the replication status for each CA?
>
> $ ipa-csreplica-manage list -v ipa.example.com
>
> The hostname is important because including that will show the agreements that host has. Do this for each master with a CA.
>
> The CA being asked to do the renewal is unaware of the current serial number so it is refusing to proceed.
>
> rob
>
> [root at spider01o]$ ipa-csreplica-manage list -v spider01a.iglass.net
> Directory Manager password:
> spider01b.iglass.net
>   last init status: None
>   last init ended: None
>   last update status: 0 Replica acquired successfully: Incremental update succeeded
>   last update ended: 2016-06-14 17:49:16+00:00
> spider01o.iglass.net
>   last init status: None
>   last init ended: None
>   last update status: 0 Replica acquired successfully: Incremental update started
>   last update ended: 2016-06-14 17:55:20+00:00
>
> [root at spider01o]$ ipa-csreplica-manage list -v spider01o.iglass.net
> Directory Manager password:
> spider01a.iglass.net
>   last init status: None
>   last init ended: None
>   last update status: 0 Replica acquired successfully: Incremental update started
>   last update ended: 2016-06-14 17:57:44+00:00
> spider01b.iglass.net
>   last init status: None
>   last init ended: None
>   last update status: 0 Replica acquired successfully: Incremental update started
>   last update ended: 2016-06-14 17:57:41+00:00
>
> [root at spider01o]$ ipa-csreplica-manage list -v spider01b.iglass.net
> Directory Manager password:
> spider01a.iglass.net
>   last init status: 0 Total update succeeded
>   last init ended: 2016-06-03 19:43:12+00:00
>   last update status: 0 Replica acquired successfully: Incremental update succeeded
>   last update ended: 2016-06-14 17:44:17+00:00
> spider01o.iglass.net
>   last init status: 0 Total update succeeded
>   last init ended: 2016-06-03 19:44:38+00:00
>   last update status: 0 Replica acquired successfully: Incremental update started
>   last update ended: 2016-06-14 17:57:53+00:00
> spider01a.iglass.net
>   last init status: None
>   last init ended: None
>   last update status: 0 Replica acquired successfully: Incremental update succeeded
>   last update ended: 2016-06-14 17:44:13+00:00
> spider01o.iglass.net
>   last init status: None
>   last init ended: None
>   last update status: 0 Replica acquired successfully: Incremental update started
>   last update ended: 2016-06-14 17:57:54+00:00
>
> Not sure what this is telling... Is this an issue with the last being doubled? Thanks
>
> The failed renews look like:
>
> [root at spider01a]$ getcert list -i 20141202144354
> Number of certificates and requests being tracked: 8.
> Request ID '20141202144354':
>   status: CA_UNREACHABLE
>   ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0x3ffe0010 not found)).
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>   certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>   CA: IPA
>   issuer: CN=Certificate Authority,O=IGLASS.NET
>   subject: CN=spider01a.iglass.net,O=IGLASS.NET
>   expires: 2016-12-02 14:38:45 UTC
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command:
>   post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
>   track: yes
>   auto-renew: yes
>
> [root at spider01a]$ getcert list -i 20141202144616
> Number of certificates and requests being tracked: 8.
> Request ID '20141202144616':
>   status: CA_UNREACHABLE
>   ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0x3ffe000f not found)).
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IGLASS-NET/pwdfile.txt'
>   certificate: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB'
>   CA: IPA
>   issuer: CN=Certificate Authority,O=IGLASS.NET
>   subject: CN=spider01a.iglass.net,O=IGLASS.NET
>   expires: 2016-12-02 14:38:43 UTC
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command:
>   post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv IGLASS-NET
>   track: yes
>   auto-renew: yes
>
> [root at spider01a]$ getcert list -i 20141202144733
> Number of certificates and requests being tracked: 8.
> Request ID '20141202144733':
>   status: CA_UNREACHABLE
>   ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0x3ffe0011 not found)).
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>   CA: IPA
>   issuer: CN=Certificate Authority,O=IGLASS.NET
>   subject: CN=spider01a.iglass.net,O=IGLASS.NET
>   expires: 2016-12-02 14:38:46 UTC
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command:
>   post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>   track: yes
>   auto-renew: yes
>
> From
> [root at spider01a]$ getcert resubmit -i 20141202144354
>
> On the replica issuing the resubmit
>
> ==> /var/log/httpd/access_log <==
> 192.168.176.2 - - [13/Jun/2016:15:49:32 -0400] "POST /ipa/xml HTTP/1.1" 401 1370
>
> ==> /var/log/httpd/error_log <==
> [Mon Jun 13 15:49:33 2016] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): EXCEPTION (Certificate serial number 0x3ffe0010 not found)
> [Mon Jun 13 15:49:33 2016] [error] ipa: INFO: host/spider01a.iglass.net at IGLASS.NET: cert_request(u'MIIDsTCCApkCAQAwNDETMBEGA1UEChMKSUdMQVNTLk5FVDEdMBsGA1UEAxMUc3BpZGVyMDFhLml...UVrN8lbKn17V5COjnj6k0mdbz3KptL0UI/l0BPlFBWGN5MFYaDx2F+y6LWv/aXeu2V4E6LA==', principal=u'dogtagldap/spider01a.iglass.net at IGLASS.NET', add=True): CertificateOperationError
>
> ==> /var/log/httpd/access_log <==
> 192.168.176.2 - - [13/Jun/2016:15:49:33 -0400] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 200 262
> 192.168.176.2 - host/spider01a.iglass.net at IGLASS.NET [13/Jun/2016:15:49:32 -0400] "POST /ipa/xml HTTP/1.1" 200 376
>
> ==> /var/log/pki-ca/system <==
> 2508.TP-Processor6 - [13/Jun/2016:15:49:33 EDT] [3] [3] Servlet caDisplayBySerial: Error encountered in DisplayBySerial. Error Record not found.
>
> On the CA master spider01o:
>
> ==> /var/log/httpd/access_log <==
> 192.168.176.2 - - [13/Jun/2016:15:49:33 -0400] "POST /ipa/xml HTTP/1.1" 401 1370
>
> ==> krb5kdc.log <==
> Jun 13 15:49:34 spider01o.iglass.net krb5kdc[1963](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.177.2: ISSUE: authtime 1465847372, etypes {rep=18 tkt=18 ses=18}, host/spider01a.iglass.net at IGLASS.NET for ldap/spider01o.iglass.net at IGLASS.NET
>
> ==> /var/log/httpd/error_log <==
> [Mon Jun 13 15:49:34 2016] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): EXCEPTION (Invalid Credential.)
> [Mon Jun 13 15:49:34 2016] [error] ipa: INFO: host/spider01a.iglass.net at IGLASS.NET: cert_request(u'MIIDsTCCApkCAQAwNDETMBEGA1UEChMKSUdMQVNTLk5FVDEdMBsGA1UEAxMUc3BpZGVyMDFhLml...UVrN8lbKn17V5COjnj6k0mdbz3KptL0UI/l0BPlFBWGN5MFYaDx2F+y6LWv/aXeu2V4E6LA==', principal=u'dogtagldap/spider01a.iglass.net at IGLASS.NET', add=True): CertificateOperationError
>
> ==> /var/log/httpd/access_log <==
> 192.168.177.2 - - [13/Jun/2016:15:49:34 -0400] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 200 235
> 192.168.176.2 - host/spider01a.iglass.net at IGLASS.NET [13/Jun/2016:15:49:33 -0400] "POST /ipa/xml HTTP/1.1" 200 349
>
> ==> /var/log/pki-ca/system <==
> 2231.TP-Processor3 - [13/Jun/2016:15:49:34 EDT] [6] [3] Cannot authenticate agent with certificate Serial 0x5ffc0008 Subject DN CN=IPA RA,O=IGLASS.NET. Error: User not found
>
> I realize they expire at the end of the year, but I've had my certificates expire before and would rather not go through that again. Any idea on what's wrong or suggestions on where to look would be appreciated.
>
> Thanks,
> Marc

From rcritten at redhat.com Tue Jun 21 17:34:35 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 21 Jun 2016 13:34:35 -0400
Subject: [Freeipa-users] CentOS 6.8: uninstalling IPA client causes python error
In-Reply-To:
References: <0BAA0171-449C-46F2-8B2A-D5108E8A7F8C@high5games.com> <57660ACB.6000109@redhat.com>
Message-ID: <57697AAB.3080103@redhat.com>

Dan.Finkelstein at high5games.com wrote:
> Oh, I disabled that first. I turn on services and restrictions one-by-one after things are working, not before.

I guess brute force via strace then. Something is throwing a permission error.

rob

> Dan
>
> Daniel Alex Finkelstein | Lead Dev Ops Engineer
> Dan.Finkelstein at h5g.com | 212.604.3447
> One World Trade Center, New York, NY 10007
> www.high5games.com
> Play High 5 Casino and Shake the Sky
> Follow us on: Facebook, Twitter, YouTube, Linkedin
>
> This message and any attachments may contain confidential or privileged information and are only for the use of the intended recipient of this message. If you are not the intended recipient, please notify the sender by return email, and delete or destroy this and all copies of this message and all attachments. Any unauthorized disclosure, use, distribution, or reproduction of this message or any attachments is prohibited and may be unlawful.
>
> From: Rob Crittenden
> Date: Saturday, June 18, 2016 at 23:00
> To: Daniel Finkestein, "freeipa-users at redhat.com"
> Subject: Re: [Freeipa-users] CentOS 6.8: uninstalling IPA client causes python error
>
> I'd check for SELinux errors, that might explain things.
>
> rob

From rcritten at redhat.com Tue Jun 21 17:38:19 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 21 Jun 2016 13:38:19 -0400
Subject: [Freeipa-users] Multiple issues (weblogin, DNS) with 4.3.1
In-Reply-To: <20160620080714.GA275278@mother.pipebreaker.pl>
References: <20160527122848.GA333519@mother.pipebreaker.pl> <5763C3A6.3050802@redhat.com> <20160618171354.GA439585@mother.pipebreaker.pl> <57660B3F.2010308@redhat.com> <20160620080714.GA275278@mother.pipebreaker.pl>
Message-ID: <57697B8B.3020600@redhat.com>

Tomasz Torcz wrote:
> On Sat, Jun 18, 2016 at 11:02:23PM -0400, Rob Crittenden wrote:
>>>
>>> Most of the functions work, but 5) I cannot get Authentication -> Certificates list:
>>>
>>> On okda, going to Certificates list yields "Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)" and error_log contains:
>>> [Sat Jun 18 18:59:10.523796 2016] [wsgi:error] [pid 748083] falsefalsefalsefalsefalsetruefalsefalsefalsefalsefalsefalse
>>> [Sat Jun 18 18:59:11.244206 2016] [wsgi:error] [pid 748083] ipa: DEBUG: HTTP Response code: 500
>>> [Sat Jun 18 18:59:11.248305 2016] [wsgi:error] [pid 748083] ipa: ERROR: ipaserver.plugins.dogtag.ra.find(): Unable to communicate with CMS (Internal Server Error)
>>> [Sat Jun 18 18:59:11.336576 2016] [wsgi:error] [pid 748083] ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last):
>>> [Sat Jun 18 18:59:11.336895 2016] [wsgi:error] [pid 748083]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 350, in wsgi_execute
>>> [Sat Jun 18 18:59:11.337011 2016] [wsgi:error] [pid 748083]     result = self.Command[name](*args, **options)
>>> [Sat Jun 18 18:59:11.337086 2016] [wsgi:error] [pid 748083]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 446, in __call__
>>> [Sat Jun 18 18:59:11.337156 2016] [wsgi:error] [pid 748083]     ret = self.run(*args, **options)
>>> [Sat Jun 18 18:59:11.337241 2016] [wsgi:error] [pid 748083]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 763, in run
>>> [Sat Jun 18 18:59:11.337311 2016] [wsgi:error] [pid 748083]     return self.execute(*args, **options)
>>> [Sat Jun 18 18:59:11.337373 2016] [wsgi:error] [pid 748083]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py", line 819, in execute
>>> [Sat Jun 18 18:59:11.337417 2016] [wsgi:error] [pid 748083]     result=self.Backend.ra.find(options)
>>> [Sat Jun 18 18:59:11.337455 2016] [wsgi:error] [pid 748083]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1861, in find
>>> [Sat Jun 18 18:59:11.337493 2016] [wsgi:error] [pid 748083]     detail=e.msg)
>>> [Sat Jun 18 18:59:11.337566 2016] [wsgi:error] [pid 748083]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1331, in raise_certificate_operation_error
>>> [Sat Jun 18 18:59:11.337653 2016] [wsgi:error] [pid 748083]     raise errors.CertificateOperationError(error=err_msg)
>>> [Sat Jun 18 18:59:11.337717 2016] [wsgi:error] [pid 748083] CertificateOperationError: Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)
>>> [Sat Jun 18 18:59:11.337770 2016] [wsgi:error] [pid 748083]
>>> [Sat Jun 18 18:59:11.338805 2016] [wsgi:error] [pid 748083] ipa: INFO: [jsonserver_session] admin at PIPEBREAKER.PL: cert_find(version=u'2.164'): CertificateOperationError
>>>
>>> How to fix those?
>>
>> You'll need to look at the dogtag debug log for the reason it threw a 500, it's in /var/log/pki-tomcat/ca or something close to that.
>
> I've looked into the logs but I'm not wiser. Is there a setting to get rid of java traceback from logs and get more useful messages? There seems to be a problem with SSL connection to port 636, maybe because it seems to use an expired certificate?

Not that I know of. The debug log is sure a firehose but you've identified the problem.
> $ echo | openssl s_client -connect okda.pipebreaker.pl:636 | openssl x509 -noout
> depth=1 O = PIPEBREAKER.PL, CN = Certificate Authority
> verify return:1
> depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
> verify error:num=10:certificate has expired
> notAfter=Nov 17 12:19:28 2015 GMT
> verify return:1
> depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
> notAfter=Nov 17 12:19:28 2015 GMT
> verify return:1
> DONE

Run getcert list and look at the expiration dates. What you want to do is kill ntpd, set the date back to say a week before the oldest date, restart the dirsrv, restart the pki-tomcat/pki-cad service then restart certmonger. This should force a renewal attempt. Use getcert and syslog to watch progress. It may require a few restarts of certmonger to get all the certs renewed.

Ideally that all happens fairly gracefully so then you move forward in time again, run ipactl restart and things work as usual.

rob

>
> Log from /var/log/pki/pki-tomcat/ca/system:
>
> 0.localhost-startStop-1 - [18/Jun/2016:18:54:09 CEST] [8] [3] In Ldap (bound) connection pool to host okda.pipebreaker.pl port 636, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
>
> Log from /var/log/pki/pki-tomcat/ca/debug:
>
> [18/Jun/2016:18:54:03][localhost-startStop-1]: ============================================
> [18/Jun/2016:18:54:03][localhost-startStop-1]: ===== DEBUG SUBSYSTEM INITIALIZED =======
> [18/Jun/2016:18:54:03][localhost-startStop-1]: ============================================
> [18/Jun/2016:18:54:03][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
> [18/Jun/2016:18:54:03][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
> [18/Jun/2016:18:54:03][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
> [18/Jun/2016:18:54:03][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
> [18/Jun/2016:18:54:03][localhost-startStop-1]: CMSEngine: done init id=debug
> [18/Jun/2016:18:54:03][localhost-startStop-1]: CMSEngine: initialized debug
> [18/Jun/2016:18:54:03][localhost-startStop-1]: CMSEngine: initSubsystem id=log
> [18/Jun/2016:18:54:03][localhost-startStop-1]: CMSEngine: ready to init id=log
> [18/Jun/2016:18:54:04][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)
> [18/Jun/2016:18:54:09][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)
> [18/Jun/2016:18:54:09][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions)
> [18/Jun/2016:18:54:09][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
> [18/Jun/2016:18:54:09][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
> [18/Jun/2016:18:54:09][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
> [18/Jun/2016:18:54:09][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
> [18/Jun/2016:18:54:09][localhost-startStop-1]: CMSEngine: done init id=log
> [18/Jun/2016:18:54:09][localhost-startStop-1]: CMSEngine: initialized log
> [18/Jun/2016:18:54:09][localhost-startStop-1]: CMSEngine: initSubsystem id=jss
> [18/Jun/2016:18:54:09][localhost-startStop-1]: CMSEngine: ready to init id=jss
> [18/Jun/2016:18:54:09][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
> [18/Jun/2016:18:54:09][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
> [18/Jun/2016:18:54:09][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
> [18/Jun/2016:18:54:09][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
> [18/Jun/2016:18:54:09][localhost-startStop-1]: CMSEngine: done init id=jss
> [18/Jun/2016:18:54:09][localhost-startStop-1]: CMSEngine: initialized jss
> [18/Jun/2016:18:54:09][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
> [18/Jun/2016:18:54:09][localhost-startStop-1]: CMSEngine: ready to init id=dbs
> [18/Jun/2016:18:54:09][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=true
> [18/Jun/2016:18:54:09][localhost-startStop-1]: Creating LdapBoundConnFactor(DBSubsystem)
> [18/Jun/2016:18:54:09][localhost-startStop-1]: LdapBoundConnFactory: init
> [18/Jun/2016:18:54:09][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
> [18/Jun/2016:18:54:09][localhost-startStop-1]: LdapAuthInfo: init()
> [18/Jun/2016:18:54:09][localhost-startStop-1]: LdapAuthInfo: init begins
> [18/Jun/2016:18:54:09][localhost-startStop-1]: LdapAuthInfo: init ends
> [18/Jun/2016:18:54:09][localhost-startStop-1]: init: before makeConnection errorIfDown is true
> [18/Jun/2016:18:54:09][localhost-startStop-1]: makeConnection: errorIfDown true
> [18/Jun/2016:18:54:09][localhost-startStop-1]: LdapJssSSLSocket set client auth cert nicknamesubsystemCert cert-pki-ca
> Could not connect to LDAP server host okda.pipebreaker.pl port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
>         at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
>         at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
>         at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
>         at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
>         at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1166)
>         at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1072)
>         at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:568)
>         at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
>         at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
>         at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>         at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:286)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:283)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:318)
>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:173)
>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:122)
>         at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1226)
>         at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1151)
>         at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1038)
>         at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4997)
>         at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5289)
>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
>         at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725)
>         at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131)
>         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153)
>         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:699)
>         at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)
>         at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:585)
>         at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1794)
>         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>         at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>         at java.lang.Thread.run(Thread.java:745)
> Internal Database Error encountered: Could not connect to LDAP server host okda.pipebreaker.pl port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
>         at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
>         at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1166)
>         at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1072)
>         at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:568)
>         at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
>         at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
>         at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>         at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:286)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:283)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:318)
>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:173)
>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:122)
>         at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1226)
>         at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1151)
>         at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1038)
>         at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4997)
>         at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5289)
>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
>         at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725)
>         at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131)
>         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153)
>         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:699)
>         at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)
>         at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:585)
>         at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1794)
>         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>         at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>         at java.lang.Thread.run(Thread.java:745)
> [18/Jun/2016:18:54:09][localhost-startStop-1]: CMSEngine.shutdown()
>

From rcritten at redhat.com Tue Jun 21 17:41:24 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 21 Jun 2016 13:41:24 -0400
Subject: [Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias
In-Reply-To: <43130555.CD4bVCgrSr@techz>
References: <27123231.2vVFdNkPoa@techz> <4468326.xlZGrDGMFj@techz> <574EE932.1040501@redhat.com> <43130555.CD4bVCgrSr@techz>
Message-ID: <57697C44.6010206@redhat.com>

Günther J. Niederwimmer wrote:
> Hello Rob,
>
> On Wednesday, 1 June 2016, 09:54:58 CEST, Rob Crittenden wrote:
>> Günther J. Niederwimmer wrote:
>>> Hello,
>>>
>>> On Tuesday, 31 May 2016, 11:06:09 CEST, Rob Cr ittenden wrote:
>>>> Günther J. Niederwimmer wrote:
>>>>> Hello
>>>>> I found some help for the IPA Certificate but I found no way to import the IPA CA?
>>>>> I would like to create a webserver with an owncloud virtualhost and others..
>>>>>
>>>>> But it is not possible for me to create the /etc/httpd/alias correctly?
>>>>>
>>>>> I found this in IPA DOCS
>>>>>
>>>>> certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
>>>>>
>>>>> but with this command line I have an Error: /etc/ipa/ca.crt has wrong format?
>>>>>
>>>>> Has anyone a link with a working example?
>>>>
>>>> Does the file /etc/ipa/ca.crt exist? It is installed there on enrolled clients so the documentation is written from that perspective.
>>>
>>> Yes.
>>>
>>>> You can grab a copy from any enrolled system, including an IPA Master. Otherwise the command looks ok assuming you were sitting in /etc/httpd/alias when the command was executed (-d .).
>>>
>>> Yes ;-).
>>> but certutil says it is a wrong format for the Certificate
>>
>> $ mkdir /tmp/testdb && cd /tmp/testdb
>> $ certutil -N -d .
>> $ certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
>
> On my system I have this message after installing ca.crt
>
> p11-kit: objects of this type cannot be created ?
> is this correct ?

I'm not sure.

> Another question, do I have to change the Attribute (?), the IPA server creates / IMPORTS this ca.crt with -t "CT,C,C"

It isn't super important. The order of those fields is SSL, S/MIME, code-signing. Chances are S/MIME will never be used and code-signing is used in some older releases but only once at install, so not having those set isn't a big deal. If you want things to be consistent you can use certutil -M -d . -t CT,C,C -n 'EXAMPLE.COM IPA CA'

rob

>
>> $ certutil -L -d .
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> EXAMPLE.COM IPA CA                                           CT,,
>>
>> I guess look at what is in /etc/ipa/ca.crt and ensure it is valid. You can use openssl for that:
>>
>> $ openssl x509 -text -inform PEM -in /etc/ipa/ca.crt
>>
>>> Something is wrong on my system !!
>>>
>>> for me it is not possible to have on an enrolled ipa-client a working webserver (apache) with mod_NSS
>>>
>>> The last tests: apache says it is the wrong "passwd" for the DB and doesn't start?
>>>
>>> So now I start again with a new clean /etc/httpd/alias
>>
>> Not knowing how you created the database or what your nss.conf looks like it's hard to say what is going on. If you set a NSS database password then you need to tell mod_nss about it.
>>
>> Typically you'd set this in nss.conf:
>>
>> NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf"
>>
>> and create /etc/httpd/conf/password.conf with contents like:
>>
>> internal:SecretPassword123
>>
>> Ensure that the file is owned by apache:apache and mode 0400.
>
> This is the best INFO for this file ;-)
>
> Thanks

From pvoborni at redhat.com Tue Jun 21 17:56:20 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 21 Jun 2016 19:56:20 +0200
Subject: [Freeipa-users] Announcing FreeIPA 4.4.0 alpha1
Message-ID:

== FreeIPA 4.4.0 Alpha 1 ==

The FreeIPA team would like to announce FreeIPA v4.4.0 alpha1 release!

A tarball can be downloaded from http://www.freeipa.org/page/Downloads

== Highlights in 4.4.0 Alpha 1 ==

Enhancements:
* Improved Topology Management
* Added Overview of IPA server roles
* Added support certificates for AD users
* Added support of UPN for trusted domains
* Added support for Kerberos Authentication Indicators
* Added DNS Location Mechanism
* Several performance improvements
* Refactored IPA command line tool
* Added support for Sub-CAs

== Detailed Changelog since 4.3.1 ==

Abhijeet Kasurde (12):
  Added kpasswd_server directive in client krb5.conf
  Fixed login error message box in LoginScreen page
  Added fix for notifying user about Kerberos principal expiration in WebUI
  Added description related to 'status' in ipactl man page
  Added warning to user for Internet Explorer
  Added fix for notifying user about locked user account in WebUI
  Updated ipa command man page
  Fix added to ipa-compat-manage command line help
  Removed custom implementation of CalledProcessError
  Replaced find_hostname with api.env.host
  Added exception handling for mal-formatted XML Parsing
  Added missing translation to automount.py method

Alexander Bokovoy (11):
  slapi-nis: update configuration to allow external members of IPA groups
  extdom: do not fail to process error case when no request is specified
  otptoken: support Python 3 for the qr code
  trusts: Add support for an external trust to Active Directory domain
  adtrust: remove nttrustpartner parameter
  adtrust: remove nttrustpartner parameter
  adtrust: support GSSAPI authentication to LDAP as Active Directory user
  adtrust: support UPNs for trusted domain users
  webui: show UPN suffixes in trust properties
  webui: support external flag to trust-add
  adtrust: optimize forest root LDAP filter

Christian Heimes (3):
  Require Dogtag 10.2.6-13 to fix KRA uninstall
  Modernize mod_nss's cipher suites
  Move user/group constants for PKI and DS into ipaplatform

David Kupka (28):
  installer: Propagate option values from components instead of copying them.
  installer: Fix logic of reading option values from cache.
  ipa-dns-install: Do not check for zone overlap when DNS installed.
  ipa-replica-prepare: Add '--auto-reverse' and '--allow-zone-overlap' options
  installer: Change reverse zones question to better reflect reality.
  Fix: Use unattended parameter instead of options.unattended
  CI: Add '2-connected' topology generator.
  CI: Add simple replication test in 2-connected topology.
  CI: Add test for 2-connected topology generator.
  CI: Fix pep8 errors in 2-connected topology generator
  CI: add empty topology test for 2-connected topology generator
  CI: Add double circle topology.
  CI: Add replication test utilizing double-circle topology.
  CI: Add test for double-circle topology generator.
  CI: Make double circle topology python3 compatible
  upgrade: Match whole pre/post command not just basename.
  dsinstance: add start_tracking_certificates method
  httpinstance: add start_tracking_certificates method
  Look up HTTPD_USER's UID and GID during installation.
  test: test_cli: Do not expect defaults in kwargs.
  man: Describe ipa-client-install workaround for broken D-Bus environment.
  installer: positional_arguments must be tuple or list of strings
  installer: index() raises ValueError
  Remove unused locking "context manager"
  schema: Add fingerprint and TTL
  schema: Add known_fingerprints option to schema command
  schema: Cache schema in api instance
  schema: return fingerprint as unicode text

Filip Skola (9):
  Refactor test_user_plugin, use UserTracker for tests
  Refactor test_replace
  Refactor test_attr
  Refactor test_sudocmd_plugin
  Refactor test_sudocmdgroup_plugin
  Refactor test_group_plugin, use GroupTracker for tests
  Refactor test_nesting, create HostGroupTracker
  Refactor test_hostgroup_plugin
  Refactor test_automember_plugin, create AutomemberTracker

Florence Blanc-Renaud (5):
  Add missing CA options to the manpage for ipa-replica-install
  Add the culprit line when a configuration file has an incorrect format
  add context to exception on LdapEntry decode error
  batch command can be used to trigger internal errors on server
  Always qualify requests for admin in ipa-replica-conncheck

Fraser Tweedale (22):
  Do not decode HTTP reason phrase from Dogtag
  Remove workaround for CA running check
  caacl: correctly handle full user principal name
  Prevent replica install from overwriting cert profiles
  Detect and repair incorrect caIPAserviceCert config
  Remove service and host cert issuer validation
  Allow CustodiaClient to be used by arbitrary principals
  Load server plugins in certmonger renewal helper
  Add ACIs for Dogtag custodia client
  Optionally add service name to Custodia key DNs
  Setup lightweight CA key retrieval on install/upgrade
  Authorise CA Agent to manage lightweight CAs
  Add custodia store for lightweight CA key replication
  Add 'ca' plugin
  Add IPA CA entry on install / upgrade
  Update 'caacl' plugin to support lightweight CAs
  Add CA argument to ra.request_certificate
  Update cert-request to allow specifying CA
  Add issuer options to cert-show and cert-find
  replica-install: configure key retriever before starting Dogtag
  upgrade: do not try to start CA if not
configured restart scripts: bootstrap api with in_server=True Gabe Alford (1): ipa-nis-manage enable: change service name from 'portmap' to 'rpcbind' Jakub Hrozek (1): sudo: Fix a typo in the --help output of sudocmdgroup James Groffen (1): Set close button type attribute to 'button'. Jan Barta (1): pylint: fix: multiple-statements Jan Cholasta (112): ipautil: remove unused import causing cyclic import in tests ipalib: assume version 2.0 when skip_version_check is enabled ipapython: remove default_encoding_utf8 ipapython: port p11helper C code to Python ipapython: use python-cryptography instead of libcrypto in p11helper spec file: package python-ipalib as noarch cert renewal: import all external CA certs on IPA CA cert renewal replica install: validate DS and HTTP server certificates replica promotion: fix AVC denials in remote connection check cacert install: fix trust chain validation client: stop using /etc/pki/nssdb ipalib: provide per-call command context ipalib: add convenient Command method for adding messages certdb: never use the -r option of certutil spec file: bump minimum required pki-core version build: fix client-only build makeapi: use the same formatting for `int` and `long` values replica install: do not set CA renewal master flag rpc: do not crash when unable to parse JSON parameters: remove unused ConversionError and ValidationError arguments rpc: include structured error information in responses frontend: re-raise remote RequirementError using CLI name in CLI frontend: remove the unused Command.soft_validate method frontend: perform argument value validation only on server batch: do not crash when no argument is specified ipalib: make optional positional command arguments actually optional frontend: do not forward unspecified positional arguments to server user: do not assume the preserve flags have value in user_del frontend: do not forward argument defaults to server makeapi: optimize API.txt ipalib: remove the unused `csv` argument of Param 
makeaci: load additional plugins using API.add_module plugable: replace API.import_plugins with new API.add_package ipalib, ipaserver: migrate all plugins to Registry-based registration ipalib, ipaserver: fix incorrect API.register calls in docstrings plugable: remove the unused deprecated API.register method plugable: switch API to Registry-based plugin discovery frontend: merge baseldap.CallbackRegistry into Command frontend: move the interactive_prompt callback type to Command automount: do not inherit automountlocation_import from LDAPQuery dns: move code called on client to the module level dns: do not rely on server data structures in code called on client otptoken: fix import of DN otptoken_yubikey: fix otptoken_add_yubikey arguments vault: move client-side code to the module level vault: copy arguments of client commands from server counterparts ipalib: use relative imports for cross-plugin imports frontend: allow commands to have an argument named `name` cli: make optional positional command arguments actually optional dns: fix dnsrecord interactive mode ipaclient: introduce ipaclient.plugins ipalib: move client-side plugins to ipaclient help, makeapi: allow setting command topic explicitly help, makeapi: specify module topic by name help, makeapi: do not use hardcoded plugin package name plugable: turn Plugin attributes into properties plugable: simplify API plugin initialization code plugable: remember overriden plugins in API frontend: turn Method attributes into properties ipaclient: add client-side command override class dns: move code shared by client and server to separate module ipalib: split off client-side plugin code into ipaclient parameters: introduce cli_metavar keyword argument parameters: introduce no_convert keyword argument ipalib: replace DeprecatedParam with `deprecated` Param argument ipalib: introduce API schema plugins rpc: respect API config in RPCClient.create_connection rpc: allow overriding NSS DB directory in API config rpc: 
specify connection options in API config rpc: optimize JSON-RPC response handling rpc: do not validate command name in RPCClient.forward client install: finalize API after CA certs are available ipactl: use server API ipalib: move File command arguments to ipaclient misc: hide the unused --all option of `env` and `plugins` in CLI ipaclient: implement thin client ipalib: move server-side plugins to ipaserver frontend: do not check API minor version of the client schema: do not validate unrequested params in command_defaults replica install: use remote server API to create service entries schema: fix topic command output schema: fix typo spec file: require correct packages to get API plugins plugable: allow plugins to be non-classes plugable: initialize plugins on demand schema: generate client-side commands on demand batch, schema: use Dict instead of Any misc: fix empty CLI output of `env` and `plugins` commands dns, passwd: fix outputs of `dns_resolve` and `passwd` commands frontend: call `execute` rather than `forward` in Local schema: exclude local commands schema: fix client-side dynamic defaults makeaci, makeapi: use in-server API frontend: don't copy command arguments to output params frontend: skip `value` output in output_for_cli frontend: do not crash on missing output in output_for_cli automember: add object plugin for automember_rebuild dns: do not rely on custom param fields in record attributes misc: skip `count` and `total` output in env.output_for_cli passwd: handle sort order of passwd argument on the client permission: handle ipapermright deprecated CLI alias on the client schema: add object class schema schema: remove output_params schema: merge command args and options schema: remove redundant information schema: remove `no_cli` from command schema replica install: fix thin client regression ldap: fix handling of binary data in search filters cert: add object plugin cert: add owner information cert: allow search by certificate dns: fix 
dns_update_system_records to work with thin client J?r?me Fenal (1): Fix the man page part for shorter sentences, to avoid dual understanding, and punctuation, all spotted while translating to French. Lenka Doudova (5): WebUI tests: fix failing of tests due to unclicable label WebUI test: ID views WebUI: Test creating user without private group Test fix: Cleanup for host certificate Test: Maximum username length higher than 255 cannot be set Ludwig Krispenz (2): prevent moving of topology entries out of managed scope by modrdn operations v2 - avoid crash in topology plugin when host list contains host with no hostname Luk?? Slebodn?k (6): extdom: Remove unused macro IPA-SAM: Fix build with samba 4.4 CONFIGURE: Replace obsolete macros ipa-sam: Do not redefine LDAP_PAGE_SIZE SPEC: Remove unused build dependency on libwbclient BUILD: Remove detection of libcheck Martin Babinsky (44): raise more descriptive Backend connection-related exceptions harden domain level 1 topology connectivity checks ipalib/x509.py: revert deletion of ipalib api import prevent crash of CA-less server upgrade due to absent certmonger use FFI call to rpmvercmp function for version comparison tests for package version comparison fix Py3 incompatible exception instantiation in replica install code ipa-csreplica-manage: remove extraneous ldap2 connection IPA upgrade: move replication ACIs to the mapping tree entry uninstallation: more robust check for master removal from topology correctly set LDAP bind related attributes when setting up replication disable RA plugins when promoting a replica from CA-less master fix standalone installation of externally signed CA on IPA master reset ldap.conf to point to newly installer replica after promotion always start certmonger during IPA server configuration upgrade upgrade: unconditional import of certificate profiles into LDAP CI tests: use old schema when testing hostmask-based sudo rules use LDAPS during standalone CA/KRA subsystem deployment 
test_cert_plugin: use only first part of the hostname to construct short name only search for Kerberos SRV records when autodiscovery was requested spec: add conflict with bind-chroot to freeipa-server-dns spec: require python-cryptography newer than 0.9 ipa-replica-manage: print traceback on unexpected error when in verbose mode otptoken-add: improve the robustness of QR code printing differentiate between limit types when LDAP search exceeds configured limits specify type of exceeded limit when warning about truncated search results replica-prepare: do not add PTR records if there is no IPA managed reverse zone Server Roles: definitions of server roles and attributes Server Roles: Backend plugin to query roles and attributes Test suite for `serverroles` backend Server Roles: public API for server roles Server Roles: make server-{show,find} utilize role information Server Roles: make *config-show consume relevant roles/attributes Server Roles: provide an API for setting CA renewal master Add NTP to the list of services stored in IPA masters LDAP subtree Introduce "NTP server" role ipaserver module for working with managed topology delegate removal of master DNS record and replica keys to separate functions server-del: perform full master removal in managed topology CI test suite for `server-del` ipa-replica-manage: use `server_del` when removing domain level 1 replica remove the master from managed topology during uninstallation Fix listing of enabled roles in `server-find` Do not update result of *-config-show with empty server attributes Martin Ba?ti (147): Fix DNS tests: dns-resolve returns warning Remove unused code in server installer related to KRA Fix version comparison Fix: replace mkdir with chmod Use module variables for timedate_services Remove empty test file Remove unused imports Remove wildcard imports Enable multiple warnings checks in Pylint Enable pylint lost exception check Enable pylint duplicated-key check Enable pylint trailing-whitespace 
check Enable pylint missing-final-newline check Enable pylint unused-format-string-key check Enable pylint expression-not-assigned check Enable pylint empty-docstring check Enable pylint unnecessary-pass check update_uniqueness plugin: fix referenced before assigment error Allow to used mixed case for sysrestore Upgrade: Fix upgrade of NIS Server configuration DNSSEC test: fix adding zones with --skip-overlap-check DNSSEC CI: add missing ldns-utils dependency Enable pylint unpacking-non-sequence check Enable pylint unbalanced-tuple-unpacking check CI test: fix regression in task.install_kra Warn about potential loss of CA, KRA, DNSSEC during uninstall Fix: uninstall does not stop named-pkcs11 and ipa-ods-exporter Exclude o=ipaca subtree from Retro Changelog (syncrepl) Fix DNSSEC test: add glue record Warn user when ipa *-find reach limit DNSSEC CI: fix zone delegations make lint: use config file and plugin for pylint Upgrade: log to ipaupgrade.log when IPA server is not installed Disable new pylint checks Py3: do not use dict.iteritems() upgrade: fix config of sidgen and extdom plugins trusts: use ipaNTTrustPartner attribute to detect trust entries Warn user if trust is broken fix upgrade: wait for proper DS socket after DS restart Revert "test: Temporarily increase timeout in vault test." 
Remove duplicated except Pylint: add missing attributes of errors to definitions fix permission: Read Replication Agreements Make PTR records check optional for IPA installation Fix connections to DS during installation pylint: supress false positive no-member errors CI: allow customized DS install test to work with domain levels fix suspicious except statements Remove unused arguments from update_ssh_keys method Configure 389ds with "default" cipher suite krb5conf: use 'true' instead of 'yes' for forwardable option stageuser-activate: Normalize manager value Remove redundant parameters from CS.cfg in dogtaginstance Use platform path constant for SSSD log dir Fix broken trust warnings spec: Add missing dependencies to python*-ipalib package client: enable ChallengeResponseAuthentication in sshd_config pylint: remove bare except Pylint: fix definition of global variables Pylint: enable pointless-except check Pylint: enable reimported check Pylint: use list comprehension instead of iteration Pylint: import max one module per line Pylint: remove unnecessary-semicolon Pylint: enable invalid-name check SPEC: do not run upgrade when ipa server is not installed Fix: catch Exception instead of more specific exception types Fix stageuser-activate - managers test Add missing pre_common_callback to stageuser_add host_del: fix removal of host records host_del: replace dns-record find command with show host_del: remove unneeded dnszone-show command call host_del: split removing A/AAAA and PTR records to separate functions host_del: remove only A, AAAA, SSHFP, PTR records host_del: update help for --updatedns option host-del --updatedns: print warnings instead of error Use netifaces module instead of 'ip' command Limit max username length to 255 in config-mod Increase API version for 'ipamaxusernamelength' attribute change Configure httpd service from installer instead of directly from RPM Performace: don't download password attributes in host/user-find Do not do extra search 
for ipasshpubkey to generate fingerprints Always set hostname Remove deprecated hostname restoration from Fedora18 Remove unused hostname variables Log errors from backup_and_replace hostname to logger Tasks: raise NotImplementedError for not implemented methods fix stageuser tests (removal of has_keytab and has_password from find) make: fail when ACI.txt or API.txt differs from values in source code ipactl: advertise --ignore-service-failure option Remove unused variable and finally block in SchemaCache Fix referenced before assigment variables in except statements Upgrade: always start CA Remove unused variables in automount plugin fix pylint false positive errors Translations: remove deprecated locale configuration Make option --no-members public in CLI Performance: Find commands: do not process members by default Test: fix failing host_test Fix: replace incorrect no_cli with no_option flag Fix: topologysuffix_find doesn't have no_members option DNS Locations: Always create DNS related privileges DNS Locations: add new attributes and objectclasses DNS Locations: location-* commands DNS Locations: API tests Allow to use non-Str attributes as keys for members DNS Locations: extend server-* command with locations DNS Location: location-show: return list of servers in location DNS Locations: when removing location remove it from servers first DNS Locations: extend tests with server-* commands Upgrade mod_wsgi socket-timeout on existing installation Exclude unneeded dirs and files from pylint check Fix resolve_rrsets: RRSet is not hashable Revert "adtrust: remove nttrustpartner parameter" Fix: Local variable s_indent might be referenced before defined Revert "Switch /usr/bin/ipa to Python 3" Use python2 for ipa cli DNS Locations: add index for ipalocation attribute DNS Locations: fix location-del DNS Locations: add idnsTemplateObject objectclass DNS Locations: DNS data management DNS Locations: permission: allow to read status of services DNS Locations: add ACI for 
template attribute DNS Locations: command dns-update-system-records DNS Locations: use dns_update_service_records in installers DNS Locations: adtrustinstance simplify dns management DNS Locations: use automatic records update in ipa-adtrust-install DNS Locations: server-mod: add automatic records update DNS Locations: dnsservers: add required objectclasses DNS Locations: dnsserver-* commands DNS Locations: dnsserver: put server_id option into named.conf DNS Locations: dnsserver: use the newer config way in installer DNS Locations: dnsserver: remove config when replica is removed DNS Locations: set proper substitution variable DNS Locations: require to restart named-pkcs11 affter location change DNS Locations: show warning if there is no DNS servers in location DNS Locations: prevent to remove used locations DNS Locations: do not generate location records for unused locations DNS Locations: location-del: remove location record DNS Locations: Rename ipalocationweight to ipaserviceweight DNS Locations: generate NTP records upgrade: don't fail if zone does not exists in in find DNS Location: add list of roles and DNS servers to location-show DNS Locations: dnsserver: print specific error when DNS is not installed Fix possibly undefined variable in ipa_smb_conf_exists() Updated IPA translations Replica promotion: use the correct IPA domain for replica Martin Ko?ek (1): Update Developers in Contributors.txt Matt Rogers (1): ipa_kdb: add krbPrincipalAuthInd handling Michael Simacek (1): Fix bytes/string handling in rpc Milan Kub?k (11): ipatests: replace the test-example.com domain in tests ipatests: Roll back the forwarder config after a test case ipatests: Fix configuration problems in dns tests ipatests: Make the A record for hosts in topology conditional ipatests: fix the install of external ca ipatests: Add missing certificate profile fixture ipatests: extend permission plugin test with new expected output spec file: rename the python-polib dependency name to 
python2-polib ipatests: fix for change_principal context manager ipatests: Add test case for requesting a certificate with full principal. spec: Add python-sssdconfig dependency for python-ipatests package Nathaniel McCallum (7): Don't error when find_base() fails if a base is not required Rename syncreq.[ch] to otpctrl.[ch] Ensure that ipa-otpd bind auths validate an OTP Return password-only preauth if passwords are allowed Enable authentication indicators for OTP and RADIUS Migrate from #ifndef guards to #pragma once Enable service authentication indicator management Oleg Fayans (26): CI tests: Enabled automatic creation of reverse zone during master installation CI tests: Added domain realm as a parameter to master installation in integration tests Fixed install_ca and install_kra under domain level 0 fixed an issue with master installation not creating reverse zone Enabled recreation of test directory in apply_common_fixes function Updated connect/disconnect replica to work with both domainlevels Removed --ip-address option from replica installation Removed messing around with resolv.conf Integration tests for replica promotion feature Enabled setting domain level explicitly in test class Removed a constantly failing call to prepare_host Made apply_common_fixes call at replica installation independent on domain_level Workaround for ticket 5627 Added copyright info to replica promotion tests rewrite a misprocessed teardown_method method as a custom decorator Reverted changes in mh fixture causing some tests to fail Fixed a bug with prepare_host failing upon existing ipatests folder Added a kdestroy call to clean ccache at master/client uninstallation Added 5 more tests to Replica Promotion testsuite Fixed a failure in legacy_client tests Add test if replica is working after domain upgrade Improve reporting of failed tests in topology test suite Bugfixes in managed topology tests A workaround for ticket N 5348 Added necessary A record for the replica to root zone 
Increased certmonger timeout Patrice Duc-Jacquet (2): Incorrect message when KRA already installed Add more information regarding where to find revocation reason in "ipa cert_revoke -h" and "ipa cert_find -h". Pavel Vomacka (41): Add tool tips for Revert, Refresh, Undo, and Undo All Add support for the 'user' url parameter for the reset_password.html Add validation to Issue new certificate dialog Add pan and zoom functionality to the topology graph Nodes stay fixed after initial animation. Add field for group id in user add dialog Resize topology graph canvas according to window size Add X-Frame-Options and frame-ancestors options Add activate option to stage user details page Add 'skip overlap check' checkbox into add zone dialog Add 'skip overlap check' checkbox to the add dns forward zone dialog Add option to show OTP when adding host Update the delete dialog on details user page Add ability to stage multiple users Add option to stage user from details page Change lang.hitch to javascript bind method Change 'Restore' to 'Remove Hold' Extend the certificate request dialog Auth Indicators WebUI part Fix bad searching of reverse DNS zone Add adapter attribute for choosing record DNS Locations: WebUI part Add lists of hosts allowed to create or retrieve keytabs Correct a jslint warning Association table can be read only Extend table facet Add server roles on topology page Search facet can be without search field Add ability to review cert request dialog Add new webui plugin - ca Extend certificate entity page Extend caacl entity Make Actions string translatable Extend DNS config page Extend trust config page Add creating a segment using mouse Add listener which opens add segment dialog Add placeholder to add segment dialog Add DNS default TTL field Allow to set weight of a server without location DNS Servers: Web UI part Peter Lacko (1): Ping module tests. 
Petr Viktorin (46): Package ipapython, ipalib, ipaplatform, ipatests for Python 3 Use explicit truncating division Don't index exceptions directly Use print_function future definition wherever print() is used Alias "unicode" to "str" under Python 3 Avoid builtins that were removed in Python 3 dnsutil: Rename __nonzero__ to __bool__ Remove deprecated contrib/RHEL4 make-lint: Allow running pylint --py3k to detect Python3 issues Split ipa-client/ into ipaclient/ (Python library) and client/ (C, scripts) test_parameters: Ignore specific error message ipaldap, ldapupdate: Encoding fixes for Python 3 ipautil.run, kernel_keyring: Encoding fixes for Python 3 tests: Use absolute imports ipautil: Use mode 'w+' in write_tmp_file test_util: str/bytes check fixes for Python 3 p11helper: Port to Python 3 cli: Don't encode/decode for stdin/stdout on Python 3 Package python3-ipaclient Move get_ipa_basedn from ipautil to ipadiscovery ipadiscovery: Decode to unicode in ipacheckldap(), get_ipa_basedn() ipapython.sysrestore: Use str methods instead of functions from the string module ipalib.x809: Accept bytes for make_pem dns plugin: Fix zone normalization under Python 3 sysrestore: Iterate over a list of dict keys test_xmlrpc: Use absolute imports xmlrpc_test: Rename exception instance before working with it radiusproxy plugin: Use str(error) rather than error.message xmlrpc_test: Expect bytes rather than strings for binary attributes ipalib.rpc: Send base64-encoded data as string under Python 3 range plugin tests: Use bytes with MockLDAP under Python 3 radiusproxy plugin tests: Expect bytes, not text, for ipatokenradiussecret certprofile plugin: Use binary mode for file with binary data test_add_remove_cert_cmd: Use bytes for base64.b64encode() Switch /usr/bin/ipa to Python 3 Fix remaining relative import and enable Pylint check ipalib.cli: Improve reporting of binary values in the CLI test_cert_plugin: Encode 'certificate' for comparison with 'usercertificate' ipaldap: Keep 
attribute names as text, not bytes ipapython.secrets.kem: Use ConfigParser from six.moves test_topology_plugin: Don't rely on order of an attribute's values test_rpcserver: Expect updated error message under Python 3 ipaplatform.redhat: Use bytestrings when calling rpm.so for version comparison test_ipaserver.test_ldap: Use bytestrings for raw LDAP values ipaldap: Convert dict items to list before iterating test_ipaserver.test_ldap: Adjust tests to Python 3's KeyView Petr Voborn?k (16): Bump 4.4 development version to 4.3.90 webui: add examples to network address validator error message webui: pwpolicy cospriority field was marked as required spec: do not require arch specific ipalib package from noarch packages webui: dislay server suffixes in server search page stop installer when setup-ds.pl fail webui: crash nicely if sessionStorage is not available webui: remove moot error from webui build webui: use API call ca_is_enabled instead of enable_ra env variable. webui: fixed showing of success message after password change on login advise: configure TLS in redhat_nss_pam_ldapd and redhat_nss_ldap plugins cookie parser: do not fail on cookie with empty value fix incorrect name of ipa-winsync-migrate command in help webui: fail nicely if cookies are disabled ipa-client-install: fix typo in nslcd service name Become IPA 4.4.0 Alpha 1 Petr ?pa?ek (51): dns: Handle SERVFAIL in check if domain already exists. 
DNSSEC: Improve error reporting from ipa-ods-exporter DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP DNSSEC: Make sure that current key state in LDAP matches key state in BIND DNSSEC: remove obsolete TODO note DNSSEC: add debug mode to ldapkeydb.py DNSSEC: logging improvements in ipa-ods-exporter DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP DNSSEC: ipa-ods-exporter: add ldap-cleanup command DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal DNSSEC: Log debug messages at log level DEBUG Fix --auto-reverse option in --unattended mode. Fix dns_is_enabled() API command to throw exceptions as appropriate Fix DNS zone overlap check to allow ipa-replica-install to work Fix ipa-adtrust-install to always generate SRV records with FQDNs Fix URL for reporting bugs in strings Pylint: enable parallelism Makefile: replace perl with sed Remove function ipapython.ipautil.host_exists() Extend installers with --forward-policy option Move automatic empty zone list into ipapython.dnsutil and make it reusable Add assert_absolute_dnsname() helper to ipapython.dnsutil Move function is_auto_empty_zone() into ipapython.dnsutil Use shared sanity check and tests ipapython.dnsutil.is_auto_empty_zone() Add function ipapython.dnsutil.inside_auto_empty_zone() Auto-detect default value for --forward-policy option in installers ipa-nis-manage: Replace text references to compat plugin with NIS ipa-nis-manage: mention return code 3 in man page DNS: Fix upgrade - master to forward zone transformation DNS installer: accept --auto-forwarders option in unattended mode Remove unused file install/share/fedora-ds.init.patch Batch command: avoid accessing potentially undefined context.principal pylint: replace Refactor category with individual check names ipa-nis-manage: add status option DNS: Warn if forwarding policy conflicts with automatic empty zones Move 
      check_zone_overlap() from ipapython.ipautil to ipapython.dnsutil
      Use root_logger for verify_host_resolvable()
      Move IP address resolution from ipaserver.install.installutils to ipapython.dnsutil
      Turn verify_host_resolvable() into a wrapper around ipapython.dnsutil
      Add ipaDNSVersion option to dnsconfig* commands and use new attribute
      DNS upgrade: separate backup logic to make it reusable
      Add function ipapython.dnsutil.related_to_auto_empty_zone()
      DNS upgrade: change forwarding policy to = only for conflicting forward zones
      DNS upgrade: change global forwarding policy in LDAP to "only" if private IPs are used
      DNS upgrade: change global forwarding policy in named.conf to "only" if private IPs are used
      Require 389-ds-base >= 1.3.5.6
      DNS Locations: make ipa-ca record generation more robust
      DNS: Support default TTL setting for master DNS zones
      DNS: Warn about restart when default TTL setting DNS is changed
      DNS: Fix realm domains integration with DNS zone add.

Simo Sorce (6):
      Use only AES enctypes by default
      Always verify we have a valid ldap context.
      Improve keytab code to select the right principal.
      Convert ipa-sam to use the new getkeytab control
      Allow admins to disable preauth for SPNs.
      Allow to specify Kerberos authz data type per user

Stanislav Laznicka (21):
      Listing and cleaning RUV extended for CA suffix
      Automatically detect and remove dangling RUVs
      Cosmetic changes to the code
      Fixes minor issues
      replica-manage: fail nicely when DM psswd required
      ipa-replica-manage refactoring
      abort-clean/list/clean-ruv now work for both suffixes
      Moved password check from clean_dangling_ruv
      Fix to clean-dangling-ruv for single CA topologies
      Added pyusb as a dependency
      Added some attributes to Modify Users permission
      Deprecated the domain-level option in ipa-server-install
      Increased mod_wsgi socket-timeout
      Added = mapping to krb5.conf
      Decreased timeout for IO blocking for DS
      fixes premature sys.exit in ipa-replica-manage del
      Remove dangling RUVs even if replicas are offline
      Added krb5.conf.d/ to included dirs in krb5.conf
      Removed dead code from LDAP{Remove,Add}ReverseMember
      Fixes CA always being presented as running
      Increase nsslapd-db-locks to 50000

Sumit Bose (3):
      ipa-kdb: get_authz_data_types() make sure entry can be NULL
      ipa-kdb: map_groups() consider all results
      extdom: add certificate request

Thierry Bordaz (3):
      configure DNA plugin shared config entries to allow connection with GSSAPI
      DS deadlock when memberof scopes topology plugin updates
      Make sure ipapwd_extop takes precedence over passwd_modify_extop

Thorsten Scherf (1):
      Fixed typo in service-add

Timo Aaltonen (6):
      Use HTTPD_USER in dogtaginstance.py
      Move freeipa certmonger helpers to libexecdir.
      ipa_restore: Import only FQDN from ipalib.constants
      ipaplatform: Move remaining user/group constants to ipaplatform.constants.
      Use ODS_USER/ODS_GROUP in opendnssec_conf.template
      Fix kdc.conf.template to use ipaplatform.paths.

Tomáš Babej (10):
      py3: Remove py3 incompatible exception handling
      logger: Use warning instead of warn
      Loggger: Use warning instead of warn - dns plugin
      ipa-getkeytab: Handle the possibility of not obtaining a result
      ipa-adtrust-install: Allow dash in the NETBIOS name
      spec: Bump required sssd version to 1.13.3-5
      adtrustinstance: Make sure smb.conf exists
      l10n: Remove Transifex configuration
      ipalib: Fix user certificate docstrings
      idviews: Add user certificate attribute to user ID overrides

Yuri Chornoivan (3):
      Fix minor typo
      Fix minor typos
      Fix minor typos

-- 
Petr Vobornik

From schogan at us.ibm.com Tue Jun 21 19:02:14 2016
From: schogan at us.ibm.com (Sean Hogan)
Date: Tue, 21 Jun 2016 12:02:14 -0700
Subject: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
In-Reply-To:
References:
Message-ID:

Has anyone seen these before?

First Master IPA DNS logs show: Looks like the host names are getting the domain twice domain.local.domain.local

client 10.x.x.x#58094: query failed (SERVFAIL) for server1.domain.local.domain.local/IN/AAAA at query.c:6569
timeout in ldap_pool_getconnection(): try to raise 'connections' parameter; potential deadlock?
client 10.x.x.x#44147: query failed (SERVFAIL) for x.x.x.10.in-addr.arpa/IN/PTR at query.c:6569
timeout in ldap_pool_getconnection(): try to raise 'connections' parameter; potential deadlock?
client 10.x.x.x#56466: query failed (SERVFAIL) for x.x.x.10.in-addr.arpa/IN/PTR at query.c:6569
timeout in ldap_pool_getconnection(): try to raise 'connections' parameter; potential deadlock?
client 10.x.x.x53367: query failed (SERVFAIL) for server2.domain.local.domain.local/IN/A at query.c:6569
timeout in ldap_pool_getconnection(): try to raise 'connections' parameter; potential deadlock?
client 10.x.x.x#53367: query failed (SERVFAIL) for server2.domain.local.domain.local/IN/AAAA at query.c:6569

So enrolls are failing at this point when trying to enroll to a replica:

[bob at server1 log]# ipa-client-install --enable-dns-updates
Discovery was successful!
Hostname: server1.watson.local
Realm: DOMAIN.LOCAL
DNS Domain: domain.local
IPA Server: ipareplica.domain.local
BaseDN: dc=domain,dc=local

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: bob
Synchronizing time with KDC...
Password for bob at DOMAIN.LOCAL:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=DOMAIN.LOCAL
    Issuer:      CN=Certificate Authority,O=DOMAIN.LOCAL
    Valid From:  Tue Jan 06 19:37:09 2015 UTC
    Valid Until: Sat Jan 06 19:37:09 2035 UTC

Enrolled in IPA realm DOMAIN.LOCAL
Attempting to get host TGT...
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm DOMAIN.LOCAL
trying https://ipareplica.domain.local/ipa/xml
Cannot connect to the server due to Kerberos error: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('KDC returned error string: PROCESS_TGS', -1765328324)/. Trying with delegate=True
trying https://ipareplica.domain.local/ipa/xml
Second connect with delegate=True also failed: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('KDC returned error string: PROCESS_TGS', -1765328324)/
Cannot connect to the IPA server XML-RPC interface: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('KDC returned error string: PROCESS_TGS', -1765328324)/
Installation failed. Rolling back changes.
Unenrolling client from IPA server
Unenrolling host failed: Error obtaining initial credentials: Generic error (see e-text).
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.

Sean Hogan

From: Sean Hogan/Durham/IBM
To: Sean Hogan/Durham/IBM at IBMUS
Cc: freeipa-users
Date: 06/20/2016 12:49 PM
Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem

Also seeing this in the upgrade log on the first master but not on the 7 ipas.

ERROR Failed to restart named: Command '/sbin/service named restart ' returned non-zero exit status 7

which led me to https://bugzilla.redhat.com/show_bug.cgi?id=895298

Sean Hogan

From: Sean Hogan/Durham/IBM at IBMUS
To: freeipa-users
Date: 06/20/2016 11:46 AM
Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
Sent by: freeipa-users-bounces at redhat.com

Hi All..

I thought we fixed this issue by rebooting the KVM host but it is showing again. Our First Master IPA is being rebooted 2-5 times a day now just to keep it alive.

What we are seeing:

[God at FirstMaster log]# kinit admin
kinit: Cannot contact any KDC for realm 'Domain.LOCAL' while getting initial credentials

DNS is not working as nslookup is failing to a replica.... think once we lose DNS it all goes down hill which makes sense.

[god at FirstMaster log]# ipactl stop -----> Just hangs forever.. no replies.. no error.. nothing

I try service named stop and nothing happens. I have the box hard shutdown from KVM console. Reboot it and it works for a little while but eventually back to same behavior. At this point I can service named stop and it responds... ipactl status and it responds.. but if I try service named restart I get

[god at FirstMaster log]# service named stop
Stopping named: ......
[god at Firstmaster log]# service named start
Starting named: [FAILED]
[god at FirstMaster log]# service named status
rndc: connect failed: 127.0.0.1#953: connection refused
named dead but pid file exists

Rebooted box and it is hung on shutting down domain-local and never fully shuts down.. have to get it hard shutdown again. During an attempt to gracefully shut down we see this

Shutting Down dirsrv:
    PKI-IPA OK
    DOMAIN-LOCAL FAILED
    *** Error: 1 instance(s) unsuccessfully stopped FAILED

Then it moves on to shut other things down and returns to dirsrv

Shutting Down dirsrv:
    PKI-IPA....server already stopped FAILED {Makes sense.. it died earlier}
    DOMAIN-LOCAL... {this sits here til we hard shutdown}

bind-libs-9.8.2-0.47.rc1.el6.x86_64
bind-9.8.2-0.47.rc1.el6.x86_64
bind-utils-9.8.2-0.47.rc1.el6.x86_64
ipa-client-3.0.0-50.el6.1.x86_64
ipa-server-selinux-3.0.0-50.el6.1.x86_64
ipa-server-3.0.0-50.el6.1.x86_64
sssd-ipa-1.13.3-22.el6.x86_64

/var/log/dirsrv/slapd-DOMAIN-LOCAL

[20/Jun/2016:13:29:06 -0400] - 389-Directory/1.2.11.15 B2016.063.2110 starting up
[20/Jun/2016:13:29:06 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=domain,dc=local
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - ruv_compare_ruv: RUV [database RUV] does not contain element [{replica 7} 55ca26a0000900070000 5688d8e6001000070000] which is present in RUV [changelog max RUV]
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: for replica dc=domain,dc=local there were some differences between the changelog max RUV and the database RUV. If there are obsolete elements in the database RUV, you should remove them using the CLEANALLRUV task. If they are not obsolete, you should check their status to see why there are no changes from those servers in the changelog.
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver9.domain.local" (server9:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:29:07 -0400] - slapd started. 
Listening on All Interfaces port 389 for LDAP requests [20/Jun/2016:13:29:07 -0400] - Listening on All Interfaces port 636 for LDAPS requests [20/Jun/2016:13:29:07 -0400] - Listening on /var/run/slapd-DOMAIN-LOCAL.socket for LDAPI requests [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver4.domain.local" (server4:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meTo1server.domain.local" (1server:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver7.domain.local" (server7:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 0 (Success) [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin - agmt="cn=meToserver9.domain.local" (server9:389): Replication bind with GSSAPI auth resumed [20/Jun/2016:13:29:10 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) [20/Jun/2016:13:29:10 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) [20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin - agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) [20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with GSSAPI auth resumed [20/Jun/2016:13:29:10 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin - agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with GSSAPI auth resumed [20/Jun/2016:13:29:10 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic 
failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory) [20/Jun/2016:13:29:10 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:29:10 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory) [20/Jun/2016:13:29:10 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:29:16 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) [20/Jun/2016:13:29:16 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) [20/Jun/2016:13:59:00 -0400] - 389-Directory/1.2.11.15 B2016.063.2110 starting up [20/Jun/2016:13:59:00 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database. [20/Jun/2016:13:59:01 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=domain,dc=local [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - ruv_compare_ruv: RUV [database RUV] does not contain element [{replica 7} 55ca26a0000900070000 5688d8e6001000070000] which is present in RUV [changelog max RUV] [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: for replica dc=domain,dc=local there were some differences between the changelog max RUV and the database RUV. 
If there are obsolete elements in the database RUV, you should remove them using the CLEANALLRUV task. If they are not obsolete, you should check their status to see why there are no changes from those servers in the changelog. [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver9.domain.local" (server9:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meTobldvxl0011.domain.local" (1server:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver7.domain.local" (server7:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:59:48 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests [20/Jun/2016:13:59:48 -0400] - Listening on All Interfaces port 636 for LDAPS requests [20/Jun/2016:13:59:48 -0400] - Listening on /var/run/slapd-DOMAIN-LOCAL.socket for LDAPI requests [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver4.domain.local" (server4:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 0 (Success) [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:59:51 -0400] NSMMReplicationPlugin - agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with GSSAPI auth resumed [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) [20/Jun/2016:13:59:51 -0400] NSMMReplicationPlugin - agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory)
[20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:59:57 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[20/Jun/2016:13:59:57 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
[20/Jun/2016:13:59:57 -0400] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with GSSAPI auth resumed

Sean Hogan

From: Sean Hogan/Durham/IBM
To: freeipa-users
Date: 06/02/2016 09:24 AM
Subject: IPA 3.0.47 to 3.0.50 Upgrade problem

Hello All,

Recently went from RHEL 6.7 IPA 3.0.47 to 6.8 IPA 3.0.50. I also think (not sure on this yet) that they changed ntp.. ntp used to point at my ipas.. but they look like they are now pointing elsewhere. Everything was stable at 6.7 3.0.47 pointing to IPA for NTP. However.. they all seem to have the same date.

My master first IPA is acting up. Replication is off, kerberos seems to be off, DNS is off and I think IPA in general on it is toast. We do have 8 IPAs.. only FirstMaster is acting up it seems right now and all either running on KVM or ESXI.
[God at FirstMasterIPA slapd-DOMAIN-LOCAL]# kinit admin
kinit: Generic error (see e-text) while getting initial credential

slapd-DOMAIN-LOCAL

[01/Jun/2016:18:25:43 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for realm 'DOMAIN.LOCAL')) errno 115 (Operation now in progress)
[01/Jun/2016:18:25:43 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin - agmt="cn=meToipaserv2.domain.local" (ipaserv2:389): Replication bind with GSSAPI auth resumed
[01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin - agmt="cn=meToipaserv3.domain.local" (ipaserv3:389): Replication bind with GSSAPI auth resumed
[01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin - agmt="cn=meToipaserv4.domain.local" (ipaserv4:389): Replication bind with GSSAPI auth resumed
[01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin - agmt="cn=meToipaserv5.domain.local" (ipaserv5:389): Replication bind with GSSAPI auth resumed
[01/Jun/2016:18:28:04 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[01/Jun/2016:18:28:04 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
[01/Jun/2016:18:28:13 -0400] slapd_ldap_sasl_interactive_bind - Error:could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory)
[01/Jun/2016:18:28:13 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[01/Jun/2016:18:33:03 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[01/Jun/2016:18:33:03 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
[01/Jun/2016:18:33:18 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory)
[01/Jun/2016:18:33:18 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[01/Jun/2016:18:38:03 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)

[God at FirstMasterIPA slapd-DOMAIN-LOCAL]# ipa-replica-manage -v list --------------> just hangs and never returns

[God at FirstMasterIPA slapd-DOMAIN-LOCAL]# ipactl start -------------> Just hangs here as well.. never gets to the KDC.
Starting Directory Service
Starting dirsrv:
    PKI-IPA... already running [ OK ]
    DOMAIN-LOCAL... already running [ OK ]

If I run nslookup it fails over to a Replica for the DNS resolution instead of resolving ips itself.

PKI log shows a bunch of this:

[02/Jun/2016:11:15:25 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver2.domain.local-pki-ca" (ipaserver2:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null))
[02/Jun/2016:11:15:34 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver2.domain.local-pki-ca" (ipaserver2:7389): Replication bind with SIMPLE auth resumed
[02/Jun/2016:11:16:36 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[02/Jun/2016:11:16:51 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[02/Jun/2016:11:21:51 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[02/Jun/2016:11:22:06 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[02/Jun/2016:11:26:36 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[02/Jun/2016:11:26:41 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[02/Jun/2016:11:31:36 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[02/Jun/2016:11:31:41 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[02/Jun/2016:11:36:36 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[02/Jun/2016:11:36:41 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[02/Jun/2016:11:41:46 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:41:51 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:11:45:16 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:45:16 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver3.domain.local-pki-ca" (ipaserver3:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null)) [02/Jun/2016:11:45:25 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver3.domain.local-pki-ca" (ipaserver3:7389): Replication bind with SIMPLE auth resumed [02/Jun/2016:11:46:51 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:46:56 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:11:51:36 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:51:41 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:11:56:46 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:11:56:51 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:12:01:36 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:12:01:41 -0400] slapi_ldap_bind - Error: could not 
send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:12:05:33 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:12:05:33 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver3.domain.local-pki-ca" (ipaserver3:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null)) [02/Jun/2016:12:06:01 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [02/Jun/2016:12:06:06 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver3.domain.local-pki-ca" (ipaserver3:7389): Replication bind with SIMPLE auth resumed [02/Jun/2016:12:06:31 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [02/Jun/2016:12:06:41 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) NTP seems OK [God at FirstMasterIPA slapd-PKI-IPA]# date Thu Jun 2 12:23:00 EDT 2016 [God at ipaserver3 ~]# date Thu Jun 2 12:23:02 EDT 2016 Sean Hogan -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... 
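The errors-log excerpts above mix four different conditions: the local KDC not answering (set_krb5_creds), the credential cache that is missing as a consequence, a peer rejecting the ticket in gss_accept_sec_context, and startTLS to a peer's LDAP port failing outright. Telling them apart per replication agreement is the first triage step. The script below is an added example, not code from this thread or from FreeIPA/389-ds; the category names and the hints are the editor's reading of these messages, and the sample log is constructed after the lines posted here (with "@" restored in the principal).

```python
"""Triage replication-bind failures in a 389-ds errors log.

Added example, not from the thread or from FreeIPA/389-ds. Categories
and hints are the editor's; SAMPLE_LOG is constructed after the thread.
"""
import re
from collections import Counter

TS_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<rest>.*)$")
AGMT_RE = re.compile(r'agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\)')

# First matching marker wins, so order matters for lines carrying two.
PATTERNS = [
    ("kdc-unreachable", "cannot contact any kdc"),
    ("ccache-missing", "credentials cache"),
    ("peer-rejected-gssapi", "gss_accept_sec_context"),
    ("peer-unreachable", "can't contact ldap server"),
    ("resumed", "auth resumed"),
    ("disorderly-shutdown", "detected disorderly shutdown"),
]

# Constructed sample, modelled on the errors-log lines in the thread.
SAMPLE_LOG = """\
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local@DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin - agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
[20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin - agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with GSSAPI auth resumed
[02/Jun/2016:11:15:25 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ipaserver2.domain.local-pki-ca" (ipaserver2:7389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null))
[20/Jun/2016:13:59:00 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
"""


def classify(line):
    """Return {ts, category, agreement, peer} for a line we care about, else None."""
    m = TS_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    low = rest.lower()
    category = next((cat for cat, marker in PATTERNS if marker in low), None)
    if category is None:
        return None
    a = AGMT_RE.search(rest)
    return {"ts": m.group("ts"), "category": category,
            "agreement": a.group("agmt") if a else None,
            "peer": a.group("peer") if a else None}


def summarize(log_text):
    """Count categories and keep the last state seen per replication agreement."""
    counts = Counter()
    last_state = {}
    for line in log_text.splitlines():
        ev = classify(line)
        if ev is None:
            continue
        counts[ev["category"]] += 1
        if ev["agreement"]:
            last_state[ev["agreement"]] = ev["category"]
    return {"counts": counts, "agreements": last_state}


def diagnose(summary):
    """Map the mix of failures to the usual local cause; return (hints, stuck agreements)."""
    c, hints = summary["counts"], []
    if c["kdc-unreachable"]:
        hints.append("ns-slapd cannot get a TGT from its keytab: check krb5kdc and DNS "
                     "for the realm on this host before looking at replication")
    if c["ccache-missing"] and c["kdc-unreachable"]:
        hints.append("the missing credentials cache follows from the failed kinit "
                     "above; it is not a separate fault")
    if c["peer-rejected-gssapi"]:
        hints.append("a peer rejected the ticket in gss_accept_sec_context: check clock "
                     "skew, the peer's ldap/ keytab and that forward/reverse DNS agree")
    if c["peer-unreachable"]:
        hints.append("a peer's LDAP port did not answer: network, firewall or the "
                     "peer's dirsrv is down")
    if c["disorderly-shutdown"]:
        hints.append("the instance was killed rather than stopped; expect database "
                     "recovery on the next start")
    stuck = sorted(a for a, s in summary["agreements"].items() if s != "resumed")
    return hints, stuck


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    hints, stuck = diagnose(s)
    print(dict(s["counts"]))
    print("not resumed:", stuck)
    for h in hints:
        print("-", h)
```

Point it at /var/log/dirsrv/slapd-INSTANCE/errors instead of SAMPLE_LOG; agreements whose last state is anything other than "resumed" are the ones to chase, and a kdc-unreachable count above zero says the problem is local to the master, as Sean's kinit failures also show, rather than on the peers.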
From jhrozek at redhat.com Tue Jun 21 19:38:15 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 21 Jun 2016 21:38:15 +0200
Subject: [Freeipa-users] AD trust with POSIX attributes
In-Reply-To: <208644782.851245.1466510154786.JavaMail.zimbra@elostech.cz>
References: <208644782.851245.1466510154786.JavaMail.zimbra@elostech.cz>
Message-ID: <20160621193815.GS29512@hendrix>

On Tue, Jun 21, 2016 at 01:55:54PM +0200, Jan Karásek wrote:
> Hi all,
>
> I have a question about IPA with AD forest trust. What I am trying to do is set up an environment where all information about users is stored in one place - AD. I would like to read at least uid, home, shell and sshkey from AD.
>
> I have set up the trust with these parameters:
>
> ipa trust-add EXAMPLE.TT --type=ad --range-type=ipa-ad-trust-posix --admin=administrator

Did you add the POSIX attributes to AD after creating the trust maybe?

> [root at ipa1 ~]# ipa idrange-show EXAMPLE.TT_id_range
>   Range name: EXAMPLE.TT_id_range
>   First Posix ID of the range: 1392000000
>   Number of IDs in the range: 200000
>   Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756
>   Range type: Active Directory trust range with POSIX attributes
>
> I have set attributes in AD for user at EXAMPLE.TT
>   - uidNumber - 10000
>   - homeDirectory - /home/user
>   - loginShell - /bin/bash
>
> Trust itself works fine. I can do kinit with user at EXAMPLE.TT, I can run id and getent passwd user at example.tt and I can use user at example.tt for ssh.
>
> Problem is that I am not getting the uid from AD but from the idrange:
>
> uid=1392001107(user at example.tt)
>
> Also I have tried to switch off id mapping in sssd.conf with ldap_id_mapping = true in sssd.conf but no luck.

This has no effect, in the IPA-AD trust scenario the id mapping properties are managed on the server.

> I know that it is probably better to use ID views for this, but in our case we need to set up a centrally managed environment, where all user information is externally inserted into AD from the HR system - POSIX attributes included - and we need IPA to read them from AD.

I think idviews are better for overriding POSIX attributes for a specific set of hosts, but in your environment it sounds like you want to use the POSIX attributes across the board.

> So my questions are:
>
> Is it possible to read a user's POSIX attributes directly from AD - namely uid?

Yes

> Which attributes can be stored in AD?

Homedir is a bit special, for backwards compatibility the subdomains_homedir takes precedence. The others should be read from AD. I don't have the environment set at the moment, though, so I'm operating purely from memory.

> Am I doing something wrong?
>
> my sssd.conf:
> [domain/a.example.tt]
> debug_level = 5
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = a.example.tt
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ipa1.a.example.tt
> chpass_provider = ipa
> ipa_server = ipa1.a.example.tt
> ipa_server_mode = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> #ldap_id_mapping = true
> #subdomain_inherit = ldap_user_principal
> #ldap_user_principal = nosuchattribute
>
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
> domains = a.example.tt
>
> [nss]
> debug_level = 5
> homedir_substring = /home
> enum_cache_timeout = 2
> entry_negative_timeout = 2
>
> [pam]
> debug_level = 5
>
> [sudo]
>
> [autofs]
>
> [ssh]
> debug_level = 4
>
> [pac]
> debug_level = 4
>
> [ifp]
>
> Thanks,
> Jan

From npmccallum at redhat.com Tue Jun 21 20:23:25 2016
From: npmccallum at redhat.com (Nathaniel McCallum)
Date: Tue, 21 Jun 2016 16:23:25 -0400
Subject: [Freeipa-users] FreeOTP
In-Reply-To:
References: <68740fdb-859d-9cfe-4943-8b27a1ae5e49@dds.nl> <20160607164212.wh2idbbkniabdzdy@redhat.com> <1465319719.2595.7.camel@redhat.com> <1465394017.2599.3.camel@redhat.com> <1465406113.2599.25.camel@redhat.com> <6fc25458-745c-51a5-0d1a-c28d3e18331b@dds.nl> <20160609084645.GB15524@p.Speedport_W_724V_Typ_A_05011603_00_009> <1465476179.2969.8.camel@redhat.com> <20160609165109.GN3302@p.Speedport_W_724V_Typ_A_05011603_00_009>
Message-ID: <1466540605.17252.4.camel@redhat.com>

I have found and fixed what I believe to be the issue. I have submitted a patch upstream for review: https://github.com/krb5/krb5/pull/471

Once merged, we will backport the fix into all existing Fedora releases. So you should get an update via a simple: dnf update.

On Thu, 2016-06-16 at 10:28 +0200, Winfried de Heiden wrote:
> Hi all,
>
> "So it looks a bit like a libverto 32bit issue"; any news or progress on this? Bugzilla?
>
> Winny
>
> Op 09-06-16 om 18:51 schreef Sumit Bose:
> > On Thu, Jun 09, 2016 at 08:42:59AM -0400, Nathaniel McCallum wrote:
> > > On Thu, 2016-06-09 at 10:46 +0200, Sumit Bose wrote:
> > > > On Thu, Jun 09, 2016 at 08:16:13AM +0200, Winfried de Heiden wrote:
> > > > > Hi all,
> > > > >
> > > > > I can install libverto-libev but removing libverto-tevent will remove 123 dependencies also. (wget, tomcat and much more...)
> > > > >
> > > > > Hence, I installed libverto-libev, but did not remove libverto-tevent to give it a try. After ipactl restart still the same problem:
> > > >
> > > > fyi, I think I can reproduce the issue on 32bit Fedora. I tried libverto-libev as well but I removed libverto-tevent after installing libverto-libev with 'rpm -e --nodeps ....' to make sure libverto has no other chance.
> > > >
> > > > So it looks a bit like a libverto 32bit issue. I used libverto-0.2.6-4.fc22. Since I knew that it was working before on 32bits I tried libverto-0.2.5 and libverto-0.2.4 as well with no luck.
> > > >
> > > > Nathaniel, do you have any suggestions what to check with gdb?
> > >
> > > It may not be a libverto issue at all. Just to summarize, krb5kdc sends the otp request to ipa-otpd using RADIUS-over-UNIX-socket.
> > >
> > > It appears that ipa-otpd receives the request and sends the appropriate response. However, krb5kdc never appears to receive the request and times out. Once it times out, it closes the socket and ipa-otpd exits.
> > >
> > > The question is: why?
> > >
> > > This could be a bug in krb5kdc, libkrad or libverto. Does the event actually fire from libverto? Does libkrad process it correctly? Does krb5kdc process it correctly?
> > >
> > > There are lots of places to attach gdb. I would probably start here:
> > > https://github.com/krb5/krb5/blob/master/src/lib/krad/client.c#L193
> >
> > It looks like the 3rd argument of recv(), the buffer length, becomes negative aka very big in on_io_read()
> >
> >     i = recv(verto_get_fd(rr->io), rr->buffer.data + rr->buffer.length,
> >              pktlen - rr->buffer.length, 0);
> >
> > because pktlen is 4 and rr->buffer.length is 16 on my 32bit system. I wonder if pktlen isn't sufficient here because it already is the result of 'len - buffer->length' which is calculated in krad_packet_bytes_needed() ?
> >
> > bye,
> > Sumit

From rmeggins at redhat.com Tue Jun 21 21:26:39 2016
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 21 Jun 2016 15:26:39 -0600
Subject: [Freeipa-users] Active Directory password sync fails with RC 34
In-Reply-To:
References:
Message-ID:

Great! Glad you got that working. Next step is to use AD trust instead of sync . . .

On 06/21/2016 12:58 AM, Toby Gale wrote:
> Thanks for the help Rich.
>
> Looking at the log I noticed some extra characters in the DN that corresponds to "Search Base". I got the Windows admin to share his RDP session to the DC and had a look at the registry in "HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync". I noticed the same characters in the "Search Base" key. I think the extra characters were accidentally copy-pasted from the documentation I sent them.
>
> Removing them and restarting the service has resolved the problem.
>
> On Mon, Jun 20, 2016 at 3:49 PM, Rich Megginson wrote:
>
> On 06/18/2016 05:47 AM, Toby Gale wrote:
>>
>> Hello,
>>
>> After successfully adding a 'winsync' agreement and loading AD data into FreeIPA I am trying to configure the password sync software on the domain controllers.
>>
>> I have installed the certificates and can successfully bind from the domain controller using ldp.exe and the 'uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com' user.
>>
>> I have edited the registry to increase logging, by setting 'HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync\Log Level' to '1' and I am seeing the error:
>>
>> 06/17/16 08:47:32: Backoff time expired. Attempting sync
>> 06/17/16 08:47:32: Password list has 1 entries
>> 06/17/16 08:47:32: Attempting to sync password for some.user
>> 06/17/16 08:47:32: Searching for (ntuserdomainid=some.user)
>> 06/17/16 08:47:32: Ldap error in QueryUsername
>> 34: Invalid DN syntax
>
> Take a look at the 389/dirsrv access log on your linux host at /var/log/dirsrv/slapd-HOSTNAME/access - see if you can find the error corresponding to this - it should be at the same approximate date/time (make sure you check your time zones) and the RESULT line should have err=34
>
>> 06/17/16 08:47:32: Deferring password change for some.user
>> 06/17/16 08:47:32: Backing off for 1024000ms
>>
>> When I run the query from the CLI, it is successful:
>>
>> $ ldapsearch -x -H ldaps://localhost:636 -D 'uid=passsync,cn=sysaccounts,cn=etc,dc=my,dc=domain,dc=com' -w 'password' -b 'cn=users,cn=accounts,dc=my,dc=domain,dc=com' '(ntuserdomainid=some.user)'
>>
>> Can anyone help me resolve this?
>>
>> Thanks.
From schogan at us.ibm.com Wed Jun 22 00:56:03 2016
From: schogan at us.ibm.com (Sean Hogan)
Date: Tue, 21 Jun 2016 17:56:03 -0700
Subject: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
In-Reply-To:
References:
Message-ID:

More info

Krb5 log is showing:

Jun 21 20:42:47 Firstmaster.domain.local krb5kdc[2141](info): AS_REQ (4 etypes {18 17 16 23}) 10.x.x.x: LOOKING_UP_CLIENT: admin at domain.LOCAL for krbtgt/DOMAIN.LOCAL at DOMAIN.LOCAL, Server error

[bob at Firstmaster etc]# kinit -v admin
kinit: Credentials cache file '/tmp/krb5cc_0' not found while validating credentials

Sean Hogan

From: Sean Hogan/Durham/IBM
To: freeipa-users
Date: 06/21/2016 12:02 PM
Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem

Has anyone seen these before?

First Master IPA DNS logs show:

Looks like the host names are getting the domain twice domain.local.domain.local

client 10.x.x.x#58094: query failed (SERVFAIL) for server1.domain.local.domain.local/IN/AAAA at query.c:6569
timeout in ldap_pool_getconnection(): try to raise 'connections' parameter; potential deadlock?
client 10.x.x.x#44147: query failed (SERVFAIL) for x.x.x.10.in-addr.arpa/IN/PTR at query.c:6569
timeout in ldap_pool_getconnection(): try to raise 'connections' parameter; potential deadlock?
client 10.x.x.x#56466: query failed (SERVFAIL) for x.x.x.10.in-addr.arpa/IN/PTR at query.c:6569
timeout in ldap_pool_getconnection(): try to raise 'connections' parameter; potential deadlock?
client 10.x.x.x#53367: query failed (SERVFAIL) for server2.domain.local.domain.local/IN/A at query.c:6569
timeout in ldap_pool_getconnection(): try to raise 'connections' parameter; potential deadlock?
client 10.x.x.x#53367: query failed (SERVFAIL) for server2.domain.local.domain.local/IN/AAAA at query.c:6569

So enrolls are failing at this point when trying to enroll to a replica:

[bob at server1 log]# ipa-client-install --enable-dns-updates
Discovery was successful!
Hostname: server1.watson.local
Realm: DOMAIN.LOCAL
DNS Domain: domain.local
IPA Server: ipareplica.domain.local
BaseDN: dc=domain,dc=local

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: bob
Synchronizing time with KDC...
Password for bob at DOMAIN.LOCAL:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=DOMAIN.LOCAL
    Issuer:      CN=Certificate Authority,O=DOMAIN.LOCAL
    Valid From:  Tue Jan 06 19:37:09 2015 UTC
    Valid Until: Sat Jan 06 19:37:09 2035 UTC

Enrolled in IPA realm DOMAIN.LOCAL
Attempting to get host TGT...
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm DOMAIN.LOCAL
trying https://ipareplica.domain.local/ipa/xml
Cannot connect to the server due to Kerberos error: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('KDC returned error string: PROCESS_TGS', -1765328324)/. Trying with delegate=True
trying https://ipareplica.domain.local/ipa/xml
Second connect with delegate=True also failed: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('KDC returned error string: PROCESS_TGS', -1765328324)/
Cannot connect to the IPA server XML-RPC interface: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('KDC returned error string: PROCESS_TGS', -1765328324)/
Installation failed. Rolling back changes.
Unenrolling client from IPA server
Unenrolling host failed: Error obtaining initial credentials: Generic error (see e-text).
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.

Sean Hogan

From: Sean Hogan/Durham/IBM
To: Sean Hogan/Durham/IBM at IBMUS
Cc: freeipa-users
Date: 06/20/2016 12:49 PM
Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem

Also seeing this in the upgrade log on the first master but not on the 7 ipas.

ERROR Failed to restart named: Command '/sbin/service named restart ' returned non-zero exit status 7

which led me to https://bugzilla.redhat.com/show_bug.cgi?id=895298

Sean Hogan

From: Sean Hogan/Durham/IBM at IBMUS
To: freeipa-users
Date: 06/20/2016 11:46 AM
Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
Sent by: freeipa-users-bounces at redhat.com

Hi All..

I thought we fixed this issue by rebooting the KVM host but it is showing again. Our First Master IPA is being rebooted 2-5 times a day now just to keep it alive.

What we are seeing:

[God at FirstMaster log]# kinit admin
kinit: Cannot contact any KDC for realm 'Domain.LOCAL' while getting initial credentials

DNS is not working as nslookup is failing to a replica.... think once we lose DNS it all goes down hill which makes sense.

[god at FirstMaster log]# ipactl stop -----> Just hangs forever.. no replies.. no error.. nothing

I try service named stop and nothing happens

I have the box hard shutdown from KVM console. Reboot it and it works for a little while but eventually back to same behavior.

At this point I can service named stop and it responds... ipactl status and it responds.. but if I try service named restart I get

[god at FirstMaster log]# service named stop
Stopping named: ......
[god at Firstmaster log]# service named start
Starting named: [FAILED]
[god at FirstMaster log]# service named status
rndc: connect failed: 127.0.0.1#953: connection refused
named dead but pid file exists

Rebooted box and it is hung on shutting down domain-local and never fully shuts down.. have to get it hard shutdown again.

During an attempt to gracefully shut down we see this

Shutting Down dirsrv:
    PKI-IPA OK
    DOMAIN-LOCAL FAILED
*** Error: 1 instance(s) unsuccessfully stopped FAILED

Then it moves on to shut other things down and returns to dirsrv

Shutting Down dirsrv:
    PKI-IPA....server already stopped FAILED {Makes sense.. it died earlier}
    DOMAIN-LOCAL... {this sits here til we hard shutdown}

bind-libs-9.8.2-0.47.rc1.el6.x86_64
bind-9.8.2-0.47.rc1.el6.x86_64
bind-utils-9.8.2-0.47.rc1.el6.x86_64
ipa-client-3.0.0-50.el6.1.x86_64
ipa-server-selinux-3.0.0-50.el6.1.x86_64
ipa-server-3.0.0-50.el6.1.x86_64
sssd-ipa-1.13.3-22.el6.x86_64

/var/log/dirsrv/slapd-DOMAIN-LOCAL
[20/Jun/2016:13:29:06 -0400] - 389-Directory/1.2.11.15 B2016.063.2110 starting up
[20/Jun/2016:13:29:06 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=domain,dc=local
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - ruv_compare_ruv: RUV [database RUV] does not contain element [{replica 7} 55ca26a0000900070000 5688d8e6001000070000] which is present in RUV [changelog max RUV]
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: for replica dc=domain,dc=local there were some differences between the changelog max RUV and the database RUV. If there are obsolete elements in the database RUV, you should remove them using the CLEANALLRUV task. If they are not obsolete, you should check their status to see why there are no changes from those servers in the changelog.
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
[20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
[20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver9.domain.local" (server9:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
[20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jun/2016:13:29:07 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[20/Jun/2016:13:29:07 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[20/Jun/2016:13:29:07 -0400] - Listening on /var/run/slapd-DOMAIN-LOCAL.socket for LDAPI requests
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
[20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver4.domain.local" (server4:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
[20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meTo1server.domain.local" (1server:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
[20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver7.domain.local" (server7:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 0 (Success)
[20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin - agmt="cn=meToserver9.domain.local" (server9:389): Replication bind with GSSAPI auth resumed
[20/Jun/2016:13:29:10 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[20/Jun/2016:13:29:10 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
[20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin - agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
[20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with GSSAPI auth resumed
[20/Jun/2016:13:29:10 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin - agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with GSSAPI auth resumed
[20/Jun/2016:13:29:10 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory)
[20/Jun/2016:13:29:10 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:29:10 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory)
[20/Jun/2016:13:29:10 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:29:16 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[20/Jun/2016:13:29:16 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
[20/Jun/2016:13:59:00 -0400] - 389-Directory/1.2.11.15 B2016.063.2110 starting up
[20/Jun/2016:13:59:00 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[20/Jun/2016:13:59:01 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=domain,dc=local
[20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - ruv_compare_ruv: RUV [database RUV] does not contain element [{replica 7} 55ca26a0000900070000 5688d8e6001000070000] which is present in RUV [changelog max RUV]
[20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: for replica dc=domain,dc=local there were some differences between the changelog max RUV and the database RUV.
If there are obsolete elements in the database RUV, you should remove them using the CLEANALLRUV task. If they are not obsolete, you should check their status to see why there are no changes from those servers in the changelog. [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver9.domain.local" (server9:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meTobldvxl0011.domain.local" (1server:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver7.domain.local" (server7:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:59:48 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests [20/Jun/2016:13:59:48 -0400] - Listening on All Interfaces port 636 for LDAPS requests [20/Jun/2016:13:59:48 -0400] - Listening on /var/run/slapd-DOMAIN-LOCAL.socket for LDAPI requests [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver4.domain.local" (server4:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 0 (Success) [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) [20/Jun/2016:13:59:51 -0400] NSMMReplicationPlugin - agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with GSSAPI auth resumed [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) [20/Jun/2016:13:59:51 -0400] NSMMReplicationPlugin - agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory) [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) [20/Jun/2016:13:59:57 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) [20/Jun/2016:13:59:57 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) [20/Jun/2016:13:59:57 -0400] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with GSSAPI auth resumed Sean Hogan Inactive hide details for Sean Hogan---06/02/2016 09:24:39 AM---Hello All, Recently went from RHEL 6.7 IPA 3.0.47 to 6.8 IPA 3.Sean Hogan---06/02/2016 09:24:39 AM---Hello All, Recently went from RHEL 6.7 IPA 3.0.47 to 6.8 IPA 3.0.50. I also think (not sure on this From: Sean Hogan/Durham/IBM To: freeipa-users Date: 06/02/2016 09:24 AM Subject: IPA 3.0.47 to 3.0.50 Upgrade problem Hello All, Recently went from RHEL 6.7 IPA 3.0.47 to 6.8 IPA 3.0.50. I also think (not sure on this yet) that they changed ntp.. ntp used to point at my ipas.. but they look like they are now pointing elsewhere. Everything was stable at 6.7 3.0.47 pointing to IPA for NTP. However.. they all seem to have the same date. My master first IPA is acting up. Replication is off, kerberos seems to be off, DNS is off and I think IPA in general on it is toast. We do have 8 IPAs.. only FirstMaster is acting up it seems right now and all either running on KVM or ESXI. 
[God at FirstMasterIPA slapd-DOMAIN-LOCAL]# kinit admin
kinit: Generic error (see e-text) while getting initial credential

slapd-DOMAIN-LOCAL
[01/Jun/2016:18:25:43 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for realm 'DOMAIN.LOCAL')) errno 115 (Operation now in progress)
[01/Jun/2016:18:25:43 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin - agmt="cn=meToipaserv2.domain.local" (ipaserv2:389): Replication bind with GSSAPI auth resumed
[01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin - agmt="cn=meToipaserv3.domain.local" (ipaserv3:389): Replication bind with GSSAPI auth resumed
[01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin - agmt="cn=meToipaserv4.domain.local" (ipaserv4:389): Replication bind with GSSAPI auth resumed
[01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin -

From pspacek at redhat.com Wed Jun 22 05:07:39 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 22 Jun 2016 07:07:39 +0200
Subject: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
In-Reply-To:
References:
Message-ID: <79454fce-7e51-eebf-44eb-c7a472cef1fd@redhat.com>

On 22.6.2016 02:56, Sean Hogan wrote:
> More info
>
> Krb5 log is showing:
> Jun 21 20:42:47 Firstmaster.domain.local krb5kdc[2141](info): AS_REQ (4 etypes {18 17 16 23}) 10.x.x.x: LOOKING_UP_CLIENT: admin at domain.LOCAL for krbtgt/DOMAIN.LOCAL at DOMAIN.LOCAL, Server error

Hello,

this is really fishy.
I would bet that there is a problem with the LDAP server and the DNS errors are just a consequence of it.

I suspect that you will not be able to finish the steps mentioned in
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a3.FailedtoinitcredentialsorFailedtogetinitialcredentialsDecryptintegritycheckfailedorClientscredentialshavebeenrevoked

If it is the case I would turn your attention to krb5kdc.log and LDAP server logs in /var/log/dirsrv/*

There must be something wrong with the LDAP server.

Petr^2 Spacek

> [bob at Firstmaster etc]# kinit -v admin
> kinit: Credentials cache file '/tmp/krb5cc_0' not found while validating credentials
>
> Sean Hogan
>
> From: Sean Hogan/Durham/IBM
> To: freeipa-users
> Date: 06/21/2016 12:02 PM
> Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
>
> Has anyone seen these before?
>
> First Master IPA DNS logs show: Looks like the host names are getting the domain twice domain.local.domain.local
>
> client 10.x.x.x#58094: query failed (SERVFAIL) for server1.domain.local.domain.local/IN/AAAA at query.c:6569
> timeout in ldap_pool_getconnection(): try to raise 'connections' parameter; potential deadlock?
> client 10.x.x.x#44147: query failed (SERVFAIL) for x.x.x.10.in-addr.arpa/IN/PTR at query.c:6569
> timeout in ldap_pool_getconnection(): try to raise 'connections' parameter; potential deadlock?
> client 10.x.x.x#56466: query failed (SERVFAIL) for x.x.x.10.in-addr.arpa/IN/PTR at query.c:6569
> timeout in ldap_pool_getconnection(): try to raise 'connections' parameter; potential deadlock?
> client 10.x.x.x53367: query failed (SERVFAIL) for server2.domain.local.domain.local/IN/A at query.c:6569
> timeout in ldap_pool_getconnection(): try to raise 'connections' parameter; potential deadlock?
> client 10.x.x.x#53367: query failed (SERVFAIL) for server2.domain.local.domain.local/IN/AAAA at query.c:6569
>
> So enrolls are failing at this point when trying to enroll to a replica:
>
> [bob at server1 log]# ipa-client-install --enable-dns-updates
> Discovery was successful!
> Hostname: server1.watson.local
> Realm: DOMAIN.LOCAL
> DNS Domain: domain.local
> IPA Server: ipareplica.domain.local
> BaseDN: dc=domain,dc=local
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: bob
> Synchronizing time with KDC...
> Password for bob at DOMAIN.LOCAL:
> Successfully retrieved CA cert
> Subject: CN=Certificate Authority,O=DOMAIN.LOCAL
> Issuer: CN=Certificate Authority,O=DOMAIN.LOCAL
> Valid From: Tue Jan 06 19:37:09 2015 UTC
> Valid Until: Sat Jan 06 19:37:09 2035 UTC
>
> Enrolled in IPA realm DOMAIN.LOCAL
> Attempting to get host TGT...
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm DOMAIN.LOCAL
> trying https://ipareplica.domain.local/ipa/xml
> Cannot connect to the server due to Kerberos error: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('KDC returned error string: PROCESS_TGS', -1765328324)/. Trying with delegate=True
> trying https://ipareplica.domain.local/ipa/xml
> Second connect with delegate=True also failed: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('KDC returned error string: PROCESS_TGS', -1765328324)/
> Cannot connect to the IPA server XML-RPC interface: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('KDC returned error string: PROCESS_TGS', -1765328324)/
> Installation failed. Rolling back changes.
> Unenrolling client from IPA server
> Unenrolling host failed: Error obtaining initial credentials: Generic error (see e-text).
>
> Removing Kerberos service principals from /etc/krb5.keytab
> Disabling client Kerberos and LDAP configurations
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
> Restoring client configuration files
> nscd daemon is not installed, skip configuration
> nslcd daemon is not installed, skip configuration
> Client uninstall complete.
>
> Sean Hogan
>
> From: Sean Hogan/Durham/IBM
> To: Sean Hogan/Durham/IBM at IBMUS
> Cc: freeipa-users
> Date: 06/20/2016 12:49 PM
> Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
>
> Also seeing this in the upgrade log on the first master but not on the 7 ipas.
>
> ERROR Failed to restart named: Command '/sbin/service named restart ' returned non-zero exit status 7
>
> which led me to
>
> https://bugzilla.redhat.com/show_bug.cgi?id=895298
>
> Sean Hogan
>
> From: Sean Hogan/Durham/IBM at IBMUS
> To: freeipa-users
> Date: 06/20/2016 11:46 AM
> Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
> Sent by: freeipa-users-bounces at redhat.com
>
> Hi All..
>
> I thought we fixed this issue by rebooting the KVM host but it is showing again. Our First Master IPA is being rebooted 2-5 times a day now just to keep it alive.
>
> What we are seeing:
>
> God at FirstMaster log]# kinit admin
> kinit: Cannot contact any KDC for realm 'Domain.LOCAL' while getting initial credentials
>
> DNS is not working as nslookup is failing to a replica.... think once we lose DNS it all goes down hill which makes sense.
>
> [god at FirstMaster log]# ipactl stop -----> Just hangs forever.. no replies.. no error.. nothing
>
> I try service named stop and nothing happens
>
> I have the box hard shutdown from KVM console.
> Reboot it and it works for a little while but eventually back to same behavior.
>
> At this point I can service named stop and it responds... ipactl status and it responds.. but if I try service named restart I get
>
> [god at FirstMaster log]# service named stop
> Stopping named: ......
>
> [god at Firstmaster log]# service named start
> Starting named: [FAILED]
>
> [god at FirstMaster log]# service named status
> rndc: connect failed: 127.0.0.1#953: connection refused
> named dead but pid file exists
>
> Rebooted box and it is hung on shutting down domain-local and never fully shuts down.. have to get it hard shutdown again.
> During an attempt to gracefully shut down we see this
>
> Shutting Down dirsrv:
> PKI-IPA OK
> DOMAIN-LOCAL FAILED
> *** Error: 1 instance(s) unsuccessfully stopped FAILED
>
> Then it moves on to shut other things down and returns to dirsrv
> Shutting Down dirsrv:
> PKI-IPA....server already stopped FAILED {Makes sense.. it died earlier}
> DOMAIN-LOCAL... {this sits here til we hard shutdown}
>
> bind-libs-9.8.2-0.47.rc1.el6.x86_64
> bind-9.8.2-0.47.rc1.el6.x86_64
> bind-utils-9.8.2-0.47.rc1.el6.x86_64
>
> ipa-client-3.0.0-50.el6.1.x86_64
> ipa-server-selinux-3.0.0-50.el6.1.x86_64
> ipa-server-3.0.0-50.el6.1.x86_64
> sssd-ipa-1.13.3-22.el6.x86_64
>
> /var/log/dirsrv/slapd-DOMAIN-LOCAL
> [20/Jun/2016:13:29:06 -0400] - 389-Directory/1.2.11.15 B2016.063.2110 starting up
> [20/Jun/2016:13:29:06 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=domain,dc=local
> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - ruv_compare_ruv: RUV [database RUV] does not contain element [{replica 7} 55ca26a0000900070000 5688d8e6001000070000] which is present in RUV [changelog max RUV]
> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: for replica dc=domain,dc=local there were some differences between the changelog max RUV and the database RUV. If there are obsolete elements in the database RUV, you should remove them using the CLEANALLRUV task. If they are not obsolete, you should check their status to see why there are no changes from those servers in the changelog.
> [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
> [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
> [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
> [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver9.domain.local" (server9:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
> [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
> [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
> [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> [20/Jun/2016:13:29:07 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [20/Jun/2016:13:29:07 -0400] - Listening on All Interfaces port 636 for LDAPS requests
> [20/Jun/2016:13:29:07 -0400] - Listening on /var/run/slapd-DOMAIN-LOCAL.socket for LDAPI requests
> [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
> [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver4.domain.local" (server4:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
> [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
> [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meTo1server.domain.local" (1server:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
> [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
> [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver7.domain.local" (server7:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
> [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 0 (Success)
> [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
> [20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin - agmt="cn=meToserver9.domain.local" (server9:389): Replication bind with GSSAPI auth resumed
> [20/Jun/2016:13:29:10 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
> [20/Jun/2016:13:29:10 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
> [20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin - agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
> [20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with GSSAPI auth resumed
> [20/Jun/2016:13:29:10 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin - agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with GSSAPI auth resumed
> [20/Jun/2016:13:29:10 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (No credentials cache > found)) errno 2 (No such file or directory) > [20/Jun/2016:13:29:10 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:29:10 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. Minor code may provide more information (No credentials cache > found)) errno 2 (No such file or directory) > [20/Jun/2016:13:29:10 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:29:16 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 > (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: > gss_accept_sec_context) errno 0 (Success) > [20/Jun/2016:13:29:16 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) > [20/Jun/2016:13:59:00 -0400] - 389-Directory/1.2.11.15 B2016.063.2110 > starting up > [20/Jun/2016:13:59:00 -0400] - Detected Disorderly Shutdown last time > Directory Server was running, recovering database. > [20/Jun/2016:13:59:01 -0400] schema-compat-plugin - warning: no entries set > up under cn=computers, cn=compat,dc=domain,dc=local > [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - ruv_compare_ruv: RUV > [database RUV] does not contain element [{replica 7} 55ca26a0000900070000 > 5688d8e6001000070000] which is present in RUV [changelog max RUV] > [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - > replica_check_for_data_reload: Warning: for replica dc=domain,dc=local > there were some differences between the changelog max RUV and the database > RUV. 
If there are obsolete elements in the database RUV, you should remove > them using the CLEANALLRUV task. If they are not obsolete, you should check > their status to see why there are no changes from those servers in the > changelog. > [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial > credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in > keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC > for requested realm) > [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial > credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in > keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC > for requested realm) > [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial > credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in > keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC > for requested realm) > [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. Minor code may provide more information (Credentials cache file > '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) > [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. 
Minor code may provide more information (Credentials cache file > '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) > [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - > agmt="cn=meToserver9.domain.local" (server9:389): Replication bind with > GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: > GSSAPI Error: Unspecified GSS failure. Minor code may provide more > information (Credentials cache file '/tmp/krb5cc_495' not found)) > [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial > credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in > keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC > for requested realm) > [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - > agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with > GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: > GSSAPI Error: Unspecified GSS failure. Minor code may provide more > information (Credentials cache file '/tmp/krb5cc_495' not found)) > [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. Minor code may provide more information (Credentials cache file > '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) > [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - > agmt="cn=meTobldvxl0011.domain.local" (1server:389): Replication bind with > GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: > GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more > information (Credentials cache file '/tmp/krb5cc_495' not found)) > [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. Minor code may provide more information (Credentials cache file > '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) > [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - > agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with > GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: > GSSAPI Error: Unspecified GSS failure. Minor code may provide more > information (Credentials cache file '/tmp/krb5cc_495' not found)) > [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial > credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in > keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC > for requested realm) > [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial > credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in > keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC > for requested realm) > [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. 
Minor code may provide more information (Credentials cache file > '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) > [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - > agmt="cn=meToserver7.domain.local" (server7:389): Replication bind with > GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: > GSSAPI Error: Unspecified GSS failure. Minor code may provide more > information (Credentials cache file '/tmp/krb5cc_495' not found)) > [20/Jun/2016:13:59:48 -0400] - slapd started. Listening on All Interfaces > port 389 for LDAP requests > [20/Jun/2016:13:59:48 -0400] - Listening on All Interfaces port 636 for > LDAPS requests > [20/Jun/2016:13:59:48 -0400] - Listening > on /var/run/slapd-DOMAIN-LOCAL.socket for LDAPI requests > [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. Minor code may provide more information (Credentials cache file > '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) > [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - > agmt="cn=meToserver4.domain.local" (server4:389): Replication bind with > GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: > GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more > information (Credentials cache file '/tmp/krb5cc_495' not found)) > [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial > credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in > keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC > for requested realm) > [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. Minor code may provide more information (Credentials cache file > '/tmp/krb5cc_495' not found)) errno 0 (Success) > [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - > agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with > GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: > GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more > information (Credentials cache file '/tmp/krb5cc_495' not found)) > [20/Jun/2016:13:59:51 -0400] NSMMReplicationPlugin - > agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with > GSSAPI auth resumed > [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 > (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: > gss_accept_sec_context) errno 0 (Success) > [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) > [20/Jun/2016:13:59:51 -0400] NSMMReplicationPlugin - > agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with > GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): > authentication failure: GSSAPI Failure: gss_accept_sec_context) > [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. Minor code may provide more information (No credentials cache > found)) errno 2 (No such file or directory) > [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. 
Minor code may provide more information (No credentials cache > found)) errno 2 (No such file or directory) > [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. Minor code may provide more information (No credentials cache > found)) errno 2 (No such file or directory) > [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. Minor code may provide more information (No credentials cache > found)) errno 2 (No such file or directory) > [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. 
> [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [20/Jun/2016:13:59:57 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
> [20/Jun/2016:13:59:57 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
> [20/Jun/2016:13:59:57 -0400] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with GSSAPI auth resumed
>
> Sean Hogan
>
> From: Sean Hogan/Durham/IBM
> To: freeipa-users
> Date: 06/02/2016 09:24 AM
> Subject: IPA 3.0.47 to 3.0.50 Upgrade problem
>
> Hello All,
>
> Recently went from RHEL 6.7 IPA 3.0.47 to 6.8 IPA 3.0.50. I also think (not sure on this yet) that they changed ntp.. ntp used to point at my ipas.. but they look like they are now pointing elsewhere. Everything was stable at 6.7 3.0.47 pointing to IPA for NTP. However.. they all seem to have the same date.
>
> My master first IPA is acting up. Replication is off, Kerberos seems to be off, DNS is off and I think IPA in general on it is toast.
> We do have 8 IPAs.. only FirstMaster is acting up it seems right now and all either running on KVM or ESXI.
>
> [God at FirstMasterIPA slapd-DOMAIN-LOCAL]# kinit admin
> kinit: Generic error (see e-text) while getting initial credential
>
> slapd-DOMAIN-LOCAL
> [01/Jun/2016:18:25:43 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for realm 'DOMAIN.LOCAL')) errno 115 (Operation now in progress)
> [01/Jun/2016:18:25:43 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin - agmt="cn=meToipaserv2.domain.local" (ipaserv2:389): Replication bind with GSSAPI auth resumed
> [01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin - agmt="cn=meToipaserv3.domain.local" (ipaserv3:389): Replication bind with GSSAPI auth resumed
> [01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin - agmt="cn=meToipaserv4.domain.local" (ipaserv4:389): Replication bind with GSSAPI auth resumed
> [01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin -

-- 
Petr^2 Spacek

From tomek at pipebreaker.pl Wed Jun 22 08:28:12 2016
From: tomek at pipebreaker.pl (Tomasz Torcz)
Date: Wed, 22 Jun 2016 10:28:12 +0200
Subject: [Freeipa-users] Multiple issues (weblogin, DNS) with 4.3.1
In-Reply-To: <57697B8B.3020600@redhat.com>
References: <20160527122848.GA333519@mother.pipebreaker.pl> <5763C3A6.3050802@redhat.com> <20160618171354.GA439585@mother.pipebreaker.pl> <57660B3F.2010308@redhat.com> <20160620080714.GA275278@mother.pipebreaker.pl> <57697B8B.3020600@redhat.com>
Message-ID: <20160622082812.GA1285792@mother.pipebreaker.pl>

On Tue, Jun 21, 2016 at 01:38:19PM -0400, Rob Crittenden wrote:
> > > > [Sat Jun 18 18:59:11.337717 2016] [wsgi:error] [pid 748083] CertificateOperationError: Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)
> > > > [Sat Jun 18 18:59:11.337770 2016] [wsgi:error] [pid 748083]
> > > > [Sat Jun 18 18:59:11.338805 2016] [wsgi:error] [pid 748083] ipa: INFO: [jsonserver_session] admin at PIPEBREAKER.PL: cert_find(version=u'2.164'): CertificateOperationError
> > > >
> > > > How to fix those?
> > >
> > > You'll need to look at the dogtag debug log for the reason it threw a 500, it's in /var/log/pki-tomcat/ca or something close to that.
> >
> > I've looked into the logs but I'm not wiser. Is there a setting to get rid of the Java traceback from the logs and get more useful messages? There seems to be a problem with the SSL connection to port 636, maybe because it seems to use an expired certificate?
>
> Not that I know of. The debug log is sure a firehose but you've identified the problem.
>
> > $ echo | openssl s_client -connect okda.pipebreaker.pl:636 | openssl x509 -noout
> > depth=1 O = PIPEBREAKER.PL, CN = Certificate Authority
> > verify return:1
> > depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
> > verify error:num=10:certificate has expired
> > notAfter=Nov 17 12:19:28 2015 GMT
> > verify return:1
> > depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
> > notAfter=Nov 17 12:19:28 2015 GMT
> > verify return:1
> > DONE
>
> Run getcert list and look at the expiration dates. What you want to do is kill ntpd, set the date back to say a week before the oldest date, restart the dirsrv, restart the pki-tomcat/pki-cad service then restart certmonger. This should force a renewal attempt.

Expiration dates look fine:

root at okda ~$ getcert list
Number of certificates and requests being tracked: 1.
Request ID '20131116123125':
	status: CA_UNREACHABLE
	ca-error: Server at https://okda.pipebreaker.pl/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (503)).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=PIPEBREAKER.PL
	subject: CN=okda.pipebreaker.pl,O=PIPEBREAKER.PL
	expires: 2017-12-10 19:44:31 UTC
	principal name: HTTP/okda.pipebreaker.pl at PIPEBREAKER.PL
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/lib64/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes

It's in 2017. The output seems quite short; on the other replica "getcert list" returns 9 certificates.

P.S. Unfortunately https://fedorahosted.org/pki/ticket/1752 (Renewing already expired CA certificate) didn't make it into FreeIPA 4.4.0 alpha. :-(

-- 
Tomasz Torcz                 Once you've read the dictionary,
xmpp: zdzichubg at chrome.pl   every other book is just a remix.

From wdh at dds.nl Wed Jun 22 11:21:46 2016
From: wdh at dds.nl (Winfried de Heiden)
Date: Wed, 22 Jun 2016 13:21:46 +0200
Subject: [Freeipa-users] FreeOTP
In-Reply-To: <1466540605.17252.4.camel@redhat.com>
References: <68740fdb-859d-9cfe-4943-8b27a1ae5e49@dds.nl> <20160607164212.wh2idbbkniabdzdy@redhat.com> <1465319719.2595.7.camel@redhat.com> <1465394017.2599.3.camel@redhat.com> <1465406113.2599.25.camel@redhat.com> <6fc25458-745c-51a5-0d1a-c28d3e18331b@dds.nl> <20160609084645.GB15524@p.Speedport_W_724V_Typ_A_05011603_00_009> <1465476179.2969.8.camel@redhat.com> <20160609165109.GN3302@p.Speedport_W_724V_Typ_A_05011603_00_009> <1466540605.17252.4.camel@redhat.com>
Message-ID:

An HTML attachment was scrubbed...
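Rob's advice in the exchange above amounts to comparing what certmonger tracks with what each service actually presents on the wire; Tomasz's case (one tracked certificate, an expired certificate on port 636) is exactly the mismatch such a comparison should catch. The script below is an added example, not code from the thread or from FreeIPA: it parses `getcert list` and `openssl x509 -noout -subject -enddate` output (both samples constructed from the excerpts in this thread) and reports failing renewals, expired served certificates, and served certificates that match no tracked one.

```python
"""Cross-check the certificate a FreeIPA service presents on the wire against
the certificates certmonger tracks.  Added example, not code from the thread
or from FreeIPA; both sample outputs are constructed from the thread's
`getcert list` and `openssl s_client | openssl x509` excerpts."""
import re
from datetime import datetime, timezone

# Constructed sample: `getcert list` on the affected server (one tracked request).
GETCERT_LIST = """\
Number of certificates and requests being tracked: 1.
Request ID '20131116123125':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://okda.pipebreaker.pl/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (503)).
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=PIPEBREAKER.PL
\tsubject: CN=okda.pipebreaker.pl,O=PIPEBREAKER.PL
\texpires: 2017-12-10 19:44:31 UTC
\tprincipal name: HTTP/okda.pipebreaker.pl@PIPEBREAKER.PL
\ttrack: yes
\tauto-renew: yes
"""

# Constructed sample: output of
#   openssl s_client -connect okda.pipebreaker.pl:636 </dev/null 2>/dev/null \
#     | openssl x509 -noout -subject -enddate
SERVED_636 = """\
subject=O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
notAfter=Nov 17 12:19:28 2015 GMT
"""

REFERENCE_NOW = datetime(2016, 6, 22, tzinfo=timezone.utc)  # constructed: date of the thread


def normalize_dn(dn):
    """Canonical, order-independent form of a DN so that getcert's 'CN=x,O=y',
    openssl's 'O = y, CN = x' and the legacy '/O=y/CN=x' compare equal.
    (Values containing ',' or '/' would need a real DN parser.)"""
    dn = dn.strip()
    parts = dn.strip("/").split("/") if dn.startswith("/") else dn.split(",")
    return frozenset((a.strip().upper(), v.strip()) for a, _, v in
                     (p.partition("=") for p in parts))


def parse_getcert_list(text):
    """Parse `getcert list` into one dict per tracked request."""
    records, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            records.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    for rec in records:
        rec["expires_at"] = datetime.strptime(
            rec["expires"].replace(" UTC", ""), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        rec["subject_dn"] = normalize_dn(rec["subject"])
        m = re.search(r"location='([^']*)',nickname='([^']*)'", rec.get("certificate", ""))
        rec["nss_db"], rec["nickname"] = (m.group(1), m.group(2)) if m else (None, None)
    return records


def parse_served_cert(text):
    """Parse `openssl x509 -noout -subject -enddate` output."""
    fields = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    not_after = datetime.strptime(fields["notAfter"].strip().replace(" GMT", ""),
                                  "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return {"subject_dn": normalize_dn(fields["subject"]), "not_after": not_after}


def audit(tracked, served_by_port, now=REFERENCE_NOW):
    """Return human-readable findings: failing renewals, expired served
    certificates, and served certificates certmonger does not know about."""
    findings = []
    for t in tracked:
        if t.get("status") != "MONITORING":
            findings.append(f"request {t['request_id']} ({t['nickname']} in {t['nss_db']}): "
                            f"status {t['status']}, renewal is not succeeding")
    for port, cert in sorted(served_by_port.items()):
        when = cert["not_after"].strftime("%Y-%m-%d")
        if cert["not_after"] <= now:
            findings.append(f"port {port}: served certificate EXPIRED on {when}")
        # A served cert is accounted for only if a tracked cert has the same
        # subject *and* the same expiry; a same-subject cert with another
        # expiry is a different certificate (here the dirsrv cert vs. the
        # HTTP cert), so it is untracked or the service never reloaded.
        if not any(t["subject_dn"] == cert["subject_dn"] and t["expires_at"] == cert["not_after"]
                   for t in tracked):
            findings.append(f"port {port}: served certificate (expires {when}) is untracked by "
                            f"certmonger or the service has not reloaded a renewed one")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_getcert_list(GETCERT_LIST), {636: parse_served_cert(SERVED_636)}):
        print(finding)
```

On a live server, feed it the real `getcert list` output and one `openssl x509` result per listener (389 with `-starttls ldap`, 636, 443); any "untracked" finding is a certificate that the date-rollback renewal trick cannot fix, because certmonger is not tracking it.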
URL: From wia at iglass.net Wed Jun 22 14:10:26 2016 From: wia at iglass.net (Marc Wiatrowski) Date: Wed, 22 Jun 2016 10:10:26 -0400 Subject: [Freeipa-users] CA: IPA certificates not renewing In-Reply-To: <57697A56.7080906@redhat.com> References: <57602152.9090104@redhat.com> <5762B625.7060803@redhat.com> <57697A56.7080906@redhat.com> Message-ID: Thank you Rob! I now have two years till everything expires... On Tue, Jun 21, 2016 at 1:33 PM, Rob Crittenden wrote: > Marc Wiatrowski wrote: > >> Thanks for the reply Rob, >> >> So should fixing replication be more than running a re-initialize? >> I've tried this with no luck. Still the same errors in renewing the IPA >> certs. >> > > re-init drops one database and replaces it with another. If you really did > that then you have potentially lost a ton of records if indeed replication > was stalled. Knowing what commands you ran would help to know for sure. I'm thinking at some point in the past I may have done this backwards. So maybe not my original problem but making things worse. > > > status: CA_UNREACHABLE >> ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request, >> will retry: 4301 (RPC failed at server. Certificate operation cannot be >> completed: EXCEPTION (Certificate serial number 0x3ffe000f not found)) >> >> Is there a procedure for getting these serial numbers back in to the >> system? or manually recreating somehow? >> > > When IPA gets a certificate request and the host/service it is requesting > it for already has a certificate, a revocation is done on the existing > certificate (which in this case is failing because the cert is unknown). If > you wipe out the usercertificate field from the entry ldap/ > spider01a.iglass.net then that should do it. This did the trick! I also had to delete userCertificate for dogtagldap/ spider01a.iglass.net and HTTP/spider01a.iglass.net for the other two certificates not renewing. > > > >> I was able to clear 4301 error. One ipaCert needed to be updated. 
>> > > Great! > > rob > > >> thanks >> >> On Thu, Jun 16, 2016 at 10:22 AM, Rob Crittenden > > wrote: >> >> Marc Wiatrowski wrote: >> >> Thanks Rob, >> >> Any suggestions on how make the CA aware of the current serial >> number? >> >> >> Serial numbers are dolled out like uid numbers, by the 389-ds DNA >> Plugin. So each CA that has ever issued a certificate has its own >> range, hence the quite different serial number values. >> >> Given that some issued certificates are unknown it stands to reason >> that replication is broken between one or more masters. Fixing that >> should resolve (most of) the other issues. >> >> Also started seeing the following error from two of the servers, >> spider01b and spider01o, but not spider01a when to navigate in >> the web >> gui. Though it doesn't appear to stop me from doing anything. >> >> IPA Error 4301 >> Certificate operation cannot be completed: EXCEPTION (Invalid >> Crential.) >> >> >> Dogtag does some of its access control by comparing the incoming >> client certificate with an expected value in its LDAP database, in >> this case uid=ipara,ou=People,o=ipaca. There you'll find a copy of >> the client certificate and a description field that contains the >> expected serial #, subject and issuer. >> >> These are out-of-whack if you're getting Invalid Credentials. It >> could be a number of things so I'd proceed cautiously. Given you >> have a working master I'd use that as a starting point. >> >> Look at the the RA cert is in /etc/httpd/alias: >> >> # certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial >> >> See if it is the same on all masters, it should be. >> >> If it is, look at the uid=ipara entry on all the masters. Again, >> should be the same. >> >> Note that fixing this won't address any replication issues. 
>> >> rob >> >> >> Marc >> >> On Tue, Jun 14, 2016 at 2:07 PM, Marc Wiatrowski > >> >> wrote: >> >> >> >> On Tue, Jun 14, 2016 at 11:22 AM, Rob Crittenden >> >> >> wrote: >> >> Marc Wiatrowski wrote: >> >> Hello, I'm having issues with the 3 ipa >> certificates of type >> CA: IPA >> renewing on 2 of 3 replicas. Particularly on the 2 >> that are >> not the CA >> master. The other 5 certificates from getcert list >> do renew >> and all >> certificates on the CA master do look to renew. >> >> Both servers running >> ipa-server-3.0.0-50.el6.centos.1.x86_64 I've done >> full updates and rebooted. >> >> >> Can you check on the replication status for each CA? >> >> $ ipa-csreplica-manage list -v ipa.example.com >> >> >> >> The hostname is important because including that will >> show the >> agreements that host has. Do this for each master with >> a CA. >> >> The CA being asked to do the renewal is unaware of the >> current >> serial number so it is refusing to proceed. >> >> rob >> >> >> >> [root at spider01o]$ ipa-csreplica-manage list -v >> spider01a.iglass.net >> >> Directory Manager password: >> >> spider01b.iglass.net >> >> last init status: None >> last init ended: None >> last update status: 0 Replica acquired successfully: >> Incremental >> update succeeded >> last update ended: 2016-06-14 17:49:16+00:00 >> spider01o.iglass.net >> >> last init status: None >> last init ended: None >> last update status: 0 Replica acquired successfully: >> Incremental >> update started >> last update ended: 2016-06-14 17:55:20+00:00 >> >> [root at spider01o]$ ipa-csreplica-manage list -v >> spider01o.iglass.net >> >> Directory Manager password: >> >> spider01a.iglass.net >> >> last init status: None >> last init ended: None >> last update status: 0 Replica acquired successfully: >> Incremental >> update started >> last update ended: 2016-06-14 17:57:44+00:00 >> spider01b.iglass.net >> >> last init status: None >> last init ended: None >> last update status: 0 Replica acquired 
successfully: >> Incremental >> update started >> last update ended: 2016-06-14 17:57:41+00:00 >> >> [root at spider01o]$ ipa-csreplica-manage list -v >> spider01b.iglass.net >> >> Directory Manager password: >> >> spider01a.iglass.net >> >> last init status: 0 Total update succeeded >> last init ended: 2016-06-03 19:43:12+00:00 >> last update status: 0 Replica acquired successfully: >> Incremental >> update succeeded >> last update ended: 2016-06-14 17:44:17+00:00 >> spider01o.iglass.net >> >> last init status: 0 Total update succeeded >> last init ended: 2016-06-03 19:44:38+00:00 >> last update status: 0 Replica acquired successfully: >> Incremental >> update started >> last update ended: 2016-06-14 17:57:53+00:00 >> spider01a.iglass.net >> >> last init status: None >> last init ended: None >> last update status: 0 Replica acquired successfully: >> Incremental >> update succeeded >> last update ended: 2016-06-14 17:44:13+00:00 >> spider01o.iglass.net >> >> last init status: None >> last init ended: None >> last update status: 0 Replica acquired successfully: >> Incremental >> update started >> last update ended: 2016-06-14 17:57:54+00:00 >> >> >> Not sure what this is telling... This an issue with the >> last being >> doubled? Thanks >> >> >> >> The failed renews look like: >> >> [root at spider01a]$ getcert list -i 20141202144354 >> Number of certificates and requests being tracked: 8. >> Request ID '20141202144354': >> status: CA_UNREACHABLE >> ca-error: Server at https://spider01a.iglass.net/ipa/xml >> failed request, >> will retry: 4301 (RPC failed at server. Certificate >> operation cannot be >> completed: EXCEPTION (Certificate serial number 0x3ffe0010 >> not found)). 
>> stuck: no >> key pair storage: >> >> >> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >> Certificate >> DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt' >> certificate: >> >> >> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >> Certificate DB' >> CA: IPA >> issuer: CN=Certificate Authority,O=IGLASS.NET >> >> > >> >> subject: CN=spider01a.iglass.net >> >> > >,O=IGLASS.NET >> >> >> > >> >> expires: 2016-12-02 14:38:45 UTC >> key usage: >> >> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: >> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv >> PKI-IPA >> track: yes >> auto-renew: yes >> >> [root at spider01a]$ getcert list -i 20141202144616 >> Number of certificates and requests being tracked: 8. >> Request ID '20141202144616': >> status: CA_UNREACHABLE >> ca-error: Server at https://spider01a.iglass.net/ipa/xml >> failed request, >> will retry: 4301 (RPC failed at server. Certificate >> operation cannot be >> completed: EXCEPTION (Certificate serial number 0x3ffe000f >> not found)). 
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IGLASS-NET/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=IGLASS.NET
>> subject: CN=spider01a.iglass.net,O=IGLASS.NET
>> expires: 2016-12-02 14:38:43 UTC
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv IGLASS-NET
>> track: yes
>> auto-renew: yes
>>
>> [root at spider01a]$ getcert list -i 20141202144733
>> Number of certificates and requests being tracked: 8.
>> Request ID '20141202144733':
>> status: CA_UNREACHABLE
>> ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0x3ffe0011 not found)).
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=IGLASS.NET
>> subject: CN=spider01a.iglass.net,O=IGLASS.NET
>> expires: 2016-12-02 14:38:46 UTC
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>> track: yes
>> auto-renew: yes
>>
>> From
>> [root at spider01a]$ getcert resubmit -i 20141202144354
>>
>> On the replica issuing the resubmit
>>
>> ==> /var/log/httpd/access_log <==
>> 192.168.176.2 - - [13/Jun/2016:15:49:32 -0400] "POST /ipa/xml HTTP/1.1" 401 1370
>>
>> ==> /var/log/httpd/error_log <==
>> [Mon Jun 13 15:49:33 2016] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): EXCEPTION (Certificate serial number 0x3ffe0010 not found)
>> [Mon Jun 13 15:49:33 2016] [error] ipa: INFO: host/spider01a.iglass.net at IGLASS.NET: cert_request(u'MIIDsTCCApkCAQAwNDETMBEGA1UEChMKSUdMQVNTLk5FVDEdMBsGA1UEAxMUc3BpZGVyMDFhLml...UVrN8lbKn17V5COjnj6k0mdbz3KptL0UI/l0BPlFBWGN5MFYaDx2F+y6LWv/aXeu2V4E6LA==', principal=u'dogtagldap/spider01a.iglass.net at IGLASS.NET', add=True): CertificateOperationError
>>
>> ==> /var/log/httpd/access_log <==
>> 192.168.176.2 - - [13/Jun/2016:15:49:33 -0400] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 200 262
>> 192.168.176.2 - host/spider01a.iglass.net at IGLASS.NET [13/Jun/2016:15:49:32 -0400] "POST /ipa/xml HTTP/1.1" 200 376
>>
>> ==> /var/log/pki-ca/system <==
>> 2508.TP-Processor6 - [13/Jun/2016:15:49:33 EDT] [3] [3] Servlet
>> caDisplayBySerial: Error encountered in DisplayBySerial. Error Record not found.
>>
>> On the CA master spider01o:
>>
>> ==> /var/log/httpd/access_log <==
>> 192.168.176.2 - - [13/Jun/2016:15:49:33 -0400] "POST /ipa/xml HTTP/1.1" 401 1370
>>
>> ==> krb5kdc.log <==
>> Jun 13 15:49:34 spider01o.iglass.net krb5kdc[1963](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.177.2: ISSUE: authtime 1465847372, etypes {rep=18 tkt=18 ses=18}, host/spider01a.iglass.net at IGLASS.NET for ldap/spider01o.iglass.net at IGLASS.NET
>>
>> ==> /var/log/httpd/error_log <==
>> [Mon Jun 13 15:49:34 2016] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): EXCEPTION (Invalid Credential.)
>> [Mon Jun 13 15:49:34 2016] [error] ipa: INFO: host/spider01a.iglass.net at IGLASS.NET: cert_request(u'MIIDsTCCApkCAQAwNDETMBEGA1UEChMKSUdMQVNTLk5FVDEdMBsGA1UEAxMUc3BpZGVyMDFhLml...UVrN8lbKn17V5COjnj6k0mdbz3KptL0UI/l0BPlFBWGN5MFYaDx2F+y6LWv/aXeu2V4E6LA==', principal=u'dogtagldap/spider01a.iglass.net at IGLASS.NET', add=True): CertificateOperationError
>>
>> ==> /var/log/httpd/access_log <==
>> 192.168.177.2 - - [13/Jun/2016:15:49:34 -0400] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 200 235
>> 192.168.176.2 - host/spider01a.iglass.net at IGLASS.NET [13/Jun/2016:15:49:33 -0400] "POST /ipa/xml HTTP/1.1" 200 349
>>
>> ==> /var/log/pki-ca/system <==
>> 2231.TP-Processor3 - [13/Jun/2016:15:49:34 EDT] [6] [3] Cannot authenticate agent with certificate Serial 0x5ffc0008 Subject DN CN=IPA RA,O=IGLASS.NET. Error: User not found
>>
>> I realize they expire at the end of the year, but I've had my certificates expire before and would rather not go through that again. Any idea on what's wrong or suggestions on where to look would be appreciated.
>>
>> Thanks,
>> Marc
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Wed Jun 22 14:26:16 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 22 Jun 2016 10:26:16 -0400
Subject: [Freeipa-users] Multiple issues (weblogin, DNS) with 4.3.1
In-Reply-To: <20160622082812.GA1285792@mother.pipebreaker.pl>
References: <20160527122848.GA333519@mother.pipebreaker.pl> <5763C3A6.3050802@redhat.com> <20160618171354.GA439585@mother.pipebreaker.pl> <57660B3F.2010308@redhat.com> <20160620080714.GA275278@mother.pipebreaker.pl> <57697B8B.3020600@redhat.com> <20160622082812.GA1285792@mother.pipebreaker.pl>
Message-ID: <576AA008.9040100@redhat.com>

Tomasz Torcz wrote:
> On Tue, Jun 21, 2016 at 01:38:19PM -0400, Rob Crittenden wrote:
>>>>> [Sat Jun 18 18:59:11.337717 2016] [wsgi:error] [pid 748083] CertificateOperationError: Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)
>>>>> [Sat Jun 18 18:59:11.337770 2016] [wsgi:error] [pid 748083]
>>>>> [Sat Jun 18 18:59:11.338805 2016] [wsgi:error] [pid 748083] ipa: INFO: [jsonserver_session] admin at PIPEBREAKER.PL: cert_find(version=u'2.164'): CertificateOperationError
>>>>>
>>>>> How to fix those?
>>>>
>>>> You'll need to look at the dogtag debug log for the reason it threw a 500, it's in /var/log/pki-tomcat/ca or something close to that.
>>>
>>> I've looked into the logs but I'm not wiser. Is there a setting to get rid of the java traceback from logs and get more useful messages? There seems to be a problem with the SSL connection to port 636, maybe because it seems to use an expired certificate?
>>
>> Not that I know of. The debug log is sure a firehose but you've identified the problem.
>>
>>> $ echo | openssl s_client -connect okda.pipebreaker.pl:636 | openssl x509 -noout
>>> depth=1 O = PIPEBREAKER.PL, CN = Certificate Authority
>>> verify return:1
>>> depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
>>> verify error:num=10:certificate has expired
>>> notAfter=Nov 17 12:19:28 2015 GMT
>>> verify return:1
>>> depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
>>> notAfter=Nov 17 12:19:28 2015 GMT
>>> verify return:1
>>> DONE
>>
>> Run getcert list and look at the expiration dates. What you want to do is kill ntpd, set the date back to say a week before the oldest date, restart the dirsrv, restart the pki-tomcat/pki-cad service then restart certmonger. This should force a renewal attempt.
>
> Expiration dates look fine:
>
> root at okda ~$ getcert list
> Number of certificates and requests being tracked: 1.
> Request ID '20131116123125':
> status: CA_UNREACHABLE
> ca-error: Server at https://okda.pipebreaker.pl/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (503)).
> stuck: no
> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=PIPEBREAKER.PL
> subject: CN=okda.pipebreaker.pl,O=PIPEBREAKER.PL
> expires: 2017-12-10 19:44:31 UTC
> principal name: HTTP/okda.pipebreaker.pl at PIPEBREAKER.PL
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
>
> It's in 2017. The output seems quite short; on the other replica "getcert list" returns 9 certificates.

The 503 suggests that the CA didn't come up (service not available).
This may be due to expired certs.

What you need to do is set up certmonger to track all the certificates properly and get things renewed. I'm away from my desk so can't provide any instructions on how to do this, and they depend on whether or not this machine is the renewal master.

> P.S. Unfortunately https://fedorahosted.org/pki/ticket/1752 (Renewing already expired CA certificate) didn't make it into FreeIPA 4.4.0 alpha. :-(

This is unrelated. I seriously doubt your CA is near expiration (my guess is it expires in 2033).

rob

From sbose at redhat.com Wed Jun 22 15:01:24 2016
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 22 Jun 2016 17:01:24 +0200
Subject: [Freeipa-users] Ghost ipaSshPubKey in sss_ssh_authorizedkeys or 'Error looking up public keys'
In-Reply-To:
References: <1466455573.2729.22.camel@stefany.eu> <20160621074344.GU17733@p.Speedport_W_724V_Typ_A_05011603_00_009> <27f744df-9747-8998-2bb1-b0b4b21cd0db@stefany.eu> <20160621111618.GY17733@p.Speedport_W_724V_Typ_A_05011603_00_009>
Message-ID: <20160622150124.GC17733@p.Speedport_W_724V_Typ_A_05011603_00_009>

On Tue, Jun 21, 2016 at 01:23:11PM +0200, Martin Štefany wrote:
> On 6/21/2016 1:16 PM, Sumit Bose wrote:
> > On Tue, Jun 21, 2016 at 12:43:23PM +0200, Martin Štefany wrote:
> > > Hello Sumit,
> > >
> > > putting SELinux to permissive mode and/or enabling the nis_enabled seboolean seemed not to help at all. And you are right, my user has userCertificate (needed for secure libvirtd connection).
> > >
> > > [martin at desk2 ~]$ sss_ssh_authorizedkeys martin
> > > Error looking up public keys
> > > [martin at desk2 ~]$ sudo setenforce 0
> > > [sudo] password for martin:
> > > [martin at desk2 ~]$ sss_ssh_authorizedkeys martin
> > > Error looking up public keys
> > > [martin at desk2 ~]$ sudo setsebool nis_enabled on
> > > [martin at desk2 ~]$ sss_ssh_authorizedkeys martin
> > > Error looking up public keys
> > > [martin at desk2 ~]$ sudo sss_cache -E
> > > [martin at desk2 ~]$ sss_ssh_authorizedkeys martin
> > > Error looking up public keys
> > >
> > > [have a coffee... really]
> > >
> > > [martin at desk2 ~]$ sss_ssh_authorizedkeys martin
> > > ssh-rsa AAA...
> > > ssh-rsa AAA...
> > > ssh-ed25519 AAA...
> > > ssh-rsa AAA...
> > > ssh-rsa AAA...
> >
> > If I understand it correctly you get the same result as on CentOS, including the unexpected key derived from the certificate, after waiting for some time? Can you send the sssd_ssh.log with the sequence from above (if you prefer, directly to me) so that I can check why it failed in the first attempt and later succeeds.
> >
> > bye,
> > Sumit
>
> Hi,
>
> yes, now the results are the same, including the originally unexpected key from the certificate, and actual SSH pubkey auth finally works.
>
> I would send you sssd_ssh.log, but it's empty - I have turned off debug_level sooner, sorry. :(
>
> Isn't it the case that sss_cache -E takes a few seconds to actually expire the cache entries?

sss_cache -E itself should be fast, but the next requests like sss_ssh_authorizedkeys would need a bit longer because SSSD must now read fresh data from the server. Nevertheless it should take some seconds, maybe 10-20 with lots of group-memberships, but not as much as a coffee break.

bye,
Sumit

>
> Thank you.
> Martin
>
> > > RH bug for selinux-policy:
> > > https://bugzilla.redhat.com/show_bug.cgi?id=1348447
> > >
> > > Thank you!
> > > Martin
> > >
> > > On 6/21/2016 9:43 AM, Sumit Bose wrote:
> > > > On Mon, Jun 20, 2016 at 10:46:13PM +0200, Martin Štefany wrote:
> > > > > Hello all,
> > > > >
> > > > > I've run into a strange issue with IPA/SSSD/SSH/SELinux which started when I figured out that I cannot ssh with pubkey auth to Fedora 23 (ipa-client) systems while I can to CentOS 7.2 (ipa-client and ipa-server) systems within the same IPA domain. I will appreciate any help whatsoever.
> > > > > IPA servers (and most of the clients) are IPA 4.2.0 on CentOS 7.2 with latest updates, affected clients are IPA clients 4.2.4 on Fedora 23 with latest updates.
> > > > >
> > > > > I started by looking at the journal:
> > > > > jún 20 13:02:50 desk2.stefany.eu sshd[25162]: Connection from 144.xxx.xxx.xxx port 22543 on 172.17.100.191 port 22
> > > > > ...
> > > > > jún 20 13:02:56 desk2.stefany.eu audit[23328]: AVC avc: denied { name_connect } for pid=23328 comm="sssd_ssh" dest=80 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
> > > > > jún 20 13:02:56 desk2.stefany.eu audit[23328]: SYSCALL arch=c000003e syscall=42 success=no exit=-13 a0=15 a1=7fff145c35b0 a2=10 a3=5614dbbe2a50 items=0 ppid=23316 pid=23328 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > > >
> > > > Does the user by chance have a certificate added to his entry including a link to an OCSP responder?
> > > >
> > > > Recent versions of SSSD have the ability to generate public ssh-keys from valid certificates added to the user entry to support the ssh Smartcard feature (see e.g.
> > > > the -I option in the ssh man page for details or https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationStep1#RunningsshclientwithSmartcardsupport)
> > > >
> > > > While trying to validate the certificate via OCSP sssd_ssh must connect to a http server. To allow this, setting the 'nis_enabled' SELinux boolean to true should help.
> > > >
> > > > Nevertheless, since this should work by default, it would be nice if you can open a bugzilla ticket for the SELinux policy on F23 to allow this by default.
> > > >
> > > > HTH
> > > >
> > > > bye,
> > > > Sumit
> > > >
> > > > > ...
> > > > > jún 20 13:02:56 desk2.stefany.eu audit[23328]: AVC avc: denied { name_connect } for pid=23328 comm="sssd_ssh" dest=80 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
> > > > > jún 20 13:02:56 desk2.stefany.eu audit[23328]: SYSCALL arch=c000003e syscall=42 success=no exit=-13 a0=15 a1=7fff145c35b0 a2=10 a3=5614dbbe42d0 items=0 ppid=23316 pid=23328 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > > > > ...
> > > > > jún 20 13:02:56 desk2.stefany.eu sshd[25162]: error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys martin failed, status 1
> > > > > ...
> > > > > jún 20 13:02:56 desk2.stefany.eu sshd[25162]: Failed publickey for martin from 144.xxx.xxx.xxx port 22543 ssh2: RSA SHA256:uyzB4[stripped]
> > > > > ...
> > > > > jún 20 13:02:56 desk2.stefany.eu sshd[25162]: error: Received disconnect from 144.xxx.xxx.xxx port 22543:14: No supported authentication methods available [preauth]
> > > > > jún 20 13:02:56 desk2.stefany.eu sshd[25162]: Disconnected from 144.xxx.xxx.xxx port 22543 [preauth]
> > > > >
> > > > > which was weird, because the same key would nicely work elsewhere (on any other CentOS 7.2 system, while no Fedora 23 system would work, as I have figured out)
> > > > >
> > > > > I have tried putting SELinux into permissive mode, or generating a custom module with a custom policy allowing this, but it doesn't help, and even a tcpdump capture doesn't capture anything when such a connection to 'somewhere' port 80 is opened.
> > > > >
> > > > > I moved on to testing the '/usr/bin/sss_ssh_authorizedkeys martin' command.
> > > > > Fedora 23:
> > > > > # sss_ssh_authorizedkeys martin
> > > > > Error looking up public keys
> > > > >
> > > > > CentOS 7.2:
> > > > > # sss_ssh_authorizedkeys martin
> > > > > ssh-rsa AAA...
> > > > > ssh-rsa AAA...
> > > > > ssh-ed25519 AAA...
> > > > > ssh-rsa AAA...
> > > > > ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsox... (???) -->> this one is not in LDAP (checked with ldapsearch & ipa user-show martin --all --raw), not present in the dc=stefany,dc=eu tree or in the compat tree
> > > > >
> > > > > So, I have turned on debug_level = 0x0250 in sssd.conf in both Fedora 23 and CentOS 7.2 and checked the logs. CentOS 7.2 is just fine, Fedora 23 gives these failures:
> > > > > ==> /var/log/sssd/sssd_ssh.log <==
> > > > > (Mon Jun 20 21:58:14 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0].
> > > > > (Mon Jun 20 21:58:14 2016) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered version [0].
> > > > > (Mon Jun 20 21:58:14 2016) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): name 'martin' matched without domain, user is martin
> > > > >
> > > > > ==> /var/log/sssd/sssd_stefany.eu.log <==
> > > > > (Mon Jun 20 21:58:14 2016) [sssd[be[stefany.eu]]] [be_get_account_info] (0x0200): Got request for [0x1][BE_REQ_USER][1][name=martin]
> > > > >
> > > > > ==> /var/log/sssd/sssd_ssh.log <==
> > > > > (Mon Jun 20 21:58:14 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x0040): cert_to_ssh_key failed.
> > > > > (Mon Jun 20 21:58:14 2016) [sssd[ssh]] [ssh_cmd_build_reply] (0x0040): decode_and_add_base64_data failed.
> > > > >
> > > > > And that's right, the last - ghost - "sshpubkey" is an invalid base64 string. So Fedora 23 fails because of some extra validation in SSSD...
> > > > >
> > > > > I can't tell where this invalid base64 stuff is coming from, and yes, I have stopped both IPA servers, run sss_cache -E on both of them and on clients, and started the IPA servers serially one by one; the invalid key is still there.
> > > > >
> > > > > I have a plan B to delete the account, put it back and see if it cleans up, but I would prefer to figure out what is actually wrong here and what's introducing the wrong sshpubkey. And why is sssd_ssh connecting to some port 80 somewhere?
> > > > >
> > > > > Thank you in advance!
> > > > >
> > > > > Kind regards,
> > > > > Martin
> > > > >
> > > > > --
> > > > > Manage your subscription for the Freeipa-users mailing list:
> > > > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > > > Go to http://freeipa.org for more info on the project
> > >
> > > --
> > > Martin
>
> --
> Martin

From piolet.y at gmail.com Wed Jun 22 15:01:55 2016
From: piolet.y at gmail.com (Youenn PIOLET)
Date: Wed, 22 Jun 2016 17:01:55 +0200
Subject: [Freeipa-users] Multiple issues (weblogin, DNS) with 4.3.1
In-Reply-To: <576AA008.9040100@redhat.com>
References: <20160527122848.GA333519@mother.pipebreaker.pl> <5763C3A6.3050802@redhat.com> <20160618171354.GA439585@mother.pipebreaker.pl> <57660B3F.2010308@redhat.com> <20160620080714.GA275278@mother.pipebreaker.pl> <57697B8B.3020600@redhat.com> <20160622082812.GA1285792@mother.pipebreaker.pl> <576AA008.9040100@redhat.com>
Message-ID:

Hi,

Can you provide the output of:

certutil -L -d /etc/dirsrv/slapd-/

on replicas that can't start the PKI? Your CA Cert attributes should be CT,C,C

I experience the same issue as you every two replicas I install. The fix is:

certutil -d /etc/dirsrv/slapd-/ -A -t "CT,C,C" -n " IPA CA" -i /etc/ipa/ca.crt

and restart ipa server.
https://www.redhat.com/archives/freeipa-users/2013-August/msg00088.html

Can you also provide the following line of the file generated by the following commands:

$ ipa certprofile-show --out /tmp/caIPAserviceCert.cfg caIPAserviceCert
$ grep policyset.serverCertSet.1.default.params.name /tmp/caIPAserviceCert.cfg

Regards,

--
Youenn Piolet
piolet.y at gmail.com

2016-06-22 16:26 GMT+02:00 Rob Crittenden :

> Tomasz Torcz wrote:
>
>> On Tue, Jun 21, 2016 at 01:38:19PM -0400, Rob Crittenden wrote:
>>
>>>>>> [Sat Jun 18 18:59:11.337717 2016] [wsgi:error] [pid 748083] CertificateOperationError: Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)
>>>>>> [Sat Jun 18 18:59:11.337770 2016] [wsgi:error] [pid 748083]
>>>>>> [Sat Jun 18 18:59:11.338805 2016] [wsgi:error] [pid 748083] ipa: INFO: [jsonserver_session] admin at PIPEBREAKER.PL: cert_find(version=u'2.164'): CertificateOperationError
>>>>>>
>>>>>> How to fix those?
>>>>>
>>>>> You'll need to look at the dogtag debug log for the reason it threw a 500, it's in /var/log/pki-tomcat/ca or something close to that.
>>>>
>>>> I've looked into the logs but I'm not wiser. Is there a setting to get rid of the java traceback from logs and get more useful messages? There seems to be a problem with the SSL connection to port 636, maybe because it seems to use an expired certificate?
>>>
>>> Not that I know of. The debug log is sure a firehose but you've identified the problem.
>>>
>>>> $ echo | openssl s_client -connect okda.pipebreaker.pl:636 | openssl x509 -noout
>>>> depth=1 O = PIPEBREAKER.PL, CN = Certificate Authority
>>>> verify return:1
>>>> depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
>>>> verify error:num=10:certificate has expired
>>>> notAfter=Nov 17 12:19:28 2015 GMT
>>>> verify return:1
>>>> depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
>>>> notAfter=Nov 17 12:19:28 2015 GMT
>>>> verify return:1
>>>> DONE
>>>
>>> Run getcert list and look at the expiration dates. What you want to do is kill ntpd, set the date back to say a week before the oldest date, restart the dirsrv, restart the pki-tomcat/pki-cad service then restart certmonger. This should force a renewal attempt.
>>
>> Expiration dates look fine:
>>
>> root at okda ~$ getcert list
>> Number of certificates and requests being tracked: 1.
>> Request ID '20131116123125':
>> status: CA_UNREACHABLE
>> ca-error: Server at https://okda.pipebreaker.pl/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (503)).
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=PIPEBREAKER.PL
>> subject: CN=okda.pipebreaker.pl,O=PIPEBREAKER.PL
>> expires: 2017-12-10 19:44:31 UTC
>> principal name: HTTP/okda.pipebreaker.pl at PIPEBREAKER.PL
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>> track: yes
>> auto-renew: yes
>>
>> It's in 2017.
>> The output seems quite short; on the other replica "getcert list" returns 9 certificates.
>
> The 503 suggests that the CA didn't come up (service not available). This may be due to expired certs.
>
> What you need to do is set up certmonger to track all the certificates properly and get things renewed. I'm away from my desk so can't provide any instructions on how to do this, and they depend on whether or not this machine is the renewal master.
>
>> P.S. Unfortunately https://fedorahosted.org/pki/ticket/1752 (Renewing already expired CA certificate) didn't make it into FreeIPA 4.4.0 alpha. :-(
>
> This is unrelated. I seriously doubt your CA is near expiration (my guess is it expires in 2033).
>
> rob
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From piolet.y at gmail.com Wed Jun 22 15:24:11 2016
From: piolet.y at gmail.com (Youenn PIOLET)
Date: Wed, 22 Jun 2016 17:24:11 +0200
Subject: [Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias
In-Reply-To: <57697C44.6010206@redhat.com>
References: <27123231.2vVFdNkPoa@techz> <4468326.xlZGrDGMFj@techz> <574EE932.1040501@redhat.com> <43130555.CD4bVCgrSr@techz> <57697C44.6010206@redhat.com>
Message-ID:

Hi Günther,

I wrote this wrapper last year, maybe this will help.
https://github.com/uZer/rootools/blob/master/pki/freeipa/gencerts.sh

If you use cnames:
==================================================================
$ ipa host-add cname.domain --force
$ ipa service-add service/fqdn
$ ipa service-add service/cname.domain --force
$ ipa service-add-host service/cname.domain --host fqdn

In nss.conf
==================================================================
#NSSPassPhraseDialog builtin
NSSPassPhraseDialog file:/etc/apache2/password.conf

In your virtual host:
==================================================================
NSSEngine on
NSSNickname certifnickname
NSSCertificateDatabase /path/to/db
NSSProtocol TLSv1.1,TLSv1.2
NSSVerifyClient none
# Update this with current recommended ciphersuites
NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
...

Hope this is still correct, feel free to push a request ;)

Regards,

--
Youenn Piolet
piolet.y at gmail.com

2016-06-21 19:41 GMT+02:00 Rob Crittenden :

> Günther J. Niederwimmer wrote:
>
>> Hello Rob,
>>
>> On Wednesday, 1 June 2016, 09:54:58 CEST, Rob Crittenden wrote:
>>
>>> Günther J. Niederwimmer wrote:
>>>
>>>> Hello,
>>>>
>>>> On Tuesday, 31 May 2016, 11:06:09 CEST, Rob Crittenden wrote:
>>>>
>>>>> Günther J. Niederwimmer wrote:
>>>>>
>>>>>> Hello
>>>>>> I found some help for the IPA Certificate but I found no way to import the IPA CA?
>>>>>> I like to create a webserver with an owncloud virtualhost and others..
>>>>>>
>>>>>> But it is for me not possible to create the /etc/httpd/alias correctly?
>>>>>>
>>>>>> I found this in IPA DOCS
>>>>>>
>>>>>> certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
>>>>>>
>>>>>> but with this command line I have an error: /etc/ipa/ca.crt has wrong format?
>>>>>>
>>>>>> Has anyone a link with a working example?
>>>>>
>>>>> Does the file /etc/ipa/ca.crt exist? It is installed there on enrolled clients so the documentation is written from that perspective.
>>>>
>>>> Yes.
>>>>
>>>>> You can grab a copy from any enrolled system, including an IPA Master. Otherwise the command looks ok assuming you were sitting in /etc/httpd/alias when the command was executed (-d .).
>>>>
>>>> Yes ;-).
>>>> but certutil means it is a wrong format from the Certificate
>>>
>>> $ mkdir /tmp/testdb && cd /tmp/testdb
>>> $ certutil -N -d .
>>> $ certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
>>
>> On my system I have this message after installing ca.crt
>>
>> p11-kit: objects of this type cannot be created ?
>> is this correct ?
>
> I'm not sure.
>
>> Another question, do I have to change the Attribute (?), IPA-server creates / IMPORTs this ca.crt with -t "CT,C,C"
>
> It isn't super important. The order of those fields is SSL, S/MIME, code-signing. Chances are S/MIME will never be used and code-signing is used in some older releases but only once at install, so not having those set isn't a big deal.
>
> If you want things to be consistent you can use certutil -M -d . -t CT,C,C -n 'EXAMPLE.COM IPA CA'
>
> rob
>
>>> $ certutil -L -d .
>>>
>>> Certificate Nickname                                         Trust Attributes
>>>                                                              SSL,S/MIME,JAR/XPI
>>>
>>> EXAMPLE.COM IPA CA                                           CT,,
>>>
>>> I guess look at what is in /etc/ipa/ca.crt and ensure it is valid. You can use openssl for that:
>>>
>>> $ openssl x509 -text -inform PEM -in /etc/ipa/ca.crt
>>>
>>>> Something is wrong on my system !!
>>>>
>>>> for me it is not possible to have on an enrolled ipa-client a working webserver (apache) with mod_NSS
>>>>
>>>> The last tests: apache means it is the wrong "passwd" for the DB and doesn't start?
>>>>
>>>> So now I start again with a new clean /etc/httpd/alias
>>>
>>> Not knowing how you created the database or what your nss.conf looks like it's hard to say what is going on. If you set a NSS database password then you need to tell mod_nss about it.
>>>
>>> Typically you'd set this in nss.conf:
>>>
>>> NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf"
>>>
>>> and create /etc/httpd/conf/password.conf with contents like:
>>>
>>> internal:SecretPassword123
>>>
>>> Ensure that the file is owned by apache:apache and mode 0400.
>>
>> This is the best INFO for this file ;-)
>>
>> Thanks
>>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From schogan at us.ibm.com Wed Jun 22 15:25:34 2016
From: schogan at us.ibm.com (Sean Hogan)
Date: Wed, 22 Jun 2016 08:25:34 -0700
Subject: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
In-Reply-To: <79454fce-7e51-eebf-44eb-c7a472cef1fd@redhat.com>
References: <79454fce-7e51-eebf-44eb-c7a472cef1fd@redhat.com>
Message-ID:

Hi Peter...

Yes..... this has me doing loops in my head to /dev/null

You are correct, I could not complete the BIND steps... I did them yesterday but did not post results as I wanted to stop bugging you all :) The initial credential section of that I could not complete, nor can I get a keytab without it, and I don't think I have an issue with cert versions (used the SASL section). The upgrade log from 3.47 to 3.50 on this one server did show an error with named though.

I had the box powered down again last night after testing the BIND procedures... and it's been up since then. Which makes me really not sure what is going on (DNS DOS from internal maybe? I get a lot of outside requests showing network unreachable and I don't forward to an outside DNS).
If it was a password/cert/cipher/file perm issue then I don't see how it can work at all after a reboot.

I am thinking it needs a rebuild.. I have not done this on a First Master IPA; is there anything I need to take into consideration with it being first master? Right now I have 8 IPAs, all DNS, NTP and CAs on different vlans, but the first master is the fail-back IPA (on the only vlan that can talk to the others) in case their local vlan IPA dies. First Master is also the master CA in the realm where everything is enrolled to originally. We then mod everything to point to the vlan IPA with the Firstmaster as secondary with our vlan-specific scripts we run after ipa client install.

With the box rebooted last night I am now getting normal functionality but it prob won't last long as indicated from the past...

Working
[bob at FirstMaster ~]# kinit admin
Password for admin at DOMAIN.LOCAL:
Warning: Your password will expire in 6 days on Tue Jun 28 14:55:52 2016
[bob at FirstMaster ~]#

I did post ldap logs in my first email though... will re-add them to this and when it dies off again I will add more.

> [20/Jun/2016:13:59:00 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
> [20/Jun/2016:13:59:01 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=domain,dc=local
> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - ruv_compare_ruv: RUV [database RUV] does not contain element [{replica 7} 55ca26a0000900070000 5688d8e6001000070000] which is present in RUV [changelog max RUV]
> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: for replica dc=domain,dc=local there were some differences between the changelog max RUV and the database RUV. If there are obsolete elements in the database RUV, you should remove them using the CLEANALLRUV task.
If they are not obsolete, you should check > their status to see why there are no changes from those servers in the > changelog. > [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial > credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in > keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC > for requested realm) > [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial > credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in > keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC > for requested realm) > [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial > credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in > keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC > for requested realm) > [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. Minor code may provide more information (Credentials cache file > '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) > [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. 
Minor code may provide more information (Credentials cache file > '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) > [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - > agmt="cn=meToserver9.domain.local" (server9:389): Replication bind with > GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: > GSSAPI Error: Unspecified GSS failure. Minor code may provide more > information (Credentials cache file '/tmp/krb5cc_495' not found)) > [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial > credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in > keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC > for requested realm) > [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - > agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with > GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: > GSSAPI Error: Unspecified GSS failure. Minor code may provide more > information (Credentials cache file '/tmp/krb5cc_495' not found)) > [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. Minor code may provide more information (Credentials cache file > '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) > [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - > agmt="cn=meTobldvxl0011.domain.local" (1server:389): Replication bind with > GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: > GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more > information (Credentials cache file '/tmp/krb5cc_495' not found)) > [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. Minor code may provide more information (Credentials cache file > '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) > [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - > agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with > GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: > GSSAPI Error: Unspecified GSS failure. Minor code may provide more > information (Credentials cache file '/tmp/krb5cc_495' not found)) > [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial > credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in > keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC > for requested realm) > [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial > credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in > keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC > for requested realm) > [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. 
Minor code may provide more information (Credentials cache file > '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) > [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - > agmt="cn=meToserver7.domain.local" (server7:389): Replication bind with > GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: > GSSAPI Error: Unspecified GSS failure. Minor code may provide more > information (Credentials cache file '/tmp/krb5cc_495' not found)) > [20/Jun/2016:13:59:48 -0400] - slapd started. Listening on All Interfaces > port 389 for LDAP requests > [20/Jun/2016:13:59:48 -0400] - Listening on All Interfaces port 636 for > LDAPS requests > [20/Jun/2016:13:59:48 -0400] - Listening > on /var/run/slapd-DOMAIN-LOCAL.socket for LDAPI requests > [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. Minor code may provide more information (Credentials cache file > '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) > [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - > agmt="cn=meToserver4.domain.local" (server4:389): Replication bind with > GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: > GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more > information (Credentials cache file '/tmp/krb5cc_495' not found)) > [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial > credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in > keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC > for requested realm) > [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. Minor code may provide more information (Credentials cache file > '/tmp/krb5cc_495' not found)) errno 0 (Success) > [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - > agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with > GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: > GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more > information (Credentials cache file '/tmp/krb5cc_495' not found)) > [20/Jun/2016:13:59:51 -0400] NSMMReplicationPlugin - > agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with > GSSAPI auth resumed > [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 > (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: > gss_accept_sec_context) errno 0 (Success) > [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) > [20/Jun/2016:13:59:51 -0400] NSMMReplicationPlugin - > agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with > GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): > authentication failure: GSSAPI Failure: gss_accept_sec_context) > [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. Minor code may provide more information (No credentials cache > found)) errno 2 (No such file or directory) > [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. 
Minor code may provide more information (No credentials cache > found)) errno 2 (No such file or directory) > [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. Minor code may provide more information (No credentials cache > found)) errno 2 (No such file or directory) > [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. Minor code may provide more information (No credentials cache > found)) errno 2 (No such file or directory) > [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. 
Minor code may provide more information (No credentials cache
> found)) errno 2 (No such file or directory)
> [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [20/Jun/2016:13:59:57 -0400] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49
> (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure:
> gss_accept_sec_context) errno 0 (Success)
> [20/Jun/2016:13:59:57 -0400] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
> [20/Jun/2016:13:59:57 -0400] NSMMReplicationPlugin -
> agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with
> GSSAPI auth resumed

Sean Hogan

From: Petr Spacek
To: freeipa-users at redhat.com
Date: 06/21/2016 10:20 PM
Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
Sent by: freeipa-users-bounces at redhat.com

On 22.6.2016 02:56, Sean Hogan wrote:
> More info
>
>
> Krb5 log is showing:
> Jun 21 20:42:47 Firstmaster.domain.local krb5kdc[2141](info): AS_REQ (4
> etypes {18 17 16 23}) 10.x.x.x: LOOKING_UP_CLIENT: admin at domain.LOCAL for
> krbtgt/DOMAIN.LOCAL at DOMAIN.LOCAL, Server error

Hello,

this is really fishy. I would bet that there is a problem with the LDAP server and the DNS errors are just a consequence of it.

I suspect that you will not be able to finish the steps mentioned in
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a3.FailedtoinitcredentialsorFailedtogetinitialcredentialsDecryptintegritycheckfailedorClientscredentialshavebeenrevoked

If it is the case I would turn your attention to krb5kdc.log and LDAP server logs in /var/log/dirsrv/*

There must be something wrong with the LDAP server.
Petr^2 Spacek

>
> [bob at Firstmaster etc]# kinit -v admin
> kinit: Credentials cache file '/tmp/krb5cc_0' not found while validating
> credentials
>
>
> Sean Hogan
>
>
> From: Sean Hogan/Durham/IBM
> To: freeipa-users
> Date: 06/21/2016 12:02 PM
> Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
>
>
> Has anyone seen these before?
>
>
> First Master IPA DNS logs show: Looks like the host names are getting the
> domain twice domain.local.domain.local
>
>
> client 10.x.x.x#58094: query failed (SERVFAIL) for
> server1.domain.local.domain.local/IN/AAAA at query.c:6569
> timeout in ldap_pool_getconnection(): try to raise 'connections' parameter;
> potential deadlock?
> client 10.x.x.x#44147: query failed (SERVFAIL) for
> x.x.x.10.in-addr.arpa/IN/PTR at query.c:6569
> timeout in ldap_pool_getconnection(): try to raise 'connections' parameter;
> potential deadlock?
> client 10.x.x.x#56466: query failed (SERVFAIL) for
> x.x.x.10.in-addr.arpa/IN/PTR at query.c:6569
> timeout in ldap_pool_getconnection(): try to raise 'connections' parameter;
> potential deadlock?
> client 10.x.x.x53367: query failed (SERVFAIL) for
> server2.domain.local.domain.local/IN/A at query.c:6569
> timeout in ldap_pool_getconnection(): try to raise 'connections' parameter;
> potential deadlock?
> client 10.x.x.x#53367: query failed (SERVFAIL) for
> server2.domain.local.domain.local/IN/AAAA at query.c:6569
>
>
> So enrolls are failing at this point when trying to enroll to a replica:
>
> [bob at server1 log]# ipa-client-install --enable-dns-updates
> Discovery was successful!
> Hostname: server1.watson.local
> Realm: DOMAIN.LOCAL
> DNS Domain: domain.local
> IPA Server: ipareplica.domain.local
> BaseDN: dc=domain,dc=local
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: bob
> Synchronizing time with KDC...
> Password for bob at DOMAIN.LOCAL:
> Successfully retrieved CA cert
> Subject: CN=Certificate Authority,O=DOMAIN.LOCAL
> Issuer: CN=Certificate Authority,O=DOMAIN.LOCAL
> Valid From: Tue Jan 06 19:37:09 2015 UTC
> Valid Until: Sat Jan 06 19:37:09 2035 UTC
>
> Enrolled in IPA realm DOMAIN.LOCAL
> Attempting to get host TGT...
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm DOMAIN.LOCAL
> trying https://ipareplica.domain.local/ipa/xml
> Cannot connect to the server due to Kerberos error: Kerberos error:
> Kerberos error: ('Unspecified GSS failure. Minor code may provide more
> information', 851968)/('KDC returned error string: PROCESS_TGS',
> -1765328324)/. Trying with delegate=True
> trying https://ipareplica.domain.local/ipa/xml
> Second connect with delegate=True also failed: Kerberos error: Kerberos
> error: ('Unspecified GSS failure. Minor code may provide more
> information', 851968)/('KDC returned error string: PROCESS_TGS',
> -1765328324)/
> Cannot connect to the IPA server XML-RPC interface: Kerberos error:
> Kerberos error: ('Unspecified GSS failure. Minor code may provide more
> information', 851968)/('KDC returned error string: PROCESS_TGS',
> -1765328324)/
> Installation failed. Rolling back changes.
> Unenrolling client from IPA server
> Unenrolling host failed: Error obtaining initial credentials: Generic error
> (see e-text).
>
> Removing Kerberos service principals from /etc/krb5.keytab
> Disabling client Kerberos and LDAP configurations
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved
> to /etc/sssd/sssd.conf.deleted
> Restoring client configuration files
> nscd daemon is not installed, skip configuration
> nslcd daemon is not installed, skip configuration
> Client uninstall complete.
>
>
> Sean Hogan
>
>
> From: Sean Hogan/Durham/IBM
> To: Sean Hogan/Durham/IBM at IBMUS
> Cc: freeipa-users
> Date: 06/20/2016 12:49 PM
> Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
>
>
> Also seeing this in the upgrade log on the first master but not on the 7
> ipas.
>
> ERROR Failed to restart named: Command '/sbin/service named restart '
> returned non-zero exit status 7
>
>
> which led me to
>
> https://bugzilla.redhat.com/show_bug.cgi?id=895298
>
>
> Sean Hogan
>
>
> From: Sean Hogan/Durham/IBM at IBMUS
> To: freeipa-users
> Date: 06/20/2016 11:46 AM
> Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
> Sent by: freeipa-users-bounces at redhat.com
>
>
> Hi All..
>
> I thought we fixed this issue by rebooting the KVM host but it is showing
> again. Our First Master IPA is being rebooted 2-5 times a day now just to
> keep it alive.
>
> What we are seeing:
>
> [god at FirstMaster log]# kinit admin
> kinit: Cannot contact any KDC for realm 'Domain.LOCAL' while getting
> initial credentials
>
> DNS is not working as nslookup is failing to a replica.... I think once we
> lose DNS it all goes downhill, which makes sense.
>
> [god at FirstMaster log]# ipactl stop -----> Just hangs forever.. no replies..
> no error.. nothing
>
> I try service named stop and nothing happens
>
> I have the box hard shutdown from KVM console. Reboot it and it works for a
> little while but eventually back to same behavior.
>
> At this point I can service named stop and it responds... ipactl status and
> it responds.. but if I try service named restart I get
>
> [god at FirstMaster log]# service named stop
> Stopping named: ......
>
> [god at Firstmaster log]# service named start
> Starting named: [FAILED]
>
> [god at FirstMaster log]# service named status
> rndc: connect failed: 127.0.0.1#953: connection refused
> named dead but pid file exists
>
> Rebooted box and it is hung on shutting down domain-local and never fully
> shuts down.. have to get it hard shutdown again.
> During an attempt to gracefully shut down we see this
>
> Shutting Down dirsrv:
> PKI-IPA OK
> DOMAIN-LOCAL FAILED
> *** Error: 1 instance(s) unsuccessfully stopped FAILED
>
> Then it moves on to shut other things down and returns to dirsrv
> Shutting Down dirsrv:
> PKI-IPA....server already stopped FAILED {Makes sense.. it died earlier}
> DOMAIN-LOCAL... {this sits here til we hard shutdown}
>
>
> bind-libs-9.8.2-0.47.rc1.el6.x86_64
> bind-9.8.2-0.47.rc1.el6.x86_64
> bind-utils-9.8.2-0.47.rc1.el6.x86_64
>
> ipa-client-3.0.0-50.el6.1.x86_64
> ipa-server-selinux-3.0.0-50.el6.1.x86_64
> ipa-server-3.0.0-50.el6.1.x86_64
> sssd-ipa-1.13.3-22.el6.x86_64
>
>
> /var/log/dirsrv/slapd-DOMAIN-LOCAL
> [20/Jun/2016:13:29:06 -0400] - 389-Directory/1.2.11.15 B2016.063.2110
> starting up
> [20/Jun/2016:13:29:06 -0400] schema-compat-plugin - warning: no entries set
> up under cn=computers, cn=compat,dc=domain,dc=local
> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - ruv_compare_ruv: RUV
> [database RUV] does not contain element [{replica 7} 55ca26a0000900070000
> 5688d8e6001000070000] which is present in RUV [changelog max RUV]
> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin -
> replica_check_for_data_reload: Warning: for replica dc=domain,dc=local
> there were some differences between the changelog max RUV and the database
> RUV. If there are obsolete elements in the database RUV, you should remove
> them using the CLEANALLRUV task. If they are not obsolete, you should check
> their status to see why there are no changes from those servers in the
> changelog.
> [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial > credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in > keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC > for requested realm) > [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial > credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in > keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC > for requested realm) > [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial > credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in > keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC > for requested realm) > [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. Minor code may provide more information (Credentials cache file > '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) > [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - > agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with > GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: > GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more > information (Credentials cache file '/tmp/krb5cc_495' not found)) > [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial > credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in > keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC > for requested realm) > [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. Minor code may provide more information (Credentials cache file > '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) > [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - > agmt="cn=meToserver9.domain.local" (server9:389): Replication bind with > GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: > GSSAPI Error: Unspecified GSS failure. Minor code may provide more > information (Credentials cache file '/tmp/krb5cc_495' not found)) > [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial > credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in > keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC > for requested realm) > [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. 
Minor code may provide more information (Credentials cache file > '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) > [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - > agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with > GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: > GSSAPI Error: Unspecified GSS failure. Minor code may provide more > information (Credentials cache file '/tmp/krb5cc_495' not found)) > [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial > credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in > keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC > for requested realm) > [20/Jun/2016:13:29:07 -0400] - slapd started. Listening on All Interfaces > port 389 for LDAP requests > [20/Jun/2016:13:29:07 -0400] - Listening on All Interfaces port 636 for > LDAPS requests > [20/Jun/2016:13:29:07 -0400] - Listening > on /var/run/slapd-DOMAIN-LOCAL.socket for LDAPI requests > [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial > credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in > keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC > for requested realm) > [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. 
Minor code may provide more information (Credentials cache file > '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) > [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - > agmt="cn=meToserver4.domain.local" (server4:389): Replication bind with > GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: > GSSAPI Error: Unspecified GSS failure. Minor code may provide more > information (Credentials cache file '/tmp/krb5cc_495' not found)) > [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. Minor code may provide more information (Credentials cache file > '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) > [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - > agmt="cn=meTo1server.domain.local" (1server:389): Replication bind with > GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: > GSSAPI Error: Unspecified GSS failure. Minor code may provide more > information (Credentials cache file '/tmp/krb5cc_495' not found)) > [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. 
Minor code may provide more information (Credentials cache file > '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) > [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - > agmt="cn=meToserver7.domain.local" (server7:389): Replication bind with > GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: > GSSAPI Error: Unspecified GSS failure. Minor code may provide more > information (Credentials cache file '/tmp/krb5cc_495' not found)) > [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. Minor code may provide more information (Credentials cache file > '/tmp/krb5cc_495' not found)) errno 0 (Success) > [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - > agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with > GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: > GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more > information (Credentials cache file '/tmp/krb5cc_495' not found)) > [20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin - > agmt="cn=meToserver9.domain.local" (server9:389): Replication bind with > GSSAPI auth resumed > [20/Jun/2016:13:29:10 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 > (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: > gss_accept_sec_context) errno 0 (Success) > [20/Jun/2016:13:29:10 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) > [20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin - > agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with > GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): > authentication failure: GSSAPI Failure: gss_accept_sec_context) > [20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin - > agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with > GSSAPI auth resumed > [20/Jun/2016:13:29:10 -0400] slapi_ldap_bind - Error: could not perform> interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin - > agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with > GSSAPI auth resumed > [20/Jun/2016:13:29:10 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. 
> Minor code may provide more information (No credentials cache
> found)) errno 2 (No such file or directory)
> [20/Jun/2016:13:29:10 -0400] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [20/Jun/2016:13:29:10 -0400] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure. Minor code may provide more information (No credentials cache
> found)) errno 2 (No such file or directory)
> [20/Jun/2016:13:29:10 -0400] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [20/Jun/2016:13:29:16 -0400] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49
> (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure:
> gss_accept_sec_context) errno 0 (Success)
> [20/Jun/2016:13:29:16 -0400] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
> [20/Jun/2016:13:59:00 -0400] - 389-Directory/1.2.11.15 B2016.063.2110
> starting up
> [20/Jun/2016:13:59:00 -0400] - Detected Disorderly Shutdown last time
> Directory Server was running, recovering database.
> [20/Jun/2016:13:59:01 -0400] schema-compat-plugin - warning: no entries set
> up under cn=computers, cn=compat,dc=domain,dc=local
> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - ruv_compare_ruv: RUV
> [database RUV] does not contain element [{replica 7} 55ca26a0000900070000
> 5688d8e6001000070000] which is present in RUV [changelog max RUV]
> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin -
> replica_check_for_data_reload: Warning: for replica dc=domain,dc=local
> there were some differences between the changelog max RUV and the database
> RUV. If there are obsolete elements in the database RUV, you should remove
> them using the CLEANALLRUV task. If they are not obsolete, you should check
> their status to see why there are no changes from those servers in the
> changelog.
> [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial
> credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in
> keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC
> for requested realm)
> [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial
> credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in
> keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC
> for requested realm)
> [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial
> credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in
> keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC
> for requested realm)
> [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure. Minor code may provide more information (Credentials cache file
> '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
> [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure. Minor code may provide more information (Credentials cache file
> '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
> [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin -
> agmt="cn=meToserver9.domain.local" (server9:389): Replication bind with
> GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure:
> GSSAPI Error: Unspecified GSS failure. Minor code may provide more
> information (Credentials cache file '/tmp/krb5cc_495' not found))
> [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial
> credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in
> keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC
> for requested realm)
> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin -
> agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with
> GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure:
> GSSAPI Error: Unspecified GSS failure. Minor code may provide more
> information (Credentials cache file '/tmp/krb5cc_495' not found))
> [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure. Minor code may provide more information (Credentials cache file
> '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
> [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin -
> agmt="cn=meTobldvxl0011.domain.local" (1server:389): Replication bind with
> GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure:
> GSSAPI Error: Unspecified GSS failure. Minor code may provide more
> information (Credentials cache file '/tmp/krb5cc_495' not found))
> [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure. Minor code may provide more information (Credentials cache file
> '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
> [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin -
> agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with
> GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure:
> GSSAPI Error: Unspecified GSS failure. Minor code may provide more
> information (Credentials cache file '/tmp/krb5cc_495' not found))
> [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial
> credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in
> keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC
> for requested realm)
> [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial
> credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in
> keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC
> for requested realm)
> [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure. Minor code may provide more information (Credentials cache file
> '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
> [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin -
> agmt="cn=meToserver7.domain.local" (server7:389): Replication bind with
> GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure:
> GSSAPI Error: Unspecified GSS failure. Minor code may provide more
> information (Credentials cache file '/tmp/krb5cc_495' not found))
> [20/Jun/2016:13:59:48 -0400] - slapd started. Listening on All Interfaces
> port 389 for LDAP requests
> [20/Jun/2016:13:59:48 -0400] - Listening on All Interfaces port 636 for
> LDAPS requests
> [20/Jun/2016:13:59:48 -0400] - Listening
> on /var/run/slapd-DOMAIN-LOCAL.socket for LDAPI requests
> [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure. Minor code may provide more information (Credentials cache file
> '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
> [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin -
> agmt="cn=meToserver4.domain.local" (server4:389): Replication bind with
> GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure:
> GSSAPI Error: Unspecified GSS failure. Minor code may provide more
> information (Credentials cache file '/tmp/krb5cc_495' not found))
> [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial
> credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in
> keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC
> for requested realm)
> [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure. Minor code may provide more information (Credentials cache file
> '/tmp/krb5cc_495' not found)) errno 0 (Success)
> [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin -
> agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with
> GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure:
> GSSAPI Error: Unspecified GSS failure. Minor code may provide more
> information (Credentials cache file '/tmp/krb5cc_495' not found))
> [20/Jun/2016:13:59:51 -0400] NSMMReplicationPlugin -
> agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with
> GSSAPI auth resumed
> [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49
> (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure:
> gss_accept_sec_context) errno 0 (Success)
> [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
> [20/Jun/2016:13:59:51 -0400] NSMMReplicationPlugin -
> agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with
> GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13):
> authentication failure: GSSAPI Failure: gss_accept_sec_context)
> [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure. Minor code may provide more information (No credentials cache
> found)) errno 2 (No such file or directory)
> [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure. Minor code may provide more information (No credentials cache
> found)) errno 2 (No such file or directory)
> [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure. Minor code may provide more information (No credentials cache
> found)) errno 2 (No such file or directory)
> [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure. Minor code may provide more information (No credentials cache
> found)) errno 2 (No such file or directory)
> [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure.
> Minor code may provide more information (No credentials cache
> found)) errno 2 (No such file or directory)
> [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [20/Jun/2016:13:59:57 -0400] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49
> (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure:
> gss_accept_sec_context) errno 0 (Success)
> [20/Jun/2016:13:59:57 -0400] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
> [20/Jun/2016:13:59:57 -0400] NSMMReplicationPlugin -
> agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with
> GSSAPI auth resumed
>
> Sean Hogan
>
> From: Sean Hogan/Durham/IBM
> To: freeipa-users
> Date: 06/02/2016 09:24 AM
> Subject: IPA 3.0.47 to 3.0.50 Upgrade problem
>
> Hello All,
>
> Recently went from RHEL 6.7 IPA 3.0.47 to 6.8 IPA 3.0.50. I also think (not
> sure on this yet) that they changed ntp.. ntp used to point at my ipas..
> but they look like they are now pointing elsewhere. Everything was stable
> at 6.7 3.0.47 pointing to IPA for NTP. However.. they all seem to have the
> same date.
>
> My master first IPA is acting up. Replication is off, kerberos seems to be
> off, DNS is off and I think IPA in general on it is toast.
> We do have 8 IPAs.. only FirstMaster is acting up it seems right now and
> all either running on KVM or ESXI.
>
> [God at FirstMasterIPA slapd-DOMAIN-LOCAL]# kinit admin
> kinit: Generic error (see e-text) while getting initial credential
>
> slapd-DOMAIN-LOCAL
> [01/Jun/2016:18:25:43 -0400] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure. Minor code may provide more information (Cannot contact any KDC
> for realm 'DOMAIN.LOCAL')) errno 115 (Operation now in progress)
> [01/Jun/2016:18:25:43 -0400] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin -
> agmt="cn=meToipaserv2.domain.local" (ipaserv2:389): Replication bind with
> GSSAPI auth resumed
> [01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin -
> agmt="cn=meToipaserv3.domain.local" (ipaserv3:389): Replication bind with
> GSSAPI auth resumed
> [01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin -
> agmt="cn=meToipaserv4.domain.local" (ipaserv4:389): Replication bind with
> GSSAPI auth resumed
> [01/Jun/2016:18:25:48 -0400] NSMMReplicationPlugin -

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
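A small triage helper for the 389-ds errors-log excerpts quoted in this thread, added here as an example (it is not FreeIPA or 389-ds code): it keys on the exact message strings above, recovers the bind identity from the set_krb5_creds line, tracks the last state of each replication agreement, and orders the failures by cause. The log it runs on is constructed from the quoted lines, with '@' restored where the archive prints ' at '.

```python
"""Triage helper for the 389-ds errors-log GSSAPI bind failures quoted in
this thread. Added example, not FreeIPA or 389-ds code."""
import json
import re
from collections import Counter

# Constructed sample, modelled on the lines quoted above ('@' restored where the
# list archive prints ' at '; one line per log entry, as 389-ds writes them).
SAMPLE_LOG = """\
[20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local@DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
[20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver9.domain.local" (server9:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[20/Jun/2016:13:59:48 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[20/Jun/2016:13:59:51 -0400] NSMMReplicationPlugin - agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with GSSAPI auth resumed
[20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[20/Jun/2016:13:59:51 -0400] NSMMReplicationPlugin - agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
[20/Jun/2016:13:59:57 -0400] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with GSSAPI auth resumed
"""

# The exact message fragments seen in the thread; first match wins, so the
# root-cause messages are listed before the ones that merely follow from them.
PATTERNS = [
    ("kdc_unreachable", re.compile(r"Cannot contact any KDC")),
    ("ccache_missing", re.compile(r"Credentials cache file '[^']*' not found|No credentials cache found")),
    ("ticket_rejected", re.compile(r"error 49 \(Invalid credentials\)")),
    ("bind_resumed", re.compile(r"Replication bind with GSSAPI auth resumed")),
]
TS_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]")
AGMT_RE = re.compile(r'agmt="cn=(?P<agmt>[^"]+)" \((?P<peer>[^:)]+):\d+\)')
PRINCIPAL_RE = re.compile(r"principal \[(?P<princ>[^\]]+)\] in keytab \[(?P<keytab>[^\]]+)\]")

EXPLANATIONS = {
    "kdc_unreachable": ("set_krb5_creds could not get a TGT for the ldap/ principal from the "
                        "keytab because no KDC answered; check krb5kdc.log, resolution of the "
                        "KDC names and the clocks before looking at anything else."),
    "ccache_missing": ("the server's own ccache was never populated (a consequence of the failed "
                       "set_krb5_creds), so every outbound GSSAPI bind fails locally."),
    "ticket_rejected": ("the peer's gss_accept_sec_context rejected the ticket (LDAP error 49): "
                        "a KDC answered, but the ldap/ service key the peer holds does not match "
                        "the KDC's, or clocks disagree; compare the keytab kvno with the KDC."),
}


def classify_line(line):
    """Return a dict describing one errors-log line, or None when the line is not
    one of the GSSAPI/Kerberos bind messages this helper recognises."""
    for category, rx in PATTERNS:
        if not rx.search(line):
            continue
        d = {"category": category}
        m = TS_RE.match(line)
        if m:
            d["timestamp"] = m.group("ts")
        m = AGMT_RE.search(line)
        if m:  # replication-agreement lines name the peer we tried to bind to
            d["agreement"], d["peer"] = m.group("agmt"), m.group("peer")
        m = PRINCIPAL_RE.search(line)
        if m:  # set_krb5_creds lines name the identity used for every bind
            d["principal"], d["keytab"] = m.group("princ"), m.group("keytab")
        return d
    return None


def triage(log_text):
    """Summarise an errors log: counts per category, the bind identity the server
    used, the last state of each replication agreement, and what to fix first."""
    counts = Counter()
    identity = {}
    agreements = {}
    for line in log_text.splitlines():
        d = classify_line(line)
        if d is None:
            continue
        counts[d["category"]] += 1
        if "principal" in d:
            identity = {"principal": d["principal"], "keytab": d["keytab"]}
        if "agreement" in d:
            state = "resumed" if d["category"] == "bind_resumed" else "failed"
            agreements[d["agreement"]] = {"peer": d["peer"], "state": state,
                                          "reason": d["category"]}
    # An unreachable KDC explains the missing ccache, which explains the failed
    # binds, so report the earliest link of that chain that is present.
    first_to_fix = next((c for c in ("kdc_unreachable", "ccache_missing", "ticket_rejected")
                         if counts.get(c)), None)
    return {
        "counts": dict(counts),
        "bind_identity": identity,
        "agreements": agreements,
        "first_to_fix": first_to_fix,
        "explanation": EXPLANATIONS.get(first_to_fix, "no GSSAPI bind failures found"),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run it against a real /var/log/dirsrv/slapd-*/errors by passing the file contents to triage(); the "bind_identity" entry answers the later question of which identity the failing binds use.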
From geordie.grindle at gmail.com Wed Jun 22 15:54:10 2016
From: geordie.grindle at gmail.com (Geordie Grindle)
Date: Wed, 22 Jun 2016 11:54:10 -0400
Subject: [Freeipa-users] Kinit with 2-Factor not working
Message-ID: <470E6139-6B9E-430A-BEB2-271244FF0536@gmail.com>

Hello,

On our current IPA realm where we have not used 2-factor, we've been able to kinit to our FreeIPA realm from our laptops. All a Mac user needed to do, for example, was to configure a 'krb5.conf' file and then 'kinit user1 at OUR.IPA.REALM.COM'. This would allow us to work on our infrastructure without having to re-authenticate for the lifetime of our ticket-granting-ticket, usually the length of a work day.

We are building a new realm using 'ipa-server-4.2.0-15' and will be requiring 2-factor for authentication. So far it works well, meaning we can ssh to a jump host enrolled in our realm and from there move to other hosts in the realm without having to re-authenticate.

However, we can no longer 'kinit'. I've dug around in the webs and have concluded that either this is a known issue that is not yet fixed, or perhaps someone has fixed it but not yet shared how they got this to work.

How is this impacting anyone else? Does anyone have any helpful information they can share?

thanks,
Geordie Grindle
From sbose at redhat.com Wed Jun 22 16:29:20 2016
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 22 Jun 2016 18:29:20 +0200
Subject: [Freeipa-users] Kinit with 2-Factor not working
In-Reply-To: <470E6139-6B9E-430A-BEB2-271244FF0536@gmail.com>
References: <470E6139-6B9E-430A-BEB2-271244FF0536@gmail.com>
Message-ID: <20160622162920.GE17733@p.Speedport_W_724V_Typ_A_05011603_00_009>

On Wed, Jun 22, 2016 at 11:54:10AM -0400, Geordie Grindle wrote:
>
> Hello,
>
> On our current IPA realm where we have not used 2-factor, we've been able to kinit to our FreeIPA realm from our laptops. All a Mac user needed to do, for example, was to configure a 'krb5.conf' file and then 'kinit user1 at OUR.IPA.REALM.COM'. This would allow us to work on our infrastructure without having to re-authenticate for the lifetime of our ticket-granting-ticket, usually the length of a work day.
>
> We are building a new realm using 'ipa-server-4.2.0-15' and will be requiring 2-factor for authentication. So far it works well, meaning we can ssh to a jump host enrolled in our realm and from there move to other hosts in the realm without having to re-authenticate.
>
> However, we can no longer 'kinit'. I've dug around in the webs and have concluded that either this is a known issue that is not yet fixed, or perhaps someone has fixed it but not yet shared how they got this to work.

This is expected behaviour. See http://www.freeipa.org/page/V4/OTP for details, especially http://www.freeipa.org/page/V4/OTP#kinit_Method. Unfortunately in general you do not have a second ccache which can be used to get the needed armor ticket for FAST. There is ongoing work on SPAKE http://k5wiki.kerberos.org/wiki/Projects/SPAKE_preauth_prereqs and also anonymous pkinit on the IPA side to lift the requirement, but currently FAST and a second ccache are needed for OTP.

HTH

bye,
Sumit

>
> How is this impacting anyone else? Does anyone have any helpful information they can share?
>
> thanks,
> Geordie Grindle

From schogan at us.ibm.com Wed Jun 22 21:09:19 2016
From: schogan at us.ibm.com (Sean Hogan)
Date: Wed, 22 Jun 2016 14:09:19 -0700
Subject: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
In-Reply-To:
References: <79454fce-7e51-eebf-44eb-c7a472cef1fd@redhat.com>
Message-ID:

SLAPD showing

22/Jun/2016:17:01:59 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
[22/Jun/2016:17:06:59 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)

where would these creds be and what ID? I am using SASL so I assume it to be sasl_user DNS/FirstMaster.watson.local or something like that?

Sean Hogan

From: Sean Hogan/Durham/IBM at IBMUS
To: Petr Spacek
Cc: freeipa-users at redhat.com
Date: 06/22/2016 08:36 AM
Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
Sent by: freeipa-users-bounces at redhat.com

Hi Peter... Yes..... this has me doing loops in my head to /dev/null

You are correct I could not complete the BIND steps... I did them yesterday but did not post results as I wanted to stop bugging you all :) The initial credential section of that I could not complete nor can I get a keytab without it and I don't think I have an issue with cert versions (used the SASL section). The upgrade log from 3.47 to 3.50 on this one server did show an error with named though.

I had the box powered down again last night after testing the BIND procedures... and it's been up since then. Which makes me really not sure what is going on (DNS DOS from internal maybe?
I get a lot of outside requests showing network unreachable and I don't forward to an outside DNS). If it was a password/cert/cipher/file perm issue then I don't see how it can work at all after a reboot.

I am thinking it needs a rebuild.. I have not done this on a First Master IPA; is there anything I need to take into consideration with it being first master? Right now I have 8 IPAs all DNS, NTP and CAs on different vlans but the first master is the fail back IPA (on the only vlan that can talk to the others) in case their local vlan IPA dies. First Master is also the master CA in the realm where everything is enrolled to originally. We then mod everything to point to the vlan IPA with the Firstmaster as secondary with our vlan-specific scripts we run after ipa client install.

With the box rebooted last night I am now getting normal functionality but it prob won't last long as indicated from the past...

Working

[bob at FirstMaster ~]# kinit admin
Password for admin at DOMAIN.LOCAL:
Warning: Your password will expire in 6 days on Tue Jun 28 14:55:52 2016
[bob at FirstMaster ~]#

I did post ldap logs in my first email though... will readd them to this and when it dies off again I will add more.
Minor code may provide more information (No credentials cache > found)) errno 2 (No such file or directory) > [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:59:57 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 > (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: > gss_accept_sec_context) errno 0 (Success) > [20/Jun/2016:13:59:57 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) > [20/Jun/2016:13:59:57 -0400] NSMMReplicationPlugin - > agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with > GSSAPI auth resumed Sean Hogan Inactive hide details for Petr Spacek ---06/21/2016 10:20:43 PM---On 22.6.2016 02:56, Sean Hogan wrote: > More infoPetr Spacek ---06/21/2016 10:20:43 PM---On 22.6.2016 02:56, Sean Hogan wrote: > More info From: Petr Spacek To: freeipa-users at redhat.com Date: 06/21/2016 10:20 PM Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem Sent by: freeipa-users-bounces at redhat.com On 22.6.2016 02:56, Sean Hogan wrote: > More info > > > Krb5 log is showing: > Jun 21 20:42:47 Firstmaster.domain.local krb5kdc[2141](info): AS_REQ (4 > etypes {18 17 16 23}) 10.x.x.x: LOOKING_UP_CLIENT: admin at domain.LOCAL for > krbtgt/DOMAIN.LOCAL at DOMAIN.LOCAL, Server error Hello, this is really fishy. I would bet that there is a problem with LDAP server and DNS errors are just consequence of it. 
I suspect that you will not be able to finish steps mentioned in
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a3.FailedtoinitcredentialsorFailedtogetinitialcredentialsDecryptintegritycheckfailedorClientscredentialshavebeenrevoked

If it is the case I would turn your attention to krb5kdc.log and LDAP server logs in /var/log/dirsrv/*

There must be something wrong with the LDAP server.

Petr^2 Spacek

> [bob at Firstmaster etc]# kinit -v admin
> kinit: Credentials cache file '/tmp/krb5cc_0' not found while validating credentials
>
> Sean Hogan
>
> From: Sean Hogan/Durham/IBM
> To: freeipa-users
> Date: 06/21/2016 12:02 PM
> Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
>
> Has anyone seen these before?
>
> First Master IPA DNS logs show: Looks like the host names are getting the domain twice domain.local.domain.local
>
> client 10.x.x.x#58094: query failed (SERVFAIL) for server1.domain.local.domain.local/IN/AAAA at query.c:6569
> timeout in ldap_pool_getconnection(): try to raise 'connections' parameter; potential deadlock?
> client 10.x.x.x#44147: query failed (SERVFAIL) for x.x.x.10.in-addr.arpa/IN/PTR at query.c:6569
> timeout in ldap_pool_getconnection(): try to raise 'connections' parameter; potential deadlock?
> client 10.x.x.x#56466: query failed (SERVFAIL) for x.x.x.10.in-addr.arpa/IN/PTR at query.c:6569
> timeout in ldap_pool_getconnection(): try to raise 'connections' parameter; potential deadlock?
> client 10.x.x.x53367: query failed (SERVFAIL) for server2.domain.local.domain.local/IN/A at query.c:6569
> timeout in ldap_pool_getconnection(): try to raise 'connections' parameter; potential deadlock?
> client 10.x.x.x#53367: query failed (SERVFAIL) for server2.domain.local.domain.local/IN/AAAA at query.c:6569
>
> So enrolls are failing at this point when trying to enroll to a replica:
>
> [bob at server1 log]# ipa-client-install --enable-dns-updates
> Discovery was successful!
> Hostname: server1.watson.local
> Realm: DOMAIN.LOCAL
> DNS Domain: domain.local
> IPA Server: ipareplica.domain.local
> BaseDN: dc=domain,dc=local
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: bob
> Synchronizing time with KDC...
> Password for bob at DOMAIN.LOCAL:
> Successfully retrieved CA cert
> Subject: CN=Certificate Authority,O=DOMAIN.LOCAL
> Issuer: CN=Certificate Authority,O=DOMAIN.LOCAL
> Valid From: Tue Jan 06 19:37:09 2015 UTC
> Valid Until: Sat Jan 06 19:37:09 2035 UTC
>
> Enrolled in IPA realm DOMAIN.LOCAL
> Attempting to get host TGT...
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm DOMAIN.LOCAL
> trying https://ipareplica.domain.local/ipa/xml
> Cannot connect to the server due to Kerberos error: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('KDC returned error string: PROCESS_TGS', -1765328324)/. Trying with delegate=True
> trying https://ipareplica.domain.local/ipa/xml
> Second connect with delegate=True also failed: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('KDC returned error string: PROCESS_TGS', -1765328324)/
> Cannot connect to the IPA server XML-RPC interface: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('KDC returned error string: PROCESS_TGS', -1765328324)/
> Installation failed. Rolling back changes.
> Unenrolling client from IPA server
> Unenrolling host failed: Error obtaining initial credentials: Generic error (see e-text).
>
> Removing Kerberos service principals from /etc/krb5.keytab
> Disabling client Kerberos and LDAP configurations
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
> Restoring client configuration files
> nscd daemon is not installed, skip configuration
> nslcd daemon is not installed, skip configuration
> Client uninstall complete.
>
> Sean Hogan
>
> From: Sean Hogan/Durham/IBM
> To: Sean Hogan/Durham/IBM at IBMUS
> Cc: freeipa-users
> Date: 06/20/2016 12:49 PM
> Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
>
> Also seeing this in the upgrade log on the first master but not on the 7 ipas.
>
> ERROR Failed to restart named: Command '/sbin/service named restart ' returned non-zero exit status 7
>
> which led me to
>
> https://bugzilla.redhat.com/show_bug.cgi?id=895298
>
> Sean Hogan
>
> From: Sean Hogan/Durham/IBM at IBMUS
> To: freeipa-users
> Date: 06/20/2016 11:46 AM
> Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
> Sent by: freeipa-users-bounces at redhat.com
>
> Hi All..
>
> I thought we fixed this issue by rebooting the KVM host but it is showing again. Our First Master IPA is being rebooted 2 -5 times a day now just to keep it alive.
>
> What we are seeing:
>
> [god at FirstMaster log]# kinit admin
> kinit: Cannot contact any KDC for realm 'Domain.LOCAL' while getting initial credentials
>
> DNS is not working as nslookup is failing to a replica.... think once we lose DNS it all goes down hill which makes sense.
>
> [god at FirstMaster log]# ipactl stop -----> Just hangs forever.. no replies.. no error.. nothing
>
> I try service named stop and nothing happens
>
> I have the box hard shutdown from KVM console.
> Reboot it and it works for a little while but eventually back to same behavior.
>
> At this point I can service named stop and it responds... ipactl status and it responds.. but if I try service named restart I get
>
> [god at FirstMaster log]# service named stop
> Stopping named: ......
>
> [god at Firstmaster log]# service named start
> Starting named: [FAILED]
>
> [god at FirstMaster log]# service named status
> rndc: connect failed: 127.0.0.1#953: connection refused
> named dead but pid file exists
>
> Rebooted box and it is hung on shutting down domain-local and never fully shuts down.. have to get it hard shutdown again.
> During an attempt to gracefully shut down we see this
>
> Shutting Down dirsrv:
> PKI-IPA OK
> DOMAIN-LOCAL FAILED
> *** Error: 1 instance(s) unsuccessfully stopped FAILED
>
> Then it moves on to shut other things down and returns to dirsrv
> Shutting Down dirsrv:
> PKI-IPA....server already stopped FAILED {Makes sense.. it died earlier}
> DOMAIN-LOCAL... {this sits here til we hard shutdown}
>
> bind-libs-9.8.2-0.47.rc1.el6.x86_64
> bind-9.8.2-0.47.rc1.el6.x86_64
> bind-utils-9.8.2-0.47.rc1.el6.x86_64
>
> ipa-client-3.0.0-50.el6.1.x86_64
> ipa-server-selinux-3.0.0-50.el6.1.x86_64
> ipa-server-3.0.0-50.el6.1.x86_64
> sssd-ipa-1.13.3-22.el6.x86_64
>
> /var/log/dirsrv/slapd-DOMAIN-LOCAL
> [20/Jun/2016:13:29:06 -0400] - 389-Directory/1.2.11.15 B2016.063.2110 starting up
> [20/Jun/2016:13:29:06 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=domain,dc=local
> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - ruv_compare_ruv: RUV [database RUV] does not contain element [{replica 7} 55ca26a0000900070000 5688d8e6001000070000] which is present in RUV [changelog max RUV]
> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: for replica dc=domain,dc=local there were some differences between the changelog max RUV and the database RUV.
If there are obsolete elements in the database RUV, you should remove > them using the CLEANALLRUV task. If they are not obsolete, you should check > their status to see why there are no changes from those servers in the > changelog. > [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial > credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in > keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC > for requested realm) > [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial > credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in > keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC > for requested realm) > [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial > credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in > keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC > for requested realm) > [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. Minor code may provide more information (Credentials cache file > '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) > [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - > agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with > GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: > GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more > information (Credentials cache file '/tmp/krb5cc_495' not found)) > [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial > credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in > keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC > for requested realm) > [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. Minor code may provide more information (Credentials cache file > '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) > [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - > agmt="cn=meToserver9.domain.local" (server9:389): Replication bind with > GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: > GSSAPI Error: Unspecified GSS failure. Minor code may provide more > information (Credentials cache file '/tmp/krb5cc_495' not found)) > [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial > credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in > keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC > for requested realm) > [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. 
Minor code may provide more information (Credentials cache file > '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) > [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - > agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with > GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: > GSSAPI Error: Unspecified GSS failure. Minor code may provide more > information (Credentials cache file '/tmp/krb5cc_495' not found)) > [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial > credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in > keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC > for requested realm) > [20/Jun/2016:13:29:07 -0400] - slapd started. Listening on All Interfaces > port 389 for LDAP requests > [20/Jun/2016:13:29:07 -0400] - Listening on All Interfaces port 636 for > LDAPS requests > [20/Jun/2016:13:29:07 -0400] - Listening > on /var/run/slapd-DOMAIN-LOCAL.socket for LDAPI requests > [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial > credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in > keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC > for requested realm) > [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. 
Minor code may provide more information (Credentials cache file > '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) > [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - > agmt="cn=meToserver4.domain.local" (server4:389): Replication bind with > GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: > GSSAPI Error: Unspecified GSS failure. Minor code may provide more > information (Credentials cache file '/tmp/krb5cc_495' not found)) > [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. Minor code may provide more information (Credentials cache file > '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) > [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - > agmt="cn=meTo1server.domain.local" (1server:389): Replication bind with > GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: > GSSAPI Error: Unspecified GSS failure. Minor code may provide more > information (Credentials cache file '/tmp/krb5cc_495' not found)) > [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. 
Minor code may provide more information (Credentials cache file > '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) > [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - > agmt="cn=meToserver7.domain.local" (server7:389): Replication bind with > GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: > GSSAPI Error: Unspecified GSS failure. Minor code may provide more > information (Credentials cache file '/tmp/krb5cc_495' not found)) > [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 > (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > failure. Minor code may provide more information (Credentials cache file > '/tmp/krb5cc_495' not found)) errno 0 (Success) > [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform > interactive bind for id [] mech [GSSAPI]: error -2 (Local error) > [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - > agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with > GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: > GSSAPI Error: Unspecified GSS failure. Minor code may provide more > information (Credentials cache file '/tmp/krb5cc_495' not found)) > [20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin - -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... 
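The dirsrv error log above is what a first-master Kerberos outage looks like from the directory server's side: set_krb5_creds cannot reach a KDC, so every replication agreement's GSSAPI bind fails on a missing credential cache. As an added example (not code from this thread or from FreeIPA), the Python below groups those two kinds of entries so the root cause and the set of agreements still down stand out; the sample log lines are constructed after the format quoted in the thread.

```python
"""Triage 389-ds (dirsrv) error-log lines for GSSAPI replication-bind failures.

Added example, not part of the mailing-list thread or of FreeIPA itself.
It groups set_krb5_creds failures per principal/krb5 code and tracks the
last state of each replication agreement (failed vs. resumed), then maps
the evidence to the first thing to check.
"""
import re
from collections import Counter

# Constructed sample in the format quoted in the thread (not the real log).
SAMPLE_LOG = """\
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local@DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local@DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[20/Jun/2016:13:29:07 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[20/Jun/2016:13:59:57 -0400] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with GSSAPI auth resumed
"""

# Every dirsrv error-log entry starts with a bracketed timestamp.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<body>.*)$")
# Keytab-to-TGT failure: principal, keytab, krb5 error code and message.
KRB_RE = re.compile(
    r"set_krb5_creds - Could not get initial credentials for principal "
    r"\[(?P<princ>[^\]]+)\] in keytab \[(?P<keytab>[^\]]+)\]: "
    r"(?P<code>-?\d+) \((?P<msg>[^)]*)\)"
)
# Replication agreement bind state: "failed" or "resumed".
AGMT_RE = re.compile(
    r'NSMMReplicationPlugin - agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\): '
    r"Replication bind with GSSAPI auth (?P<state>failed|resumed)"
)
# Innermost GSSAPI minor-code text, e.g. the missing ccache path.
MINOR_RE = re.compile(r"Minor code may provide more information \(([^()]*)\)")


def triage(lines):
    """Group krb5 failures and the latest state per replication agreement."""
    kdc = Counter()   # (principal, krb5 code, message) -> occurrences
    agmts = {}        # agreement name -> last seen peer/state/reason/ts
    unparsed = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1
            continue
        ts, body = m.group("ts"), m.group("body")
        k = KRB_RE.search(body)
        if k:
            kdc[(k.group("princ"), int(k.group("code")), k.group("msg"))] += 1
            continue
        a = AGMT_RE.search(body)
        if a:
            minor = MINOR_RE.search(body)
            agmts[a.group("agmt")] = {
                "peer": a.group("peer"),
                "state": a.group("state"),
                "reason": minor.group(1) if minor else None,
                "ts": ts,
            }
    down = sorted(name for name, v in agmts.items() if v["state"] == "failed")
    return {"kdc_failures": kdc, "agreements": agmts, "down": down,
            "unparsed": unparsed}


def verdict(report):
    """Point at the first thing to check, KDC reachability before ccache."""
    kdc_msgs = {msg for (_, _, msg) in report["kdc_failures"]}
    reasons = {v["reason"] for v in report["agreements"].values() if v["reason"]}
    if any("Cannot contact any KDC" in m for m in kdc_msgs):
        return ("KDC unreachable: check krb5kdc and DNS resolution of the "
                "realm before touching replication")
    if any("redentials cache" in r for r in reasons):
        return "Directory server holds no usable ticket: keytab/ccache problem on this host"
    if report["down"]:
        return "Replication agreements failing for another reason: read the full error text"
    return "No replication bind failures in the sample"


if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    for (princ, code, msg), n in report["kdc_failures"].items():
        print(f"{n}x {princ}: krb5 {code} ({msg})")
    for name, info in report["agreements"].items():
        print(f"{name} -> {info['peer']}: {info['state']} {info['reason'] or ''}")
    print("Still down:", ", ".join(report["down"]) or "none")
    print("Verdict:", verdict(report))
```

Feed it the real file with `triage(open('/var/log/dirsrv/slapd-DOMAIN-LOCAL/errors').readlines())`; an agreement that later logs "resumed" drops out of the down list, so the list reflects the last known state, not every failure.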
From barrykfl at gmail.com Thu Jun 23 02:54:18 2016
From: barrykfl at gmail.com (barrykfl at gmail.com)
Date: Thu, 23 Jun 2016 10:54:18 +0800
Subject: [Freeipa-users] Where should the CA Location
Message-ID:

Hi :

I renew External CA cert below ...seem server-cert ok. But ca CERT FAIL.. I ALREADY PASTE ON

/etc/httpd/alias
/etc/dirsrv/slapd-PKI-IPA
/etc/dirsv/slapd-ABX-com
/var/lib/pki-ca/alias 's CA conf

any idea?

ABX-COM...[23/Jun/2016:10:42:32 +0800] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.)

From gjn at gjn.priv.at Thu Jun 23 08:32:11 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Thu, 23 Jun 2016 10:32:11 +0200
Subject: [Freeipa-users] new Webserver with Virtualhost (Certificates)
Message-ID: <1637217.2RFcqYVOSt@techz>

Hello,

I search now a long time for the correct installation a Webserver with FreeIPa.

I like to create a webserver for three "DOMAINS" with Virtualhost like
www.aaaaaaaa.bbb
www.bbbbbbbb.ccc
www.cccccccccc.ddd

is there a way to include the domains in krb5 on the FreeIPA Server

The second problem, I mean I have read, it is possible to add a 'subject alternate Name' to a certificate like HTTP/www.aaaaaaa.bbb but I can't found this again. :-)

Can any help, Thanks.

--
with kind regards / best regards,
Günther J. Niederwimmer

From jan.karasek at elostech.cz Thu Jun 23 11:31:09 2016
From: jan.karasek at elostech.cz (Jan Karásek)
Date: Thu, 23 Jun 2016 13:31:09 +0200 (CEST)
Subject: [Freeipa-users] AD trust with POSIX attributes
In-Reply-To:
References:
Message-ID: <673165300.926715.1466681469837.JavaMail.zimbra@elostech.cz>

Hi,

thank you for the answers.
May be I am doing something wrong.

1. AD attributes - I am using the standard set of user's attributes in AD - I did not extend the AD schema (2012 R2)
I am using set of attributes defined in RFC2307:
uidNumber
gidNumber
gecos
homeDirectory
loginShell

I am having troubles to find in documentation the names of attributes which IPA is able to read from AD . Could you please clarify if this is OK ? Could you please point me to some doc ...? I have read the Windows integration guide, but there was not enough details ...

2. Do I need to fill in user's attributes values before the trust is set up ?

3. If using Idviews in this case I would have to somehow copy information stored in AD into id views and keep them updated, which is huge overhead when you have hundreds or thousands users. That is why I need to read them directly from AD.

4. Is it possible to change the already established trust -without --range-type=ipa-ad-trust-posix to trust with POSIX range ? I mean without breaking the trust and reestablishing new one ?

Thanks a lot,
Jan

On Tue, Jun 21, 2016 at 01:55:54PM +0200, Jan Karásek wrote:
> Hi all,
>
> I have a questions about IPA with AD forest trust. What I am trying to do is setup environment, where all informations about users are stored in one place - AD. I would like to read at least uid, home, shell and sshkey from AD.
>
> I have set up trust with this parameters:
>
> ipa trust-add EXAMPLE.TT --type=ad --range-type=ipa-ad-trust-posix --admin=administrator

Did you add the POSIX attributes to AD after creating the trust maybe?
> [root at ipa1 ~]# ipa idrange-show EXAMPLE.TT_id_range
> Range name: EXAMPLE.TT_id_range
> First Posix ID of the range: 1392000000
> Number of IDs in the range: 200000
> Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756
> Range type: Active Directory trust range with POSIX attributes
>
> I have set attributes in AD for user at EXAMPLE.TT
> - uidNumber -10000
> - homeDirectory -/home/user
> - loginShell - /bin/bash
>
> Trust itself works fine. I can do kinit with user at EXAMPLE.TT , I can run id and getent passwd user at example.tt and I can use user at example.tt for ssh.
>
> Problem is, that I am not getting uid from AD but from idrange:
>
> uid=1392001107(user at example.tt)
>
> Also I have tried to switch off id mapping in sssd.conf with ldap_id_mapping = true in sssd.conf but no luck.

This has no effect, in IPA-AD trust scenario, the id mapping properties are managed on the server.

> I know, that it is probably better to use ID views for this, but in our case we need to set centrally managed environment, where all users information are externally inserted to AD from HR system - included POSIX attributes and we need IPA to read them from AD.

I think idviews are better for overriding POSIX attributes for a specific set of hosts, but in your environment, it sounds like you want to use the POSIX attributes across the board.

> So my questions are:
>
> Is it possible to read user's POSIX attributes directly from AD - namely uid ?

Yes

> Which atributes can be stored in AD ?

Homedir is a bit special, for backwards compatibility the subdomains_homedir takes precedence. The others should be read from AD. I don't have the environment set at the moment, though, so I'm operating purely from memory.

> Am I doing something wrong ?
> my sssd.conf:
> [domain/a.example.tt]
> debug_level = 5
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = a.example.tt
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ipa1.a.example.tt
> chpass_provider = ipa
> ipa_server = ipa1.a.example.tt
> ipa_server_mode = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> #ldap_id_mapping = true
> #subdomain_inherit = ldap_user_principal
> #ldap_user_principal = nosuchattribute
>
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
>
> domains = a.example.tt
> [nss]
> debug_level = 5
> homedir_substring = /home
> enum_cache_timeout = 2
> entry_negative_timeout = 2
>
> [pam]
> debug_level = 5
> [sudo]
>
> [autofs]
>
> [ssh]
> debug_level = 4
> [pac]
> debug_level = 4
> [ifp]
>
> Thanks,
> Jan

From BJB at jndata.dk Thu Jun 23 11:39:49 2016
From: BJB at jndata.dk (Bjarne Blichfeldt)
Date: Thu, 23 Jun 2016 11:39:49 +0000
Subject: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP (again)
Message-ID: <89213DDB84447F44A8E8950A5C2185E048251A2C@SJN01013.jnmain00.corp.jndata.net>

Following this thread from January:
https://www.redhat.com/archives/freeipa-users/2016-January/msg00223.html

I am trying to accomplish the same, but seems to be stuck.

My environment is:
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)
# ipa ping
-------------------------------------------
IPA server version 4.2.0. API version 2.156
-------------------------------------------
# rpm -qa | grep ipa-server
ipa-server-4.2.0-15.el7_2.15.x86_64

As the OP I have both a RootCA and a subCA. But I can't figure out how to install them. ipa-cacert-manage does not work, known bug.
I am testing by changing the server certificate for ldaps on an ipa replica and then run "ldapwhoami" and "ipa-replica-manage -v list" from the master ipa against the replica, but the replica server certificate is never accepted due to missing root certificate.

The problem is how to install the root certificates. I have tried:

Copy the root certificates to /etc/pki/ca-trust/source/anchors and run update-ca-trust - no go.

Installed the root Ca's in all the nssdb I could think of:

DIR="/etc/httpd/alias /etc/dirsrv/slapd-DNREST-DCBSYS-NET /etc/ipa/nssdb /etc/pki/nssdb"
for dir in $DIR ; do
certutil -d $dir -A -n ECBsubCA -i subCA-sha256.pem -t CT,T,T
certutil -d $dir -A -n ECBrootCA -i rootCA-sha256.pem -t CT,T,T
done

Also no go. I am out of ideas now.

--
Regards,
Bjarne

From bruno-barbosa at prodesan.com.br Thu Jun 23 12:44:26 2016
From: bruno-barbosa at prodesan.com.br (Bruno Henrique Barbosa)
Date: Thu, 23 Jun 2016 09:44:26 -0300 (BRT)
Subject: [Freeipa-users] Upgrade advice
In-Reply-To: <935920094.694113.1466685406280.JavaMail.root@prodesan.com.br>
Message-ID: <689699928.694453.1466685866363.JavaMail.root@prodesan.com.br>

Hi everyone,

I have setup a FreeIPA environment back in 2014, using at that moment, CentOS 6.5 and all ipa packages of version 3.0. We're studying a possible use of Fedora in some of our new demands and we thought about upgrading FreeIPA to the latest version. Since we have many many CentOS 6 boxes, we need to know if they will work with newer FreeIPA servers (4.3 specially) and if so, how hard is this upgrade process.

Thank you!
From striker at terranforge.com Thu Jun 23 13:18:05 2016
From: striker at terranforge.com (Striker Leggette)
Date: Thu, 23 Jun 2016 09:18:05 -0400
Subject: [Freeipa-users] Upgrade advice
In-Reply-To: <689699928.694453.1466685866363.JavaMail.root@prodesan.com.br>
References: <689699928.694453.1466685866363.JavaMail.root@prodesan.com.br>
Message-ID: <32057e64-b08a-37fb-6d20-98092403ca83@terranforge.com>

On 06/23/2016 08:44 AM, Bruno Henrique Barbosa wrote:
> Hi everyone,
>
> I have setup a FreeIPA environment back in 2014, using at that moment, CentOS 6.5 and all ipa packages of version 3.0. We're studying a possible use of Fedora in some of our new demands and we thought about upgrading FreeIPA to the latest version. Since we have many many CentOS 6 boxes, we need to know if they will work with newer FreeIPA servers (4.3 specially) and if so, how hard is this upgrade process.
>
> Thank you!

Henrique,

You can deploy a reproducer newer than the master. This would be the upgrade process before taking the old master offline. All custom schemas and data are carried over, so the effect should be transparent to the clients, as long as they are only using SRV record lookups for IPA.

Striker

From gjn at gjn.priv.at Thu Jun 23 13:27:49 2016
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Thu, 23 Jun 2016 15:27:49 +0200
Subject: [Freeipa-users] ipa-ods-exporter failed ?
In-Reply-To: <3bd573a9-8a31-0031-7f65-19d4c1aa48f7@redhat.com>
References: <3253760.hiacI6SPC6@techz> <4253691.QxeogKA5rI@techz> <3bd573a9-8a31-0031-7f65-19d4c1aa48f7@redhat.com>
Message-ID: <2310076.IhaplX0rCg@techz>

Hello Martin,

On Thursday, 23 June 2016, 15:02:18 CEST, Martin Basti wrote:
> On 20.06.2016 18:48, Günther J. Niederwimmer wrote:
> > Hello,
> >
> > On Monday, 20 June 2016, 09:54:11 CEST, Petr Spacek wrote:
> >> On 18.6.2016 15:03, Günther J.
> >> Niederwimmer wrote:
> >>> hello,
> >>>
> >>> On Friday, 17 June 2016, 23:05:32 CEST, Martin Basti wrote:
> >>>> On 17.06.2016 18:29, Günther J. Niederwimmer wrote:
> >>>>> Hello,
> >>>>>
> >>>>> On Friday, 17 June 2016, 14:13:55 CEST, Martin Basti wrote:
> >>>>>> On 17.06.2016 12:54, Günther J. Niederwimmer wrote:
> >>>>>>> Hello List,
> >>>>>>>
> >>>>>>> On Friday, 17 June 2016, 07:51:45 CEST, Petr Spacek wrote:
> >>>>>>>> On 16.6.2016 21:51, Lukas Slebodnik wrote:
> >>>>>>>>> On (16/06/16 11:54), Günther J. Niederwimmer wrote:
> >>>>>>>>>> Hello
> >>>>>>>>>>
> >>>>>>>>>> on my system the ods-exporter i mean have a problem.
> >>>>>>>>>>
> >>>>>>>>>> I have this in the logs
> >>>>>>>>>> CentOS 7.(2) ipa 4.3.1
> >>>>>>>>>>
> >>>>>>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
> >>>>>>>>>> Jun 16 11:38:28 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
> >>>>>>>>>>
> >>>>>>>>> ^^^^^^^^^^^^^^
> >>>>>>>>>
> >>>>>>>>> Here seems to be a reason why it failed.
> >>>>>>>>> But I can't help you more.
> >>>>>>>>
> >>>>>>>> Lukas is right. Interesting, this should never happen :-)
> >>>>>>>
> >>>>>>> this have I also found ;-)
> >>>>>>>
> >>>>>>>> Please enable debugging using procedure
> >>>>>>>> http://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data
> >>>>>>>> and check logs after next ipa-ods-exporter restart.
> >>>>>>>> Thank you!
> >>>>>>>
> >>>>>>> OK,
> >>>>>>>
> >>>>>>> I attach the messages log?
> >>>>>>>
> >>>>>>> I mean this is a problem with my DNS ?
> >>>>>>
> >>>>>> Hello,
> >>>>>> can you check kerberos status of ipa-ods-exporter service in webUI?
> >>>>>> identity/services/ipa-ods-exported/
> >>>>>> There should be kerberos status in right top corner in details view
> >>>>>
> >>>>> I have a
> >>>>> identity/services/ipa-ods-exporter/..
> >>>>>
> >>>>> with a "Kerberos Key Present, Service Provisioned"
> >>>>>
> >>>>> but no Certificate ?
> >>>>
> >>>> Can you try,
> >>>>
> >>>> # kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab ipa-ods-exporter/$(hostname)
> >>>
> >>> OK
> >>> I can do a "kinit -kt /etc/ipa/dnssec/ipa-ods-exporter.keytab ipa-ods-exporter/$(hostname)"
> >>>
> >>> written on one line!! is this OK.
> >>>
> >>>> and do ldapsearch
> >>>> # ldapsearch -Y GSSAPI
> >>>
> >>> and also ldapsearch is OK
> >>>
> >>>> It should show us if keytab is okay
> >>>
> >>> But the Error is present :-(.
> >>
> >> We need to see precise error. Please copy&paste it into the e-mail.
> >
> > that is it.
> >
> > Jun 20 18:44:36 ipa systemd: ipa-ods-exporter.service failed.
> >
> >> It would be awesome if you could follow general rules for bug reporting:
> >> http://www.chiark.greenend.org.uk/~sgtatham/bugs-de.html
> >>
> >> Besides other things it would allow us to help you in shorter time.
> >>
> >> Have a nice day!
>
> This is weird, It looks like your kerberos keytab is valid, but I have no idea why you are getting ticket expired messages. It should just kinit again.
>
> Can you please remove this ccache file?
> /var/opendnssec/tmp/ipa-ods-exporter.ccache

OK now i make a ipactl stop remove the ccache file and start ipa again.

to start the ods-exporter I have to wait a long time 1-2 min. ;-)

I send you the log without debug when you like this with debug tell me.
Jun 23 14:57:56 ipa ipa-ods-exporter: Traceback (most recent call last):
Jun 23 14:57:56 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in
Jun 23 14:57:56 ipa ipa-ods-exporter: ldap.gssapi_bind()
Jun 23 14:57:56 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind
Jun 23 14:57:56 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls)
Jun 23 14:57:56 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
Jun 23 14:57:56 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback)
Jun 23 14:57:56 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler
Jun 23 14:57:56 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
Jun 23 14:57:56 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 23 14:57:56 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE
Jun 23 14:57:56 ipa systemd: Unit ipa-ods-exporter.service entered failed state.
Jun 23 14:57:56 ipa systemd: ipa-ods-exporter.service failed.
Jun 23 14:58:01 ipa systemd: Created slice user-991.slice.
Jun 23 14:58:01 ipa systemd: Starting user-991.slice.
Jun 23 14:58:01 ipa systemd: Started Session 1580 of user pcp.
Jun 23 14:58:01 ipa systemd: Starting Session 1580 of user pcp.
Jun 23 14:58:01 ipa systemd: Removed slice user-991.slice.
Jun 23 14:58:01 ipa systemd: Stopping user-991.slice.
Jun 23 14:58:55 ipa kernel: freeipa-ldapIN=ens11 OUT= MAC=52:54:00:ce:9d:da:52:54:00:b9:6d:73:86:dd SRC=2001:0470:006f:08f1:0000:0000:0000:0214 DST=2001:0470:006f:08f1:0000:0000:0000:0204 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=59302 DPT=389 WINDOW=28800 RES=0x00 SYN URGP=0
Jun 23 14:58:56 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart.
Jun 23 14:58:56 ipa systemd: Started IPA OpenDNSSEC Signer replacement.
Jun 23 14:58:56 ipa systemd: Starting IPA OpenDNSSEC Signer replacement...
Jun 23 14:58:57 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running
Jun 23 14:58:57 ipa python2: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 23 14:58:57 ipa ipa-ods-exporter: Traceback (most recent call last):
Jun 23 14:58:57 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in
Jun 23 14:58:57 ipa ipa-ods-exporter: ldap.gssapi_bind()
Jun 23 14:58:57 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind
Jun 23 14:58:57 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls)
Jun 23 14:58:57 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
Jun 23 14:58:57 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback)
Jun 23 14:58:57 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler
Jun 23 14:58:57 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
Jun 23 14:58:57 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 23 14:58:58 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE
Jun 23 14:58:58 ipa systemd: Unit ipa-ods-exporter.service entered failed state.
Jun 23 14:58:58 ipa systemd: ipa-ods-exporter.service failed.
Jun 23 14:59:58 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart.
Jun 23 14:59:58 ipa systemd: Started IPA OpenDNSSEC Signer replacement.
Jun 23 14:59:58 ipa systemd: Starting IPA OpenDNSSEC Signer replacement...
Jun 23 14:59:58 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running
Jun 23 14:59:59 ipa python2: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 23 14:59:59 ipa ipa-ods-exporter: Traceback (most recent call last):
Jun 23 14:59:59 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in
Jun 23 14:59:59 ipa ipa-ods-exporter: ldap.gssapi_bind()
Jun 23 14:59:59 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind
Jun 23 14:59:59 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls)
Jun 23 14:59:59 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
Jun 23 14:59:59 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback)
Jun 23 14:59:59 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler
Jun 23 14:59:59 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
Jun 23 14:59:59 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 23 14:59:59 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE
Jun 23 14:59:59 ipa systemd: Unit ipa-ods-exporter.service entered failed state.
Jun 23 14:59:59 ipa systemd: ipa-ods-exporter.service failed.
Jun 23 15:00:01 ipa systemd: Started Session 1581 of user root.
Jun 23 15:00:01 ipa systemd: Starting Session 1581 of user root.
Jun 23 15:00:59 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart. Jun 23 15:00:59 ipa systemd: Started IPA OpenDNSSEC Signer replacement. Jun 23 15:00:59 ipa systemd: Starting IPA OpenDNSSEC Signer replacement... Jun 23 15:01:00 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running Jun 23 15:01:00 ipa python2: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) Jun 23 15:01:00 ipa ipa-ods-exporter: Traceback (most recent call last): Jun 23 15:01:00 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods- exporter", line 656, in Jun 23 15:01:00 ipa ipa-ods-exporter: ldap.gssapi_bind() Jun 23 15:01:00 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ ipapython/ipaldap.py", line 1085, in gssapi_bind Jun 23 15:01:00 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls) Jun 23 15:01:00 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/ contextlib.py", line 35, in __exit__ Jun 23 15:01:00 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback) Jun 23 15:01:00 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ ipapython/ipaldap.py", line 992, in error_handler Jun 23 15:01:00 ipa ipa-ods-exporter: raise errors.ACIError(info=info) Jun 23 15:01:00 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) Jun 23 15:01:01 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE Jun 23 15:01:01 ipa systemd: Unit ipa-ods-exporter.service entered failed state. Jun 23 15:01:01 ipa systemd: ipa-ods-exporter.service failed. Jun 23 15:01:01 ipa systemd: Started Session 1582 of user root. Jun 23 15:01:01 ipa systemd: Starting Session 1582 of user root. Jun 23 15:02:01 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart. 
Jun 23 15:02:01 ipa systemd: Started IPA OpenDNSSEC Signer replacement. Jun 23 15:02:01 ipa systemd: Starting IPA OpenDNSSEC Signer replacement... Jun 23 15:02:01 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running Jun 23 15:02:02 ipa python2: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) Jun 23 15:02:02 ipa ipa-ods-exporter: Traceback (most recent call last): Jun 23 15:02:02 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods- exporter", line 656, in Jun 23 15:02:02 ipa ipa-ods-exporter: ldap.gssapi_bind() Jun 23 15:02:02 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ ipapython/ipaldap.py", line 1085, in gssapi_bind Jun 23 15:02:02 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls) Jun 23 15:02:02 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/ contextlib.py", line 35, in __exit__ Jun 23 15:02:02 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback) Jun 23 15:02:02 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ ipapython/ipaldap.py", line 992, in error_handler Jun 23 15:02:02 ipa ipa-ods-exporter: raise errors.ACIError(info=info) Jun 23 15:02:02 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) Jun 23 15:02:02 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE Jun 23 15:02:02 ipa systemd: Unit ipa-ods-exporter.service entered failed state. Jun 23 15:02:02 ipa systemd: ipa-ods-exporter.service failed. Jun 23 15:03:02 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart. Jun 23 15:03:02 ipa systemd: Started IPA OpenDNSSEC Signer replacement. Jun 23 15:03:02 ipa systemd: Starting IPA OpenDNSSEC Signer replacement... 
Jun 23 15:03:03 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running Jun 23 15:03:03 ipa python2: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) Jun 23 15:03:03 ipa ipa-ods-exporter: Traceback (most recent call last): Jun 23 15:03:03 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods- exporter", line 656, in Jun 23 15:03:03 ipa ipa-ods-exporter: ldap.gssapi_bind() Jun 23 15:03:03 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ ipapython/ipaldap.py", line 1085, in gssapi_bind Jun 23 15:03:03 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls) Jun 23 15:03:03 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/ contextlib.py", line 35, in __exit__ Jun 23 15:03:03 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback) Jun 23 15:03:03 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ ipapython/ipaldap.py", line 992, in error_handler Jun 23 15:03:03 ipa ipa-ods-exporter: raise errors.ACIError(info=info) Jun 23 15:03:03 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) Jun 23 15:03:04 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE Jun 23 15:03:04 ipa systemd: Unit ipa-ods-exporter.service entered failed state. Jun 23 15:03:04 ipa systemd: ipa-ods-exporter.service failed. Jun 23 15:03:57 ipa kernel: freeipa-ldapIN=ens11 OUT= MAC=52:54:00:ce:9d:da: 52:54:00:b9:6d:73:86:dd SRC=2001:0470:006f:08f1:0000:0000:0000:0214 DST=2001:0470:006f:08f1:0000:0000:0000:0204 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=59303 DPT=389 WINDOW=28800 RES=0x00 SYN URGP=0 Jun 23 15:04:04 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart. Jun 23 15:04:04 ipa systemd: Started IPA OpenDNSSEC Signer replacement. 
Jun 23 15:04:04 ipa systemd: Starting IPA OpenDNSSEC Signer replacement... Jun 23 15:04:04 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running Jun 23 15:04:05 ipa python2: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) Jun 23 15:04:05 ipa ipa-ods-exporter: Traceback (most recent call last): Jun 23 15:04:05 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods- exporter", line 656, in Jun 23 15:04:05 ipa ipa-ods-exporter: ldap.gssapi_bind() Jun 23 15:04:05 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ ipapython/ipaldap.py", line 1085, in gssapi_bind Jun 23 15:04:05 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls) Jun 23 15:04:05 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/ contextlib.py", line 35, in __exit__ Jun 23 15:04:05 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback) Jun 23 15:04:05 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ ipapython/ipaldap.py", line 992, in error_handler Jun 23 15:04:05 ipa ipa-ods-exporter: raise errors.ACIError(info=info) Jun 23 15:04:05 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) Jun 23 15:04:05 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE Jun 23 15:04:05 ipa systemd: Unit ipa-ods-exporter.service entered failed state. Jun 23 15:04:05 ipa systemd: ipa-ods-exporter.service failed. Jun 23 15:05:05 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart. Jun 23 15:05:05 ipa systemd: Started IPA OpenDNSSEC Signer replacement. Jun 23 15:05:05 ipa systemd: Starting IPA OpenDNSSEC Signer replacement... Jun 23 15:05:06 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running Jun 23 15:05:06 ipa python2: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Ticket expired) Jun 23 15:05:06 ipa ipa-ods-exporter: Traceback (most recent call last): Jun 23 15:05:06 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods- exporter", line 656, in Jun 23 15:05:06 ipa ipa-ods-exporter: ldap.gssapi_bind() Jun 23 15:05:06 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ ipapython/ipaldap.py", line 1085, in gssapi_bind Jun 23 15:05:06 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls) Jun 23 15:05:06 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/ contextlib.py", line 35, in __exit__ Jun 23 15:05:06 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback) Jun 23 15:05:06 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ ipapython/ipaldap.py", line 992, in error_handler Jun 23 15:05:06 ipa ipa-ods-exporter: raise errors.ACIError(info=info) Jun 23 15:05:06 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) Jun 23 15:05:07 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE Jun 23 15:05:07 ipa systemd: Unit ipa-ods-exporter.service entered failed state. Jun 23 15:05:07 ipa systemd: ipa-ods-exporter.service failed. Jun 23 15:05:33 ipa named-pkcs11[7543]: error (connection refused) resolving 'centos.chi.host-engine.com/A/IN': 190.0.163.18#53 Jun 23 15:06:07 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart. Jun 23 15:06:07 ipa systemd: Started IPA OpenDNSSEC Signer replacement. Jun 23 15:06:07 ipa systemd: Starting IPA OpenDNSSEC Signer replacement... Jun 23 15:06:07 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running Jun 23 15:06:08 ipa python2: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Ticket expired) Jun 23 15:06:08 ipa ipa-ods-exporter: Traceback (most recent call last): Jun 23 15:06:08 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods- exporter", line 656, in Jun 23 15:06:08 ipa ipa-ods-exporter: ldap.gssapi_bind() Jun 23 15:06:08 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ ipapython/ipaldap.py", line 1085, in gssapi_bind Jun 23 15:06:08 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls) Jun 23 15:06:08 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/ contextlib.py", line 35, in __exit__ Jun 23 15:06:08 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback) Jun 23 15:06:08 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ ipapython/ipaldap.py", line 992, in error_handler Jun 23 15:06:08 ipa ipa-ods-exporter: raise errors.ACIError(info=info) Jun 23 15:06:08 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) Jun 23 15:06:08 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE Jun 23 15:06:08 ipa systemd: Unit ipa-ods-exporter.service entered failed state. Jun 23 15:06:08 ipa systemd: ipa-ods-exporter.service failed. Jun 23 15:07:08 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart. Jun 23 15:07:08 ipa systemd: Started IPA OpenDNSSEC Signer replacement. Jun 23 15:07:08 ipa systemd: Starting IPA OpenDNSSEC Signer replacement... Jun 23 15:07:09 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running Jun 23 15:07:09 ipa python2: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Ticket expired) Jun 23 15:07:09 ipa ipa-ods-exporter: Traceback (most recent call last): Jun 23 15:07:09 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods- exporter", line 656, in Jun 23 15:07:09 ipa ipa-ods-exporter: ldap.gssapi_bind() Jun 23 15:07:09 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ ipapython/ipaldap.py", line 1085, in gssapi_bind Jun 23 15:07:09 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls) Jun 23 15:07:09 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/ contextlib.py", line 35, in __exit__ Jun 23 15:07:09 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback) Jun 23 15:07:09 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ ipapython/ipaldap.py", line 992, in error_handler Jun 23 15:07:09 ipa ipa-ods-exporter: raise errors.ACIError(info=info) Jun 23 15:07:09 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) Jun 23 15:07:10 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE Jun 23 15:07:10 ipa systemd: Unit ipa-ods-exporter.service entered failed state. Jun 23 15:07:10 ipa systemd: ipa-ods-exporter.service failed. Jun 23 15:08:10 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart. Jun 23 15:08:10 ipa systemd: Started IPA OpenDNSSEC Signer replacement. Jun 23 15:08:10 ipa systemd: Starting IPA OpenDNSSEC Signer replacement... Jun 23 15:08:10 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running Jun 23 15:08:11 ipa python2: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Ticket expired) Jun 23 15:08:11 ipa ipa-ods-exporter: Traceback (most recent call last): Jun 23 15:08:11 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods- exporter", line 656, in Jun 23 15:08:11 ipa ipa-ods-exporter: ldap.gssapi_bind() Jun 23 15:08:11 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ ipapython/ipaldap.py", line 1085, in gssapi_bind Jun 23 15:08:11 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls) Jun 23 15:08:11 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/ contextlib.py", line 35, in __exit__ Jun 23 15:08:11 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback) Jun 23 15:08:11 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ ipapython/ipaldap.py", line 992, in error_handler Jun 23 15:08:11 ipa ipa-ods-exporter: raise errors.ACIError(info=info) Jun 23 15:08:11 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) Jun 23 15:08:11 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE Jun 23 15:08:11 ipa systemd: Unit ipa-ods-exporter.service entered failed state. Jun 23 15:08:11 ipa systemd: ipa-ods-exporter.service failed. Jun 23 15:09:01 ipa kernel: freeipa-ldapIN=ens11 OUT= MAC=52:54:00:ce:9d:da: 52:54:00:b9:6d:73:86:dd SRC=2001:0470:006f:08f1:0000:0000:0000:0214 DST=2001:0470:006f:08f1:0000:0000:0000:0204 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=59328 DPT=389 WINDOW=28800 RES=0x00 SYN URGP=0 Jun 23 15:09:11 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart. Jun 23 15:09:11 ipa systemd: Started IPA OpenDNSSEC Signer replacement. Jun 23 15:09:11 ipa systemd: Starting IPA OpenDNSSEC Signer replacement... 
Jun 23 15:09:12 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running Jun 23 15:09:12 ipa python2: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) Jun 23 15:09:12 ipa ipa-ods-exporter: Traceback (most recent call last): Jun 23 15:09:12 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods- exporter", line 656, in Jun 23 15:09:12 ipa ipa-ods-exporter: ldap.gssapi_bind() Jun 23 15:09:12 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ ipapython/ipaldap.py", line 1085, in gssapi_bind Jun 23 15:09:12 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls) Jun 23 15:09:12 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/ contextlib.py", line 35, in __exit__ Jun 23 15:09:12 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback) Jun 23 15:09:12 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ ipapython/ipaldap.py", line 992, in error_handler Jun 23 15:09:12 ipa ipa-ods-exporter: raise errors.ACIError(info=info) Jun 23 15:09:12 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) Jun 23 15:09:13 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE Jun 23 15:09:13 ipa systemd: Unit ipa-ods-exporter.service entered failed state. Jun 23 15:09:13 ipa systemd: ipa-ods-exporter.service failed. Jun 23 15:10:01 ipa systemd: Started Session 1583 of user root. Jun 23 15:10:01 ipa systemd: Starting Session 1583 of user root. Jun 23 15:10:13 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart. Jun 23 15:10:13 ipa systemd: Started IPA OpenDNSSEC Signer replacement. Jun 23 15:10:13 ipa systemd: Starting IPA OpenDNSSEC Signer replacement... 
Jun 23 15:10:13 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running Jun 23 15:10:14 ipa python2: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) Jun 23 15:10:14 ipa ipa-ods-exporter: Traceback (most recent call last): Jun 23 15:10:14 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods- exporter", line 656, in Jun 23 15:10:14 ipa ipa-ods-exporter: ldap.gssapi_bind() Jun 23 15:10:14 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ ipapython/ipaldap.py", line 1085, in gssapi_bind Jun 23 15:10:14 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls) Jun 23 15:10:14 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/ contextlib.py", line 35, in __exit__ Jun 23 15:10:14 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback) Jun 23 15:10:14 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ ipapython/ipaldap.py", line 992, in error_handler Jun 23 15:10:14 ipa ipa-ods-exporter: raise errors.ACIError(info=info) Jun 23 15:10:14 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) Jun 23 15:10:14 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE Jun 23 15:10:14 ipa systemd: Unit ipa-ods-exporter.service entered failed state. Jun 23 15:10:14 ipa systemd: ipa-ods-exporter.service failed. 
Jun 23 15:11:09 ipa kernel: freeipa-ldapIN=ens10 OUT= MAC=52:54:00:90:fc:c3:0c:c4:7a:02:25:02:08:00 SRC=89.26.108.4 DST=89.26.108.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54309 DF PROTO=TCP SPT=37400 DPT=389 WINDOW=29200 RES=0x00 SYN URGP=0 Jun 23 15:11:09 ipa kernel: freeipa-ldapsIN=ens10 OUT= MAC=52:54:00:90:fc:c3:0c:c4:7a:02:25:02:08:00 SRC=89.26.108.4 DST=89.26.108.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4218 DF PROTO=TCP SPT=41544 DPT=88 WINDOW=29200 RES=0x00 SYN URGP=0 Jun 23 15:11:09 ipa kernel: freeipa-ldapIN=ens10 OUT= MAC=52:54:00:90:fc:c3:0c:c4:7a:02:25:02:08:00 SRC=89.26.108.4 DST=89.26.108.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4218 DF PROTO=TCP SPT=41544 DPT=88 WINDOW=29200 RES=0x00 SYN URGP=0 Jun 23 15:11:09 ipa kernel: freeipa-ldapsIN=ens10 OUT= MAC=52:54:00:90:fc:c3:0c:c4:7a:02:25:02:08:00 SRC=89.26.108.4 DST=89.26.108.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=62257 DF PROTO=TCP SPT=41545 DPT=88 WINDOW=29200 RES=0x00 SYN URGP=0 Jun 23 15:11:09 ipa kernel: freeipa-ldapIN=ens10 OUT= MAC=52:54:00:90:fc:c3:0c:c4:7a:02:25:02:08:00 SRC=89.26.108.4 DST=89.26.108.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=62257 DF PROTO=TCP SPT=41545 DPT=88 WINDOW=29200 RES=0x00 SYN URGP=0 Jun 23 15:11:09 ipa kernel: freeipa-ldapsIN=ens10 OUT= MAC=52:54:00:90:fc:c3:0c:c4:7a:02:25:02:08:00 SRC=89.26.108.4 DST=89.26.108.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43717 DF PROTO=TCP SPT=41546 DPT=88 WINDOW=29200 RES=0x00 SYN URGP=0 Jun 23 15:11:09 ipa kernel: freeipa-ldapIN=ens10 OUT= MAC=52:54:00:90:fc:c3:0c:c4:7a:02:25:02:08:00 SRC=89.26.108.4 DST=89.26.108.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43717 DF PROTO=TCP SPT=41546 DPT=88 WINDOW=29200 RES=0x00 SYN URGP=0 Jun 23 15:11:12 ipa kernel: freeipa-ldapIN=ens11 OUT= MAC=52:54:00:ce:9d:da: 52:54:00:b9:6d:73:86:dd SRC=2001:0470:006f:08f1:0000:0000:0000:0214 DST=2001:0470:006f:08f1:0000:0000:0000:0204 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=59329 DPT=389 WINDOW=28800 RES=0x00 SYN URGP=0 Jun 23 15:11:14 ipa systemd: ipa-ods-exporter.service 
holdoff time over, scheduling restart. Jun 23 15:11:14 ipa systemd: Started IPA OpenDNSSEC Signer replacement. Jun 23 15:11:14 ipa systemd: Starting IPA OpenDNSSEC Signer replacement... Jun 23 15:11:15 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running Jun 23 15:11:15 ipa python2: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) Jun 23 15:11:15 ipa ipa-ods-exporter: Traceback (most recent call last): Jun 23 15:11:15 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods- exporter", line 656, in Jun 23 15:11:15 ipa ipa-ods-exporter: ldap.gssapi_bind() Jun 23 15:11:15 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ ipapython/ipaldap.py", line 1085, in gssapi_bind Jun 23 15:11:15 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls) Jun 23 15:11:15 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/ contextlib.py", line 35, in __exit__ Jun 23 15:11:15 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback) Jun 23 15:11:15 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ ipapython/ipaldap.py", line 992, in error_handler Jun 23 15:11:15 ipa ipa-ods-exporter: raise errors.ACIError(info=info) Jun 23 15:11:15 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) Jun 23 15:11:16 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE Jun 23 15:11:16 ipa systemd: Unit ipa-ods-exporter.service entered failed state. Jun 23 15:11:16 ipa systemd: ipa-ods-exporter.service failed. 
Jun 23 15:11:54 ipa kernel: freeipa-ldapIN=ens10 OUT= MAC=52:54:00:90:fc:c3:52:54:00:47:17:d2:08:00 SRC=89.26.108.9 DST=89.26.108.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=15401 DF PROTO=TCP SPT=35252 DPT=389 WINDOW=29200 RES=0x00 SYN URGP=0 Jun 23 15:11:54 ipa kernel: freeipa-ldapsIN=ens10 OUT= MAC=52:54:00:90:fc:c3:52:54:00:47:17:d2:08:00 SRC=89.26.108.9 DST=89.26.108.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18772 DF PROTO=TCP SPT=59206 DPT=88 WINDOW=29200 RES=0x00 SYN URGP=0 Jun 23 15:11:54 ipa kernel: freeipa-ldapIN=ens10 OUT= MAC=52:54:00:90:fc:c3:52:54:00:47:17:d2:08:00 SRC=89.26.108.9 DST=89.26.108.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18772 DF PROTO=TCP SPT=59206 DPT=88 WINDOW=29200 RES=0x00 SYN URGP=0 Jun 23 15:11:54 ipa kernel: freeipa-ldapsIN=ens10 OUT= MAC=52:54:00:90:fc:c3:52:54:00:47:17:d2:08:00 SRC=89.26.108.9 DST=89.26.108.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61685 DF PROTO=TCP SPT=59207 DPT=88 WINDOW=29200 RES=0x00 SYN URGP=0 Jun 23 15:11:54 ipa kernel: freeipa-ldapIN=ens10 OUT= MAC=52:54:00:90:fc:c3:52:54:00:47:17:d2:08:00 SRC=89.26.108.9 DST=89.26.108.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61685 DF PROTO=TCP SPT=59207 DPT=88 WINDOW=29200 RES=0x00 SYN URGP=0 Jun 23 15:12:16 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart. Jun 23 15:12:16 ipa systemd: Started IPA OpenDNSSEC Signer replacement. Jun 23 15:12:16 ipa systemd: Starting IPA OpenDNSSEC Signer replacement... Jun 23 15:12:16 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running Jun 23 15:12:17 ipa python2: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (Ticket expired) Jun 23 15:12:17 ipa ipa-ods-exporter: Traceback (most recent call last): Jun 23 15:12:17 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods- exporter", line 656, in Jun 23 15:12:17 ipa ipa-ods-exporter: ldap.gssapi_bind() Jun 23 15:12:17 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ ipapython/ipaldap.py", line 1085, in gssapi_bind Jun 23 15:12:17 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls) Jun 23 15:12:17 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/ contextlib.py", line 35, in __exit__ Jun 23 15:12:17 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback) Jun 23 15:12:17 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ ipapython/ipaldap.py", line 992, in error_handler Jun 23 15:12:17 ipa ipa-ods-exporter: raise errors.ACIError(info=info) Jun 23 15:12:17 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) Jun 23 15:12:17 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE Jun 23 15:12:17 ipa systemd: Unit ipa-ods-exporter.service entered failed state. Jun 23 15:12:17 ipa systemd: ipa-ods-exporter.service failed. Jun 23 15:12:18 ipa systemd-logind: New session 1584 of user root. Jun 23 15:12:18 ipa systemd: Started Session 1584 of user root. Jun 23 15:12:18 ipa systemd: Starting Session 1584 of user root. 
Jun 23 15:12:18 ipa dbus[534]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
Jun 23 15:12:18 ipa dbus-daemon: dbus[534]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
Jun 23 15:12:18 ipa dbus[534]: [system] Successfully activated service 'org.freedesktop.problems'
Jun 23 15:12:18 ipa dbus-daemon: dbus[534]: [system] Successfully activated service 'org.freedesktop.problems'
Jun 23 15:12:30 ipa kernel: freeipa-ldapIN=ens11 OUT= MAC=52:54:00:ce:9d:da:52:54:00:b9:6d:73:86:dd SRC=2001:0470:006f:08f1:0000:0000:0000:0214 DST=2001:0470:006f:08f1:0000:0000:0000:0204 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=59330 DPT=389 WINDOW=28800 RES=0x00 SYN URGP=0
Jun 23 15:12:30 ipa systemd: Stopping IPA key daemon...
Jun 23 15:12:30 ipa ipa-dnskeysyncd: ipa : INFO Signal 15 received: Shutting down!
Jun 23 15:12:30 ipa systemd: Stopped IPA key daemon.
Jun 23 15:12:30 ipa systemd: Stopping OpenDNSSEC Enforcer daemon...
Jun 23 15:12:30 ipa ods-enforcerd: Received SIGTERM, exiting...
Jun 23 15:12:30 ipa ods-enforcerd: all done! hsm_close result: 0
Jun 23 15:12:30 ipa systemd: Stopped OpenDNSSEC Enforcer daemon.
Jun 23 15:12:30 ipa systemd: Stopped IPA OpenDNSSEC Signer replacement.
Jun 23 15:12:30 ipa systemd: Started IPA OpenDNSSEC Signer replacement.
Jun 23 15:12:30 ipa systemd: Starting IPA OpenDNSSEC Signer replacement...
Jun 23 15:12:30 ipa systemd: Stopping ipa-otpd socket.
Jun 23 15:12:30 ipa systemd: Closed ipa-otpd socket.
Jun 23 15:12:30 ipa systemd: Stopped target PKI Tomcat Server.
Jun 23 15:12:30 ipa systemd: Stopping PKI Tomcat Server.
Jun 23 15:12:30 ipa systemd: Stopping PKI Tomcat Server pki-tomcat...
Jun 23 15:12:30 ipa systemd: Stopping IPA Custodia Service...
Jun 23 15:12:30 ipa systemd: Stopped IPA Custodia Service.
Jun 23 15:12:30 ipa server: Java virtual machine used: /usr/lib/jvm/jre/bin/java
Jun 23 15:12:30 ipa server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Jun 23 15:12:30 ipa server: main class used: org.apache.catalina.startup.Bootstrap
Jun 23 15:12:30 ipa server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni
Jun 23 15:12:30 ipa server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
Jun 23 15:12:30 ipa server: arguments used: stop
Jun 23 15:12:30 ipa systemd: Stopping The Apache HTTP Server...
Jun 23 15:12:31 ipa server: Jun 23, 2016 3:12:31 PM org.apache.catalina.core.StandardServer await
Jun 23 15:12:31 ipa server: INFO: A valid shutdown command was received via the shutdown port. Stopping the Server instance.
Jun 23 15:12:31 ipa server: PKIListener: org.apache.catalina.core.StandardServer[before_stop]
Jun 23 15:12:31 ipa server: PKIListener: org.apache.catalina.core.StandardServer[stop]
Jun 23 15:12:31 ipa server: PKIListener: org.apache.catalina.core.StandardServer[configure_stop]
Jun 23 15:12:31 ipa server: Jun 23, 2016 3:12:31 PM org.apache.coyote.AbstractProtocol pause
Jun 23 15:12:31 ipa server: INFO: Pausing ProtocolHandler ["http-bio-8080"]
Jun 23 15:12:31 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running
Jun 23 15:12:31 ipa systemd: Stopped PKI Tomcat Server pki-tomcat.
Jun 23 15:12:32 ipa systemd: Stopped The Apache HTTP Server.
Jun 23 15:12:32 ipa systemd: Stopping IPA memcached daemon, increases IPA server performance...
Jun 23 15:12:32 ipa systemd: Stopped IPA memcached daemon, increases IPA server performance.
Jun 23 15:12:32 ipa systemd: Stopping Berkeley Internet Name Domain (DNS) with native PKCS#11...
Jun 23 15:12:32 ipa named-pkcs11[7543]: received control channel command 'stop'
Jun 23 15:12:32 ipa named-pkcs11[7543]: shutting down: flushing changes
Jun 23 15:12:32 ipa named-pkcs11[7543]: stopping command channel on 127.0.0.1#953
Jun 23 15:12:32 ipa named-pkcs11[7543]: stopping command channel on ::1#953
Jun 23 15:12:32 ipa named-pkcs11[7543]: zone 1.f.8.0.f.6.0.0.0.7.4.0.1.0.0.2.ip6.arpa/IN: shutting down
Jun 23 15:12:32 ipa named-pkcs11[7543]: zone 4gjn.com/IN (signed): shutting down
Jun 23 15:12:32 ipa named-pkcs11[7543]: zone 4gjn.com/IN (unsigned): shutting down
Jun 23 15:12:32 ipa named-pkcs11[7543]: no longer listening on ::#53
Jun 23 15:12:32 ipa named-pkcs11[7543]: no longer listening on 127.0.0.1#53
Jun 23 15:12:32 ipa named-pkcs11[7543]: no longer listening on 89.26.108.6#53
Jun 23 15:12:32 ipa named-pkcs11[7543]: no longer listening on 192.168.55.204#53
Jun 23 15:12:32 ipa named-pkcs11[7543]: no longer listening on 192.168.100.204#53
Jun 23 15:12:32 ipa named-pkcs11[7543]: exiting
Jun 23 15:12:32 ipa systemd: Stopped Berkeley Internet Name Domain (DNS) with native PKCS#11.
Jun 23 15:12:32 ipa systemd: Stopping Kerberos 5 Password-changing and Administration...
Jun 23 15:12:32 ipa systemd: kadmin.service: main process exited, code=exited, status=2/INVALIDARGUMENT
Jun 23 15:12:32 ipa systemd: Stopped Kerberos 5 Password-changing and Administration.
Jun 23 15:12:32 ipa systemd: Unit kadmin.service entered failed state.
Jun 23 15:12:32 ipa systemd: kadmin.service failed.
Jun 23 15:12:32 ipa systemd: Stopping Kerberos 5 KDC...
Jun 23 15:12:32 ipa systemd: Stopped Kerberos 5 KDC.
Jun 23 15:12:32 ipa systemd: Stopping 389 Directory Server 4GJN-COM....
Jun 23 15:12:32 ipa python2: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 23 15:12:32 ipa ipa-ods-exporter: Traceback (most recent call last):
Jun 23 15:12:32 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 656, in <module>
Jun 23 15:12:32 ipa ipa-ods-exporter: ldap.gssapi_bind()
Jun 23 15:12:32 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1085, in gssapi_bind
Jun 23 15:12:32 ipa ipa-ods-exporter: '', auth_tokens, server_controls, client_controls)
Jun 23 15:12:32 ipa ipa-ods-exporter: File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
Jun 23 15:12:32 ipa ipa-ods-exporter: self.gen.throw(type, value, traceback)
Jun 23 15:12:32 ipa ipa-ods-exporter: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 992, in error_handler
Jun 23 15:12:32 ipa ipa-ods-exporter: raise errors.ACIError(info=info)
Jun 23 15:12:32 ipa ipa-ods-exporter: ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 23 15:12:32 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE
Jun 23 15:12:32 ipa systemd: Unit ipa-ods-exporter.service entered failed state.
Jun 23 15:12:32 ipa systemd: ipa-ods-exporter.service failed.
Jun 23 15:12:34 ipa systemd: Stopped 389 Directory Server 4GJN-COM..
Jun 23 15:13:30 ipa systemd: Starting 389 Directory Server 4GJN-COM....
Jun 23 15:13:30 ipa systemd: Started 389 Directory Server 4GJN-COM..
Jun 23 15:13:30 ipa ns-slapd: [23/Jun/2016:15:13:30 +0200] - SSL alert: Security Initialization: Enabling default cipher set.
Jun 23 15:13:30 ipa ns-slapd: [23/Jun/2016:15:13:30 +0200] - SSL alert: Configured NSS Ciphers
Jun 23 15:13:30 ipa ns-slapd: [23/Jun/2016:15:13:30 +0200] - SSL alert: #011TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
Jun 23 15:13:30 ipa ns-slapd: [23/Jun/2016:15:13:30 +0200] - SSL alert: #011TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
Jun 23 15:13:30 ipa ns-slapd: [23/Jun/2016:15:13:30 +0200] - SSL alert: #011TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
Jun 23 15:13:30 ipa ns-slapd: [23/Jun/2016:15:13:30 +0200] - SSL alert: #011TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
Jun 23 15:13:30 ipa ns-slapd: [23/Jun/2016:15:13:30 +0200] - SSL alert: #011TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
Jun 23 15:13:30 ipa ns-slapd: [23/Jun/2016:15:13:30 +0200] - SSL alert: #011TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
Jun 23 15:13:31 ipa ns-slapd: [23/Jun/2016:15:13:31 +0200] - SSL alert: #011TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Jun 23 15:13:31 ipa ns-slapd: [23/Jun/2016:15:13:31 +0200] - SSL alert: #011TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
Jun 23 15:13:31 ipa ns-slapd: [23/Jun/2016:15:13:31 +0200] - SSL alert: #011TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
Jun 23 15:13:31 ipa ns-slapd: [23/Jun/2016:15:13:31 +0200] - SSL alert: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
Jun 23 15:13:31 ipa ns-slapd: [23/Jun/2016:15:13:31 +0200] - SSL alert: #011TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
Jun 23 15:13:31 ipa ns-slapd: [23/Jun/2016:15:13:31 +0200] - SSL alert: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
Jun 23 15:13:31 ipa ns-slapd: [23/Jun/2016:15:13:31 +0200] - SSL alert: #011TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
Jun 23 15:13:31 ipa ns-slapd: [23/Jun/2016:15:13:31 +0200] - SSL alert: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
Jun 23 15:13:31 ipa ns-slapd: [23/Jun/2016:15:13:31 +0200] - SSL alert: #011TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
Jun 23 15:13:31 ipa ns-slapd: [23/Jun/2016:15:13:31 +0200] - SSL alert: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
Jun 23 15:13:31 ipa ns-slapd: [23/Jun/2016:15:13:31 +0200] - SSL alert: #011TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
Jun 23 15:13:31 ipa ns-slapd: [23/Jun/2016:15:13:31 +0200] - SSL alert: #011TLS_RSA_WITH_AES_256_CBC_SHA: enabled
Jun 23 15:13:31 ipa ns-slapd: [23/Jun/2016:15:13:31 +0200] - SSL alert: #011TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
Jun 23 15:13:31 ipa ns-slapd: [23/Jun/2016:15:13:31 +0200] - SSL alert: #011TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
Jun 23 15:13:31 ipa ns-slapd: [23/Jun/2016:15:13:31 +0200] - SSL alert: #011TLS_RSA_WITH_AES_128_CBC_SHA: enabled
Jun 23 15:13:31 ipa ns-slapd: [23/Jun/2016:15:13:31 +0200] - SSL alert: #011TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
Jun 23 15:13:31 ipa ns-slapd: [23/Jun/2016:15:13:31 +0200] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
Jun 23 15:13:32 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart.
Jun 23 15:13:32 ipa systemd: Started IPA OpenDNSSEC Signer replacement.
Jun 23 15:13:32 ipa systemd: Starting IPA OpenDNSSEC Signer replacement...
Jun 23 15:13:32 ipa [sssd[ldap_child[26829]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Cannot contact any KDC for realm '4GJN.COM'. Unable to create GSSAPI-encrypted LDAP connection.
Jun 23 15:13:32 ipa [sssd[ldap_child[26829]]]: Cannot contact any KDC for realm '4GJN.COM'
Jun 23 15:13:33 ipa systemd: Starting Kerberos 5 KDC...
Jun 23 15:13:33 ipa systemd: PID file /var/run/krb5kdc.pid not readable (yet?) after start.
Jun 23 15:13:33 ipa systemd: Started Kerberos 5 KDC.
Jun 23 15:13:33 ipa systemd: Starting Kerberos 5 Password-changing and Administration...
Jun 23 15:13:33 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running
Jun 23 15:13:33 ipa systemd: PID file /var/run/kadmind.pid not readable (yet?) after start.
Jun 23 15:13:33 ipa systemd: Started Kerberos 5 Password-changing and Administration.
Jun 23 15:13:33 ipa systemd: Starting Generate rndc key for BIND (DNS)...
Jun 23 15:13:33 ipa systemd: Started Generate rndc key for BIND (DNS).
Jun 23 15:13:33 ipa systemd: Starting Berkeley Internet Name Domain (DNS) with native PKCS#11...
Jun 23 15:13:33 ipa bash: zone localhost.localdomain/IN: loaded serial 0
Jun 23 15:13:33 ipa bash: zone localhost/IN: loaded serial 0
Jun 23 15:13:33 ipa bash: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Jun 23 15:13:33 ipa bash: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Jun 23 15:13:33 ipa bash: zone 0.in-addr.arpa/IN: loaded serial 0
Jun 23 15:13:33 ipa named-pkcs11[26870]: starting BIND 9.9.4-RedHat-9.9.4-29.el7_2.3 -u named
Jun 23 15:13:33 ipa named-pkcs11[26870]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--enable-rrl' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--enable-exportlib' '--with-export-libdir=/usr/lib64' '--with-export-includedir=/usr/include' '--includedir=/usr/include/bind9' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE'
Jun 23 15:13:33 ipa named-pkcs11[26870]: ----------------------------------------------------
Jun 23 15:13:33 ipa named-pkcs11[26870]: BIND 9 is maintained by Internet Systems Consortium,
Jun 23 15:13:33 ipa named-pkcs11[26870]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Jun 23 15:13:33 ipa named-pkcs11[26870]: corporation. Support and training for BIND 9 are
Jun 23 15:13:33 ipa named-pkcs11[26870]: available at https://www.isc.org/support
Jun 23 15:13:33 ipa named-pkcs11[26870]: ----------------------------------------------------
Jun 23 15:13:33 ipa named-pkcs11[26870]: adjusted limit on open files from 4096 to 1048576
Jun 23 15:13:33 ipa named-pkcs11[26870]: found 2 CPUs, using 2 worker threads
Jun 23 15:13:33 ipa named-pkcs11[26870]: using 2 UDP listeners per interface
Jun 23 15:13:33 ipa named-pkcs11[26870]: using up to 4096 sockets
Jun 23 15:13:33 ipa named-pkcs11[26870]: loading configuration from '/etc/named.conf'
Jun 23 15:13:33 ipa named-pkcs11[26870]: reading built-in trusted keys from file '/etc/named.iscdlv.key'
Jun 23 15:13:33 ipa named-pkcs11[26870]: using default UDP/IPv4 port range: [1024, 65535]
Jun 23 15:13:33 ipa named-pkcs11[26870]: using default UDP/IPv6 port range: [1024, 65535]
Jun 23 15:13:33 ipa named-pkcs11[26870]: listening on IPv6 interfaces, port 53
Jun 23 15:13:33 ipa named-pkcs11[26870]: listening on IPv4 interface lo, 127.0.0.1#53
Jun 23 15:13:33 ipa named-pkcs11[26870]: listening on IPv4 interface ens10, 89.26.108.6#53
Jun 23 15:13:33 ipa named-pkcs11[26870]: listening on IPv4 interface eth0, 192.168.55.204#53
Jun 23 15:13:33 ipa named-pkcs11[26870]: listening on IPv4 interface eth1, 192.168.100.204#53
Jun 23 15:13:33 ipa named-pkcs11[26870]: generating session key for dynamic DNS
Jun 23 15:13:33 ipa named-pkcs11[26870]: sizing zone task pool based on 6 zones
Jun 23 15:13:33 ipa named-pkcs11[26870]: /etc/named.conf:16: no forwarders seen; disabling forwarding
Jun 23 15:13:33 ipa named-pkcs11[26870]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'
Jun 23 15:13:33 ipa named-pkcs11[26870]: bind-dyndb-ldap version 8.0 compiled at 15:16:02 Nov 20 2015, compiler 4.8.5 20150623 (Red Hat 4.8.5-4)
Jun 23 15:13:33 ipa named-pkcs11[26870]: option 'serial_autoincrement' is not supported, ignoring
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 10.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 16.172.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 17.172.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 18.172.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 19.172.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 20.172.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 21.172.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 22.172.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 23.172.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 24.172.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 25.172.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 26.172.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 27.172.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 28.172.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 29.172.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 30.172.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 31.172.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 168.192.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 64.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 65.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 66.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 67.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 68.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 69.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 70.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 71.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 72.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 73.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 74.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 75.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 76.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 77.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 78.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 79.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 80.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 81.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 82.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 83.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 84.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 85.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 86.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 87.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 88.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 89.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 90.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 91.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 92.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 93.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 94.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 95.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 96.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 97.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 98.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 99.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 100.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 101.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 102.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 103.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 104.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 105.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 106.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 107.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 108.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 109.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 110.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 111.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 112.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 113.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 114.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 115.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 116.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 117.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 118.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 119.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 120.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 121.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 122.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 123.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 124.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 125.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 126.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 127.100.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 127.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 254.169.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 100.51.198.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 113.0.203.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: D.F.IP6.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 8.E.F.IP6.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 9.E.F.IP6.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: A.E.F.IP6.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: B.E.F.IP6.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Jun 23 15:13:33 ipa named-pkcs11[26870]: /etc/named.conf:16: no forwarders seen; disabling forwarding
Jun 23 15:13:33 ipa named-pkcs11[26870]: command channel listening on 127.0.0.1#953
Jun 23 15:13:33 ipa named-pkcs11[26870]: command channel listening on ::1#953
Jun 23 15:13:33 ipa named-pkcs11[26870]: managed-keys-zone: journal file is out of date: removing journal file
Jun 23 15:13:33 ipa named-pkcs11[26870]: managed-keys-zone: loaded serial 97
Jun 23 15:13:33 ipa named-pkcs11[26870]: zone 0.in-addr.arpa/IN: loaded serial 0
Jun 23 15:13:33 ipa named-pkcs11[26870]: zone localhost/IN: loaded serial 0
Jun 23 15:13:33 ipa named-pkcs11[26870]: zone localhost.localdomain/IN: loaded serial 0
Jun 23 15:13:33 ipa named-pkcs11[26870]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Jun 23 15:13:33 ipa named-pkcs11[26870]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Jun 23 15:13:33 ipa named-pkcs11[26870]: all zones loaded
Jun 23 15:13:33 ipa named-pkcs11[26870]: running
Jun 23 15:13:33 ipa named-pkcs11[26870]: LDAP instance 'ipa' is being synchronized, please ignore message 'all zones loaded'
Jun 23 15:13:33 ipa systemd: Started Berkeley Internet Name Domain (DNS) with native PKCS#11.
Jun 23 15:13:33 ipa systemd: Starting IPA memcached daemon, increases IPA server performance...
Jun 23 15:13:33 ipa systemd: PID file /var/run/ipa_memcached/ipa_memcached.pid not readable (yet?) after start.
Jun 23 15:13:33 ipa systemd: Started IPA memcached daemon, increases IPA server performance.
Jun 23 15:13:33 ipa systemd: Starting The Apache HTTP Server...
Jun 23 15:13:33 ipa ipa-httpd-kdcproxy: ipa : INFO KDC proxy enabled
Jun 23 15:13:34 ipa named-pkcs11[26870]: zone 4gjn.com/IN: reconfiguring NSEC3PARAM to '1 0 10 65ba2cbb5f87cba8'
Jun 23 15:13:34 ipa systemd: Started The Apache HTTP Server.
Jun 23 15:13:34 ipa named-pkcs11[26870]: zone 1.f.8.0.f.6.0.0.0.7.4.0.1.0.0.2.ip6.arpa/IN: loaded serial 1466687614
Jun 23 15:13:34 ipa named-pkcs11[26870]: zone 4gjn.com/IN (unsigned): loaded serial 1466687614
Jun 23 15:13:34 ipa named-pkcs11[26870]: zone 4gjn.com/IN (signed): signing in progress
Jun 23 15:13:34 ipa named-pkcs11[26870]: zone 4gjn.com/IN (signed): reconfiguring NSEC3PARAM to '1 0 10 65ba2cbb5f87cba8'
Jun 23 15:13:34 ipa named-pkcs11[26870]: 2 master zones from LDAP instance 'ipa' loaded (2 zones defined, 0 inactive, 0 failed to load)
Jun 23 15:13:34 ipa named-pkcs11[26870]: zone 4gjn.com/IN (signed): loaded serial 1466687614
Jun 23 15:13:34 ipa named-pkcs11[26870]: zone 4gjn.com/IN (signed): could not get zone keys for secure dynamic update
Jun 23 15:13:34 ipa named-pkcs11[26870]: zone 4gjn.com/IN (signed): receive_secure_serial: unchanged
Jun 23 15:13:34 ipa named-pkcs11[26870]: zone 1.f.8.0.f.6.0.0.0.7.4.0.1.0.0.2.ip6.arpa/IN: sending notifies (serial 1466687614)
Jun 23 15:13:34 ipa named-pkcs11[26870]: zone 4gjn.com/IN (signed): sending notifies (serial 1466687615)
Jun 23 15:13:34 ipa named-pkcs11[26870]: zone 4gjn.com/IN (signed): reconfiguring zone keys
Jun 23 15:13:34 ipa systemd: Started IPA Custodia Service.
Jun 23 15:13:34 ipa systemd: Starting IPA Custodia Service...
Jun 23 15:13:34 ipa named-pkcs11[26870]: zone 4gjn.com/IN (signed): zone_addnsec3chain(1,INITIAL|CREATE,10,65BA2CBB5F87CBA8)
Jun 23 15:13:34 ipa named-pkcs11[26870]: zone 4gjn.com/IN (signed): next key event: 23-Jun-2016 16:13:34.510
Jun 23 15:13:34 ipa named-pkcs11[26870]: checkhints: unable to get root NS rrset from cache: not found
Jun 23 15:13:34 ipa systemd: Configuration file /usr/lib/systemd/system/pki-tomcatd.target is marked executable. Please remove executable permission bits. Proceeding anyway.
Jun 23 15:13:34 ipa systemd: Configuration file /lib/systemd/system/pki-tomcatd@.service is marked executable. Please remove executable permission bits. Proceeding anyway.
Jun 23 15:13:34 ipa systemd: Starting PKI Tomcat Server pki-tomcat...
Jun 23 15:13:35 ipa ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)
Jun 23 15:13:35 ipa /usr/libexec/ipa/ipa-ods-exporter: new replica keys in LDAP: set([])
Jun 23 15:13:35 ipa /usr/libexec/ipa/ipa-ods-exporter: obsolete replica keys in local HSM: set([])
Jun 23 15:13:35 ipa /usr/libexec/ipa/ipa-ods-exporter: keys in local HSM & LDAP: set(['0xc223e02cb4ec2fb2abcb829a0548119e'])
Jun 23 15:13:35 ipa /usr/libexec/ipa/ipa-ods-exporter: keys in local HSM & LDAP: set(['0x6145b3b71c448dfc1130d0f9d2caac79', '0xd7fe5c98d5f3f89aefb9e8dfb92ebcb1'])
Jun 23 15:13:35 ipa /usr/libexec/ipa/ipa-ods-exporter: keys in local HSM & LDAP: set(['0x6145b3b71c448dfc1130d0f9d2caac79', '0xd7fe5c98d5f3f89aefb9e8dfb92ebcb1'])
Jun 23 15:13:35 ipa ipa-ods-exporter: Traceback (most recent call last):
Jun 23 15:13:35 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 694, in <module>
Jun 23 15:13:35 ipa ipa-ods-exporter: send_systemd_reply(conn, msg)
Jun 23 15:13:35 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods-exporter", line 520, in send_systemd_reply
Jun 23 15:13:35 ipa ipa-ods-exporter: conn.send(reply + '\n')
Jun 23 15:13:35 ipa ipa-ods-exporter: socket.error: [Errno 32] Broken pipe
Jun 23 15:13:35 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE
Jun 23 15:13:35 ipa systemd: Unit ipa-ods-exporter.service entered failed state.
Jun 23 15:13:35 ipa systemd: ipa-ods-exporter.service failed.
Jun 23 15:13:36 ipa systemd: Started PKI Tomcat Server pki-tomcat.
Jun 23 15:13:36 ipa systemd: Reached target PKI Tomcat Server.
Jun 23 15:13:36 ipa systemd: Starting PKI Tomcat Server.
Jun 23 15:13:36 ipa server: Java virtual machine used: /usr/lib/jvm/jre/bin/java
Jun 23 15:13:36 ipa server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
Jun 23 15:13:36 ipa server: main class used: org.apache.catalina.startup.Bootstrap
Jun 23 15:13:36 ipa server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni
Jun 23 15:13:36 ipa server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
Jun 23 15:13:36 ipa server: arguments used: start
Jun 23 15:13:37 ipa server: Jun 23, 2016 3:13:37 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 23 15:13:37 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property.
Jun 23 15:13:37 ipa server: Jun 23, 2016 3:13:37 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 23 15:13:37 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://ipa.4gjn.com:9080/ca/ocsp' did not find a matching property.
Jun 23 15:13:37 ipa server: Jun 23, 2016 3:13:37 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 23 15:13:37 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property.
Jun 23 15:13:37 ipa server: Jun 23, 2016 3:13:37 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 23 15:13:37 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property.
Jun 23 15:13:37 ipa server: Jun 23, 2016 3:13:37 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 23 15:13:37 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
Jun 23 15:13:37 ipa server: Jun 23, 2016 3:13:37 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 23 15:13:37 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
Jun 23 15:13:37 ipa server: Jun 23, 2016 3:13:37 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 23 15:13:37 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property.
Jun 23 15:13:37 ipa server: Jun 23, 2016 3:13:37 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 23 15:13:37 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property.
Jun 23 15:13:37 ipa server: Jun 23, 2016 3:13:37 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 23 15:13:37 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching property.
Jun 23 15:13:37 ipa server: Jun 23, 2016 3:13:37 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 23 15:13:37 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property.
Jun 23 15:13:37 ipa server: Jun 23, 2016 3:13:37 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 23 15:13:37 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Jun 23 15:13:37 ipa server: Jun 23, 2016 3:13:37 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 23 15:13:37 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property.
Jun 23 15:13:37 ipa server: Jun 23, 2016 3:13:37 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 23 15:13:37 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property.
Jun 23 15:13:37 ipa server: Jun 23, 2016 3:13:37 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 23 15:13:37 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property.
Jun 23 15:13:37 ipa server: Jun 23, 2016 3:13:37 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 23 15:13:37 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256' did not find a matching property.
Jun 23 15:13:37 ipa server: Jun 23, 2016 3:13:37 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 23 15:13:37 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property.
Jun 23 15:13:37 ipa server: Jun 23, 2016 3:13:37 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 23 15:13:37 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property.
Jun 23 15:13:37 ipa server: Jun 23, 2016 3:13:37 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 23 15:13:37 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property.
Jun 23 15:13:37 ipa server: Jun 23, 2016 3:13:37 PM org.apache.catalina.startup.SetAllPropertiesRule begin
Jun 23 15:13:37 ipa server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
Jun 23 15:13:37 ipa server: Jun 23, 2016 3:13:37 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
Jun 23 15:13:37 ipa server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
Jun 23 15:13:37 ipa server: Jun 23, 2016 3:13:37 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
Jun 23 15:13:37 ipa server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property.
Jun 23 15:13:37 ipa server: PKIListener: org.apache.catalina.core.StandardServer[before_init]
Jun 23 15:13:37 ipa server: Jun 23, 2016 3:13:37 PM org.apache.coyote.AbstractProtocol init
Jun 23 15:13:37 ipa server: INFO: Initializing ProtocolHandler ["http-bio-8080"]
Jun 23 15:13:37 ipa server: Jun 23, 2016 3:13:37 PM org.apache.coyote.AbstractProtocol init
Jun 23 15:13:37 ipa server: INFO: Initializing ProtocolHandler ["http-bio-8443"]
Jun 23 15:13:37 ipa server: Error: SSL cipher "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
Jun 23 15:13:37 ipa server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" not recognized by tomcatjss
Jun 23 15:13:37 ipa server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" not recognized by tomcatjss
Jun 23 15:13:37 ipa server: Error: SSL cipher "TLS_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
Jun 23 15:13:37 ipa server: Error: SSL cipher "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
Jun 23 15:13:37 ipa server: Error: SSL cipher "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
Jun 23 15:13:37 ipa server: Error: SSL cipher "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" unsupported by NSS
Jun 23 15:13:37 ipa server: Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" unsupported by NSS
Jun 23 15:13:37 ipa server: Jun 23, 2016 3:13:37 PM org.apache.coyote.AbstractProtocol init
Jun 23 15:13:37 ipa server: INFO: Initializing ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Jun 23 15:13:37 ipa server: PKIListener: org.apache.catalina.core.StandardServer[after_init]
Jun 23 15:13:37 ipa server: Jun 23, 2016 3:13:37 PM org.apache.catalina.startup.Catalina load
Jun 23 15:13:37 ipa server: INFO: Initialization processed in 613 ms
Jun 23 15:13:37 ipa server: PKIListener: org.apache.catalina.core.StandardServer[before_start]
Jun 23 15:13:37 ipa server: PKIListener: org.apache.catalina.core.StandardServer[configure_start]
Jun 23 15:13:37 ipa server: PKIListener:
org.apache.catalina.core.StandardServer[start] Jun 23 15:13:37 ipa server: Jun 23, 2016 3:13:37 PM org.apache.catalina.core.StandardService startInternal Jun 23 15:13:37 ipa server: INFO: Starting service Catalina Jun 23 15:13:37 ipa server: Jun 23, 2016 3:13:37 PM org.apache.catalina.core.StandardEngine startInternal Jun 23 15:13:37 ipa server: INFO: Starting Servlet Engine: Apache Tomcat/ 7.0.54 Jun 23 15:13:37 ipa server: Jun 23, 2016 3:13:37 PM org.apache.catalina.startup.HostConfig deployDescriptor Jun 23 15:13:37 ipa server: INFO: Deploying configuration descriptor /etc/pki/ pki-tomcat/Catalina/localhost/ROOT.xml Jun 23 15:13:38 ipa server: Jun 23, 2016 3:13:38 PM org.apache.catalina.startup.HostConfig deployDescriptor Jun 23 15:13:38 ipa server: INFO: Deployment of configuration descriptor /etc/ pki/pki-tomcat/Catalina/localhost/ROOT.xml has finished in 1,135 ms Jun 23 15:13:38 ipa server: Jun 23, 2016 3:13:38 PM org.apache.catalina.startup.HostConfig deployDescriptor Jun 23 15:13:38 ipa server: INFO: Deploying configuration descriptor /etc/pki/ pki-tomcat/Catalina/localhost/pki#admin.xml Jun 23 15:13:39 ipa server: Jun 23, 2016 3:13:39 PM org.apache.catalina.startup.HostConfig deployDescriptor Jun 23 15:13:39 ipa server: INFO: Deployment of configuration descriptor /etc/ pki/pki-tomcat/Catalina/localhost/pki#admin.xml has finished in 734 ms Jun 23 15:13:39 ipa server: Jun 23, 2016 3:13:39 PM org.apache.catalina.startup.HostConfig deployDescriptor Jun 23 15:13:39 ipa server: INFO: Deploying configuration descriptor /etc/pki/ pki-tomcat/Catalina/localhost/pki#js.xml Jun 23 15:13:39 ipa named-pkcs11[26870]: zone 1.f.8.0.f. 
6.0.0.0.7.4.0.1.0.0.2.ip6.arpa/IN: sending notifies (serial 1466687614) Jun 23 15:13:39 ipa named-pkcs11[26870]: zone 4gjn.com/IN (signed): sending notifies (serial 1466687634) Jun 23 15:13:40 ipa server: Jun 23, 2016 3:13:40 PM org.apache.catalina.startup.HostConfig deployDescriptor Jun 23 15:13:40 ipa server: INFO: Deployment of configuration descriptor /etc/ pki/pki-tomcat/Catalina/localhost/pki#js.xml has finished in 815 ms Jun 23 15:13:40 ipa server: Jun 23, 2016 3:13:40 PM org.apache.catalina.startup.HostConfig deployDescriptor Jun 23 15:13:40 ipa server: INFO: Deploying configuration descriptor /etc/pki/ pki-tomcat/Catalina/localhost/ca.xml Jun 23 15:13:40 ipa server: SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback Jun 23 15:13:40 ipa server: SSLAuthenticatorWithFallback: Setting container Jun 23 15:13:41 ipa server: SSLAuthenticatorWithFallback: Initializing authenticators Jun 23 15:13:41 ipa server: SSLAuthenticatorWithFallback: Starting authenticators Jun 23 15:13:41 ipa server: CMSEngine.initializePasswordStore() begins Jun 23 15:13:41 ipa server: CMSEngine.initializePasswordStore(): tag=internaldb Jun 23 15:13:41 ipa server: CMSEngine.initializePasswordStore(): tag=replicationdb Jun 23 15:13:42 ipa kernel: freeipa-ldapIN=ens11 OUT= MAC=52:54:00:ce:9d:da: 52:54:00:b9:6d:73:86:dd SRC=2001:0470:006f:08f1:0000:0000:0000:0214 DST=2001:0470:006f:08f1:0000:0000:0000:0204 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=59331 DPT=389 WINDOW=28800 RES=0x00 SYN URGP=0 Jun 23 15:13:45 ipa server: CA is started. 
Jun 23 15:13:45 ipa server: Jun 23, 2016 3:13:45 PM org.apache.catalina.startup.HostConfig deployDescriptor Jun 23 15:13:45 ipa server: INFO: Deployment of configuration descriptor /etc/ pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 5,160 ms Jun 23 15:13:45 ipa server: Jun 23, 2016 3:13:45 PM org.apache.coyote.AbstractProtocol start Jun 23 15:13:45 ipa server: INFO: Starting ProtocolHandler ["http-bio-8080"] Jun 23 15:13:45 ipa server: Jun 23, 2016 3:13:45 PM org.apache.coyote.AbstractProtocol start Jun 23 15:13:45 ipa server: INFO: Starting ProtocolHandler ["http-bio-8443"] Jun 23 15:13:45 ipa server: Jun 23, 2016 3:13:45 PM org.apache.coyote.AbstractProtocol start Jun 23 15:13:45 ipa server: INFO: Starting ProtocolHandler ["ajp- bio-127.0.0.1-8009"] Jun 23 15:13:45 ipa server: PKIListener: org.apache.catalina.core.StandardServer[after_start] Jun 23 15:13:45 ipa server: PKIListener: Subsystem CA is running. Jun 23 15:13:45 ipa server: Jun 23, 2016 3:13:45 PM org.apache.catalina.startup.Catalina start Jun 23 15:13:45 ipa server: INFO: Server startup in 7934 ms Jun 23 15:13:45 ipa systemd: Listening on ipa-otpd socket. Jun 23 15:13:45 ipa systemd: Starting ipa-otpd socket. Jun 23 15:13:47 ipa named-pkcs11[26870]: client 217.196.154.211#36560 (4gjn.com): transfer of '4gjn.com/IN': AXFR-style IXFR started Jun 23 15:13:47 ipa named-pkcs11[26870]: client 217.196.154.211#36560 (4gjn.com): transfer of '4gjn.com/IN': AXFR-style IXFR ended Jun 23 15:14:35 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart. Jun 23 15:14:35 ipa systemd: Started IPA OpenDNSSEC Signer replacement. Jun 23 15:14:35 ipa systemd: Starting IPA OpenDNSSEC Signer replacement... Jun 23 15:14:35 ipa systemd: Starting OpenDNSSEC Enforcer daemon... Jun 23 15:14:35 ipa ods-enforcerd: opendnssec starting... Jun 23 15:14:35 ipa ods-enforcerd: opendnssec Parent exiting... 
Jun 23 15:14:35 ipa ods-enforcerd: OpenDNSSEC ods-enforcerd started (version 1.4.7), pid 27232 Jun 23 15:14:35 ipa systemd: PID file /var/run/opendnssec/enforcerd.pid not readable (yet?) after start. Jun 23 15:14:35 ipa ods-enforcerd: opendnssec forked OK... Jun 23 15:14:35 ipa ods-enforcerd: group set to: ods (998) Jun 23 15:14:35 ipa ods-enforcerd: user set to: ods (999) Jun 23 15:14:35 ipa ods-enforcerd: opendnssec started (version 1.4.7), pid 27232 Jun 23 15:14:35 ipa ods-enforcerd: HSM opened successfully. Jun 23 15:14:35 ipa ods-enforcerd: Checking database connection... Jun 23 15:14:35 ipa ods-enforcerd: Database connection ok. Jun 23 15:14:35 ipa ods-enforcerd: Reading config "/etc/opendnssec/conf.xml" Jun 23 15:14:35 ipa ods-enforcerd: Reading config schema "/usr/share/ opendnssec/conf.rng" Jun 23 15:14:35 ipa ods-enforcerd: Communication Interval: 3600 Jun 23 15:14:35 ipa ods-enforcerd: No DS Submit command supplied Jun 23 15:14:35 ipa ods-enforcerd: SQLite database set to: /var/opendnssec/ kasp.db Jun 23 15:14:35 ipa systemd: Started OpenDNSSEC Enforcer daemon. Jun 23 15:14:35 ipa ods-enforcerd: Log User set to: local0 Jun 23 15:14:35 ipa ods-enforcerd: Switched log facility to: local0 Jun 23 15:14:35 ipa ods-enforcerd: Connecting to Database... Jun 23 15:14:35 ipa ods-enforcerd: Policy default found. Jun 23 15:14:35 ipa ods-enforcerd: Key sharing is Off. Jun 23 15:14:35 ipa ods-enforcerd: 1 zone(s) found on policy "default" Jun 23 15:14:35 ipa ods-enforcerd: No new KSKs need to be created. Jun 23 15:14:35 ipa ods-enforcerd: No new ZSKs need to be created. Jun 23 15:14:35 ipa ods-enforcerd: zonelist filename set to /etc/opendnssec/ zonelist.xml. Jun 23 15:14:35 ipa ods-enforcerd: Zone 4gjn.com found. Jun 23 15:14:35 ipa ods-enforcerd: Policy for 4gjn.com set to default. Jun 23 15:14:35 ipa ods-enforcerd: Config will be output to /var/opendnssec/ signconf/4gjn.com.xml. Jun 23 15:14:35 ipa systemd: Started IPA key daemon. 
Jun 23 15:14:35 ipa systemd: Starting IPA key daemon... Jun 23 15:14:36 ipa ods-enforcerd: No change to: /var/opendnssec/signconf/ 4gjn.com.xml Jun 23 15:14:36 ipa ods-enforcerd: Disconnecting from Database... Jun 23 15:14:36 ipa ods-enforcerd: Sleeping for 3600 seconds. Jun 23 15:14:36 ipa ipa-dnskeysyncd: ipa: WARNING: session memcached servers not running Jun 23 15:14:36 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running Jun 23 15:14:37 ipa ipa-dnskeysyncd: ipa : INFO LDAP bind... Jun 23 15:14:38 ipa ipa-dnskeysyncd: ipa : INFO Commencing sync process Jun 23 15:14:38 ipa ipa-dnskeysyncd: ipa.ipapython.dnssec.bindmgr.BINDMgr: INFO Key metadata cn=ZSK-20160513081559Z- d7fe5c98d5f3f89aefb9e8dfb92ebcb1,cn=keys,idnsname=4gjn.com.,cn=dns,dc=4gjn,dc=com added to zone 4gjn.com. Jun 23 15:14:38 ipa ipa-dnskeysyncd: ipa.ipapython.dnssec.bindmgr.BINDMgr: INFO Key metadata cn=KSK-20160513081559Z-6145b3b71c448dfc1130d0f9d2caac79,cn=keys,idnsname=4gjn.com.,cn=dns,dc=4gjn,dc=com added to zone 4gjn.com. 
Jun 23 15:14:38 ipa ipa-dnskeysyncd: ipa.ipapython.dnssec.keysyncer.KeySyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND Jun 23 15:14:38 ipa ipa-dnskeysyncd: ipa.ipapython.dnssec.odsmgr.ODSMgr: INFO Zones removed from LDAP: [] Jun 23 15:14:38 ipa ipa-dnskeysyncd: ipa.ipapython.dnssec.odsmgr.ODSMgr: INFO Zones added to LDAP: [] Jun 23 15:14:38 ipa /usr/libexec/ipa/ipa-ods-exporter: new replica keys in LDAP: set([]) Jun 23 15:14:38 ipa /usr/libexec/ipa/ipa-ods-exporter: obsolete replica keys in local HSM: set([]) Jun 23 15:14:38 ipa /usr/libexec/ipa/ipa-ods-exporter: keys in local HSM & LDAP: set(['0xc223e02cb4ec2fb2abcb829a0548119e']) Jun 23 15:14:38 ipa /usr/libexec/ipa/ipa-ods-exporter: keys in local HSM & LDAP: set(['0x6145b3b71c448dfc1130d0f9d2caac79', '0xd7fe5c98d5f3f89aefb9e8dfb92ebcb1']) Jun 23 15:14:38 ipa /usr/libexec/ipa/ipa-ods-exporter: keys in local HSM & LDAP: set(['0x6145b3b71c448dfc1130d0f9d2caac79', '0xd7fe5c98d5f3f89aefb9e8dfb92ebcb1']) Jun 23 15:14:38 ipa ipa-ods-exporter: Traceback (most recent call last): Jun 23 15:14:38 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods- exporter", line 694, in Jun 23 15:14:38 ipa ipa-ods-exporter: send_systemd_reply(conn, msg) Jun 23 15:14:38 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods- exporter", line 520, in send_systemd_reply Jun 23 15:14:38 ipa ipa-ods-exporter: conn.send(reply + '\n') Jun 23 15:14:38 ipa ipa-ods-exporter: socket.error: [Errno 32] Broken pipe Jun 23 15:14:38 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, status=1/FAILURE Jun 23 15:14:38 ipa systemd: Unit ipa-ods-exporter.service entered failed state. Jun 23 15:14:38 ipa systemd: ipa-ods-exporter.service failed. 
Jun 23 15:15:18 ipa dbus-daemon: dbus[534]: [system] Activating service name='org.freedesktop.problems' (using servicehelper) Jun 23 15:15:18 ipa dbus[534]: [system] Activating service name='org.freedesktop.problems' (using servicehelper) Jun 23 15:15:18 ipa dbus[534]: [system] Successfully activated service 'org.freedesktop.problems' Jun 23 15:15:18 ipa dbus-daemon: dbus[534]: [system] Successfully activated service 'org.freedesktop.problems' Jun 23 15:15:39 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart. Jun 23 15:15:39 ipa systemd: Started IPA OpenDNSSEC Signer replacement. Jun 23 15:15:39 ipa systemd: Starting IPA OpenDNSSEC Signer replacement... Jun 23 15:15:39 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running Jun 23 15:15:40 ipa /usr/libexec/ipa/ipa-ods-exporter: new replica keys in LDAP: set([]) Jun 23 15:15:40 ipa /usr/libexec/ipa/ipa-ods-exporter: obsolete replica keys in local HSM: set([]) Jun 23 15:15:40 ipa /usr/libexec/ipa/ipa-ods-exporter: keys in local HSM & LDAP: set(['0xc223e02cb4ec2fb2abcb829a0548119e']) Jun 23 15:15:40 ipa /usr/libexec/ipa/ipa-ods-exporter: keys in local HSM & LDAP: set(['0x6145b3b71c448dfc1130d0f9d2caac79', '0xd7fe5c98d5f3f89aefb9e8dfb92ebcb1']) Jun 23 15:15:40 ipa /usr/libexec/ipa/ipa-ods-exporter: keys in local HSM & LDAP: set(['0x6145b3b71c448dfc1130d0f9d2caac79', '0xd7fe5c98d5f3f89aefb9e8dfb92ebcb1']) Jun 23 15:15:40 ipa ipa-ods-exporter: Traceback (most recent call last): Jun 23 15:15:40 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods- exporter", line 694, in Jun 23 15:15:40 ipa ipa-ods-exporter: send_systemd_reply(conn, msg) Jun 23 15:15:40 ipa ipa-ods-exporter: File "/usr/libexec/ipa/ipa-ods- exporter", line 520, in send_systemd_reply Jun 23 15:15:40 ipa ipa-ods-exporter: conn.send(reply + '\n') Jun 23 15:15:40 ipa ipa-ods-exporter: socket.error: [Errno 32] Broken pipe Jun 23 15:15:40 ipa systemd: ipa-ods-exporter.service: main process exited, code=exited, 
status=1/FAILURE Jun 23 15:15:40 ipa systemd: Unit ipa-ods-exporter.service entered failed state. Jun 23 15:15:40 ipa systemd: ipa-ods-exporter.service failed. Jun 23 15:15:43 ipa kernel: freeipa-ldapIN=ens11 OUT= MAC=52:54:00:ce:9d:da: 52:54:00:b9:6d:73:86:dd SRC=2001:0470:006f:08f1:0000:0000:0000:0214 DST=2001:0470:006f:08f1:0000:0000:0000:0204 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=59332 DPT=389 WINDOW=28800 RES=0x00 SYN URGP=0 Jun 23 15:16:41 ipa systemd: ipa-ods-exporter.service holdoff time over, scheduling restart. Jun 23 15:16:41 ipa systemd: Started IPA OpenDNSSEC Signer replacement. Jun 23 15:16:41 ipa systemd: Starting IPA OpenDNSSEC Signer replacement... Jun 23 15:16:41 ipa ipa-ods-exporter: ipa: WARNING: session memcached servers not running Jun 23 15:16:42 ipa /usr/libexec/ipa/ipa-ods-exporter: new replica keys in LDAP: set([]) Jun 23 15:16:42 ipa /usr/libexec/ipa/ipa-ods-exporter: obsolete replica keys in local HSM: set([]) Jun 23 15:16:42 ipa /usr/libexec/ipa/ipa-ods-exporter: keys in local HSM & LDAP: set(['0xc223e02cb4ec2fb2abcb829a0548119e']) Jun 23 15:16:42 ipa /usr/libexec/ipa/ipa-ods-exporter: keys in local HSM & LDAP: set(['0x6145b3b71c448dfc1130d0f9d2caac79', '0xd7fe5c98d5f3f89aefb9e8dfb92ebcb1']) Jun 23 15:16:42 ipa /usr/libexec/ipa/ipa-ods-exporter: keys in local HSM & LDAP: set(['0x6145b3b71c448dfc1130d0f9d2caac79', '0xd7fe5c98d5f3f89aefb9e8dfb92ebcb1']) Jun 23 15:16:42 ipa /usr/libexec/ipa/ipa-ods-exporter: HSM synchronization finished, skipping zone synchronization. Jun 23 15:16:42 ipa ipa-dnskeysyncd: ipa.ipapython.dnssec.bindmgr.BINDMgr: INFO Synchronizing zone 4gjn.com. 
Jun 23 15:16:42 ipa ipa-dnskeysyncd: ipa.ipapython.dnssec.bindmgr.BINDMgr: INFO attrs: {'idnsseckeyref': ['pkcs11:object=d7fe5c98d5f3f89aefb9e8dfb92ebcb1'], 'dn': 'cn=ZSK-20160513081559Z- d7fe5c98d5f3f89aefb9e8dfb92ebcb1,cn=keys,idnsname=4gjn.com.,cn=dns,dc=4gjn,dc=com', 'cn': ['ZSK-20160513081559Z-d7fe5c98d5f3f89aefb9e8dfb92ebcb1'], 'idnsseckeypublish': ['20160513081600Z'], 'objectclass': ['idnsSecKey'], 'idnssecalgorithm': ['RSASHA256'], 'idnsseckeyzone': ['TRUE'], 'idnsseckeycreated': ['20160513081559Z'], 'idnsseckeyactivate': ['20160513081600Z']} Jun 23 15:16:42 ipa ipa-dnskeysyncd: ipa.ipapython.dnssec.bindmgr.BINDMgr: INFO attrs: {'idnsseckeyref': ['pkcs11:object=6145b3b71c448dfc1130d0f9d2caac79'], 'dn': 'cn=KSK-20160513081559Z-6145b3b71c448dfc1130d0f9d2caac79,cn=keys,idnsname=4gjn.com.,cn=dns,dc=4gjn,dc=com', 'cn': ['KSK-20160513081559Z-6145b3b71c448dfc1130d0f9d2caac79'], 'idnsseckeypublish': ['20160513081600Z'], 'objectclass': ['idnsSecKey'], 'idnsseckeysep': ['TRUE'], 'idnssecalgorithm': ['RSASHA256'], 'idnsseckeyzone': ['TRUE'], 'idnsseckeycreated': ['20160513081559Z'], 'idnsseckeyactivate': ['20160513081600Z']} Jun 23 15:16:42 ipa named-pkcs11[26870]: received control channel command 'sign 4gjn.com.' Jun 23 15:16:42 ipa named-pkcs11[26870]: zone 4gjn.com/IN (signed): reconfiguring zone keys Jun 23 15:16:42 ipa ipa-dnskeysyncd: ipa.ipapython.dnssec.bindmgr.BINDMgr: INFO Jun 23 15:16:43 ipa named-pkcs11[26870]: zone 4gjn.com/IN (signed): next key event: 23-Jun-2016 16:16:42.953 Jun 23 15:16:43 ipa named-pkcs11[26870]: zone 4gjn.com/IN (signed): sending notifies (serial 1466687635) [root at ipa log]# > Martin -- mit freundlichen Gr??en / best regards, G?nther J. Niederwimmer From piolet.y at gmail.com Thu Jun 23 17:13:43 2016 From: piolet.y at gmail.com (Youenn PIOLET) Date: Thu, 23 Jun 2016 19:13:43 +0200 Subject: [Freeipa-users] Again and again... 
Replication issues Message-ID: Hi there, ## BACKGROUND ## Due to a huge mess and split brain issues on my 15 server ipa cluster, I had to manually reset all 14 replicas and clean old ruv on the last server. After everything seemed clean in LDAP, dse.ldif and other files, I rebuilt each replica and replication agreements. If I navigate through my LDAP, I can see in ou=csusers,cn=config the following things: Replication Manager *masterAgreement1-*-pki-tomcat on servers that have initialy built replicas Replication Manager *cloneAgreement1-*-pki-tomcat on servers that have initialy built replicas I've got a mesh of replicas (4 agreements per replica). Centos 7.2, fresh IPA 4.2.0 everywhere The agreement I generated with ipa-replica-manage connect and ipa-csreplica-manage connect don't appear in ou=csusers,cn=config. I supposed that this node is related to first generation of replica (ipa-replica-prepare, and initial clone process). ## PROBLEM ## Today everything seems to work except on the master. I got the following logs on my PKI master server: > slapi_ldap_bind - Error: could not bind id [cn=replication > manager,cn=config] authentication mechanism [SIMPLE]: error 32 (No such > object) errno 0 (Success). And a few of these in replicas: > Can't locate CSN 576ba112000004060000 in the changelog (DB rc=-30988). If > replication stops, the consumer may need to be reinitialized. ... this one may be unrelated and liked to network latency I guess. cn=replication manager,cn=config] doesn't exist on the master... I don't know why. The master is actually a promoted replica from my previous cluster. On the master I can see a : cn: Replication Manager *cloneAgreement1*--pki-tomcat - What should I do to stop the cn=replication manager,cn=config error message ? - Can I safely remove Replication Manager *cloneAgreement1*--pki-tomcat on my master that is not a clone anymore (his own previous master is destroyed) ? 
Thanks by advance, -- Youenn Piolet piolet.y at gmail.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From jhrozek at redhat.com Thu Jun 23 17:54:52 2016 From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 23 Jun 2016 19:54:52 +0200 Subject: [Freeipa-users] AD trust with POSIX attributes In-Reply-To: <673165300.926715.1466681469837.JavaMail.zimbra@elostech.cz> References: <673165300.926715.1466681469837.JavaMail.zimbra@elostech.cz> Message-ID: <20160623175452.GV29512@hendrix> On Thu, Jun 23, 2016 at 01:31:09PM +0200, Jan Kar?sek wrote: > Hi, > > thank you for the answers. May be I am doing something wrong. > > 1. AD attributes - I am using the standard set of user's attributes in AD - I did not extend the AD schema (2012 R2) > I am using set of attributes defined in RFS2307: > uidNumber > gidNumber > gecos > homeDirectory > loginShell > I am having troubles to find in documentation the names of attributes which IPA is able to read from AD . Could you please clarify if this is OK ? > Could you please point me to some doc ...? I have read the Windows integration guide, but there was not enough details ... This is not well documented, but it's easy enough to read from the code: https://github.com/SSSD/sssd/blob/master/src/providers/ad/ad_opts.c > > 2. Do I need to fill in user's attributes values before the trust is set up ? If you do, then IPA would detect the POSIX attributes during trust/range creation. > > 3. If using Idviews in this case I would have to somehow copy information stored in AD into id views a keep them updated, which is huge overhead when you have hundreds or thousands users. That is why I need to read them directly from AD. I don't think you need to, idviews are really meant more for migration deployments. It seems like you want to use all POSIX attributes from AD, so it would be easiest to let IPA detect them and use by default on all hosts. > > 4. 
Is it possible to change the already established trust -without --range-type=ipa-ad-trust-posix to trust with POSIX range ? I mean without breaking the trust and reestablishing new one ? You can remove the existing range and create a new one, but because there is really no 'cost' to re-establishing the trust, I think it would be easiest to just remove the trust and the range and create them again, just to let the IPA tool do their work. btw in SSSD we don't handle renumbering users well, so you'll need to remove the caches on the clients as well. From prasun.gera at gmail.com Thu Jun 23 18:11:51 2016 From: prasun.gera at gmail.com (Prasun Gera) Date: Thu, 23 Jun 2016 14:11:51 -0400 Subject: [Freeipa-users] What causes the web ui to display a second login dialog ? Message-ID: Image attached. I don't use Windows much, but I noticed this on a windows machine with Chrome. Before the actual login page is displayed, this login dialog is displayed. Further, the credentials don't work in this dialog. Env: RHEL 7.2, idm 4.x -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: idm.png Type: image/png Size: 523568 bytes Desc: not available URL: From npmccallum at redhat.com Thu Jun 23 18:22:28 2016 From: npmccallum at redhat.com (Nathaniel McCallum) Date: Thu, 23 Jun 2016 14:22:28 -0400 Subject: [Freeipa-users] FreeOTP In-Reply-To: References: <68740fdb-859d-9cfe-4943-8b27a1ae5e49@dds.nl> <20160607164212.wh2idbbkniabdzdy@redhat.com> <1465319719.2595.7.camel@redhat.com> <1465394017.2599.3.camel@redhat.com> <1465406113.2599.25.camel@redhat.com> <6fc25458-745c-51a5-0d1a-c28d3e18331b@dds.nl> <20160609084645.GB15524@p.Speedport_W_724V_Typ_A_05011603_00_009> <1465476179.2969.8.camel@redhat.com> <20160609165109.GN3302@p.Speedport_W_724V_Typ_A_05011603_00_009> <1466540605.17252.4.camel@redhat.com> Message-ID: <1466706148.20951.2.camel@redhat.com> https://bodhi.fedoraproject.org/updates/FEDORA-2016-0b966047e1 Please?test and provide your feedback. On Wed, 2016-06-22 at 13:21 +0200, Winfried de Heiden wrote: > Hi all, > Great news, can't wait for it to be available in Fedora ARM en test. > Winny > > Op 21-06-16 om 22:23 schreef Nathaniel McCallum: > > I have found and fixed what I believe to be the issue. I have > > submitted > > a patch upstream for review:?https://github.com/krb5/krb5/pull/471 > > > > Once merged, we will backport the fix into all existing Fedora > > releases. So you should get an update via a simple: dnf update. > > > > On Thu, 2016-06-16 at 10:28 +0200, Winfried de Heiden wrote: > > > Hi all, > > > > > > "So it looks a bit like a libverto 32bit issue"; any news or > > > progress > > > on? > > > this? Bugzilla? 
> > > > > > Winny > > > > > > > > > Op 09-06-16 om 18:51 schreef Sumit Bose: > > > > On Thu, Jun 09, 2016 at 08:42:59AM -0400, Nathaniel McCallum > > > > wrote: > > > > > On Thu, 2016-06-09 at 10:46 +0200, Sumit Bose wrote: > > > > > > On Thu, Jun 09, 2016 at 08:16:13AM +0200, Winfried de > > > > > > Heiden > > > > > > wrote: > > > > > > > Hi all, > > > > > > > > > > > > > > I can install libvert-libev but removing libverto-tevent > > > > > > > will > > > > > > > remove 123 > > > > > > > dependencies also. (wget, tomcat and much more...) > > > > > > > > > > > > > > Hence, I installed libverto-libev, but dit not remove > > > > > > > libverto- > > > > > > > tevent to give > > > > > > > it a try. After ipactl restart still the same problem: > > > > > > fyi, I think I can reproduce the issue on 32bit Fedora. I > > > > > > tried > > > > > > libverto-libev as well but I removed libverto-tevent after > > > > > > installing > > > > > > libverto-libev with 'rpm -e --nodeps ....' to make sure > > > > > > libverto has > > > > > > no > > > > > > other chance. > > > > > > > > > > > > So it looks a bit like a libverto 32bit issue. I used > > > > > > libverto-0.2.6-4.fc22. Since I knew that is was working > > > > > > before > > > > > > on > > > > > > 32bits > > > > > > I tried libverto-0.2.5 and libverto-0.2.4 as well with no > > > > > > lock. > > > > > > > > > > > > Nathaniel, do you have any suggestions what to check with > > > > > > gdb? > > > > > It may not be a libverto issue at all. Just to summarize, > > > > > krb5kdc > > > > > sends > > > > > the otp request to ipa-otpd using RADIUS-over-UNIX-socket. > > > > > > > > > > It appears that ipa-otpd receives the request and sends the > > > > > appropriate > > > > > response. However, krb5kdc never appears to receive the > > > > > request > > > > > and > > > > > times out. Once it times out, it closes the socket and ipa- > > > > > otpd > > > > > exits. > > > > > > > > > > The question is: why? 
> > > > > > > > > > This could be a bug in krb5kdc, libkrad or libverto. Does the > > > > > event > > > > > actually fire from libverto? Does libkrad process it > > > > > correctly? > > > > > Does > > > > > krb5kdc process it correctly? > > > > > > > > > > There are lots of places to attach gdb. I would probably > > > > > start > > > > > here: > > > > > https://github.com/krb5/krb5/blob/master/src/lib/krad/client. > > > > > c#L1 > > > > > 93 > > > > It looks like the 3rd argument of recv(), the buffer length, > > > > becomes > > > > negative aka very big in on_io_read() > > > > > > > > ?????i = recv(verto_get_fd(rr->io), rr->buffer.data + rr- > > > > > buffer.length, > > > > ??????????????pktlen - rr->buffer.length, 0); > > > > > > > > because pktlen is 4 and rr->buffer.length is 16 on my 32bit > > > > system. > > > > I > > > > wonder if pktlen isn't sufficient here because it already is > > > > the > > > > result > > > > of 'len - buffer->length' which is calculated in > > > > krad_packet_bytes_needed() ? > > > > > > > > bye, > > > > Sumit > > > > > ? From anthonyclarka2 at gmail.com Thu Jun 23 18:33:39 2016 From: anthonyclarka2 at gmail.com (Anthony Clark) Date: Thu, 23 Jun 2016 14:33:39 -0400 Subject: [Freeipa-users] What causes the web ui to display a second login dialog ? In-Reply-To: References: Message-ID: Chrome in Windows is trying to be helpful and present your windows-based Kerberos credentials to FreeIPA. 
To "fix" this, you either disable Kerberos in Chrome (not sure how to do that) or change your FreeIPA httpd config a bit: # /etc/httpd/conf.d/ipa.conf line 64 or thereabouts, the section: AuthType GSSAPI AuthName "Kerberos Login" GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches GssapiUseS4U2Proxy on Require valid-user ErrorDocument 401 /ipa/errors/unauthorized.html Hope this helps, if there's a better way, someone please let me know :) -Anthony On Thu, Jun 23, 2016 at 2:11 PM, Prasun Gera wrote: > Image attached. I don't use Windows much, but I noticed this on a windows > machine with Chrome. Before the actual login page is displayed, this login > dialog is displayed. Further, the credentials don't work in this dialog. > > Env: RHEL 7.2, idm 4.x > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... URL: From simo at redhat.com Thu Jun 23 20:27:32 2016 From: simo at redhat.com (Simo Sorce) Date: Thu, 23 Jun 2016 16:27:32 -0400 Subject: [Freeipa-users] What causes the web ui to display a second login dialog ? In-Reply-To: References: Message-ID: <1466713652.9981.173.camel@redhat.com> On Thu, 2016-06-23 at 14:11 -0400, Prasun Gera wrote: > Image attached. I don't use Windows much, but I noticed this on a windows > machine with Chrome. Before the actual login page is displayed, this login > dialog is displayed. Further, the credentials don't work in this dialog. 
> > Env: RHEL 7.2, idm 4.x > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project We have some workarounds available in latest mod_auth_gssapi, they should land in RHEL7.3 and hopefully make it easier to deal with this problem. https://fedorahosted.org/freeipa/ticket/5614 Simo. -- Simo Sorce * Red Hat, Inc * New York From prasun.gera at gmail.com Thu Jun 23 20:35:30 2016 From: prasun.gera at gmail.com (Prasun Gera) Date: Thu, 23 Jun 2016 16:35:30 -0400 Subject: [Freeipa-users] What causes the web ui to display a second login dialog ? In-Reply-To: <1466713652.9981.173.camel@redhat.com> References: <1466713652.9981.173.camel@redhat.com> Message-ID: Thanks. I'll wait for RHEL 7.3 then. On Thu, Jun 23, 2016 at 4:27 PM, Simo Sorce wrote: > On Thu, 2016-06-23 at 14:11 -0400, Prasun Gera wrote: > > Image attached. I don't use Windows much, but I noticed this on a windows > > machine with Chrome. Before the actual login page is displayed, this > login > > dialog is displayed. Further, the credentials don't work in this dialog. > > > > Env: RHEL 7.2, idm 4.x > > -- > > Manage your subscription for the Freeipa-users mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-users > > Go to http://freeipa.org for more info on the project > > We have some workarounds available in latest mod_auth_gssapi, they > should land in RHEL7.3 and hopefully make it easier to deal with this > problem. > https://fedorahosted.org/freeipa/ticket/5614 > > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York > > -------------- next part -------------- An HTML attachment was scrubbed... 
From frenaud at redhat.com Fri Jun 24 18:06:19 2016
From: frenaud at redhat.com (Florence Blanc-Renaud)
Date: Fri, 24 Jun 2016 20:06:19 +0200
Subject: [Freeipa-users] Where should the CA Location
In-Reply-To:
References:
Message-ID:

Hi

Disclaimer: I'm new on this mailing list but willing to share experience :)

Did you use "ipa-cacert-manage install -t C,," to install your external CA certificate? This command copies the certificate in cn=certificates,cn=ipa,cn=etc,dc=xxx

After this, you can use ipa-certupdate which will put the CA cert in all the needed NSS databases and update the nickname where needed.

Flo.

On 06/23/2016 04:54 AM, barrykfl at gmail.com wrote:
> Hi :
>
> I renew External CA cert below ...seem server-cert ok.
>
> But ca CERT FAIL..
> I ALREADY PASTE ON
> /etc/httpd/alias
> /etc/dirsrv/slapd-PKI-IPA
> /etc/dirsv/slapd-ABX-com
> /var/lib/pki-ca/alias 's CA conf
>
> any idea?
>
> ABX-COM...[23/Jun/2016:10:42:32 +0800] - SSL alert:
> CERT_VerifyCertificateNow: verify certificate failed for cert
> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable
> Runtime error -8179 - Peer's Certificate issuer is not recognized.)
>
>

From ryan.clough at dsic.com Fri Jun 24 22:50:02 2016
From: ryan.clough at dsic.com (Clough, Ryan)
Date: Fri, 24 Jun 2016 15:50:02 -0700
Subject: [Freeipa-users] 7.x replica install from 6.x master fails
In-Reply-To:
References: <56FA5C2F.3070200@redhat.com> <570674EC.1060204@redhat.com> <5710F563.1050507@redhat.com> <57110E97.7060802@redhat.com>
Message-ID:

I too ran into this issue of certificate serial mismatch. Just wanted to shoot a note thanking the two of you for helping. Your questions and answers were very well articulated and very detailed. I used the info in this thread to get my replica installed. Thank you! =)

On Fri, Apr 15, 2016 at 11:55 AM, Ott, Dennis wrote:
> This allowed the replica install to complete. Thank you.
>
> However, when I try to kinit admin on the replica I get:
>
> kinit: Invalid UID in persistent keyring name while getting default ccache
>
> After some research I found that by commenting out this line in
> /etc/krb5.conf
>
> default_ccache_name = KEYRING:persistent:%{uid}
>
> and restarting IPA, I was able to use kinit.
>
> What is the correct way to fix this, or what are the implications of just
> leaving it commented out?
>
>
> Dennis
>
>
>
> -----Original Message-----
> From: Petr Vobornik [mailto:pvoborni at redhat.com]
> Sent: Friday, April 15, 2016 11:54 AM
> To: Ott, Dennis; Freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
>
> On 04/15/2016 05:13 PM, Ott, Dennis wrote:
> > My master began life as OS 6.2 / IPA 2.1.3 / pki-9.0.3 and does not have
> > a cert database at:
> >
> > /etc/pki/pki-tomcat/alias
> >
> > At:
> >
> > /var/lib/pki-ca/alias
>
> right
>
> >
> > subsystemCert cert-pki-ca has a serial number of 18 (0x12)
> >
> > At:
> >
> > uid=CA-$HOST-8443,ou=people,o=ipaca
> >
> > the certificate has a serial number of 4.
> >
> >
> > What is the best way to fix this?
> >
> > If it matters, the master installation is old enough to have had its
> > certs auto-renewed.
>
> Yes, certs were renewed but the PKI user entry was not which causes the
> issue. This has been seen on very old IPA installations.
>
> 1) Login into IPA Master (RHEL 6) - as root.
>
> 2) Redirect "subsystemCert cert-pki-ca" to a file.
>
> # certutil -L -d /var/lib/pki-ca/alias/ -n "subsystemCert cert-pki-ca" -a > /tmp/subsystemcert.pem
>
> 3) Drop the header/footer and combine this into a single line.
>
> # echo && cat /tmp/subsystemcert.pem | sed -rn '/^-----BEGIN CERTIFICATE-----$/{:1;n;/^-----END CERTIFICATE-----$/b2;H;b1};:2;${x;s/\s//g;p}'
>
> 4) String generated in step 3 needs to be added under attribute
> "usercertificate;binary:" below.
>
>
> ===================================================================================
> # ldapmodify -x -h 127.0.0.1 -p 7389 -D 'cn=Directory Manager' -W << EOF
> dn: uid=CA-ptipa1.example.com-9443,ou=people,o=ipaca
> changetype: modify
> add: usercertificate;binary
> usercertificate;binary: MIIDyTCCAr..Y4EKCneFA==   <-- ADD the full string from step 3.
> -
> replace: description
> description: 2;18;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM
> EOF
> ===================================================================================
>
> Note: the description field attribute has format:
> ::: subjectdn>
>
>
> 5) Once the above command is successful restart IPA service
>
> # service ipa restart
>
> 6) Check if the mapping is now correct.
>
> # pki-server ca-user-show CA-ptipa1.example.com-9443 | egrep "User ID|Description"
>
>
>
>
> Dennis
>
> >
> >
> > -----Original Message-----
> > From: Petr Vobornik [mailto:pvoborni at redhat.com]
> > Sent: Friday, April 15, 2016 10:06 AM
> > To: Ott, Dennis; Freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
> >
> > On 04/15/2016 03:51 PM, Ott, Dennis wrote:
> >> Looks like we're out of ideas.
> >>
> >> I'll proceed with Plan B.
> >>
> >
> > A possibility is also to check if
> >
> > Serial number of
> >
> > certutil -d /etc/pki/pki-tomcat/alias -L -n 'subsystemCert cert-pki-ca'
> >
> > matches serial number of the cert below (4) and if
> >
> > uid=CA-$HOST-8443,ou=people,o=ipaca
> >
> > has actually the same cert in userCertificate attribute
> >
> > Or maybe to do the same with other PKI users in ou=people,o=ipaca
> >
> >> -----Original Message-----
> >> From: Ott, Dennis
> >> Sent: Monday, April 11, 2016 12:27 PM
> >> To: Ott, Dennis; Petr Vobornik; Freeipa-users at redhat.com
> >> Subject: RE: [Freeipa-users] 7.x replica install from 6.x master fails
> >>
> >> As a test, I attempted to do a replica install on a Fedora 23 machine.
> >> It fails with the same error.
> >>
> >> Dennis
> >>
> >>
> >>
> >> -----Original Message-----
> >> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ott, Dennis
> >> Sent: Thursday, April 07, 2016 5:39 PM
> >> To: Petr Vobornik; Freeipa-users at redhat.com
> >> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
> >>
> >> It doesn't look like that is my problem. The output of pki-server ca-group-member-find "Subsystem Group" gives:
> >>
> >>
> >> User ID: CA-ptipa1.example.com-9443
> >> Common Name: CA-ptipa1.example.com-9443
> >> Surname: CA-ptipa1.example.com-9443
> >> Type: agentType
> >> Description: 2;4;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM
> >> E-mail:
> >>
> >> All the certs seem valid:
> >>
> >> # getcert list | grep expires
> >> expires: 2017-07-18 00:55:14 UTC
> >> expires: 2017-07-18 00:54:14 UTC
> >> expires: 2017-07-18 00:54:14 UTC
> >> expires: 2017-07-18 00:54:14 UTC
> >> expires: 2017-07-18 00:54:14 UTC
> >> expires: 2017-08-09 00:54:19 UTC
> >> expires: 2017-08-09 00:54:19 UTC
> >> expires: 2017-08-09 00:54:21 UTC
> >> #
> >>
> >> I was wondering if I might be hitting this:
> >>
> >> http://cp.mcafee.com/d/1jWVIi6x8SyMVuXzX0VMSrhhjhupjvvhdEEFELcFKcECPpISHoHZalxOVIsWqehMGDpMQsyGeWOPtfhktZy0GM-xEGYCXslsttJtVNxeSICPpISr9PCJhbctZ2It9RFfQe00UX7_AJKjBoHYYvhjd79IQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoalIl-BaMVsQv6QmhPPzNI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
> >> http://cp.mcafee.com/d/5fHCNEg3zqb3BXKfI3D3pJ55d5VBdZZ4SyyCyYOCUOyrdCPqJyLQFm7bCNPFEV72GtD3hOaEXHbdQZ5hTS82H3W6yHOrJNlNRSRTD64XqOrdCPpIDeqR4INTQaNQDmA_gU03yNmmjBoHYYhod7bVIQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoalIl-BaMVsQv6QmhPPzNI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
> >>
> >> It says it is fixed in pki 10.2.6. 10.2.6 has been released for Fedora (many months ago), but is not yet available for enterprise.
> >>
> >> Dennis
> >>
> >>
> >>
> >>
> >> -----Original Message-----
> >> From: Petr Vobornik [mailto:pvoborni at redhat.com]
> >> Sent: Thursday, April 07, 2016 10:56 AM
> >> To: Ott, Dennis; Freeipa-users at redhat.com
> >> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
> >>
> >> Sorry for the late response.
> >>
> >> It looks like a bug
> >> http://cp.mcafee.com/d/1jWVIe4xAe3zqb3BXInd7b1EVdCQkkQnCkTTQjqaaqbParza9ISrdGSa_iBosKr7eLqaEF-waI47nQ7LQl8m7f2H3ab0Ggvhv5mtKqek4Q4hPEVwSrdCPpesRG9px1IyaiffTE-wjSvbVgDkMaA6Of08iAwsyCqekhP0US5LD4Qg1CF2IoiaCy0Qub6qAaNx85hZ0DI-nd7NJ5CZNPxI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
> >> But it should be fixed in pki-core-9.0.3-45.el6_7 so I'm not sure.
> >>
> >> Anyway,
> >> java.io.IOException: 2 actually means authentication failure.
> >>
> >> The authentication problem might be caused by a missing subsystem
> >> user (bug #1225589) and there's already a tool to restore it.
> >> However, before running the script, please run this command on the
> >> master to verify the problem:
> >>
> >> $ pki-server ca-group-member-find "Subsystem Group"
> >>
> >> Ideally it should return a user ID "CA--9443" and the description attribute should contain the subsystem certificate in this format ";;;".
> >>
> >> If that's not the case, please run this tool to restore the subsystem user:
> >>
> >> $ python /usr/share/pki/scripts/restore-subsystem-user.py
> >>
> >> Then run this command again to verify the fix:
> >>
> >> $ pki-server ca-group-member-find "Subsystem Group"
> >>
> >> If everything works well, please try installing the replica again.
> >>
> >> Also verify that all certificates in `getcert list` output are not expired.
> >>
> >>
> >> On 03/31/2016 09:07 PM, Ott, Dennis wrote:
> >>> Petr,
> >>>
> >>> Original 6.x master installed at:
> >>>
> >>> ipa-server-2.1.3-9
> >>>
> >>> pki-ca-9.0.3-20
> >>>
> >>>
> >>> At the time the migration was attempted, the 6.x master had been updated to:
> >>>
> >>> ipa-server-3.0.0-47
> >>>
> >>> pki-ca-9.0.3-45
> >>>
> >>>
> >>> The 7.x replica install has been attempted using a variety of versions. The log excerpts at the beginning of this email were from an installation attempt using:
> >>>
> >>> ipa-server-4.2.0-15.0.1
> >>>
> >>> pki-ca-10.2.5-6
> >>>
> >>>
> >>> It's a standard CA installation. This line is from /var/log/ipaserverinstall.log showing selfsign as False:
> >>>
> >>> 2013-09-04T18:41:20Z DEBUG /usr/sbin/ipa-server-install was invoked with options: {'zone_refresh': 0, 'reverse_zone': None, 'realm_name': None, 'create_sshfp': True, 'conf_sshd': False, 'conf_ntp': False, 'subject': None, 'no_forwarders': False, 'persistent_search': True, 'ui_redirect': True, 'domain_name': None, 'idmax': 0, 'hbac_allow': True, 'no_reverse': False, 'dirsrv_pkcs12': None, 'unattended': False, 'selfsign': False, 'trust_sshfp': False, 'external_ca_file': None, 'no_host_dns': False, 'http_pkcs12': None, 'zone_notif': False, 'forwarders': None, 'idstart': 900000000, 'external_ca': False, 'ip_address': None, 'conf_ssh': False, 'serial_autoincrement': True, 'zonemgr': None, 'setup_dns': False, 'host_name': None, 'debug': False, 'external_cert_file': None, 'uninstall': False}
> >>> 2013-09-04T18:41:20Z DEBUG missing options might be asked for interactively later
> >>>
> >>>
> >>> -----Original Message-----
> >>> From: Petr Vobornik [mailto:pvoborni at redhat.com]
> >>> Sent: Tuesday, March 29, 2016 6:43 AM
> >>> To: Ott, Dennis; Freeipa-users at redhat.com
> >>> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
> >>>
> >>> On 03/24/2016 04:29 PM, Ott, Dennis wrote:
> >>>> I am trying to migrate from OS 6.x / IPA 3.0 to OS 7.x / IPA 4.x.
> >>>> After working through and solving a few issues, my current efforts
> >>>> fail when setting up the replica CA.
> >>>>
> >>>> If I set up a new, pristine master on OS 6.7, I am able to create
> >>>> an OS 7.x replica without any problem. However, if I try to create
> >>>> a replica from my two year old test lab instance (production will
> >>>> be another matter for the future) it fails. The test lab master was
> >>>> created a couple of years ago on OS 6.3 / IPA 2.x and has been
> >>>> upgraded to the latest versions in the 6.x chain. It is old enough
> >>>> to have had all the certificates renewed, but I believe I have worked
> >>>> through all the issues related to that.
> >>>>
> >>>> Below is what I believe are the useful portions of the pertinent logs.
> >>>> I've not been able to find anything online that speaks to the
> >>>> errors I am seeing
> >>>>
> >>>> Thanks for your help.
> >>>
> >>> Hello Dennis,
> >>>
> >>> what are the exact versions of pki-ca and ipa-server on the 6.x master and 7.x replica?
> >>>
> >>> What kind of CA installation does the old 6.x master install have? Is standard installation with CA or does it also use external CA?
> >>>
> >>> I assume it is not self-sign (very old unsupported type, which could be converted in 7.x as CA-less).
> >>>
> >>>>
> >>>> /var/log/ipareplica-install.log
> >>>>
> >>>> 2016-03-23T21:55:11Z DEBUG Configuring certificate server (pki-tomcatd).
> >>>> Estimated time: 3 minutes 30 seconds > >>>> > >>>> 2016-03-23T21:55:11Z DEBUG [1/23]: creating certificate server user > >>>> > >>>> 2016-03-23T21:55:11Z DEBUG group pkiuser exists > >>>> > >>>> 2016-03-23T21:55:11Z DEBUG user pkiuser exists > >>>> > >>>> 2016-03-23T21:55:11Z DEBUG duration: 0 seconds > >>>> > >>>> 2016-03-23T21:55:11Z DEBUG [2/23]: configuring certificate server > instance > >>>> > >>>> 2016-03-23T21:55:11Z DEBUG Loading StateFile from > >>>> '/var/lib/ipa/sysrestore/sysrestore.state' > >>>> > >>>> 2016-03-23T21:55:11Z DEBUG Saving StateFile to > >>>> '/var/lib/ipa/sysrestore/sysrestore.state' > >>>> > >>>> 2016-03-23T21:55:11Z DEBUG Contents of pkispawn configuration file > (/tmp/tmpGQ59ZC): > >>>> > >>>> [CA] > >>>> > >>>> pki_security_domain_name = IPA > >>>> > >>>> pki_enable_proxy = True > >>>> > >>>> pki_restart_configured_instance = False > >>>> > >>>> pki_backup_keys = True > >>>> > >>>> pki_backup_password = XXXXXXXX > >>>> > >>>> pki_profiles_in_ldap = True > >>>> > >>>> pki_client_database_dir = /tmp/tmp-g0CKZ3 > >>>> > >>>> pki_client_database_password = XXXXXXXX > >>>> > >>>> pki_client_database_purge = False > >>>> > >>>> pki_client_pkcs12_password = XXXXXXXX > >>>> > >>>> pki_admin_name = admin > >>>> > >>>> pki_admin_uid = admin > >>>> > >>>> pki_admin_email = root at localhost > >>>> > >>>> pki_admin_password = XXXXXXXX > >>>> > >>>> pki_admin_nickname = ipa-ca-agent > >>>> > >>>> pki_admin_subject_dn = cn=ipa-ca-agent,O=EXAMPLE.COM > >>>> > >>>> pki_client_admin_cert_p12 = /root/ca-agent.p12 > >>>> > >>>> pki_ds_ldap_port = 389 > >>>> > >>>> pki_ds_password = XXXXXXXX > >>>> > >>>> pki_ds_base_dn = o=ipaca > >>>> > >>>> pki_ds_database = ipaca > >>>> > >>>> pki_subsystem_subject_dn = cn=CA Subsystem,O=EXAMPLE.COM > >>>> > >>>> pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=EXAMPLE.COM > >>>> > >>>> pki_ssl_server_subject_dn = > >>>> cn=pt-idm-vm01.example.com,O=EXAMPLE.COM > >>>> > >>>> pki_audit_signing_subject_dn = 
cn=CA Audit,O=EXAMPLE.COM > >>>> > >>>> pki_ca_signing_subject_dn = cn=Certificate Authority,O=EXAMPLE.COM > >>>> > >>>> pki_subsystem_nickname = subsystemCert cert-pki-ca > >>>> > >>>> pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca > >>>> > >>>> pki_ssl_server_nickname = Server-Cert cert-pki-ca > >>>> > >>>> pki_audit_signing_nickname = auditSigningCert cert-pki-ca > >>>> > >>>> pki_ca_signing_nickname = caSigningCert cert-pki-ca > >>>> > >>>> pki_ca_signing_key_algorithm = SHA256withRSA > >>>> > >>>> pki_security_domain_hostname = ptipa1.example.com > >>>> > >>>> pki_security_domain_https_port = 443 > >>>> > >>>> pki_security_domain_user = admin > >>>> > >>>> pki_security_domain_password = XXXXXXXX > >>>> > >>>> pki_clone = True > >>>> > >>>> pki_clone_pkcs12_path = /tmp/ca.p12 > >>>> > >>>> pki_clone_pkcs12_password = XXXXXXXX > >>>> > >>>> pki_clone_replication_security = TLS > >>>> > >>>> pki_clone_replication_master_port = 7389 > >>>> > >>>> pki_clone_replication_clone_port = 389 > >>>> > >>>> pki_clone_replicate_schema = False > >>>> > >>>> pki_clone_uri = > >>>> http://cp.mcafee.com/d/k-Kr6zqb3VEVjouhuodCQkkQnCkTTQjqaaqbParza9IS > >>>> r > >>>> d > >>>> G > >>>> Sa_iBosKrKVXMGgog82KA1N1BeTyH93t5m7hOoHH3b8GOxvQd8e89K8CPpISr9PCJhb > >>>> c > >>>> m > >>>> D > >>>> 9rkuYf21_YLxIbve9Ew3di5oMAld41EYmcR8lz2gazW1fpYKqfzqaabyr1I5-Aq83iS > >>>> b > >>>> N > >>>> _ > >>>> VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrN > >>>> K > >>>> V > >>>> J > >>>> USyrh > >>>> > >>>> 2016-03-23T21:55:11Z DEBUG Starting external process > >>>> > >>>> 2016-03-23T21:55:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' > '/tmp/tmpGQ59ZC' > >>>> > >>>> 2016-03-23T21:56:51Z DEBUG Process finished, return code=1 > >>>> > >>>> 2016-03-23T21:56:51Z DEBUG stdout=Log file: > >>>> /var/log/pki/pki-ca-spawn.20160323175511.log > >>>> > >>>> Loading deployment configuration from /tmp/tmpGQ59ZC. > >>>> > >>>> Installing CA into /var/lib/pki/pki-tomcat. 
> >>>> > >>>> Storing deployment configuration into > >>>> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg. > >>>> > >>>> Installation failed. > >>>> > >>>> 2016-03-23T21:56:51Z DEBUG > >>>> stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: > >>>> InsecureRequestWarning: Unverified HTTPS request is being made. > >>>> Adding certificate verification is strongly advised. See: > >>>> http://cp.mcafee.com/d/5fHCNAi6hESyM-qekS7AnC3pJ55d5VBdZZ4SyyCyYOCU > >>>> O > >>>> y > >>>> r > >>>> dCPqJyLQFm7bCXKuYaA6420HF0sgpjJUGOgThlxQsCaWMOOaIEnZ3i3y2ry9ISrdCOs > >>>> V > >>>> H > >>>> k > >>>> iP6UDDO8cZ7ZgCjZ2JGs01PUovI_FfavpKcFBK1NIbve9Ew3di5oMAld41EYmcR8lz2 > >>>> g > >>>> a > >>>> z > >>>> W1fpYKqfzqaabyr1I5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdl > >>>> j > >>>> h > >>>> 0 > >>>> VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh > >>>> > >>>> InsecureRequestWarning) > >>>> > >>>> pkispawn : WARNING ....... unable to validate security domain > user/password > >>>> through REST interface. Interface not available > >>>> > >>>> pkispawn : ERROR ....... Exception from Java Configuration > Servlet: 500 > >>>> Server Error: Internal Server Error > >>>> > >>>> pkispawn : ERROR ....... ParseError: not well-formed (invalid > token): line > >>>> 1, column 0: > >>>> {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base. 
> >>>> PKIException","Code":500,"Message":"Error > >>>> while updating security domain: java.io.IOException: 2"} > >>>> > >>>> 2016-03-23T21:56:51Z CRITICAL Failed to configure CA instance: > >>>> Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC'' > >>>> returned non-zero exit status 1 > >>>> > >>>> 2016-03-23T21:56:51Z CRITICAL See the installation logs and the > >>>> following files/directories for more information: > >>>> > >>>> 2016-03-23T21:56:51Z CRITICAL /var/log/pki-ca-install.log > >>>> > >>>> 2016-03-23T21:56:51Z CRITICAL /var/log/pki/pki-tomcat > >>>> > >>>> 2016-03-23T21:56:51Z DEBUG Traceback (most recent call last): > >>>> > >>>> File > >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", > >>>> line 418, in start_creation > >>>> > >>>> run_step(full_msg, method) > >>>> > >>>> File > >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", > >>>> line 408, in run_step > >>>> > >>>> method() > >>>> > >>>> File > >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", > >>>> line 620, in __spawn_instance > >>>> > >>>> DogtagInstance.spawn_instance(self, cfg_file) > >>>> > >>>> File > >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py" > >>>> , > >>>> line 201, in spawn_instance > >>>> > >>>> self.handle_setup_error(e) > >>>> > >>>> File > >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py" > >>>> , > >>>> line 465, in handle_setup_error > >>>> > >>>> raise RuntimeError("%s configuration failed." % > >>>> self.subsystem) > >>>> > >>>> RuntimeError: CA configuration failed. > >>>> > >>>> 2016-03-23T21:56:51Z DEBUG [error] RuntimeError: CA configuration > failed. 
> >>>> > >>>> 2016-03-23T21:56:51Z DEBUG File > >>>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line > >>>> 171, in execute > >>>> > >>>> return_value = self.run() > >>>> > >>>> File > >>>> "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", > >>>> line 311, in run > >>>> > >>>> cfgr.run() > >>>> > >>>> File > >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > >>>> line 281, in run > >>>> > >>>> self.execute() > >>>> > >>>> File > >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > >>>> line 303, in execute > >>>> > >>>> for nothing in self._executor(): > >>>> > >>>> File > >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > >>>> line 343, in __runner > >>>> > >>>> self._handle_exception(exc_info) > >>>> > >>>> File > >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > >>>> line 365, in _handle_exception > >>>> > >>>> util.raise_exc_info(exc_info) > >>>> > >>>> File > >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > >>>> line 333, in __runner > >>>> > >>>> step() > >>>> > >>>> File > >>>> "/usr/lib/python2.7/site-packages/ipapython/install/util.py", > >>>> line 87, in run_generator_with_yield_from > >>>> > >>>> raise_exc_info(exc_info) > >>>> > >>>> File > >>>> "/usr/lib/python2.7/site-packages/ipapython/install/util.py", > >>>> line 65, in run_generator_with_yield_from > >>>> > >>>> value = gen.send(prev_value) > >>>> > >>>> File > >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > >>>> line 524, in _configure > >>>> > >>>> executor.next() > >>>> > >>>> File > >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > >>>> line 343, in __runner > >>>> > >>>> self._handle_exception(exc_info) > >>>> > >>>> File > >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > >>>> line 421, in _handle_exception > >>>> > >>>> self.__parent._handle_exception(exc_info) > >>>> > >>>> File > >>>> 
"/usr/lib/python2.7/site-packages/ipapython/install/core.py", > >>>> line 365, in _handle_exception > >>>> > >>>> util.raise_exc_info(exc_info) > >>>> > >>>> File > >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > >>>> line 418, in _handle_exception > >>>> > >>>> super(ComponentBase, self)._handle_exception(exc_info) > >>>> > >>>> File > >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > >>>> line 365, in _handle_exception > >>>> > >>>> util.raise_exc_info(exc_info) > >>>> > >>>> File > >>>> "/usr/lib/python2.7/site-packages/ipapython/install/core.py", > >>>> line 333, in __runner > >>>> > >>>> step() > >>>> > >>>> File > >>>> "/usr/lib/python2.7/site-packages/ipapython/install/util.py", > >>>> line 87, in run_generator_with_yield_from > >>>> > >>>> raise_exc_info(exc_info) > >>>> > >>>> File > >>>> "/usr/lib/python2.7/site-packages/ipapython/install/util.py", > >>>> line 65, in run_generator_with_yield_from > >>>> > >>>> value = gen.send(prev_value) > >>>> > >>>> File > >>>> "/usr/lib/python2.7/site-packages/ipapython/install/common.py", > >>>> line 63, in _install > >>>> > >>>> for nothing in self._installer(self.parent): > >>>> > >>>> File > >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicai > >>>> n > >>>> s > >>>> t > >>>> all.py", > >>>> line 879, in main > >>>> > >>>> install(self) > >>>> > >>>> File > >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicai > >>>> n > >>>> s > >>>> t > >>>> all.py", > >>>> line 295, in decorated > >>>> > >>>> func(installer) > >>>> > >>>> File > >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicai > >>>> n > >>>> s > >>>> t > >>>> all.py", > >>>> line 584, in install > >>>> > >>>> ca.install(False, config, options) > >>>> > >>>> File > >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", > >>>> line 106, in install > >>>> > >>>> install_step_0(standalone, replica_config, options) > >>>> > >>>> File > >>>> 
"/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", > >>>> line 130, in > >>>> install_step_0 > >>>> > >>>> ra_p12=getattr(options, 'ra_p12', None)) > >>>> > >>>> File > >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", > >>>> line 1543, in install_replica_ca > >>>> > >>>> subject_base=config.subject_base) > >>>> > >>>> File > >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", > >>>> line 486, in configure_instance > >>>> > >>>> self.start_creation(runtime=210) > >>>> > >>>> File > >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", > >>>> line 418, in start_creation > >>>> > >>>> run_step(full_msg, method) > >>>> > >>>> File > >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", > >>>> line 408, in run_step > >>>> > >>>> method() > >>>> > >>>> File > >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", > >>>> line 620, in __spawn_instance > >>>> > >>>> DogtagInstance.spawn_instance(self, cfg_file) > >>>> > >>>> File > >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py" > >>>> , > >>>> line 201, in spawn_instance > >>>> > >>>> self.handle_setup_error(e) > >>>> > >>>> File > >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py" > >>>> , > >>>> line 465, in handle_setup_error > >>>> > >>>> raise RuntimeError("%s configuration failed." % > >>>> self.subsystem) > >>>> > >>>> 2016-03-23T21:56:51Z DEBUG The ipa-replica-install command failed, > exception: > >>>> RuntimeError: CA configuration failed. > >>>> > >>>> 2016-03-23T21:56:51Z ERROR CA configuration failed. > >>>> > >>>> /var/log/pki/pki-ca-spawn..log > >>>> > >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... rm -f > >>>> /etc/pki/pki-tomcat/ca/noise > >>>> > >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... rm -f > /etc/pki/pki-tomcat/pfile > >>>> > >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... 
ln -s > >>>> /lib/systemd/system/pki-tomcatd at .service > >>>> /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd at pki-tomcat. > >>>> s > >>>> e > >>>> rvice > >>>> > >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown -h 17:17 > >>>> /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd at pki-tomcat. > >>>> s > >>>> e > >>>> rvice > >>>> > >>>> 2016-03-23 17:55:12 pkispawn : INFO ... configuring > >>>> 'pki.server.deployment.scriptlets.configuration' > >>>> > >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... mkdir -p > >>>> /root/.dogtag/pki-tomcat/ca > >>>> > >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 755 > >>>> /root/.dogtag/pki-tomcat/ca > >>>> > >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 0:0 > >>>> /root/.dogtag/pki-tomcat/ca > >>>> > >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... generating > >>>> '/root/.dogtag/pki-tomcat/ca/password.conf' > >>>> > >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... modifying > >>>> '/root/.dogtag/pki-tomcat/ca/password.conf' > >>>> > >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 660 > >>>> /root/.dogtag/pki-tomcat/ca/password.conf > >>>> > >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 0:0 > >>>> /root/.dogtag/pki-tomcat/ca/password.conf > >>>> > >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... generating > >>>> '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf' > >>>> > >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... modifying > >>>> '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf' > >>>> > >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chmod 660 > >>>> /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf > >>>> > >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... chown 17:17 > >>>> /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf > >>>> > >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... 
> >>>> executing 'certutil -N -d /tmp/tmp-g0CKZ3 -f /root/.dogtag/pki-tomcat/ca/password.conf'
> >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... executing 'systemctl daemon-reload'
> >>>> 2016-03-23 17:55:12 pkispawn : INFO ....... executing 'systemctl start pki-tomcatd at pki-tomcat.service'
> >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... No connection - server may still be down
> >>>> 2016-03-23 17:55:12 pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
> >>>> 2016-03-23 17:55:13 pkispawn : DEBUG ........... No connection - server may still be down
> >>>> 2016-03-23 17:55:13 pkispawn : DEBUG ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
> >>>> 2016-03-23 17:55:24 pkispawn : DEBUG ........... version="1.0" encoding="UTF-8" standalone="no"?>0CA s running10.2.5-6.el7 [status XML with its element tags lost in the archive]
> >>>> 2016-03-23 17:55:25 pkispawn : INFO ....... constructing PKI configuration data.
> >>>> 2016-03-23 17:55:25 pkispawn : INFO ....... configuring PKI configuration data.
> >>>> 2016-03-23 17:56:51 pkispawn : ERROR ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
> >>>> 2016-03-23 17:56:51 pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error while updating security domain: java.io.IOException: 2"}
> >>>> 2016-03-23 17:56:51 pkispawn : DEBUG ....... Error Type: ParseError
> >>>> 2016-03-23 17:56:51 pkispawn : DEBUG ....... Error Message: not well-formed (invalid token): line 1, column 0
> >>>> 2016-03-23 17:56:51 pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 597, in main
> >>>>     rv = instance.spawn(deployer)
> >>>>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 116, in spawn
> >>>>     json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
> >>>>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3906, in configure_pki_data
> >>>>     root = ET.fromstring(e.response.text)
> >>>>   File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
> >>>>     parser.feed(text)
> >>>>   File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
> >>>>     self._raiseerror(v)
> >>>>   File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror
> >>>>     raise err
> >>>>
> >>>> /var/log/pki/pki-tomcat/ca/debug
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password ok: store in memory cache
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: errorIfDown false
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP connection using basic authentication to host pt-idm-vm01.example.com port 389 as cn=Directory Manager
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with mininum 3 and maximum 15 connections to host pt-idm-vm01.example.com port 389, secure connection, false, authentication type 1
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum connections by 3
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available connections 3
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of connections 3
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In LdapBoundConnFactory::getConn()
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: true
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is connected true
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now 2
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS: param=preop.internaldb.manager_ldif
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file = /usr/share/pki/server/conf/manager.ldif
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to /var/lib/pki/pki-tomcat/ca/conf/manager.ldif
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): LDAP Errors in importing /var/lib/pki/pki-tomcat/ca/conf/manager.ldif
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in adding entry ou=csusers,cn=config:netscape.ldap.LDAPException: error result (68)
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in modifying entry o=ipaca:netscape.ldap.LDAPException: error result (20)
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: populateVLVIndexes(): start
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Creating LdapBoundConnFactor(ConfigurationUtils)
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapBoundConnFactory: init
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapBoundConnFactory:doCloning true
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init()
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init begins
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: prompt is internaldb
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: try getting from memory cache
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: got password from memory
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: password found for prompt.
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password ok: store in memory cache
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: errorIfDown false
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP connection using basic authentication to host pt-idm-vm01.example.com port 389 as cn=Directory Manager
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with mininum 3 and maximum 15 connections to host pt-idm-vm01.example.com port 389, secure connection, false, authentication type 1
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum connections by 3
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available connections 3
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of connections 3
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In LdapBoundConnFactory::getConn()
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: true
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is connected true
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now 2
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS: param=preop.internaldb.post_ldif
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file = /usr/share/pki/ca/conf/vlv.ldif
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to /var/lib/pki/pki-tomcat/ca/conf/vlv.ldif
> >>>> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif file = /usr/share/pki/ca/conf/vlvtasks.ldif
> >>>> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to /var/lib/pki/pki-tomcat/ca/conf/vlvtasks.ldif
> >>>> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: Checking wait_dn cn=index1160589769, cn=index, cn=tasks, cn=config
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: Found data for 'sslserver'
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: SystemConfigService:processCerts(): san_server_cert not found for tag sslserver
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is local
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is remote (revised)
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: updateConfig() for certTag sslserver
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: updateConfig() done
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: remote CA
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got public key
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got private key
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: For this Cloned CA, always use its Master CA to generate the 'sslserver' certificate to avoid any changes which may have been made to the X500Name directory string encoding order.
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: ConfigurationUtils: injectSAN=false
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertUtil createRemoteCert: content requestor_name=CA-pt-idm-vm01.example.com-8443&profileId=caInternalAuthServerCert&cert_request_type=pkcs10&cert_request=[base64 PKCS#10 request, redacted by the poster, removed]&xmlOutput=true&sessionID=-4495713718673639316
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil createRemoteCert: status=0
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil createRemoteCert: [base64 certificate, redacted by the poster, removed]
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: ConfigurationUtils: handleCertRequest() begins
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: tag=sslserver
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: privKeyID=29c021f3ccfafb1049bd33ce00e9b4ba35f2c1e7
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: created cert request
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processing 'sslserver' certificate:
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): for cert tag 'sslserver' using cert type 'remote'
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): process remote...import cert
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: nickname=Server-Cert cert-pki-ca
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: cert deleted successfully
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): certchains length=2
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): import certificate successfully, certTag=sslserver
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processed 'sslserver' certificate.
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === BackupKeyCert Panel/SavePKCS12 Panel ===
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: backupKeys(): start
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Admin Panel ===
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Done Panel ===
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Updating existing security domain
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: isSDHostDomainMaster(): Getting domain.xml from CA...
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: getDomainXML start
> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: status=0
> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: domainInfo= standalone="no"?>IPAptipa1.example.com443443443443 44380FALSEpki-cadTRUE1 0 00 0 0 [domain.xml with its element tags lost in the archive]
> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Cloning a domain master
> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ptipa1.example.com port=443
> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: failed to update security domain using admin port 443: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: now trying agent port with client auth
> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ptipa1.example.com port=443
> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateDomainXML() nickname=subsystemCert cert-pki-ca
> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML: status=1
> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Error while updating security domain: java.io.IOException: 2
> >>>> [23/Mar/2016:23:44:52][http-bio-8080-exec-1]: according to ccMode, authorization for servlet: caProfileList is LDAP based, not XML {1}, use default authz mgr: {2}.
> >>>>
> >>>> /var/log/pki/pki-tomcat/ca/system
> >>>>
> >>>> 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
> >>>> 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
> >>>>
> >>>> *Dennis M Ott*
> >>>> Infrastructure Administrator
> >>>> Infrastructure and Security Operations
> >>>>
> >>>> *McKesson Corporation
> >>>> McKesson Pharmacy Systems and Automation* www.mckesson.com
> >>>>
> >>> --
> >>> Petr Vobornik
> >>
> >> --
> >> Petr Vobornik
> >>
> >> --
> >> Manage your subscription for the Freeipa-users mailing list:
> >> Go to http://freeipa.org for more info on the project
> >
> > --
> > Petr Vobornik
>
> --
> Petr Vobornik
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

--
This email and its contents are confidential. If you are not the intended recipient, please do not disclose or use the information within this email or its attachments. If you have received this email in error, please report the error to the sender by return email and delete this communication from your records.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From tomek at pipebreaker.pl Sat Jun 25 19:21:24 2016
From: tomek at pipebreaker.pl (Tomasz Torcz)
Date: Sat, 25 Jun 2016 21:21:24 +0200
Subject: [Freeipa-users] Multiple issues (weblogin, DNS) with 4.3.1
In-Reply-To:
References: <20160527122848.GA333519@mother.pipebreaker.pl> <5763C3A6.3050802@redhat.com> <20160618171354.GA439585@mother.pipebreaker.pl> <57660B3F.2010308@redhat.com> <20160620080714.GA275278@mother.pipebreaker.pl> <57697B8B.3020600@redhat.com> <20160622082812.GA1285792@mother.pipebreaker.pl> <576AA008.9040100@redhat.com>
Message-ID: <20160625192124.GA738661@mother.pipebreaker.pl>

On Wed, Jun 22, 2016 at 05:01:55PM +0200, Youenn PIOLET wrote:
> Hi,

Hello Youen,

> Can you provide the output of :
> certutil -L -d /etc/dirsrv/slapd-/ on replicas that can't
> start the PKI?
> Your CA Cert attributes should be CT,C,C

---
$ certutil -L -d /etc/dirsrv/slapd-PIPEBREAKER-PL/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
PIPEBREAKER.PL IPA CA                                        CT,C,
---

Last 'C' is missing; according to certutil manpage, this is for "object signing".

> I experience the same issue as you every two replica I install. The fix is :
> certutil -d /etc/dirsrv/slapd-/ -A -t "CT,C,C" -n " DOMAIN> IPA CA" -i /etc/ipa/ca.crt

After this command, the output is now:

PIPEBREAKER.PL IPA CA                                        CT,C,C

> and restart ipa server.

It seems error message changed, now it's "Subsystem unavailable":

---
Jun 25 20:29:35 okda.pipebreaker.pl server[846021]: Jun 25, 2016 8:29:35 PM org.apache.catalina.core.ContainerBase backgroundProcess
Jun 25 20:29:36 okda.pipebreaker.pl server[846021]: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm at 3e8fa209 background process
Jun 25 20:29:36 okda.pipebreaker.pl server[846021]: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Jun 25 20:29:36 okda.pipebreaker.pl server[846021]:         at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:130)
Jun 25 20:29:36 okda.pipebreaker.pl server[846021]:         at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1127)
Jun 25 20:29:36 okda.pipebreaker.pl server[846021]:         at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5642)
Jun 25 20:29:36 okda.pipebreaker.pl server[846021]:         at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1377)
Jun 25 20:29:36 okda.pipebreaker.pl server[846021]:         at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1381)
Jun 25 20:29:36 okda.pipebreaker.pl server[846021]:         at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1381)
Jun 25 20:29:36 okda.pipebreaker.pl server[846021]:         at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1349)
Jun 25 20:29:36 okda.pipebreaker.pl server[846021]:         at java.lang.Thread.run(Thread.java:745)
---

> https://www.redhat.com/archives/freeipa-users/2013-August/msg00088.html
>
> Can you also provide the following line of the file generated by following
> commands:
>
> $ ipa certprofile-show --out /tmp/caIPAserviceCert.cfg caIPAserviceCert

This command creates 0-length file. I've kinited to admin before invoking the command:

---
ipa: INFO: trying https://okda.pipebreaker.pl/ipa/json
ipa: DEBUG: NSSConnection init okda.pipebreaker.pl
ipa: DEBUG: Connecting: 2a00:d880:5:a14::8b0d:aed
ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
ipa: DEBUG: cert valid True for "CN=okda.pipebreaker.pl,O=PIPEBREAKER.PL"
ipa: DEBUG: handshake complete, peer = 2a00:d880:5:a14::8b0d:aed
ipa: DEBUG: Protocol: TLS1.2
ipa: DEBUG: Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ipa: DEBUG: received Set-Cookie 'ipa_session=2906766f27c485b00049c51a0ca7d86a; Domain=okda.pipebreaker.pl; Path=/ipa; Expires=Sat, 25 Jun 2016 19:39:54 GMT; Secure; HttpOnly'
ipa: DEBUG: storing cookie 'ipa_session=2906766f27c485b00049c51a0ca7d86a; Domain=okda.pipebreaker.pl; Path=/ipa; Expires=Sat, 25 Jun 2016 19:39:54 GMT; Secure; HttpOnly' for principal admin at PIPEBREAKER.PL
ipa: DEBUG: Created connection context.rpcclient_140035796262032
ipa: DEBUG: raw: certprofile_show(u'caIPAserviceCert', rights=False, out=u'/tmp/caIPAserviceCert.cfg', all=False, raw=False, version=u'2.164')
ipa: DEBUG: certprofile_show(u'caIPAserviceCert', rights=False, out=u'/tmp/caIPAserviceCert.cfg', all=False, raw=False, version=u'2.164')
ipa: INFO: Forwarding 'certprofile_show' to json server 'https://okda.pipebreaker.pl/ipa/json'
ipa: DEBUG: NSSConnection init okda.pipebreaker.pl
ipa: DEBUG: Connecting: 2a00:d880:5:a14::8b0d:aed
ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
ipa: DEBUG: cert valid True for "CN=okda.pipebreaker.pl,O=PIPEBREAKER.PL"
ipa: DEBUG: handshake complete, peer = 2a00:d880:5:a14::8b0d:aed
ipa: DEBUG: Protocol: TLS1.2
ipa: DEBUG: Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ipa: DEBUG: received Set-Cookie 'ipa_session=c6b47d5eb7a504b7ab629a2111dec4f3; Domain=okda.pipebreaker.pl; Path=/ipa; Expires=Sat, 25 Jun 2016 19:39:56 GMT; Secure; HttpOnly'
ipa: DEBUG: storing cookie 'ipa_session=c6b47d5eb7a504b7ab629a2111dec4f3; Domain=okda.pipebreaker.pl; Path=/ipa; Expires=Sat, 25 Jun 2016 19:39:56 GMT; Secure; HttpOnly' for principal admin at PIPEBREAKER.PL
ipa: DEBUG: Destroyed connection context.rpcclient_140035796262032
ipa: ERROR: Failed to authenticate to CA REST API
---

> $ grep policyset.serverCertSet.1.default.params.name /tmp/caIPAserviceCert.cfg

--
Tomasz Torcz                 "Funeral in the morning, IDE hacking
xmpp: zdzichubg at chrome.pl     in the afternoon and evening." - Alan Cox

From rstory at tislabs.com Sun Jun 26 06:17:01 2016
From: rstory at tislabs.com (Robert Story)
Date: Sun, 26 Jun 2016 02:17:01 -0400
Subject: [Freeipa-users] disaster recovery
Message-ID: <20160626021701.1ff9d03d@ispx.vb.futz.org>

Hello,

I was running a single ipa instance on Centos 7 for a small lab (ipa-server-4.2.0-15.0.1.el7.centos.17.x86_64), and the disk was corrupted. I have a (mostly) full backup (/var/log/ and /var/run/ excluded), which I restored. ipa server didn't start, and wanted me to run ipa-server-upgrade.
This failed, and I see this in the log:

2016-06-25T23:16:37Z DEBUG Mounting ipaserver.rpcserver.jsonserver_kerb() at '/json'
2016-06-25T23:16:37Z DEBUG session_auth_duration: 0:20:00
2016-06-25T23:16:37Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2016-06-25T23:16:37Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 47, in run
    server.upgrade_check(self.options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1573, in upgrade_check
    sys.exit(1)

2016-06-25T23:16:37Z DEBUG The ipa-server-upgrade command failed, exception: SystemExit: 1

I tried starting dirsrv at DOMAIN manually, and I get this in the dirsrv log:

[26/Jun/2016:01:46:54 -0400] - 389-Directory/1.3.4.0 B2016.175.1716 starting up
[26/Jun/2016:01:46:54 -0400] - WARNING: changelog: entry cache size 2097152B is less than db size 143196160B; We recommend to increase the entry cache size nsslapd-cachememsize.
[26/Jun/2016:01:46:54 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[26/Jun/2016:01:46:55 -0400] - libdb: BDB2506 file userRoot/id2entry.db has LSN 4336/2969724, past end of log at 1/176
[26/Jun/2016:01:46:56 -0400] - libdb: BDB2507 Commonly caused by moving a database from one database environment
[26/Jun/2016:01:46:56 -0400] - libdb: BDB2508 to another without clearing the database LSNs, or by removing all of
[26/Jun/2016:01:46:56 -0400] - libdb: BDB2509 the log files from a database environment
[26/Jun/2016:01:46:57 -0400] - dbp->open("userRoot/id2entry.db") failed: Invalid argument (22)
[26/Jun/2016:01:46:57 -0400] - dblayer_instance_start fail: Invalid argument (22)
[26/Jun/2016:01:46:57 -0400] - libdb: BDB2506 file ipaca/id2entry.db has LSN 4336/2990140, past end of log at 1/288
[26/Jun/2016:01:46:57 -0400] - libdb: BDB2507 Commonly caused by moving a database from one database environment
[26/Jun/2016:01:46:57 -0400] - libdb: BDB2508 to another without clearing the database LSNs, or by removing all of
[26/Jun/2016:01:46:57 -0400] - libdb: BDB2509 the log files from a database environment
[26/Jun/2016:01:46:57 -0400] - dbp->open("ipaca/id2entry.db") failed: Invalid argument (22)
[26/Jun/2016:01:46:58 -0400] - dblayer_instance_start fail: Invalid argument (22)
[26/Jun/2016:01:46:58 -0400] - libdb: BDB2506 file changelog/id2entry.db has LSN 4336/2921967, past end of log at 1/288
[26/Jun/2016:01:46:58 -0400] - libdb: BDB2507 Commonly caused by moving a database from one database environment
[26/Jun/2016:01:46:58 -0400] - libdb: BDB2508 to another without clearing the database LSNs, or by removing all of
[26/Jun/2016:01:46:58 -0400] - libdb: BDB2509 the log files from a database environment
[26/Jun/2016:01:46:58 -0400] - dbp->open("changelog/id2entry.db") failed: Invalid argument (22)
[26/Jun/2016:01:46:58 -0400] - dblayer_instance_start fail: Invalid argument (22)
[26/Jun/2016:01:46:58 -0400] - start: Failed to start databases, err=22 Invalid argument

So I'm trying to figure out if I can salvage this restored VM, or if I need to reinstall from scratch; and if I do reinstall, am I going to be able to restore my old data somehow. I have a funny feeling that there are important files in /var/log and/or /var/run and I'm up the creek without a paddle.

And yes, once I have a working system again I'm going to set up a replica to help avoid this mess in the future.

Robert

--
Senior Software Engineer @ Parsons
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL:

From supratiksekhar at gmail.com Sun Jun 26 16:57:51 2016
From: supratiksekhar at gmail.com (Supratik Goswami)
Date: Sun, 26 Jun 2016 22:27:51 +0530
Subject: [Freeipa-users] How to automatically group new users under Stage Users when users are synced from AD
Message-ID:

Hi

I am using ipa-server-4.2.0 in my environment, it is having winsync agreement with the AD server. I want to move all new users to "Stage Users" state automatically when they are synced from the AD, can anyone please guide me on how to achieve it?

Any help is highly appreciated.

--
Warm Regards
Supratik
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From john.obaterspok at gmail.com Sun Jun 26 18:37:34 2016
From: john.obaterspok at gmail.com (John Obaterspok)
Date: Sun, 26 Jun 2016 20:37:34 +0200
Subject: [Freeipa-users] nss unrecognized name alert with SAN name
In-Reply-To:
References: <56B673CD.1080507@redhat.com> <20160211003408.GL12524@dhcp-40-8.bne.redhat.com> <571E2E06.6070400@redhat.com>
Message-ID:

Hi,

I've been running F23 + mod_nss 1.0.14-1 for months to get SubjectAltName to work. F24 update brings back mod_nss to 1.0.12-4 and now SubjectAltName doesn't work any more.

Is there any chance 1.0.14 will make it in as an F24 update? (I can add karma if needed)

-- john

2016-04-25 19:26 GMT+02:00 John Obaterspok :
> Thanks Rob!
>
> I rebuilt the mod_nss-1.0.14-1 version from rawhide for my F23 IPA server
> and it works like a charm.
>
> Thanks,
>
> john
>
> 2016-04-25 16:47 GMT+02:00 Rob Crittenden :
>
>> John Obaterspok wrote:
>>
>>> 2016-02-11 1:34 GMT+01:00 Fraser Tweedale :
>>>
>>> On Sun, Feb 07, 2016 at 12:05:19PM +0100, John Obaterspok wrote:
>>> > 2016-02-06 23:29 GMT+01:00 Rob Crittenden :
>>> >
>>> > > John Obaterspok wrote:
>>> > >
>>> > >> Hi,
>>> > >>
>>> > >> I have a ipa.my.lan and a cname gitserver.my.lan pointing to ipa.my.lan
>>> > >>
>>> > >> I recently started to get nss error "SSL peer has no certificate for the
>>> > >> requested DNS name." when I'm accessing my https://gitserver.my.lan
>>> > >>
>>> > >> Previously this worked fine if I had set "git config --global
>>> > >> http.sslVerify false" according to
>>> > >> https://www.redhat.com/archives/freeipa-users/2015-November/msg00213.html
>>> > >>
>>> > >> Now I tried to solve this by adding a SubjectAltName to the
>>> > >> HTTP/ipa.my.lan certificate like this:
>>> > >>
>>> > >> status: MONITORING
>>> > >> stuck: no
>>> > >> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> > >> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>> > >> CA: IPA
>>> > >> issuer: CN=Certificate Authority,O=MY.LAN
>>> > >> subject: CN=ipa.my.lan,O=MY.LAN
>>> > >> expires: 2018-02-06 19:24:52 UTC
>>> > >> dns: gitserver.my.lan,ipa.my.lan
>>> > >> principal name: http/ipa.my.lan at MY.LAN
>>> > >> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> > >> eku: id-kp-serverAuth,id-kp-clientAuth
>>> > >> pre-save command:
>>> > >> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>> > >> track: yes
>>> > >> auto-renew: yes
>>> > >>
>>> > >> But I still get the below error:
>>> > >>
>>> > >> * NSS error -12182 (SSL_ERROR_UNRECOGNIZED_NAME_ALERT)
>>> > >> * SSL peer has no certificate for the requested DNS name
>>> > >>
>>> > > What version of mod_nss? It recently added support for SNI. You can try
>>> > > turning it off by adding NSSSNI off to /etc/httpd/conf.d/nss.conf but I'd
>>> > > imagine you were already relying on it.
>>> > >
>>> > Hi,
>>> >
>>> > Turning it off didn't help
>>> >
>>> > I'm on F23 with latest updates so I have mod_nss-1.0.12-1
>>> > I noticed it worked if I set "ServerName gitserver.my.lan" in
>>> > gitserver.conf, but then I got the NAME ALERT when accessing ipa.my.lan.
>>> >
>>> > I then tried to put ipa.conf in but then I got error
>>> > about SSL_ERROR_RX_RECORD_TOO_LONG
>>> >
>>> > gitserver.conf has this:
>>> >
>>> > DocumentRoot /opt/wwwgit
>>> > SetEnv GIT_PROJECT_ROOT /opt/wwwgit
>>> > SetEnv GIT_HTTP_EXPORT_ALL
>>> > SetEnv REMOTE_USER $REDIRECT_REMOTE_USER
>>> > ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
>>> >
>>> > ServerName gitserver.my.lan
>>> >
>>> > Options Indexes
>>> > AllowOverride None
>>> > Require all granted
>>> >
>>> > Options Indexes
>>> > AllowOverride None
>>> > Require all granted
>>> >
>>> > #SSLRequireSSL
>>> > AuthType Kerberos
>>> > AuthName "Kerberos Login"
>>> > KrbAuthRealm MY.LAN
>>> > Krb5KeyTab /etc/httpd/conf/ipa.keytab
>>> > KrbMethodNegotiate on
>>> > KrbMethodK5Passwd off # Set to on to query for pwd if negotiation
>>> > failed due to no ticket available
>>> > KrbSaveCredentials on
>>> > KrbVerifyKDC on
>>> > KrbServiceName HTTP/ipa.my.lan at MY.LAN
>>> >
>>> > AuthLDAPUrl ldaps://ipa.my.lan/dc=my,dc=lan?krbPrincipalName
>>> > AuthLDAPBindDN "uid=httpbind,cn=sysaccounts,cn=etc,dc=my,dc=lan"
>>> > AuthLDAPBindPassword "secret123abc"
>>> > Require ldap-group cn=ipausers,cn=groups,cn=accounts,dc=my,dc=lan
>>> >
>>> > Any more ideas what I do wrong?
>>>
>>> It was suggested that this may be due to the certificate not being
>>> compliant with RFC 2818. This is likely true, but I think it is not
>>> likely to be the problem. You can use `openssl s_client` to confirm
>>> what certificate the server is sending:
>>>
>>> openssl s_client -showcerts \
>>> -servername gitserver.my.lan -connect gitserver.my.lan:443
>>>
>>> This will dump the certificates (in PEM format), which you can copy
>>> to a file examine with `openssl x509 -text < cert.pem`.
>>>
>>> Feel free to reply with the output; I am happy to have a closer
>>> look.
>>>
>>> Hi Fraser,
>>>
>>> *cough*, I didn't see this until now :)
>>>
>>> Anyway,
>>>
>>> [admin at ipa ~]$ openssl s_client -showcerts -servername gitserver.my.lan -connect gitserver.my.lan:443
>>> CONNECTED(00000003)
>>> 140404557162360:error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 unrecognized name:s23_clnt.c:769:
>>> ---
>>> no peer certificate available
>>> ---
>>> No client certificate CA names sent
>>> ---
>>> SSL handshake has read 7 bytes and written 227 bytes
>>> ---
>>> New, (NONE), Cipher is (NONE)
>>> Secure Renegotiation IS NOT supported
>>> Compression: NONE
>>> Expansion: NONE
>>> No ALPN negotiated
>>> SSL-Session:
>>>     Protocol  : TLSv1.2
>>>     Cipher    : 0000
>>>     Session-ID:
>>>     Session-ID-ctx:
>>>     Master-Key:
>>>     Key-Arg   : None
>>>     Krb5 Principal: None
>>>     PSK identity: None
>>>     PSK identity hint: None
>>>     Start Time: 1461568003
>>>     Timeout   : 300 (sec)
>>>     Verify return code: 0 (ok)
>>> ---
>>>
>>> [root at ipa ~]# ipa-getcert list
>>> Number of certificates and requests being tracked: 8.
>>> Request ID '20160206184156':
>>>     status: MONITORING
>>>     stuck: no
>>>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MY-LAN',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MY-LAN/pwdfile.txt'
>>>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-MY-LAN',nickname='Server-Cert',token='NSS Certificate DB'
>>>     CA: IPA
>>>     issuer: CN=Certificate Authority,O=my.lan
>>>     subject: CN=ipa.my.lan,O=my.lan
>>>     expires: 2017-12-23 22:50:30 UTC
>>>     principal name: ldap/ipa.my.lan at my.lan
>>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>>     pre-save command:
>>>     post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv MY-LAN
>>>     track: yes
>>>     auto-renew: yes
>>> Request ID '20160206192447':
>>>     status: MONITORING
>>>     stuck: no
>>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>     CA: IPA
>>>     issuer: CN=Certificate Authority,O=my.lan
>>>     subject: CN=ipa.my.lan,O=my.lan
>>>     expires: 2018-02-06 19:24:52 UTC
>>>     *dns: gitserver.my.lan,ipa.my.lan*
>>>     principal name: http/ipa.my.lan at my.lan
>>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>>     pre-save command:
>>>     post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>     track: yes
>>>     auto-renew: yes
>>>
>>> Any ideas?
>>>
>> It's a bug in mod_nss 1.0.12. It shouldn't return a hard failure, it
>> should use the default VH instead (this was fixed in 1.0.13). I filed
>> https://bugzilla.redhat.com/show_bug.cgi?id=133018
>>
>> rob
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: From mbasti at redhat.com Mon Jun 27 06:09:59 2016 From: mbasti at redhat.com (Martin Basti) Date: Mon, 27 Jun 2016 08:09:59 +0200 Subject: [Freeipa-users] disaster recovery In-Reply-To: <20160626021701.1ff9d03d@ispx.vb.futz.org> References: <20160626021701.1ff9d03d@ispx.vb.futz.org> Message-ID: On 26.06.2016 08:17, Robert Story wrote: > Hello, > > I was running a single ipa instance on Centos 7 for a small lab > (ipa-server-4.2.0-15.0.1.el7.centos.17.x86_64), and the disk was corrupted. > I have a (mostly) full backup (/var/log/ and /var/run/ excluded), which I > restored. ipa server didn't start, and wanted me to run > ipa-server-upgrade. This failed, and I see this in the log: > > 2016-06-25T23:16:37Z DEBUG Mounting ipaserver.rpcserver.jsonserver_kerb() at '/json' > 2016-06-25T23:16:37Z DEBUG session_auth_duration: 0:20:00 > 2016-06-25T23:16:37Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' > 2016-06-25T23:16:37Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute > return_value = self.run() > File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 47, in run > server.upgrade_check(self.options) > File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1573, in upgrade_check > sys.exit(1) > > 2016-06-25T23:16:37Z DEBUG The ipa-server-upgrade command failed, exception: SystemExit: 1 > > > I tried starting dirsrv at DOMAIN manually, and I get thisin the dirsrv log: > > > [26/Jun/2016:01:46:54 -0400] - 389-Directory/1.3.4.0 B2016.175.1716 starting up > [26/Jun/2016:01:46:54 -0400] - WARNING: changelog: entry cache size 2097152B is less than db size 143196160B; We recommend to increase the entry cache size nsslapd-cachememsize. > [26/Jun/2016:01:46:54 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database. 
> [26/Jun/2016:01:46:55 -0400] - libdb: BDB2506 file userRoot/id2entry.db has LSN 4336/2969724, past end of log at 1/176 > [26/Jun/2016:01:46:56 -0400] - libdb: BDB2507 Commonly caused by moving a database from one database environment > [26/Jun/2016:01:46:56 -0400] - libdb: BDB2508 to another without clearing the database LSNs, or by removing all of > [26/Jun/2016:01:46:56 -0400] - libdb: BDB2509 the log files from a database environment > [26/Jun/2016:01:46:57 -0400] - dbp->open("userRoot/id2entry.db") failed: Invalid argument (22) > [26/Jun/2016:01:46:57 -0400] - dblayer_instance_start fail: Invalid argument (22) > [26/Jun/2016:01:46:57 -0400] - libdb: BDB2506 file ipaca/id2entry.db has LSN 4336/2990140, past end of log at 1/288 > [26/Jun/2016:01:46:57 -0400] - libdb: BDB2507 Commonly caused by moving a database from one database environment > [26/Jun/2016:01:46:57 -0400] - libdb: BDB2508 to another without clearing the database LSNs, or by removing all of > [26/Jun/2016:01:46:57 -0400] - libdb: BDB2509 the log files from a database environment > [26/Jun/2016:01:46:57 -0400] - dbp->open("ipaca/id2entry.db") failed: Invalid argument (22) > [26/Jun/2016:01:46:58 -0400] - dblayer_instance_start fail: Invalid argument (22) > [26/Jun/2016:01:46:58 -0400] - libdb: BDB2506 file changelog/id2entry.db has LSN 4336/2921967, past end of log at 1/288 > [26/Jun/2016:01:46:58 -0400] - libdb: BDB2507 Commonly caused by moving a database from one database environment > [26/Jun/2016:01:46:58 -0400] - libdb: BDB2508 to another without clearing the database LSNs, or by removing all of > [26/Jun/2016:01:46:58 -0400] - libdb: BDB2509 the log files from a database environment > [26/Jun/2016:01:46:58 -0400] - dbp->open("changelog/id2entry.db") failed: Invalid argument (22) > [26/Jun/2016:01:46:58 -0400] - dblayer_instance_start fail: Invalid argument (22) > [26/Jun/2016:01:46:58 -0400] - start: Failed to start databases, err=22 Invalid argument > > > So I'm trying to figure out if I 
can salvage this restored VM, or if I need > to reinstall from scratch; and if I do reinstall, am I going to be able to > restore my old data somehow. I have a funny feeling that there are > important files in /var/log and/or /var/run and I'm up the creek without a > paddle. > > And yes, once I have a working system again I'm going to set up a replica > to help avoid this mess in the future. > > Robert > > > Hello, upgrader refuses to upgrade because check which requires /var/lib/ipa failed. Upgrader thinks that IPA is not installed. So are you sure you have backup of /var/lib/ipa ? regards, Martin -------------- next part -------------- An HTML attachment was scrubbed... URL: From lslebodn at redhat.com Mon Jun 27 09:05:46 2016 From: lslebodn at redhat.com (Lukas Slebodnik) Date: Mon, 27 Jun 2016 11:05:46 +0200 Subject: [Freeipa-users] nss unrecognized name alert with SAN name In-Reply-To: References: <56B673CD.1080507@redhat.com> <20160211003408.GL12524@dhcp-40-8.bne.redhat.com> <571E2E06.6070400@redhat.com> Message-ID: <20160627090546.GB29194@10.4.128.1> On (26/06/16 20:37), John Obaterspok wrote: >Hi, > >I've been running F23 + mod_nss 1.0.14-1 for months to get SubjectAltName >to work. >F24 update brings back mod_nss to 1.0.12-4 and now SubjectAltName doesn't >work any more. Is there any chance 1.0.14 will make it in as an F24 update? >(I can add karma if needed) > mod_nss-1.0.14-1 is only in rawhide (fc25) I cannot see such package in fedora 23. 
http://koji.fedoraproject.org/koji/packageinfo?packageID=2554 LS From john.obaterspok at gmail.com Mon Jun 27 10:53:24 2016 From: john.obaterspok at gmail.com (John Obaterspok) Date: Mon, 27 Jun 2016 12:53:24 +0200 Subject: [Freeipa-users] nss unrecognized name alert with SAN name In-Reply-To: <20160627090546.GB29194@10.4.128.1> References: <56B673CD.1080507@redhat.com> <20160211003408.GL12524@dhcp-40-8.bne.redhat.com> <571E2E06.6070400@redhat.com> <20160627090546.GB29194@10.4.128.1> Message-ID: 2016-06-27 11:05 GMT+02:00 Lukas Slebodnik : > On (26/06/16 20:37), John Obaterspok wrote: > >Hi, > > > >I've been running F23 + mod_nss 1.0.14-1 for months to get SubjectAltName > >to work. > >F24 update brings back mod_nss to 1.0.12-4 and now SubjectAltName doesn't > >work any more. Is there any chance 1.0.14 will make it in as an F24 > update? > >(I can add karma if needed) > > > mod_nss-1.0.14-1 is only in rawhide (fc25) > I cannot see such package in fedora 23. > > http://koji.fedoraproject.org/koji/packageinfo?packageID=2554 > > Hi Lukas, When I ran F23 I installed mod_nss-1.0.14-1 from rawhide (fc25) in order to fix the problem with using SubjectAltName in certificate. I believe I manually installed 1.0.14 in april and this bug was fixed in 1.0.13 so that's why I was surprised F24 shipped with .12 -- john -------------- next part -------------- An HTML attachment was scrubbed... URL: From gjn at gjn.priv.at Mon Jun 27 11:00:13 2016 From: gjn at gjn.priv.at (=?ISO-8859-1?Q?G=FCnther_J=2E?= Niederwimmer) Date: Mon, 27 Jun 2016 13:00:13 +0200 Subject: [Freeipa-users] 3th Party Certificate Message-ID: <2357851.X0UjeqP3hx@techz> Hello Professional, what is the minimum when I like to replace the private Certificates ? must I have a Class2 wild card Certificate? Have I to reinstall IPA, I mean no ? when I read all correct, this is working. Have any hints for this scenario Thanks for a answer, -- mit freundlichen Gr??en / best regards, G?nther J. 
Niederwimmer From andreas.ladanyi at kit.edu Mon Jun 27 11:49:05 2016 From: andreas.ladanyi at kit.edu (Andreas Ladanyi) Date: Mon, 27 Jun 2016 13:49:05 +0200 Subject: [Freeipa-users] Replace with 3rd part certificates Message-ID: Hi, i try to replace the self signed certificate from the ipa installation with this description: http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP ipa-server-certinstall -w -d mysite.key mysite.crt The tool ask for the private key unlock passwort. The private key was generated without passwort. I tried out to press only the enter key, but it doesnt help. So iam confused. The certificate and keyfile are in PEM format. For testing I converted the private key with: openssl rsa -in -out because i want to know if openssl ask me for a password, but it doesnt. My version number is FreeIPA 4.1. regards, Andreas -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5326 bytes Desc: S/MIME Cryptographic Signature URL: From BJB at jndata.dk Mon Jun 27 12:43:13 2016 From: BJB at jndata.dk (Bjarne Blichfeldt) Date: Mon, 27 Jun 2016 12:43:13 +0000 Subject: [Freeipa-users] Replace with 3rd part certificates In-Reply-To: References: Message-ID: <89213DDB84447F44A8E8950A5C2185E048255F2D@SJN01013.jnmain00.corp.jndata.net> For the time being and as far as I can see until IPA 4.3.1, the procedure is messy and difficult. The following thread will be a big help: https://www.redhat.com/archives/freeipa-users/2016-January/msg00223.html I think I succeeded at last, but further tests remain. Regards, Bjarne -----Original Message----- From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Andreas Ladanyi Sent: 27. 
juni 2016 13:49 To: freeipa-users at redhat.com Subject: [Freeipa-users] Replace with 3rd part certificates Hi, i try to replace the self signed certificate from the ipa installation with this description: http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP ipa-server-certinstall -w -d mysite.key mysite.crt The tool ask for the private key unlock passwort. The private key was generated without passwort. I tried out to press only the enter key, but it doesnt help. So iam confused. The certificate and keyfile are in PEM format. For testing I converted the private key with: openssl rsa -in -out because i want to know if openssl ask me for a password, but it doesnt. My version number is FreeIPA 4.1. regards, Andreas From rstory at tislabs.com Mon Jun 27 12:59:14 2016 From: rstory at tislabs.com (Robert Story) Date: Mon, 27 Jun 2016 08:59:14 -0400 Subject: [Freeipa-users] disaster recovery In-Reply-To: References: <20160626021701.1ff9d03d@ispx.vb.futz.org> Message-ID: <20160627085914.26f766f8@ispx.vb.futz.org> On Mon, 27 Jun 2016 08:09:59 +0200 Martin wrote: MB> On 26.06.2016 08:17, Robert Story wrote: MB> > Hello, MB> > MB> > I was running a single ipa instance on Centos 7 for a small lab MB> > (ipa-server-4.2.0-15.0.1.el7.centos.17.x86_64), and the disk was corrupted. MB> > I have a (mostly) full backup (/var/log/ and /var/run/ excluded), which I MB> > restored. ipa server didn't start, and wanted me to run MB> > ipa-server-upgrade. 
This failed, and I see this in the log: MB> > MB> > 2016-06-25T23:16:37Z DEBUG Mounting ipaserver.rpcserver.jsonserver_kerb() at '/json' MB> > 2016-06-25T23:16:37Z DEBUG session_auth_duration: 0:20:00 MB> > 2016-06-25T23:16:37Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' MB> > 2016-06-25T23:16:37Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute MB> > return_value = self.run() MB> > File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 47, in run MB> > server.upgrade_check(self.options) MB> > File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1573, in upgrade_check MB> > sys.exit(1) MB> > MB> > 2016-06-25T23:16:37Z DEBUG The ipa-server-upgrade command failed, exception: SystemExit: 1 MB> > MB> > MB> > I tried starting dirsrv at DOMAIN manually, and I get thisin the dirsrv log: MB> > MB> > MB> > [26/Jun/2016:01:46:54 -0400] - 389-Directory/1.3.4.0 B2016.175.1716 starting up MB> > [26/Jun/2016:01:46:54 -0400] - WARNING: changelog: entry cache size 2097152B is less than db size 143196160B; We recommend to increase the entry cache size nsslapd-cachememsize. MB> > [26/Jun/2016:01:46:54 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database. 
MB> > [26/Jun/2016:01:46:55 -0400] - libdb: BDB2506 file userRoot/id2entry.db has LSN 4336/2969724, past end of log at 1/176 MB> > [26/Jun/2016:01:46:56 -0400] - libdb: BDB2507 Commonly caused by moving a database from one database environment MB> > [26/Jun/2016:01:46:56 -0400] - libdb: BDB2508 to another without clearing the database LSNs, or by removing all of MB> > [26/Jun/2016:01:46:56 -0400] - libdb: BDB2509 the log files from a database environment MB> > [26/Jun/2016:01:46:57 -0400] - dbp->open("userRoot/id2entry.db") failed: Invalid argument (22) MB> > [26/Jun/2016:01:46:57 -0400] - dblayer_instance_start fail: Invalid argument (22) MB> > [26/Jun/2016:01:46:57 -0400] - libdb: BDB2506 file ipaca/id2entry.db has LSN 4336/2990140, past end of log at 1/288 MB> > [26/Jun/2016:01:46:57 -0400] - libdb: BDB2507 Commonly caused by moving a database from one database environment MB> > [26/Jun/2016:01:46:57 -0400] - libdb: BDB2508 to another without clearing the database LSNs, or by removing all of MB> > [26/Jun/2016:01:46:57 -0400] - libdb: BDB2509 the log files from a database environment MB> > [26/Jun/2016:01:46:57 -0400] - dbp->open("ipaca/id2entry.db") failed: Invalid argument (22) MB> > [26/Jun/2016:01:46:58 -0400] - dblayer_instance_start fail: Invalid argument (22) MB> > [26/Jun/2016:01:46:58 -0400] - libdb: BDB2506 file changelog/id2entry.db has LSN 4336/2921967, past end of log at 1/288 MB> > [26/Jun/2016:01:46:58 -0400] - libdb: BDB2507 Commonly caused by moving a database from one database environment MB> > [26/Jun/2016:01:46:58 -0400] - libdb: BDB2508 to another without clearing the database LSNs, or by removing all of MB> > [26/Jun/2016:01:46:58 -0400] - libdb: BDB2509 the log files from a database environment MB> > [26/Jun/2016:01:46:58 -0400] - dbp->open("changelog/id2entry.db") failed: Invalid argument (22) MB> > [26/Jun/2016:01:46:58 -0400] - dblayer_instance_start fail: Invalid argument (22) MB> > [26/Jun/2016:01:46:58 -0400] - start: Failed to start 
databases, err=22 Invalid argument MB> > MB> > MB> > So I'm trying to figure out if I can salvage this restored VM, or if I need MB> > to reinstall from scratch; and if I do reinstall, am I going to be able to MB> > restore my old data somehow. I have a funny feeling that there are MB> > important files in /var/log and/or /var/run and I'm up the creek without a MB> > paddle. MB> > MB> > And yes, once I have a working system again I'm going to set up a replica MB> > to help avoid this mess in the future. MB> > MB> > Robert MB> > MB> > MB> > MB> MB> Hello, upgrader refuses to upgrade because check which requires MB> /var/lib/ipa failed. Upgrader thinks that IPA is not installed. MB> MB> So are you sure you have backup of /var/lib/ipa ? Yep, /var/lib/ipa is there: ls -lR .: total 4 drwx------. 2 root root 6 Jun 24 08:10 backup drwxr-xr-x. 3 root root 20 Jun 24 08:10 pki-ca drwx------. 2 root root 4096 Jun 24 08:10 sysrestore drwx------. 2 root root 29 Jun 24 08:10 sysupgrade ./backup: total 0 ./pki-ca: total 0 drwxrwxr-x. 2 root pkiuser 26 Jun 25 19:38 publish ./pki-ca/publish: total 0 lrwxrwxrwx. 1 pkiuser pkiuser 57 Jun 24 21:00 MasterCRL.bin -> /var/lib/ipa/pki-ca/publish/MasterCRL-20160624-210000.der ./sysrestore: total 68 -rw-r--r--. 1 root root 14 Sep 15 2015 07b33009095935b8-krb5kdc -rw-r--r--. 1 root root 495 Sep 15 2015 126a0615510e0df6-krb5.conf -rw-r--r--. 1 root root 2045 Aug 5 2015 1459a73f06d5e29c-dirsrv -rw-r--r--. 1 root root 45 Jun 23 2015 1bc4913116370139-ntpd -rw-r--r--. 1 root root 9534 Mar 5 2015 1d4cccdbe2db6338-nss.conf -rw-r--r--. 1 root root 158 Jun 7 2013 33ef02044e7e32c4-hosts -rw-r--r--. 1 root root 2045 Feb 17 08:37 3ab32f97ac1f896a-dirsrv -rw-r--r--. 1 root root 2045 Aug 5 2015 7d1b4474370581db-dirsrv -rw-r--r--. 1 root root 2045 Sep 21 2015 b3a9575e954a66ff-dirsrv -rw-r--r--. 1 root root 1984 Aug 19 2015 cdfa12db5eab40ef-ntp.conf -rw-------. 1 root root 451 Sep 15 2015 d3df0140545921df-kdc.conf -rw-r--r--. 
1 root root 2045 Dec 15 2015 e41f8dd1839f3670-dirsrv -rw-r--r--. 1 root root 2045 Mar 14 09:17 f656872d26e358ed-dirsrv -rw-r--r--. 1 root root 757 Apr 14 07:30 sysrestore.index -rw-r--r--. 1 root root 556 Jun 26 01:59 sysrestore.state ./sysupgrade: total 4 -rw-r--r--. 1 root root 582 Apr 14 07:30 sysupgrade.state Looking through the backups, I see that there are no MasterCRL files from the 25th (the backup I restored), but a bunch from the 24th, so maybe I need to try another restore with files from then... Robert -- Senior Software Engineer @ Parsons -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 181 bytes Desc: OpenPGP digital signature URL: From gjn at gjn.priv.at Mon Jun 27 14:43:19 2016 From: gjn at gjn.priv.at (=?ISO-8859-1?Q?G=FCnther_J=2E?= Niederwimmer) Date: Mon, 27 Jun 2016 16:43:19 +0200 Subject: [Freeipa-users] Replace with 3rd part certificates In-Reply-To: <89213DDB84447F44A8E8950A5C2185E048255F2D@SJN01013.jnmain00.corp.jndata.net> References: <89213DDB84447F44A8E8950A5C2185E048255F2D@SJN01013.jnmain00.corp.jndata.net> Message-ID: <1923283.0QcHnL1Skf@techz> Hello, Am Montag, 27. Juni 2016, 12:43:13 CEST schrieb Bjarne Blichfeldt: > For the time being and as far as I can see until IPA 4.3.1, the procedure is > messy and difficult. The following thread will be a big help: > https://www.redhat.com/archives/freeipa-users/2016-January/msg00223.html > > I think I succeeded at last, but further tests remain. > > > Regards, > Bjarne thank's for the info > > -----Original Message----- > From: freeipa-users-bounces at redhat.com > [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Andreas Ladanyi > Sent: 27. 
juni 2016 13:49 > To: freeipa-users at redhat.com > Subject: [Freeipa-users] Replace with 3rd part certificates > > Hi, > > i try to replace the self signed certificate from the ipa installation with > this description: > > http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP > > ipa-server-certinstall -w -d mysite.key mysite.crt > > The tool ask for the private key unlock passwort. The private key was > generated without passwort. I tried out to press only the enter key, but it > doesnt help. So iam confused. The certificate and keyfile are in PEM > format. > > For testing I converted the private key with: > > openssl rsa -in -out > > because i want to know if openssl ask me for a password, but it doesnt. > > My version number is FreeIPA 4.1. My version 4.3.1 ;-) -- mit freundlichen Gr??en / best regards, G?nther J. Niederwimmer From Steven.Auerbach at flbog.edu Mon Jun 27 15:14:18 2016 From: Steven.Auerbach at flbog.edu (Auerbach, Steven) Date: Mon, 27 Jun 2016 15:14:18 +0000 Subject: [Freeipa-users] IPA active-active node failure Message-ID: We have an active-active dual-node IPA. The second node stopped accepting logins thru the Web GUI. I rebooted the server. Now it is really botched. Directory service will not restart: # service ipa restart Restarting Directory Service Shutting down dirsrv: domain-LOCAL... server already stopped [FAILED] *** Error: 1 instance(s) unsuccessfully stopped [FAILED] Starting dirsrv: domain-LOCAL... [FAILED] *** Error: 1 instance(s) failed to start Failed to restart Directory Service: Command '/sbin/service dirsrv restart ' returned non-zero exit status 1 Web service is running enough to load the "Identity Management" banner then pops up an "unknown error" dialog box. How do we reset the directory server (kill a pid file?) to get this working and re-synchronize with our other node? I really am concerned with a single point of failure for all our users.... 
Steven Auerbach Systems Administrator State University System of Florida Board of Governors 325 West Gaines Street, Suite 1625C Tallahassee, Florida 32399 (850) 245-9592 steven.auerbach at flbog.edu | www.flbog.edu [BOG-wordmark-wideFOR EMAIL-color] -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image003.jpg Type: image/jpeg Size: 4102 bytes Desc: image003.jpg URL: From rcritten at redhat.com Mon Jun 27 15:32:51 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 27 Jun 2016 11:32:51 -0400 Subject: [Freeipa-users] nss unrecognized name alert with SAN name In-Reply-To: References: <56B673CD.1080507@redhat.com> <20160211003408.GL12524@dhcp-40-8.bne.redhat.com> <571E2E06.6070400@redhat.com> <20160627090546.GB29194@10.4.128.1> Message-ID: <57714723.7020408@redhat.com> John Obaterspok wrote: > > > 2016-06-27 11:05 GMT+02:00 Lukas Slebodnik >: > > On (26/06/16 20:37), John Obaterspok wrote: > >Hi, > > > >I've been running F23 + mod_nss 1.0.14-1 for months to get SubjectAltName > >to work. > >F24 update brings back mod_nss to 1.0.12-4 and now SubjectAltName doesn't > >work any more. Is there any chance 1.0.14 will make it in as an F24 update? > >(I can add karma if needed) > > > mod_nss-1.0.14-1 is only in rawhide (fc25) > I cannot see such package in fedora 23. > > http://koji.fedoraproject.org/koji/packageinfo?packageID=2554 > > > Hi Lukas, > > When I ran F23 I installed mod_nss-1.0.14-1 from rawhide (fc25) in order > to fix the problem with using SubjectAltName in certificate. > I believe I manually installed 1.0.14 in april and this bug was fixed in > 1.0.13 so that's why I was surprised F24 shipped with .12 I must have missed the fork and didn't notice. I'll update F24 with the latest release soon. Note that mod_nss has its own mailing list, it isn't part of IPA, just used there. 
rob From rcritten at redhat.com Mon Jun 27 15:37:15 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 27 Jun 2016 11:37:15 -0400 Subject: [Freeipa-users] IPA active-active node failure In-Reply-To: References: Message-ID: <5771482B.3040204@redhat.com> Auerbach, Steven wrote: > We have an active-active dual-node IPA. The second node stopped > accepting logins thru the Web GUI. I rebooted the server. Now it is > really botched. > > Directory service will not restart: > > # service ipa restart > > Restarting Directory Service > > Shutting down dirsrv: > > domain-LOCAL... server already stopped [FAILED] > > *** Error: 1 instance(s) unsuccessfully stopped [FAILED] > > Starting dirsrv: > > domain-LOCAL... [FAILED] > > *** Error: 1 instance(s) failed to start > > Failed to restart Directory Service: Command '/sbin/service dirsrv > restart ' returned non-zero exit status 1 > > Web service is running enough to load the ?Identity Management? banner > then pops up an ?unknown error? dialog box. You want to look at /var/log/dirsrv/slapd-domain-LOCAL/errors for details on why it failed to start. rob From jcnt at use.startmail.com Mon Jun 27 22:10:26 2016 From: jcnt at use.startmail.com (jcnt at use.startmail.com) Date: Mon, 27 Jun 2016 18:10:26 -0400 Subject: [Freeipa-users] updating certificates Message-ID: <961a039c237577e3b3a460ab3a33e6d5.startmail@www.startmail.com> Greetings, About a year ago I installed my freeipa server with certificates from startssl using command line options --dirsrv-cert-file --http-cert-file etc. The certificate is about to expire, what is the proper way to update it in all places? -- Josh. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From natxo.asenjo at gmail.com Tue Jun 28 06:12:29 2016 From: natxo.asenjo at gmail.com (Natxo Asenjo) Date: Tue, 28 Jun 2016 08:12:29 +0200 Subject: [Freeipa-users] multiple ds instances (maybe off-topic) Message-ID: hi, according to the RHDS documentation ( https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.1/html-single/Using_the_Admin_Server/index.html) one can have multiple directory server instances on the same hosts Would it be interesting to offer this functionality in freeipa.org? The business case would be to allow different kinds of authentication per instance/port. So one could block standard ldap connections on port 389 to the internet, for instance, but allow them on another port only if using external/GSSAPI auth, so no passswords would be involved. This would be useful for external services not using saml, for instance. -- Groeten, natxo -------------- next part -------------- An HTML attachment was scrubbed... URL: From abokovoy at redhat.com Tue Jun 28 07:07:49 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 28 Jun 2016 10:07:49 +0300 Subject: [Freeipa-users] multiple ds instances (maybe off-topic) In-Reply-To: References: Message-ID: <20160628070749.v6xf645whop3zgi2@redhat.com> On Tue, 28 Jun 2016, Natxo Asenjo wrote: >hi, > >according to the RHDS documentation ( >https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.1/html-single/Using_the_Admin_Server/index.html) >one can have multiple directory server instances on the same hosts > >Would it be interesting to offer this functionality in freeipa.org? The >business case would be to allow different kinds of authentication per >instance/port. So one could block standard ldap connections on port 389 to >the internet, for instance, but allow them on another port only if using >external/GSSAPI auth, so no passswords would be involved. This is not how instances work in 389-ds. 
Each instance is fully independent of another one, including database content and structure. You cannot have instance that shares the same content with another one unless you enable database chaining (and then there are some limitations). We used to have CA instance separate from the main IPA instance, for example, but then merged them together in the same instance using two different backends. Standard IPA 389-ds instance already allows its access on the unix domain socket with EXTERNAL/GSSAPI authentication. It is visible only within the scope of the IPA master host, of course. I'm still not sure what exactly you would like to achieve. All ports that 389-ds listens to do support the same authentication methods except LDAPI protocol (unix domain sockets) which supports automapping between POSIX ID and a user object that it maps to. -- / Alexander Bokovoy From mitra.dehghan at gmail.com Tue Jun 28 07:08:46 2016 From: mitra.dehghan at gmail.com (Mitra Dehghan) Date: Tue, 28 Jun 2016 11:38:46 +0430 Subject: [Freeipa-users] How to give directory permissions on a specific client to FreeIPA users. Message-ID: Hello, I want to know how can I give directory permissions on a client to a domain user in FreeIPA. I'm using "runasuser" feature in sudo policy to give my domain users permission to run local services on client. Here is an example: I have a service on my client called "*abc*" located at "/home/abc/" and locally run by local user called "*abc*" I have used runasuser feature in sudo policy rules to let domain users (say: *usr at mydomain.dc*) run the service. *usr* can run scripts, read and edit files and stop/start services, using *abc*'s permissions and without any problem. But the problem I have faced is, when I want "*usr*" to traverse subdirectories under "*/home/abc/*" it doesn't work. I have defined sudocmd for cd command and added it as allow-command to appropriate sudorule. 
my sudocmd definitions are like this: *ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/n/'* *ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/m/'* *ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/n/q/'* While *usr* can run the *cd* command without error, it doesn't work and *pwd* still shows* /home/usr* as current directory. what *usr* runs is: *$ sudo -u abc cd /home/abc/m*/ -- respectfully m-dehghan -------------- next part -------------- An HTML attachment was scrubbed... URL: From natxo.asenjo at gmail.com Tue Jun 28 07:50:16 2016 From: natxo.asenjo at gmail.com (Natxo Asenjo) Date: Tue, 28 Jun 2016 09:50:16 +0200 Subject: [Freeipa-users] multiple ds instances (maybe off-topic) In-Reply-To: <20160628070749.v6xf645whop3zgi2@redhat.com> References: <20160628070749.v6xf645whop3zgi2@redhat.com> Message-ID: On Tue, Jun 28, 2016 at 9:07 AM, Alexander Bokovoy wrote: > On Tue, 28 Jun 2016, Natxo Asenjo wrote: > >> hi, >> >> according to the RHDS documentation ( >> >> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.1/html-single/Using_the_Admin_Server/index.html >> ) >> one can have multiple directory server instances on the same hosts >> >> Would it be interesting to offer this functionality in freeipa.org? The >> business case would be to allow different kinds of authentication per >> instance/port. So one could block standard ldap connections on port 389 to >> the internet, for instance, but allow them on another port only if using >> external/GSSAPI auth, so no passswords would be involved. >> > This is not how instances work in 389-ds. Each instance is fully > independent of another one, including database content and structure. > You cannot have instance that shares the same content with another one > unless you enable database chaining (and then there are some > limitations). > ok, thanks for the info. 
> We used to have CA instance separate from the main IPA instance, for > example, but then merged them together in the same instance using two > different backends. > > Standard IPA 389-ds instance already allows its access on the unix domain > socket with EXTERNAL/GSSAPI authentication. It is visible only within > the scope of the IPA master host, of course. > > I'm still not sure what exactly you would like to achieve. All ports > that 389-ds listens to do support the same authentication methods except > LDAPI protocol (unix domain sockets) which supports automapping between > POSIX ID and a user object that it maps to. > I'd like to have internally all sort of ldap access, but externally onlly certificate based, for example. If there is a way to do that know that I am not aware of I'd be very interested to know it as well ;-). Right now we solve this problems using vpn connections with third parties, but ideally one could just open the port to the internet if only that kind of access was allowed. Thanks for your time. -- regards, Natxo -------------- next part -------------- An HTML attachment was scrubbed... URL: From pspacek at redhat.com Tue Jun 28 07:52:54 2016 From: pspacek at redhat.com (Petr Spacek) Date: Tue, 28 Jun 2016 09:52:54 +0200 Subject: [Freeipa-users] How to give directory permissions on a specific client to FreeIPA users. In-Reply-To: References: Message-ID: <713d3ad0-85a7-7120-a827-6c7085d62cbb@redhat.com> On 28.6.2016 09:08, Mitra Dehghan wrote: > Hello, > > I want to know how can I give directory permissions on a client to a domain > user in FreeIPA. > > > I'm using "runasuser" feature in sudo policy to give my domain users > permission to run local services on client. > > Here is an example: > I have a service on my client called "*abc*" located at "/home/abc/" and > locally run by local user called "*abc*" > > I have used runasuser feature in sudo policy rules to let domain users > (say: *usr at mydomain.dc*) run the service. 
*usr* can run scripts, read and > edit files and stop/start services, using *abc*'s permissions and without > any problem. > > But the problem I have faced is, when I want "*usr*" to traverse > subdirectories under "*/home/abc/*" it doesn't work. > I have defined sudocmd for cd command and added it as allow-command to > appropriate sudorule. my sudocmd definitions are like this: > > > *ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/n/'* > > *ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/m/'* > *ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/n/q/'* > > While *usr* can run the *cd* command without error, it doesn't work and > *pwd* still shows* /home/usr* as current directory. > what *usr* runs is: > *$ sudo -u abc cd /home/abc/m*/ Most importantly you need to add appropriate permission for user abc to the /home/abc directory (and its contents if necessary). You can use either chown+chmod or setfacl commands, depending on the use-case. When this is one, add SUDO rule allowing user usr to run a program in question. You do not need to bother with SUDO rules for "cd" because this will be solved at filesystem level. -- Petr^2 Spacek From barrykfl at gmail.com Tue Jun 28 07:53:05 2016 From: barrykfl at gmail.com (barrykfl at gmail.com) Date: Tue, 28 Jun 2016 15:53:05 +0800 Subject: [Freeipa-users] where is the CA cert located ? Message-ID: Hi : I already follow the procedure to install new CA and add ca.crt to the library I known ...where still missed ? ABC-COM...[28/Jun/2016:15:45:53 +0800] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert *.ABC.com of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.) What files it relate to this ca.cert? thks Bar -------------- next part -------------- An HTML attachment was scrubbed... 
From lkrispen at redhat.com Tue Jun 28 08:03:15 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 28 Jun 2016 10:03:15 +0200
Subject: [Freeipa-users] multiple ds instances (maybe off-topic)
In-Reply-To:
References: <20160628070749.v6xf645whop3zgi2@redhat.com>
Message-ID: <57722F43.2040307@redhat.com>

On 06/28/2016 09:50 AM, Natxo Asenjo wrote:
> On Tue, Jun 28, 2016 at 9:07 AM, Alexander Bokovoy wrote:
>> On Tue, 28 Jun 2016, Natxo Asenjo wrote:
>>> hi,
>>>
>>> according to the RHDS documentation (
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.1/html-single/Using_the_Admin_Server/index.html)
>>> one can have multiple directory server instances on the same hosts
>>>
>>> Would it be interesting to offer this functionality in freeipa.org? The
>>> business case would be to allow different kinds of authentication per
>>> instance/port. So one could block standard ldap connections on port 389 to
>>> the internet, for instance, but allow them on another port only if using
>>> external/GSSAPI auth, so no passwords would be involved.
>>
>> This is not how instances work in 389-ds. Each instance is fully
>> independent of another one, including database content and structure.
>> You cannot have instance that shares the same content with another one
>> unless you enable database chaining (and then there are some
>> limitations).
>
> ok, thanks for the info.
>
>> We used to have CA instance separate from the main IPA instance, for
>> example, but then merged them together in the same instance using two
>> different backends.
>>
>> Standard IPA 389-ds instance already allows its access on the unix domain
>> socket with EXTERNAL/GSSAPI authentication. It is visible only within
>> the scope of the IPA master host, of course.
>>
>> I'm still not sure what exactly you would like to achieve. All ports
>> that 389-ds listens to do support the same authentication methods except
>> LDAPI protocol (unix domain sockets) which supports automapping between
>> POSIX ID and a user object that it maps to.
>
> I'd like to have internally all sort of ldap access, but externally
> only certificate based, for example.
>
> If there is a way to do that now that I am not aware of I'd be very
> interested to know it as well ;-). Right now we solve these problems
> using vpn connections with third parties, but ideally one could just
> open the port to the internet if only that kind of access was allowed.

maybe you can achieve this with access control, there are all kind of
rules to allow access based on client's ip address, domain, security
strength, authentication method - and combinations of them.

> Thanks for your time.
>
> --
> regards,
> Natxo

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander

From natxo.asenjo at gmail.com Tue Jun 28 08:33:04 2016
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Tue, 28 Jun 2016 10:33:04 +0200
Subject: [Freeipa-users] multiple ds instances (maybe off-topic)
In-Reply-To: <57722F43.2040307@redhat.com>
References: <20160628070749.v6xf645whop3zgi2@redhat.com> <57722F43.2040307@redhat.com>
Message-ID:

hi Ludwig,

On Tue, Jun 28, 2016 at 10:03 AM, Ludwig Krispenz wrote:
> On 06/28/2016 09:50 AM, Natxo Asenjo wrote:
>> I'd like to have internally all sort of ldap access, but externally only
>> certificate based, for example.
>>
>> If there is a way to do that now that I am not aware of I'd be very
>> interested to know it as well ;-). Right now we solve these problems using
>> vpn connections with third parties, but ideally one could just open the
>> port to the internet if only that kind of access was allowed.
>
> maybe you can achieve this with access control, there are all kind of
> rules to allow access based on client's ip address, domain, security
> strength, authentication method - and combinations of them.

Do you mean something like explained here:
http://directory.fedoraproject.org/docs/389ds/design/rootdn-access-control.html ?

Thanks!

--
Groeten,
natxo

From lkrispen at redhat.com Tue Jun 28 08:51:35 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 28 Jun 2016 10:51:35 +0200
Subject: [Freeipa-users] multiple ds instances (maybe off-topic)
In-Reply-To:
References: <20160628070749.v6xf645whop3zgi2@redhat.com> <57722F43.2040307@redhat.com>
Message-ID: <57723A97.2070705@redhat.com>

On 06/28/2016 10:33 AM, Natxo Asenjo wrote:
> hi Ludwig,
>
> On Tue, Jun 28, 2016 at 10:03 AM, Ludwig Krispenz wrote:
>> On 06/28/2016 09:50 AM, Natxo Asenjo wrote:
>>> I'd like to have internally all sort of ldap access, but
>>> externally only certificate based, for example.
>>>
>>> If there is a way to do that now that I am not aware of I'd be
>>> very interested to know it as well ;-). Right now we solve these
>>> problems using vpn connections with third parties, but ideally
>>> one could just open the port to the internet if only that kind of
>>> access was allowed.
>> maybe you can achieve this with access control, there are all kind
>> of rules to allow access based on client's ip address, domain,
>> security strength, authentication method - and combinations of them.
>
> Do you mean something like explained here:
> http://directory.fedoraproject.org/docs/389ds/design/rootdn-access-control.html
> ?

I was thinking of something like this (and the other bind rules):
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Bind_Rules.html#Bind_Rules-Defining_Access_Based_on_Authentication_Method

the link you sent is about restraining access of directory manager, which
is not subject to normal acis

> Thanks!
> --
> Groeten,
> natxo

From mitra.dehghan at gmail.com Tue Jun 28 10:32:25 2016
From: mitra.dehghan at gmail.com (Mitra Dehghan)
Date: Tue, 28 Jun 2016 15:02:25 +0430
Subject: [Freeipa-users] How to give directory permissions on a specific client to FreeIPA users.
In-Reply-To: <713d3ad0-85a7-7120-a827-6c7085d62cbb@redhat.com>
References: <713d3ad0-85a7-7120-a827-6c7085d62cbb@redhat.com>
Message-ID:

Thank you Petr for your answer. I'm trying to do the job with the least
changes in the client, which was an operating machine now joined to the Free
IPA domain. I just want to make sure if using chmod, chown or setfacl are
the only available solutions or not?

On Jun 28, 2016 12:30 PM, "Petr Spacek" wrote:
> On 28.6.2016 09:08, Mitra Dehghan wrote:
>> Hello,
>>
>> I want to know how can I give directory permissions on a client to a
>> domain user in FreeIPA.
>>
>> I'm using "runasuser" feature in sudo policy to give my domain users
>> permission to run local services on client.
>>
>> Here is an example:
>> I have a service on my client called "*abc*" located at "/home/abc/" and
>> locally run by local user called "*abc*"
>>
>> I have used runasuser feature in sudo policy rules to let domain users
>> (say: *usr at mydomain.dc*) run the service.
>> *usr* can run scripts, read and
>> edit files and stop/start services, using *abc*'s permissions and without
>> any problem.
>>
>> But the problem I have faced is, when I want "*usr*" to traverse
>> subdirectories under "*/home/abc/*" it doesn't work.
>> I have defined sudocmd for cd command and added it as allow-command to
>> appropriate sudorule. my sudocmd definitions are like this:
>>
>> *ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/n/'*
>> *ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/m/'*
>> *ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/n/q/'*
>>
>> While *usr* can run the *cd* command without error, it doesn't work and
>> *pwd* still shows */home/usr* as current directory.
>> what *usr* runs is:
>> *$ sudo -u abc cd /home/abc/m/*
>
> Most importantly you need to add appropriate permission for user abc to the
> /home/abc directory (and its contents if necessary).
>
> You can use either chown+chmod or setfacl commands, depending on the
> use-case.
>
> When this is done, add SUDO rule allowing user usr to run a program in
> question. You do not need to bother with SUDO rules for "cd" because this
> will be solved at filesystem level.
>
> --
> Petr^2 Spacek
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From pspacek at redhat.com Tue Jun 28 11:26:35 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 28 Jun 2016 13:26:35 +0200
Subject: [Freeipa-users] How to give directory permissions on a specific client to FreeIPA users.
In-Reply-To:
References: <713d3ad0-85a7-7120-a827-6c7085d62cbb@redhat.com>
Message-ID: <6d4949cc-e406-01e5-9ce5-dce759de84fa@redhat.com>

On 28.6.2016 12:32, Mitra Dehghan wrote:
> Thank you Petr for your answer. I'm trying to do the job with the least
> changes in the client, which was an operating machine now joined to the Free
> IPA domain. I just want to make sure if using chmod, chown or setfacl are
> the only available solutions or not?

I believe that it is the only viable option because these checks are
enforced in the filesystem layer in the kernel.

Petr^2 Spacek

> On Jun 28, 2016 12:30 PM, "Petr Spacek" wrote:
>
>> On 28.6.2016 09:08, Mitra Dehghan wrote:
>>> Hello,
>>>
>>> I want to know how can I give directory permissions on a client to a
>>> domain user in FreeIPA.
>>>
>>> I'm using "runasuser" feature in sudo policy to give my domain users
>>> permission to run local services on client.
>>>
>>> Here is an example:
>>> I have a service on my client called "*abc*" located at "/home/abc/" and
>>> locally run by local user called "*abc*"
>>>
>>> I have used runasuser feature in sudo policy rules to let domain users
>>> (say: *usr at mydomain.dc*) run the service. *usr* can run scripts, read
>>> and edit files and stop/start services, using *abc*'s permissions and
>>> without any problem.
>>>
>>> But the problem I have faced is, when I want "*usr*" to traverse
>>> subdirectories under "*/home/abc/*" it doesn't work.
>>> I have defined sudocmd for cd command and added it as allow-command to
>>> appropriate sudorule. my sudocmd definitions are like this:
>>>
>>> *ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/n/'*
>>> *ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/m/'*
>>> *ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/n/q/'*
>>>
>>> While *usr* can run the *cd* command without error, it doesn't work and
>>> *pwd* still shows */home/usr* as current directory.
>>> what *usr* runs is:
>>> *$ sudo -u abc cd /home/abc/m/*
>>
>> Most importantly you need to add appropriate permission for user abc to the
>> /home/abc directory (and its contents if necessary).
>>
>> You can use either chown+chmod or setfacl commands, depending on the
>> use-case.
>>
>> When this is done, add SUDO rule allowing user usr to run a program in
>> question. You do not need to bother with SUDO rules for "cd" because this
>> will be solved at filesystem level.

From cheimes at redhat.com Tue Jun 28 11:47:55 2016
From: cheimes at redhat.com (Christian Heimes)
Date: Tue, 28 Jun 2016 13:47:55 +0200
Subject: [Freeipa-users] How to give directory permissions on a specific client to FreeIPA users.
In-Reply-To:
References:
Message-ID:

On 2016-06-28 09:08, Mitra Dehghan wrote:
> Hello,
>
> I want to know how can I give directory permissions on a client to a
> domain user in FreeIPA.
>
> I'm using "runasuser" feature in sudo policy to give my domain users
> permission to run local services on client.
>
> Here is an example:
> I have a service on my client called "/abc/" located at "/home/abc/" and
> locally run by local user called "/abc/"
>
> I have used runasuser feature in sudo policy rules to let domain users
> (say: /usr at mydomain.dc/) run the service. /usr/ can run scripts, read
> and edit files and stop/start services, using /abc/'s permissions and
> without any problem.
>
> But the problem I have faced is, when I want "/usr/" to traverse
> subdirectories under "//home/abc//" it doesn't work.
> I have defined sudocmd for cd command and added it as allow-command to
> appropriate sudorule. my sudocmd definitions are like this:
>
> /ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/n/'/
> /ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/m/'/
> /ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/n/q/'/

cd is a builtin command of your shell. It has to be because it changes
the current working directory of the shell's process. sudo doesn't work
for shell builtins. You have to find another way to accomplish your task.

By the way, are you familiar with how r,w,x work for directories? 'r' is
used for listing the content of a directory, 'w' for creating/removing
files (except for +t directories) and 'x' is used to check if a user is
allowed to enter a directory. You can allow users to enter a directory
w/o actually seeing its content.

Christian

From rstory at tislabs.com Tue Jun 28 12:52:21 2016
From: rstory at tislabs.com (Robert Story)
Date: Tue, 28 Jun 2016 08:52:21 -0400
Subject: [Freeipa-users] disaster recovery
In-Reply-To: <20160627085914.26f766f8@ispx.vb.futz.org>
References: <20160626021701.1ff9d03d@ispx.vb.futz.org> <20160627085914.26f766f8@ispx.vb.futz.org>
Message-ID: <20160628085221.033a4215@ispx.vb.futz.org>

On Mon, 27 Jun 2016 08:59:14 -0400 Robert wrote:
RS> On Mon, 27 Jun 2016 08:09:59 +0200 Martin wrote:
RS> MB> On 26.06.2016 08:17, Robert Story wrote:
RS> MB> > Hello,
RS> MB> >
RS> MB> > I was running a single ipa instance on Centos 7 for a small lab
RS> MB> > (ipa-server-4.2.0-15.0.1.el7.centos.17.x86_64), and the disk was corrupted.
RS> MB> > I have a (mostly) full backup (/var/log/ and /var/run/ excluded), which I
RS> MB> > restored. ipa server didn't start, and wanted me to run
RS> MB> > ipa-server-upgrade. This failed, and I see this in the log:
RS> MB> > [...]
RS> MB> Hello, upgrader refuses to upgrade because check which requires
RS> MB> /var/lib/ipa failed. Upgrader thinks that IPA is not installed.
RS> MB>
RS> MB> So are you sure you have backup of /var/lib/ipa ?
RS>
RS> Yep, /var/lib/ipa is there:
RS>
RS> ls -lR
RS> [...]
RS> ./pki-ca/publish:
RS> total 0
RS> lrwxrwxrwx. 1 pkiuser pkiuser 57 Jun 24 21:00 MasterCRL.bin -> /var/lib/ipa/pki-ca/publish/MasterCRL-20160624-210000.der
RS>
RS> Looking through the backups, I see that there are no MasterCRL files from
RS> the 25th (the backup I restored), but a bunch from the 24th, so maybe I
RS> need to try another restore with files from then...

So restoring /var/lib/ipa didn't work, and restoring the whole VM is taking
way too long. I have a new VM up with a new ipa-server install, and am
wondering if there is a way to import the data from the old filesystem?

Robert

--
Senior Software Engineer @ Parsons

From rcritten at redhat.com Tue Jun 28 14:50:32 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 28 Jun 2016 10:50:32 -0400
Subject: [Freeipa-users] updating certificates
In-Reply-To: <961a039c237577e3b3a460ab3a33e6d5.startmail@www.startmail.com>
References: <961a039c237577e3b3a460ab3a33e6d5.startmail@www.startmail.com>
Message-ID: <57728EB8.2050805@redhat.com>

jcnt at use.startmail.com wrote:
> Greetings,
>
> About a year ago I installed my freeipa server with certificates from
> startssl using command line options --dirsrv-cert-file --http-cert-file
> etc.
> The certificate is about to expire, what is the proper way to update it
> in all places?

It depends on whether you kept the original CSR or not.

If you kept the original CSR and are just renewing the certificate(s) then
when you get the new one, use certutil to add the updated cert to the
appropriate NSS database like:

# certutil -A -n Server-Cert -d /etc/httpd/alias -t u,u,u -a -i /path/to/new.crt

If you need to generate a new CSR then you can use ipa-server-certinstall
to install the updated key and crt files.

In either case probably worth backing up /etc/httpd/alias/*.db and
/etc/dirsrv/slapd-INSTANCE/*.db.
rob

From pspacek at redhat.com Tue Jun 28 17:23:42 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 28 Jun 2016 19:23:42 +0200
Subject: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
In-Reply-To:
References: <79454fce-7e51-eebf-44eb-c7a472cef1fd@redhat.com>
Message-ID:

On 22.6.2016 23:09, Sean Hogan wrote:
> SLAPD showing
>
> 22/Jun/2016:17:01:59 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
> [22/Jun/2016:17:06:59 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
>
> where would these creds be and what ID? I am using SASL so I assume it to
> be sasl_user DNS/FirstMaster.watson.local or something like that?

These are in /etc/dirsrv/ds.keytab. I would start with

# klist -kt /etc/dirsrv/ds.keytab

and try to proceed with kinit etc. (very similarly to the bind-dyndb-ldap
how-to).

I hope it helps.

Petr^2 Spacek

> From: Sean Hogan/Durham/IBM at IBMUS
> To: Petr Spacek
> Cc: freeipa-users at redhat.com
> Date: 06/22/2016 08:36 AM
> Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
> Sent by: freeipa-users-bounces at redhat.com
>
> Hi Peter...
>
> Yes..... this has me doing loops in my head to /dev/null
>
> You are correct I could not complete the BIND steps... I did them yesterday
> but did not post results as I wanted to stop bugging you all :)
> The initial credential section of that I could not complete nor can I get
> a keytab without it and I don't think I have an issue with cert versions
> (used the SASL section). The upgrade log from 3.47 to 3.50 on this one
> server did show an error with named though.
>
> I had the box powered down again last night after testing the BIND
> procedures... and it's been up since then. Which makes me really not sure
> what is going on (DNS DOS from internal maybe? I get a lot of outside
> requests showing network unreachable and I don't forward to an outside DNS).
> If it was a password/cert/cipher/file perm issue then I don't see how it
> can work at all after a reboot.
>
> I am thinking it needs a rebuild.. I have not done this on a First Master
> IPA; is there anything I need to take into consideration with it being first
> master? Right now I have 8 IPAs all DNS, NTP and CAs on different vlans but
> the first master is the fail back IPA (on the only vlan that can talk to the
> others) in case their local vlan IPA dies. First Master is also the master
> CA in the realm where everything is enrolled to originally. We then mod
> everything to point to the vlan IPA with the Firstmaster as secondary with
> our vlan-specific scripts we run after ipa client install.
>
> With the box rebooted last night I am now getting normal functionality but
> it prob won't last long as indicated from the past...
>
> Working
> [bob at FirstMaster ~]# kinit admin
> Password for admin at DOMAIN.LOCAL:
> Warning: Your password will expire in 6 days on Tue Jun 28 14:55:52 2016
> [bob at FirstMaster ~]#
>
> I did post ldap logs in my first email though... will re-add them to this
> and when it dies off again I will add more.
>
>> [20/Jun/2016:13:59:00 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
>> [20/Jun/2016:13:59:01 -0400] schema-compat-plugin - warning: no entries > set >> up under cn=computers, cn=compat,dc=domain,dc=local >> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - ruv_compare_ruv: RUV >> [database RUV] does not contain element [{replica 7} 55ca26a0000900070000 >> 5688d8e6001000070000] which is present in RUV [changelog max RUV] >> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - >> replica_check_for_data_reload: Warning: for replica dc=domain,dc=local >> there were some differences between the changelog max RUV and the > database >> RUV. If there are obsolete elements in the database RUV, you should > remove >> them using the CLEANALLRUV task. If they are not obsolete, you should > check >> their status to see why there are no changes from those servers in the >> changelog. >> [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial >> credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in >> keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC >> for requested realm) >> [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial >> credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in >> keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC >> for requested realm) >> [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial >> credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in >> keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC >> for requested realm) >> [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: >> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 >> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS >> failure. 
Minor code may provide more information (Credentials cache file >> '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) >> [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform >> interactive bind for id [] mech [GSSAPI]: error -2 (Local error) >> [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: >> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 >> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS >> failure. Minor code may provide more information (Credentials cache file >> '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) >> [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform >> interactive bind for id [] mech [GSSAPI]: error -2 (Local error) >> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - >> agmt="cn=meToserver9.domain.local" (server9:389): Replication bind with >> GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic > failure: >> GSSAPI Error: Unspecified GSS failure. Minor code may provide more >> information (Credentials cache file '/tmp/krb5cc_495' not found)) >> [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial >> credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in >> keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC >> for requested realm) >> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - >> agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with >> GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic > failure: >> GSSAPI Error: Unspecified GSS failure. Minor code may provide more >> information (Credentials cache file '/tmp/krb5cc_495' not found)) >> [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: >> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 >> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS >> failure. 
Minor code may provide more information (Credentials cache file >> '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) >> [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform >> interactive bind for id [] mech [GSSAPI]: error -2 (Local error) >> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - >> agmt="cn=meTobldvxl0011.domain.local" (1server:389): Replication bind > with >> GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic > failure: >> GSSAPI Error: Unspecified GSS failure. Minor code may provide more >> information (Credentials cache file '/tmp/krb5cc_495' not found)) >> [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: >> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 >> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS >> failure. Minor code may provide more information (Credentials cache file >> '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) >> [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform >> interactive bind for id [] mech [GSSAPI]: error -2 (Local error) >> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - >> agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with >> GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic > failure: >> GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more >> information (Credentials cache file '/tmp/krb5cc_495' not found)) >> [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial >> credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in >> keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC >> for requested realm) >> [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial >> credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in >> keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC >> for requested realm) >> [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: >> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 >> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS >> failure. Minor code may provide more information (Credentials cache file >> '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) >> [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform >> interactive bind for id [] mech [GSSAPI]: error -2 (Local error) >> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - >> agmt="cn=meToserver7.domain.local" (server7:389): Replication bind with >> GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic > failure: >> GSSAPI Error: Unspecified GSS failure. Minor code may provide more >> information (Credentials cache file '/tmp/krb5cc_495' not found)) >> [20/Jun/2016:13:59:48 -0400] - slapd started. Listening on All Interfaces >> port 389 for LDAP requests >> [20/Jun/2016:13:59:48 -0400] - Listening on All Interfaces port 636 for >> LDAPS requests >> [20/Jun/2016:13:59:48 -0400] - Listening >> on /var/run/slapd-DOMAIN-LOCAL.socket for LDAPI requests >> [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: >> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 >> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS >> failure. 
Minor code may provide more information (Credentials cache file >> '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) >> [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform >> interactive bind for id [] mech [GSSAPI]: error -2 (Local error) >> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - >> agmt="cn=meToserver4.domain.local" (server4:389): Replication bind with >> GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic > failure: >> GSSAPI Error: Unspecified GSS failure. Minor code may provide more >> information (Credentials cache file '/tmp/krb5cc_495' not found)) >> [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial >> credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in >> keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC >> for requested realm) >> [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: >> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 >> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS >> failure. Minor code may provide more information (Credentials cache file >> '/tmp/krb5cc_495' not found)) errno 0 (Success) >> [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform >> interactive bind for id [] mech [GSSAPI]: error -2 (Local error) >> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - >> agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with >> GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic > failure: >> GSSAPI Error: Unspecified GSS failure. 
>> Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
>> [20/Jun/2016:13:59:51 -0400] NSMMReplicationPlugin - agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with GSSAPI auth resumed
>> [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
>> [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
>> [20/Jun/2016:13:59:51 -0400] NSMMReplicationPlugin - agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
>> [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory)
>> [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory)
>> [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory)
>> [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory)
>> [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory)
>> [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [20/Jun/2016:13:59:57 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
>> [20/Jun/2016:13:59:57 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
>> [20/Jun/2016:13:59:57 -0400] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with GSSAPI auth resumed
>
> Sean Hogan
>
> From: Petr Spacek
> To: freeipa-users at redhat.com
> Date: 06/21/2016 10:20 PM
> Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
> Sent by: freeipa-users-bounces at redhat.com
>
> On 22.6.2016 02:56, Sean Hogan wrote:
>> More info
>>
>> Krb5 log is showing:
>> Jun 21 20:42:47 Firstmaster.domain.local krb5kdc[2141](info): AS_REQ (4 etypes {18 17 16 23}) 10.x.x.x: LOOKING_UP_CLIENT: admin at domain.LOCAL for krbtgt/DOMAIN.LOCAL at DOMAIN.LOCAL, Server error
>
> Hello,
>
> this is really fishy. I would bet that there is a problem with LDAP server and DNS errors are just consequence of it.
>
> I suspect that you will not be able to finish steps mentioned in
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a3.FailedtoinitcredentialsorFailedtogetinitialcredentialsDecryptintegritycheckfailedorClientscredentialshavebeenrevoked
>
> If it is the case I would turn your attention to krb5kdc.log and LDAP server logs in /var/log/dirsrv/*
>
> There must be something wrong with the LDAP server.
>
> Petr^2 Spacek
>
>>
>> [bob at Firstmaster etc]# kinit -v admin
>> kinit: Credentials cache file '/tmp/krb5cc_0' not found while validating credentials
>>
>> Sean Hogan
>>
>> From: Sean Hogan/Durham/IBM
>> To: freeipa-users
>> Date: 06/21/2016 12:02 PM
>> Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
>>
>> Has anyone seen these before?
>>
>> First Master IPA DNS logs show: Looks like the host names are getting the domain twice domain.local.domain.local
>>
>> client 10.x.x.x#58094: query failed (SERVFAIL) for server1.domain.local.domain.local/IN/AAAA at query.c:6569
>> timeout in ldap_pool_getconnection(): try to raise 'connections' parameter; potential deadlock?
>> client 10.x.x.x#44147: query failed (SERVFAIL) for x.x.x.10.in-addr.arpa/IN/PTR at query.c:6569
>> timeout in ldap_pool_getconnection(): try to raise 'connections' parameter; potential deadlock?
>> client 10.x.x.x#56466: query failed (SERVFAIL) for x.x.x.10.in-addr.arpa/IN/PTR at query.c:6569
>> timeout in ldap_pool_getconnection(): try to raise 'connections' parameter; potential deadlock?
>> client 10.x.x.x53367: query failed (SERVFAIL) for server2.domain.local.domain.local/IN/A at query.c:6569
>> timeout in ldap_pool_getconnection(): try to raise 'connections' parameter; potential deadlock?
>> client 10.x.x.x#53367: query failed (SERVFAIL) for server2.domain.local.domain.local/IN/AAAA at query.c:6569
>>
>> So enrolls are failing at this point when trying to enroll to a replica:
>>
>> [bob at server1 log]# ipa-client-install --enable-dns-updates
>> Discovery was successful!
>> Hostname: server1.watson.local
>> Realm: DOMAIN.LOCAL
>> DNS Domain: domain.local
>> IPA Server: ipareplica.domain.local
>> BaseDN: dc=domain,dc=local
>>
>> Continue to configure the system with these values? [no]: yes
>> User authorized to enroll computers: bob
>> Synchronizing time with KDC...
>> Password for bob at DOMAIN.LOCAL:
>> Successfully retrieved CA cert
>> Subject: CN=Certificate Authority,O=DOMAIN.LOCAL
>> Issuer: CN=Certificate Authority,O=DOMAIN.LOCAL
>> Valid From: Tue Jan 06 19:37:09 2015 UTC
>> Valid Until: Sat Jan 06 19:37:09 2035 UTC
>>
>> Enrolled in IPA realm DOMAIN.LOCAL
>> Attempting to get host TGT...
>> Created /etc/ipa/default.conf
>> New SSSD config will be created
>> Configured sudoers in /etc/nsswitch.conf
>> Configured /etc/sssd/sssd.conf
>> Configured /etc/krb5.conf for IPA realm DOMAIN.LOCAL
>> trying https://ipareplica.domain.local/ipa/xml
>> Cannot connect to the server due to Kerberos error: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('KDC returned error string: PROCESS_TGS', -1765328324)/. Trying with delegate=True
>> trying https://ipareplica.domain.local/ipa/xml
>> Second connect with delegate=True also failed: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('KDC returned error string: PROCESS_TGS', -1765328324)/
>> Cannot connect to the IPA server XML-RPC interface: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('KDC returned error string: PROCESS_TGS', -1765328324)/
>> Installation failed. Rolling back changes.
>> Unenrolling client from IPA server
>> Unenrolling host failed: Error obtaining initial credentials: Generic error (see e-text).
>>
>> Removing Kerberos service principals from /etc/krb5.keytab
>> Disabling client Kerberos and LDAP configurations
>> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
>> Restoring client configuration files
>> nscd daemon is not installed, skip configuration
>> nslcd daemon is not installed, skip configuration
>> Client uninstall complete.
>>
>> Sean Hogan
>>
>> From: Sean Hogan/Durham/IBM
>> To: Sean Hogan/Durham/IBM at IBMUS
>> Cc: freeipa-users
>> Date: 06/20/2016 12:49 PM
>> Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
>>
>> Also seeing this in the upgrade log on the first master but not on the 7 ipas.
>>
>> ERROR Failed to restart named: Command '/sbin/service named restart ' returned non-zero exit status 7
>>
>> which led me to
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=895298
>>
>> Sean Hogan
>>
>> From: Sean Hogan/Durham/IBM at IBMUS
>> To: freeipa-users
>> Date: 06/20/2016 11:46 AM
>> Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
>> Sent by: freeipa-users-bounces at redhat.com
>>
>> Hi All..
>>
>> I thought we fixed this issue by rebooting the KVM host but it is showing again. Our First Master IPA is being rebooted 2 -5 times a day now just to keep it alive.
>>
>> What we are seeing:
>>
>> God at FirstMaster log]# kinit admin
>> kinit: Cannot contact any KDC for realm 'Domain.LOCAL' while getting initial credentials
>>
>> DNS is not working as nslookup is failing to a replica.... think once we lose DNS it all goes down hill which makes sense.
>>
>> [god at FirstMaster log]# ipactl stop -----> Just hangs forever.. no replies.. no error.. nothing
>>
>> I try service named stop and nothing happens
>>
>> I have the box hard shutdown from KVM console. Reboot it and it works for a little while but eventually back to same behavior.
>>
>> At this point I can service named stop and it responds... ipactl status and it responds.. but if I try service named restart I get
>>
>> [god at FirstMaster log]# service named stop
>> Stopping named: ......
>>
>> [god at Firstmaster log]# service named start
>> Starting named: [FAILED]
>>
>> [god at FirstMaster log]# service named status
>> rndc: connect failed: 127.0.0.1#953: connection refused
>> named dead but pid file exists
>>
>> Rebooted box and it is hung on shutting down domain-local and never fully shuts down.. have to get it hard shutdown again.
>> During an attempt to gracefully shut down we see this
>>
>> Shutting Down dirsrv:
>> PKI-IPA OK
>> DOMAIN-LOCAL FAILED
>> *** Error: 1 instance(s) unsuccessfully stopped FAILED
>>
>> Then it moves on to shut other things down and returns to dirsrv
>> Shutting Down dirsrv:
>> PKI-IPA....server already stopped FAILED {Makes sense.. it died earlier}
>> DOMAIN-LOCAL... {this sits here til we hard shutdown}
>>
>> bind-libs-9.8.2-0.47.rc1.el6.x86_64
>> bind-9.8.2-0.47.rc1.el6.x86_64
>> bind-utils-9.8.2-0.47.rc1.el6.x86_64
>>
>> ipa-client-3.0.0-50.el6.1.x86_64
>> ipa-server-selinux-3.0.0-50.el6.1.x86_64
>> ipa-server-3.0.0-50.el6.1.x86_64
>> sssd-ipa-1.13.3-22.el6.x86_64
>>
>> /var/log/dirsrv/slapd-DOMAIN-LOCAL
>> [20/Jun/2016:13:29:06 -0400] - 389-Directory/1.2.11.15 B2016.063.2110 starting up
>> [20/Jun/2016:13:29:06 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=domain,dc=local
>> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - ruv_compare_ruv: RUV [database RUV] does not contain element [{replica 7} 55ca26a0000900070000 5688d8e6001000070000] which is present in RUV [changelog max RUV]
>> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: for replica dc=domain,dc=local there were some differences between the changelog max RUV and the database RUV. If there are obsolete elements in the database RUV, you should remove them using the CLEANALLRUV task. If they are not obsolete, you should check their status to see why there are no changes from those servers in the changelog.
>> [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>> [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>> [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>> [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
>> [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
>> [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>> [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
>> [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver9.domain.local" (server9:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
>> [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>> [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
>> [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
>> [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>> [20/Jun/2016:13:29:07 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>> [20/Jun/2016:13:29:07 -0400] - Listening on All Interfaces port 636 for LDAPS requests
>> [20/Jun/2016:13:29:07 -0400] - Listening on /var/run/slapd-DOMAIN-LOCAL.socket for LDAPI requests
>> [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>> [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
>> [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver4.domain.local" (server4:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
>> [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
>> [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meTo1server.domain.local" (1server:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
>> [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
>> [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver7.domain.local" (server7:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
>> [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 0 (Success)
>> [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
>> [20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin -
>
-- 
Petr Spacek @ Red Hat

From schogan at us.ibm.com Tue Jun 28 18:21:50 2016
From: schogan at us.ibm.com (Sean Hogan)
Date: Tue, 28 Jun 2016 11:21:50 -0700
Subject: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
In-Reply-To:
References: <79454fce-7e51-eebf-44eb-c7a472cef1fd@redhat.com>
Message-ID:

Thanks Petr,

Since the last recycle of the Host hosting the First Master it has been stable for about a week now.
The only thing I did was to spread out my replication agreements. I had 8 replications hitting it but now have 4 going to it and the other 4 to its backup replica, with the first master and the backup replica having an agreement. Not sure if that fixed it or not, but it seems to be stable at this point, and I know the docs say no more than 4 replication agreements, so maybe it was the cause.

Sean Hogan

From: Petr Spacek
To: Sean Hogan/Durham/IBM at IBMUS
Cc: freeipa-users at redhat.com
Date: 06/28/2016 10:24 AM
Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem

On 22.6.2016 23:09, Sean Hogan wrote:
> SLAPD showing
>
> 22/Jun/2016:17:01:59 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
> [22/Jun/2016:17:06:59 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
>
> where would these creds be and what ID? I am using SASL so I assume it to be sasl_user DNS/FirstMaster.watson.local or something like that?

These are in /etc/dirsrv/ds.keytab. I would start with
# klist -kt /etc/dirsrv/ds.keytab
and try to proceed with kinit etc. (very similarly to the bind-dyndb-ldap how-to).

I hope it helps.

Petr^2 Spacek

> From: Sean Hogan/Durham/IBM at IBMUS
> To: Petr Spacek
> Cc: freeipa-users at redhat.com
> Date: 06/22/2016 08:36 AM
> Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
> Sent by: freeipa-users-bounces at redhat.com
>
> Hi Peter...
>
> Yes..... this has me doing loops in my head to /dev/null
>
> You are correct, I could not complete the BIND steps... I did them yesterday but did not post results as I wanted to stop bugging you all :)
> The initial credential section of that I could not complete, nor can I get a keytab without it, and I don't think I have an issue with cert versions (used the SASL section). The upgrade log from 3.47 to 3.50 on this one server did show an error with named though.
>
> I had the box powered down again last night after testing the BIND procedures... and it's been up since then. Which makes me really not sure what is going on (DNS DOS from internal maybe? I get a lot of outside requests showing network unreachable and I don't forward to an outside DNS). If it was a password/cert/cipher/file perm issue then I don't see how it can work at all after a reboot.
>
> I am thinking it needs a rebuild.. I have not done this on a First Master IPA; is there anything I need to take into consideration with it being first master? Right now I have 8 IPAs, all DNS, NTP and CAs, on different vlans, but the first master is the fail back IPA (on the only vlan that can talk to the others) in case their local vlan IPA dies. First Master is also the master CA in the realm where everything is enrolled to originally. We then mod everything to point to the vlan IPA with the Firstmaster as secondary with our vlan-specific scripts we run after ipa client install.
>
> With the box rebooted last night I am now getting normal functionality but it prob won't last long as indicated from the past...
>
> Working
> [bob at FirstMaster ~]# kinit admin
> Password for admin at DOMAIN.LOCAL:
> Warning: Your password will expire in 6 days on Tue Jun 28 14:55:52 2016
> [bob at FirstMaster ~]#
>
> I did post ldap logs in my first email though... will readd them to this and when it dies off again I will add more.
>
>> [20/Jun/2016:13:59:00 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
>> [20/Jun/2016:13:59:01 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=domain,dc=local
>> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - ruv_compare_ruv: RUV [database RUV] does not contain element [{replica 7} 55ca26a0000900070000 5688d8e6001000070000] which is present in RUV [changelog max RUV]
>> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: for replica dc=domain,dc=local there were some differences between the changelog max RUV and the database RUV. If there are obsolete elements in the database RUV, you should remove them using the CLEANALLRUV task. If they are not obsolete, you should check their status to see why there are no changes from those servers in the changelog.
>> [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>> [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>> [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>> [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
>> [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
>> [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver9.domain.local" (server9:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
>> [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
>> [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
>> [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meTobldvxl0011.domain.local" (1server:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
>> [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
>> [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
>> [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>> [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>> [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
>> [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver7.domain.local" (server7:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
>> [20/Jun/2016:13:59:48 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>> [20/Jun/2016:13:59:48 -0400] - Listening on All Interfaces port 636 for LDAPS requests
>> [20/Jun/2016:13:59:48 -0400] - Listening on /var/run/slapd-DOMAIN-LOCAL.socket for LDAPI requests
>> [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
>> [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver4.domain.local" (server4:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
>> [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>> [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 0 (Success)
>> [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
>> Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
>> [20/Jun/2016:13:59:51 -0400] NSMMReplicationPlugin - agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with GSSAPI auth resumed
>> [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
>> [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
>> [20/Jun/2016:13:59:51 -0400] NSMMReplicationPlugin - agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
>> [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory)
>> [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory)
>> [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory)
>> [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory)
>> [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)) errno 2 (No such file or directory)
>> [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [20/Jun/2016:13:59:57 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
>> [20/Jun/2016:13:59:57 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
>> [20/Jun/2016:13:59:57 -0400] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with GSSAPI auth resumed
>
> Sean Hogan
>
> From: Petr Spacek
> To: freeipa-users at redhat.com
> Date: 06/21/2016 10:20 PM
> Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
> Sent by: freeipa-users-bounces at redhat.com
>
> On 22.6.2016 02:56, Sean Hogan wrote:
>> More info
>>
>> Krb5 log is showing:
>> Jun 21 20:42:47 Firstmaster.domain.local krb5kdc[2141](info): AS_REQ (4 etypes {18 17 16 23}) 10.x.x.x: LOOKING_UP_CLIENT: admin at domain.LOCAL for krbtgt/DOMAIN.LOCAL at DOMAIN.LOCAL, Server error
>
> Hello,
>
> this is really fishy. I would bet that there is a problem with LDAP server and DNS errors are just consequence of it.
>
> I suspect that you will not be able to finish steps mentioned in
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a3.FailedtoinitcredentialsorFailedtogetinitialcredentialsDecryptintegritycheckfailedorClientscredentialshavebeenrevoked
>
> If it is the case I would turn your attention to krb5kdc.log and LDAP server logs in /var/log/dirsrv/*
>
> There must be something wrong with the LDAP server.
>
> Petr^2 Spacek
>
>> [bob@Firstmaster etc]# kinit -v admin
>> kinit: Credentials cache file '/tmp/krb5cc_0' not found while validating credentials
>>
>> Sean Hogan
>>
>> From: Sean Hogan/Durham/IBM
>> To: freeipa-users
>> Date: 06/21/2016 12:02 PM
>> Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
>>
>> Has anyone seen these before?
>>
>> First Master IPA DNS logs show: Looks like the host names are getting the domain twice, domain.local.domain.local
>>
>> client 10.x.x.x#58094: query failed (SERVFAIL) for server1.domain.local.domain.local/IN/AAAA at query.c:6569
>> timeout in ldap_pool_getconnection(): try to raise 'connections' parameter; potential deadlock?
>> client 10.x.x.x#44147: query failed (SERVFAIL) for x.x.x.10.in-addr.arpa/IN/PTR at query.c:6569
>> timeout in ldap_pool_getconnection(): try to raise 'connections' parameter; potential deadlock?
>> client 10.x.x.x#56466: query failed (SERVFAIL) for x.x.x.10.in-addr.arpa/IN/PTR at query.c:6569
>> timeout in ldap_pool_getconnection(): try to raise 'connections' parameter; potential deadlock?
>> client 10.x.x.x#53367: query failed (SERVFAIL) for server2.domain.local.domain.local/IN/A at query.c:6569
>> timeout in ldap_pool_getconnection(): try to raise 'connections' parameter; potential deadlock?
>> client 10.x.x.x#53367: query failed (SERVFAIL) for server2.domain.local.domain.local/IN/AAAA at query.c:6569
>>
>> So enrolls are failing at this point when trying to enroll to a replica:
>>
>> [bob@server1 log]# ipa-client-install --enable-dns-updates
>> Discovery was successful!
>> Hostname: server1.watson.local
>> Realm: DOMAIN.LOCAL
>> DNS Domain: domain.local
>> IPA Server: ipareplica.domain.local
>> BaseDN: dc=domain,dc=local
>>
>> Continue to configure the system with these values? [no]: yes
>> User authorized to enroll computers: bob
>> Synchronizing time with KDC...
>> Password for bob@DOMAIN.LOCAL:
>> Successfully retrieved CA cert
>> Subject: CN=Certificate Authority,O=DOMAIN.LOCAL
>> Issuer: CN=Certificate Authority,O=DOMAIN.LOCAL
>> Valid From: Tue Jan 06 19:37:09 2015 UTC
>> Valid Until: Sat Jan 06 19:37:09 2035 UTC
>>
>> Enrolled in IPA realm DOMAIN.LOCAL
>> Attempting to get host TGT...
>> Created /etc/ipa/default.conf
>> New SSSD config will be created
>> Configured sudoers in /etc/nsswitch.conf
>> Configured /etc/sssd/sssd.conf
>> Configured /etc/krb5.conf for IPA realm DOMAIN.LOCAL
>> trying https://ipareplica.domain.local/ipa/xml
>> Cannot connect to the server due to Kerberos error: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('KDC returned error string: PROCESS_TGS', -1765328324)/. Trying with delegate=True
>> trying https://ipareplica.domain.local/ipa/xml
>> Second connect with delegate=True also failed: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('KDC returned error string: PROCESS_TGS', -1765328324)/
>> Cannot connect to the IPA server XML-RPC interface: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('KDC returned error string: PROCESS_TGS', -1765328324)/
>> Installation failed. Rolling back changes.
>> Unenrolling client from IPA server
>> Unenrolling host failed: Error obtaining initial credentials: Generic error (see e-text).
>>
>> Removing Kerberos service principals from /etc/krb5.keytab
>> Disabling client Kerberos and LDAP configurations
>> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
>> Restoring client configuration files
>> nscd daemon is not installed, skip configuration
>> nslcd daemon is not installed, skip configuration
>> Client uninstall complete.
>>
>> Sean Hogan
>>
>> From: Sean Hogan/Durham/IBM
>> To: Sean Hogan/Durham/IBM at IBMUS
>> Cc: freeipa-users
>> Date: 06/20/2016 12:49 PM
>> Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
>>
>> Also seeing this in the upgrade log on the first master but not on the 7 ipas.
>>
>> ERROR Failed to restart named: Command '/sbin/service named restart ' returned non-zero exit status 7
>>
>> which led me to
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=895298
>>
>> Sean Hogan
>>
>> From: Sean Hogan/Durham/IBM at IBMUS
>> To: freeipa-users
>> Date: 06/20/2016 11:46 AM
>> Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
>> Sent by: freeipa-users-bounces at redhat.com
>>
>> Hi All..
>>
>> I thought we fixed this issue by rebooting the KVM host but it is showing again. Our First Master IPA is being rebooted 2-5 times a day now just to keep it alive.
>>
>> What we are seeing:
>>
>> [god@FirstMaster log]# kinit admin
>> kinit: Cannot contact any KDC for realm 'Domain.LOCAL' while getting initial credentials
>>
>> DNS is not working as nslookup is failing to a replica.... think once we lose DNS it all goes downhill which makes sense.
>>
>> [god@FirstMaster log]# ipactl stop -----> Just hangs forever.. no replies.. no error..
>> nothing
>>
>> I try service named stop and nothing happens
>>
>> I have the box hard shutdown from the KVM console. Reboot it and it works for a little while but eventually it is back to the same behavior.
>>
>> At this point I can service named stop and it responds... ipactl status and it responds.. but if I try service named restart I get
>>
>> [god@FirstMaster log]# service named stop
>> Stopping named: ......
>>
>> [god@Firstmaster log]# service named start
>> Starting named: [FAILED]
>>
>> [god@FirstMaster log]# service named status
>> rndc: connect failed: 127.0.0.1#953: connection refused
>> named dead but pid file exists
>>
>> Rebooted box and it is hung on shutting down domain-local and never fully shuts down.. have to get it hard shutdown again.
>> During an attempt to gracefully shut down we see this
>>
>> Shutting Down dirsrv:
>> PKI-IPA OK
>> DOMAIN-LOCAL FAILED
>> *** Error: 1 instance(s) unsuccessfully stopped FAILED
>>
>> Then it moves on to shut other things down and returns to dirsrv
>> Shutting Down dirsrv:
>> PKI-IPA....server already stopped FAILED {Makes sense.. it died earlier}
>> DOMAIN-LOCAL... {this sits here til we hard shutdown}
>>
>> bind-libs-9.8.2-0.47.rc1.el6.x86_64
>> bind-9.8.2-0.47.rc1.el6.x86_64
>> bind-utils-9.8.2-0.47.rc1.el6.x86_64
>>
>> ipa-client-3.0.0-50.el6.1.x86_64
>> ipa-server-selinux-3.0.0-50.el6.1.x86_64
>> ipa-server-3.0.0-50.el6.1.x86_64
>> sssd-ipa-1.13.3-22.el6.x86_64
>>
>> /var/log/dirsrv/slapd-DOMAIN-LOCAL
>> [20/Jun/2016:13:29:06 -0400] - 389-Directory/1.2.11.15 B2016.063.2110 starting up
>> [20/Jun/2016:13:29:06 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=domain,dc=local
>> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - ruv_compare_ruv: RUV [database RUV] does not contain element [{replica 7} 55ca26a0000900070000 5688d8e6001000070000] which is present in RUV [changelog max RUV]
>> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: for replica dc=domain,dc=local there were some differences between the changelog max RUV and the database RUV. If there are obsolete elements in the database RUV, you should remove them using the CLEANALLRUV task. If they are not obsolete, you should check their status to see why there are no changes from those servers in the changelog.
>> [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local@DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>> [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local@DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>> [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local@DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>> [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
>> [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
>> [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local@DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>> [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
>> [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver9.domain.local" (server9:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
>> [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local@DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>> [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
>> [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
>> [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local@DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>> [20/Jun/2016:13:29:07 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>> [20/Jun/2016:13:29:07 -0400] - Listening on All Interfaces port 636 for LDAPS requests
>> [20/Jun/2016:13:29:07 -0400] - Listening on /var/run/slapd-DOMAIN-LOCAL.socket for LDAPI requests
>> [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local@DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>> [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
>> [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver4.domain.local" (server4:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
>> [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
>> [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meTo1server.domain.local" (1server:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
>> [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
>> Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
>> [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver7.domain.local" (server7:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
>> [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 0 (Success)
>> [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
>> [20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin -
>
> --
> Petr Spacek @ Red Hat

From hindsn at gmail.com Tue Jun 28 18:33:51 2016
From: hindsn at gmail.com (Nicholas Hinds)
Date: Tue, 28 Jun 2016 18:33:51 +0000
Subject: [Freeipa-users] How to change the Kerberos Master Key?
Message-ID:

Hi,

I have been trying to change the Kerberos Master Key of my FreeIPA installation, without success. On test installations, I have tried following the instructions on http://web.mit.edu/kerberos/krb5-latest/doc/admin/database.html#updating-the-master-key, but from the "kdb5_util update_princ_encryption" step onwards all kdb5_util commands fail with "kdb5_util: No matching key in entry while looking up active master key", and even "kdb5_util list_mkeys" fails to run after that point.

I found https://fedorahosted.org/freeipa/ticket/4976 to document the mechanism to change the Kerberos Master Key. It mentions that "Currently the procedure is very hard and manual", but does not explain what the very hard and manual way to change the key is.

Is it currently possible to change the Kerberos Master Key? If not, is it okay to have a weak password set as the Kerberos Master Key if I secure access to my FreeIPA server?

Thanks,
Nicholas.

From pgb205 at yahoo.com Tue Jun 28 20:06:39 2016
From: pgb205 at yahoo.com (pgb205)
Date: Tue, 28 Jun 2016 20:06:39 +0000 (UTC)
Subject: [Freeipa-users] Unable to add external group
In-Reply-To: <1404603960.350204.1465503770002.JavaMail.yahoo@mail.yahoo.com>
References: <1404603960.350204.1465503770002.JavaMail.yahoo.ref@mail.yahoo.com> <1404603960.350204.1465503770002.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <1709152181.476973.1467144399578.JavaMail.yahoo@mail.yahoo.com>

Trust is successfully established

ipa trust-find
---------------
1 trust matched
---------------
  Realm name: ad_domain.local
  Domain NetBIOS name: AD_DOMAIN

and I can get kerberos ticket and access to services

KRB5_TRACE=/dev/stderr kvno -S cifs ADDC.AD_DOMAIN
[3552] 1467143851.633980: Received creds for desired service cifs/ADDC.AD_DOMAIN
[3552] 1467143851.634008: Storing my_user@AD_DOMAIN -> cifs/ADDC@AD_DOMAIN in KEYRING:persistent:0:krb_ccache_02UjQwj
cifs/ADDC.AD_DOMAIN: kvno = 29

time is also correct and matches on both ipa and Domain Controller

When I go with the last few steps to add external AD group to the IPA --external I get the following

ipa group-add-member ad_domain_admins_external --external 'AD_DOMAIN\Ops_Admins'
[member user]:
[member group]:
  Group name: ad_domain_admins_external
  Description: ad_domain_admins external map
  Failed members:
    member user:
    member group: AD_DOMAIN\Ops_Admins: trusted domain object not found
-------------------------
Number of members added 0

I have verified the Ops_Admins is readable by everyone in Active Directory.

In error_log I get

[:error] [pid 2619] ipa: INFO: [jsonserver_session] admin@IPA_DOMAIN: group_add_member(u'ad_domain_admins_external', ipaexternalmember=(u'AD_DOMAIN\\\\Ops_Admins',), all=False, raw=False, version=u'2.156', no_members=False): SUCCESS

Any idea on what steps I'm missing or what other things to check?

thanks
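The 389-ds errors log quoted at length in Sean Hogan's upgrade thread above mixes three different GSSAPI failure strings that point at different causes: set_krb5_creds reporting "Cannot contact any KDC" (the directory server cannot get its own TGT), the bind errors about a missing credentials cache (the downstream consequence of that), and error 49 / gss_accept_sec_context (the remote replica rejected a ticket that was actually obtained). Petr's advice in that thread is to look at the LDAP server and KDC first rather than at the DNS symptoms. The script below is an added example, not part of the thread and not FreeIPA or 389-ds code: it parses such a log, attributes bind failures to their replication agreements, classifies them, and states which of the three causes the evidence supports. The log lines in SAMPLE_LOG are constructed to mirror the quoted entries; the class names and the diagnosis wording are my own.

```python
"""Triage GSSAPI replication-bind failures in a 389-ds errors log.

Added example for this thread; not FreeIPA or 389-ds code. SAMPLE_LOG is
constructed to mirror the entries quoted in the thread, not a live capture.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
[20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local@DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found))
[20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[20/Jun/2016:13:59:51 -0400] NSMMReplicationPlugin - agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with GSSAPI auth resumed
[20/Jun/2016:13:59:51 -0400] NSMMReplicationPlugin - agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
[20/Jun/2016:13:59:57 -0400] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with GSSAPI auth resumed
"""

TS_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<rest>.*)$")
KDC_RE = re.compile(
    r"set_krb5_creds - Could not get initial credentials for principal "
    r"\[(?P<princ>[^\]]+)\] in keytab \[(?P<keytab>[^\]]+)\]: (?P<code>-?\d+) \((?P<reason>[^)]+)\)"
)
AGMT_RE = re.compile(
    r'agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\): Replication bind with GSSAPI auth '
    r"(?P<outcome>failed|resumed)(?::\s*(?P<detail>.*))?$"
)


def classify_failure(detail: str) -> str:
    """Map the free-text failure detail to one of three causes (names are mine)."""
    d = detail.lower()
    if "cannot contact any kdc" in d:
        return "kdc_unreachable"          # our own KDC could not be reached
    if "credentials cache" in d:
        return "no_local_tgt"             # "... cache file ... not found" / "No credentials cache found"
    if "invalid credentials" in d or "gss_accept_sec_context" in d:
        return "peer_rejected"            # the remote replica refused the ticket we presented
    return "other"


def parse_line(line: str):
    """Return a structured event for one errors-log line, or None if it has no timestamp."""
    m = TS_RE.match(line.strip())
    if not m:
        return None
    ts, rest = m.group("ts"), m.group("rest")
    k = KDC_RE.search(rest)
    if k:
        return {"ts": ts, "kind": "kdc", "principal": k["princ"], "keytab": k["keytab"],
                "code": int(k["code"]), "reason": k["reason"]}
    a = AGMT_RE.search(rest)
    if a:
        ev = {"ts": ts, "kind": "agmt", "agmt": a["agmt"], "peer": a["peer"], "outcome": a["outcome"]}
        if a["outcome"] == "failed":
            ev["class"] = classify_failure(a["detail"] or "")
        return ev
    return {"ts": ts, "kind": "other"}     # slapi_ldap_bind etc.: noise for this purpose


def diagnose(summary: dict) -> str:
    """State the root cause the evidence supports, most upstream cause first."""
    if summary["kdc_errors"]:
        return ("local KDC unreachable: the directory server could not obtain its own TGT "
                "(set_krb5_creds), so every outbound GSSAPI bind fails before reaching a peer; "
                "fix the KDC and DNS on this host before suspecting the replicas")
    if any(a["failures"]["peer_rejected"] for a in summary["agreements"].values()):
        return ("peer rejected our ticket (gss_accept_sec_context / error 49): check the ldap/ "
                "principal keys and clock skew on the peers listed under 'stuck'")
    if summary["stuck"]:
        return "binds still failing without a KDC error; inspect the detail strings per agreement"
    return "no outstanding replication bind failures"


def summarize(log_text: str) -> dict:
    """Per-agreement last state and failure counts, plus an overall diagnosis."""
    agreements = defaultdict(lambda: {"peer": None, "last": None, "failures": Counter()})
    kdc_errors = 0
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        if ev["kind"] == "kdc":
            kdc_errors += 1
        elif ev["kind"] == "agmt":
            a = agreements[ev["agmt"]]
            a["peer"], a["last"] = ev["peer"], ev["outcome"]   # file order == time order
            if ev["outcome"] == "failed":
                a["failures"][ev["class"]] += 1
    stuck = sorted(name for name, a in agreements.items() if a["last"] == "failed")
    summary = {"kdc_errors": kdc_errors, "agreements": dict(agreements), "stuck": stuck}
    summary["diagnosis"] = diagnose(summary)
    return summary


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for name, a in sorted(result["agreements"].items()):
        print(f"{name:<32} last={a['last']:<8} failures={dict(a['failures'])}")
    print("stuck:", result["stuck"])
    print("diagnosis:", result["diagnosis"])
```

Run it against the real file with `summarize(open('/var/log/dirsrv/slapd-DOMAIN-LOCAL/errors').read())`; the point of the ordering in `diagnose` is that a single set_krb5_creds "Cannot contact any KDC" entry explains every later "credentials cache" bind failure, so those agreements are not the thing to fix, while an agreement that stays failed with gss_accept_sec_context after the KDC is back is.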
From abokovoy at redhat.com Tue Jun 28 20:25:24 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 28 Jun 2016 23:25:24 +0300
Subject: Re: [Freeipa-users] Unable to add external group
In-Reply-To: <1709152181.476973.1467144399578.JavaMail.yahoo@mail.yahoo.com>
References: <1404603960.350204.1465503770002.JavaMail.yahoo.ref@mail.yahoo.com> <1404603960.350204.1465503770002.JavaMail.yahoo@mail.yahoo.com> <1709152181.476973.1467144399578.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <20160628202524.lot7fo7spifupitb@redhat.com>

On Tue, 28 Jun 2016, pgb205 wrote:
>Trust is successfully established
>
>ipa trust-find
>---------------
>1 trust matched
>---------------
>  Realm name: ad_domain.local
>  Domain NetBIOS name: AD_DOMAIN
>
>and I can get kerberos ticket and access to services
>
>KRB5_TRACE=/dev/stderr kvno -S cifs ADDC.AD_DOMAIN
>[3552] 1467143851.633980: Received creds for desired service cifs/ADDC.AD_DOMAIN
>[3552] 1467143851.634008: Storing my_user@AD_DOMAIN -> cifs/ADDC@AD_DOMAIN in KEYRING:persistent:0:krb_ccache_02UjQwj
>cifs/ADDC.AD_DOMAIN: kvno = 29
>
>time is also correct and matches on both ipa and Domain Controller
>
>When I go with the last few steps to add external AD group to the IPA --external I get the following
>
>ipa group-add-member ad_domain_admins_external --external 'AD_DOMAIN\Ops_Admins'
>[member user]:
>[member group]:
>  Group name: ad_domain_admins_external
>  Description: ad_domain_admins external map
>  Failed members:
>    member user:
>    member group: AD_DOMAIN\Ops_Admins: trusted domain object not found
>-------------------------
>Number of members added 0
>
>I have verified the Ops_Admins is readable by everyone in Active Directory.
>
>In error_log I get
>
>[:error] [pid 2619] ipa: INFO: [jsonserver_session] admin@IPA_DOMAIN: group_add_member(u'ad_domain_admins_external', ipaexternalmember=(u'AD_DOMAIN\\\\Ops_Admins',), all=False, raw=False, version=u'2.156', no_members=False): SUCCESS
>
>Any idea on what steps I'm missing or what other things to check?

If you have "trusted domain object not found", this means you don't really have trust established correctly. Unfortunately, sometimes we cannot get a proper error message back to the user as Samba Python bindings don't give us much detail. See http://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust on how to generate proper debug logs for trust to see what is there.

Your kvno output is of no use -- obviously an AD user would be able to obtain a ticket to an AD DC's service, this is not a surprise.

--
/ Alexander Bokovoy

From michael.rainey.ctr at nrlssc.navy.mil Tue Jun 28 21:41:39 2016
From: michael.rainey.ctr at nrlssc.navy.mil (Michael Rainey (Contractor))
Date: Tue, 28 Jun 2016 16:41:39 -0500
Subject: [Freeipa-users] freeIPA 4.2: Smart Card Issues
Message-ID:

Greetings,

Back in March I contacted the mailing list in regard to a problem I was having with smartcards and screen locking. At that time I was provided a patch to implement to lock the screen when the smartcard was removed and it worked well. Today it looks like the patch may have made its way to the repo and I am starting to see some issues occurring on my test machines. When the smartcard is inserted into the reader a message flashes on the screen "That didn't work. Please try again." Also, it doesn't seem to prompt for a pin for the smartcard. It just shows the password field. Unfortunately, the logs didn't reveal much, I may need to tweak the debug level if more information is needed.
I grabbed the files from https://koji.fedoraproject.org/koji/taskinfo?taskID=13412048

I had to modify the smartcard-auth file to the following:

auth        required      pam_env.so
auth        sufficient    pam_sss.so allow_missing_name
#auth       [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

#password   required      pam_pkcs11.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

The dconf file /etc/dconf/db/distro.d/10-authconfig

[org/gnome/login-screen]
enable-fingerprint-authentication=false

and /etc/dconf/db/distro.d/locks/10-authconfig-locks

/org/gnome/login-screen/enable-fingerprint-authentication

I'm currently running the following:

* Scientific Linux 7.2 64bit
* 4.2.0-15.sl7_2.17
* GDM 3.14.2
* GNOME Shell 3.14.4

Hopefully, I have given you enough information to work the problem. Have there been changes to the way freeIPA is configured for smartcard use?

Sincerely,
--
*Michael Rainey*

From kliu at alumni.warwick.ac.uk Wed Jun 29 01:58:23 2016
From: kliu at alumni.warwick.ac.uk (Barry)
Date: Wed, 29 Jun 2016 09:58:23 +0800
Subject: [Freeipa-users] How to reinstall the ca or the dogtag system
Message-ID:

Hi:

Errors occur ...cert ni problem ..seem ca error and cannot tract cert.

thx

ipa-replica-prepare c03.abc.com --ip-address 192.168.1.73
Directory Manager (existing master) password:
preparation of replica failed: cannot connect to u'ldapi://%2fvar%2frun%2fslapd-WISERS-COM.socket': LDAP Server Down
cannot connect to u'ldapi://%2fvar%2frun%2fslapd-ABC.COM.socket': LDAP Server Down
  File "/usr/sbin/ipa-replica-prepare", line 490, in
    main()
  File "/usr/sbin/ipa-replica-prepare", line 274, in main
    conn.connect(bind_dn=DN(('cn', 'directory manager')), bind_pw=dirman_password)
  File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 846, in create_connection
    self.handle_errors(e)
  File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 736, in handle_errors
    error=u'LDAP Server Down')

[root@central ~]# ipa-replica-prepare central03.wisers.com --ip-address 192.168.1.73
Directory Manager (existing master) password:
preparation of replica failed: cannot connect to u'ldapi://%2fvar%2frun%2fslapd-ABC.COM.socket': LDAP Server Down
cannot connect to u'ldapi://%2fvar%2frun%2fslapd-ABC-COM.socket': LDAP Server Down
  File "/usr/sbin/ipa-replica-prepare", line 490, in
    main()
  File "/usr/sbin/ipa-replica-prepare", line 274, in main
    conn.connect(bind_dn=DN(('cn', 'directory manager')), bind_pw=dirman_password)
  File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 846, in create_connection
    self.handle_errors(e)
  File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 736, in handle_errors
    error=u'LDAP Server Down')
From pgb205 at yahoo.com Wed Jun 29 02:41:33 2016
From: pgb205 at yahoo.com (pgb205)
Date: Wed, 29 Jun 2016 02:41:33 +0000 (UTC)
Subject: Re: [Freeipa-users] Unable to add external group
In-Reply-To: <20160628202524.lot7fo7spifupitb@redhat.com>
References: <1404603960.350204.1465503770002.JavaMail.yahoo.ref@mail.yahoo.com> <1404603960.350204.1465503770002.JavaMail.yahoo@mail.yahoo.com> <1709152181.476973.1467144399578.JavaMail.yahoo@mail.yahoo.com> <20160628202524.lot7fo7spifupitb@redhat.com>
Message-ID: <2084275119.657091.1467168093865.JavaMail.yahoo@mail.yahoo.com>

Alexander,

forwarding sanitized files to you privately

From: Alexander Bokovoy
To: pgb205
Cc: "Freeipa-users at redhat.com"
Sent: Tuesday, June 28, 2016 4:25 PM
Subject: Re: [Freeipa-users] Unable to add external group

On Tue, 28 Jun 2016, pgb205 wrote:
>Trust is successfully established
>
>ipa trust-find
>---------------
>1 trust matched
>---------------
>  Realm name: ad_domain.local
>  Domain NetBIOS name: AD_DOMAIN
>
>and I can get kerberos ticket and access to services
>
>KRB5_TRACE=/dev/stderr kvno -S cifs ADDC.AD_DOMAIN
>[3552] 1467143851.633980: Received creds for desired service cifs/ADDC.AD_DOMAIN
>[3552] 1467143851.634008: Storing my_user@AD_DOMAIN -> cifs/ADDC@AD_DOMAIN in KEYRING:persistent:0:krb_ccache_02UjQwj
>cifs/ADDC.AD_DOMAIN: kvno = 29
>
>time is also correct and matches on both ipa and Domain Controller
>
>When I go with the last few steps to add external AD group to the IPA --external I get the following
>
>ipa group-add-member ad_domain_admins_external --external 'AD_DOMAIN\Ops_Admins'
>[member user]:
>[member group]:
>  Group name: ad_domain_admins_external
>  Description: ad_domain_admins external map
>  Failed members:
>    member user:
>    member group: AD_DOMAIN\Ops_Admins: trusted domain object not found
>-------------------------
>Number of members added 0
>
>I have verified the Ops_Admins is readable by everyone in Active Directory.
>
>In error_log I get
>
>[:error] [pid 2619] ipa: INFO: [jsonserver_session] admin@IPA_DOMAIN: group_add_member(u'ad_domain_admins_external', ipaexternalmember=(u'AD_DOMAIN\\\\Ops_Admins',), all=False, raw=False, version=u'2.156', no_members=False): SUCCESS
>
>Any idea on what steps I'm missing or what other things to check?

If you have "trusted domain object not found", this means you don't really have trust established correctly. Unfortunately, sometimes we cannot get a proper error message back to the user as Samba Python bindings don't give us much detail. See http://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust on how to generate proper debug logs for trust to see what is there.

Your kvno output is of no use -- obviously an AD user would be able to obtain a ticket to an AD DC's service, this is not a surprise.

--
/ Alexander Bokovoy

From christophe.trefois at uni.lu Wed Jun 29 06:32:51 2016
From: christophe.trefois at uni.lu (Christophe TREFOIS)
Date: Wed, 29 Jun 2016 06:32:51 +0000
Subject: [Freeipa-users] CentOS 7 and FreeIPA
Message-ID: <2EBB29CB9A8F494FB5253F6AF2E6A1981DAD95D0@hoshi.uni.lux>

Hi all,

I see that the package in the CentOS 7 official repo is only 4.2.0.

Is this the recommended version or do people generally use the COPR repository or EPEL? I am talking here about a stable production release.

Thank you for your help :)

--
Christophe
From sbose at redhat.com Wed Jun 29 07:31:36 2016
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 29 Jun 2016 09:31:36 +0200
Subject: [Freeipa-users] freeIPA 4.2: Smart Card Issues
In-Reply-To: 
References: 
Message-ID: <20160629073136.GJ18060@p.Speedport_W_724V_Typ_A_05011603_00_009>

On Tue, Jun 28, 2016 at 04:41:39PM -0500, Michael Rainey (Contractor) wrote:
> Greetings,
>
> Back in March I contacted the mailing list in regard to a problem I was
> having with smartcards and screen locking. At that time I was provided a
> patch to implement to lock the screen when the smartcard was removed and it
> worked well. Today it looks like the patch may have made its way to the
> repo and I am starting to see some issues occurring on my test machines.
> When the smartcard is inserted into the reader a message flashes on the
> screen "That didn't work. Please try again." Also, it doesn't seem to
> prompt for a pin for the smartcard. It just shows the password field.
> Unfortunately, the logs didn't reveal much, I may need to tweak the debug
> level if more information is needed.

yes, it would be good if you can add debug_level=10 to the [pam] section of
sssd.conf and send the sssd_pam.log file after testing.
>
> I grabbed the files from
> https://koji.fedoraproject.org/koji/taskinfo?taskID=13412048
>
> I had to modify the smartcard-auth file to the following:
>
> auth required pam_env.so
> auth sufficient pam_sss.so allow_missing_name
> #auth [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card
> auth required pam_deny.so
>
> account required pam_unix.so
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 1000 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
>
> #password required pam_pkcs11.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> -session optional pam_systemd.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_sss.so
>
> The dconf file /etc/dconf/db/distro.d/10-authconfig
>
> [org/gnome/login-screen]
> enable-fingerprint-authentication=false
>
> and /etc/dconf/db/distro.d/locks/10-authconfig-locks
>
> /org/gnome/login-screen/enable-fingerprint-authentication

The configuration looks ok, I'll try to reproduce the issue locally as well.

bye,
Sumit

>
> I'm currently running the following:
>
> * Scientific Linux 7.2 64bit
> * 4.2.0-15.sl7_2.17
> * GDM 3.14.2
> * GNOME Shell 3.14.4
>
> Hopefully, I have given you enough information to work the problem. Have
> there been changes to the way freeIPA is configured for smartcard use?
>
> Sincerely,
> --
> *Michael Rainey*
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From pspacek at redhat.com Wed Jun 29 07:50:21 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 29 Jun 2016 09:50:21 +0200
Subject: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
In-Reply-To: 
References: <79454fce-7e51-eebf-44eb-c7a472cef1fd@redhat.com>
Message-ID: 

On 28.6.2016 20:21, Sean Hogan wrote:
> Thanks Petr,
>
> Since the last recycle of the Host hosting the First Master it has been
> stable for about a week now. Only thing I did was to spread out my
> replication agreements. I had 8 replications hitting it but now have 4
> going to it and the other 4 to its backup replica with the first master and
> the backup replica having an agreement.
>
> Not sure that fixed it or not but it seems to be stable at this point and I
> know the docs say no more than 4 replications agreements so maybe it was
> the cause.

Generally more replication agreements mean more load on the server. Many
replication agreements should not cause problems by themselves if the server
has sufficient performance.
Petr^2 Spacek

> Sean Hogan
>
> From: Petr Spacek
> To: Sean Hogan/Durham/IBM at IBMUS
> Cc: freeipa-users at redhat.com
> Date: 06/28/2016 10:24 AM
> Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
>
> On 22.6.2016 23:09, Sean Hogan wrote:
>> SLAPD showing
>>
>> 22/Jun/2016:17:01:59 -0400] slapi_ldap_bind - Error: could not perform
>> interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
>> [22/Jun/2016:17:06:59 -0400] slapd_ldap_sasl_interactive_bind - Error:
>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49
>> (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure:
>> gss_accept_sec_context) errno 0 (Success)
>>
>> where would these creds be and what ID? I am using SASL so I assume it to
>> be sasl_user DNS/FirstMaster.watson.local or something like that?
>
> These are in /etc/dirsrv/ds.keytab.
>
> I would start with
> # klist -kt /etc/dirsrv/ds.keytab
> and try to proceed with kinit etc. (very similarly to the bind-dyndb-ldap
> how-to).
>
> I hope it helps.
>
> Petr^2 Spacek
>
>> From: Sean Hogan/Durham/IBM at IBMUS
>> To: Petr Spacek
>> Cc: freeipa-users at redhat.com
>> Date: 06/22/2016 08:36 AM
>> Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
>> Sent by: freeipa-users-bounces at redhat.com
>>
>> Hi Peter...
>>
>> Yes..... this has me doing loops in my head to /dev/null
>>
>> You are correct I could not complete the BIND steps... I did them yesterday
>> but did not post results as I wanted to stop bugging you all :)
>> The initial credential section of that I could not complete nor can I get
>> a keytab without it and I don't think I have an issue with cert versions
>> (used the SASL section). The upgrade log from 3.47 to 3.50 on this one
>> server did show an error with named though.
>>
>> I had the box powered down again last night after testing the BIND
>> procedures... and it's been up since then.
>> Which makes me really not sure
>> what is going on (DNS DOS from internal maybe? I get a lot of outside
>> requests showing network unreachable and I don't forward to an outside DNS).
>> If it was a password/cert/cipher/file perm issue then I don't see how it
>> can work at all after a reboot.
>>
>> I am thinking it needs a rebuild.. I have not done this on a First Master
>> IPA, is there anything I need to take into consideration with it being first
>> master? Right now I have 8 IPAs all DNS, NTP and CAs on different vlans but
>> the first master is the fail back IPA (on the only vlan that can talk to the
>> others) in case their local vlan IPA dies. First Master is also the master
>> CA in the realm where everything is enrolled to originally. We then mod
>> everything to point to the vlan IPA with the Firstmaster as secondary with
>> our vlan-specific scripts we run after ipa client install.
>>
>> With the box rebooted last night I am now getting normal functionality but
>> it prob won't last long as indicated from the past...
>>
>> Working
>> [bob at FirstMaster ~]# kinit admin
>> Password for admin at DOMAIN.LOCAL:
>> Warning: Your password will expire in 6 days on Tue Jun 28 14:55:52 2016
>> [bob at FirstMaster ~]#
>>
>> I did post ldap logs in my first email though... will re-add them to this
>> and when it dies off again I will add more.
>>
>>> [20/Jun/2016:13:59:00 -0400] - Detected Disorderly Shutdown last time
>>> Directory Server was running, recovering database.
>>> [20/Jun/2016:13:59:01 -0400] schema-compat-plugin - warning: no entries >> set >>> up under cn=computers, cn=compat,dc=domain,dc=local >>> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - ruv_compare_ruv: > RUV >>> [database RUV] does not contain element [{replica 7} > 55ca26a0000900070000 >>> 5688d8e6001000070000] which is present in RUV [changelog max RUV] >>> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - >>> replica_check_for_data_reload: Warning: for replica dc=domain,dc=local >>> there were some differences between the changelog max RUV and the >> database >>> RUV. If there are obsolete elements in the database RUV, you should >> remove >>> them using the CLEANALLRUV task. If they are not obsolete, you should >> check >>> their status to see why there are no changes from those servers in the >>> changelog. >>> [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial >>> credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in >>> keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC >>> for requested realm) >>> [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial >>> credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in >>> keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC >>> for requested realm) >>> [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial >>> credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in >>> keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC >>> for requested realm) >>> [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: >>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 >>> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS >>> failure. 
Minor code may provide more information (Credentials cache file >>> '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) >>> [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform >>> interactive bind for id [] mech [GSSAPI]: error -2 (Local error) >>> [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: >>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 >>> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS >>> failure. Minor code may provide more information (Credentials cache file >>> '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) >>> [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform >>> interactive bind for id [] mech [GSSAPI]: error -2 (Local error) >>> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - >>> agmt="cn=meToserver9.domain.local" (server9:389): Replication bind with >>> GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic >> failure: >>> GSSAPI Error: Unspecified GSS failure. Minor code may provide more >>> information (Credentials cache file '/tmp/krb5cc_495' not found)) >>> [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial >>> credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in >>> keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC >>> for requested realm) >>> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - >>> agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with >>> GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic >> failure: >>> GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more >>> information (Credentials cache file '/tmp/krb5cc_495' not found)) >>> [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: >>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 >>> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS >>> failure. Minor code may provide more information (Credentials cache file >>> '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) >>> [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform >>> interactive bind for id [] mech [GSSAPI]: error -2 (Local error) >>> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - >>> agmt="cn=meTobldvxl0011.domain.local" (1server:389): Replication bind >> with >>> GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic >> failure: >>> GSSAPI Error: Unspecified GSS failure. Minor code may provide more >>> information (Credentials cache file '/tmp/krb5cc_495' not found)) >>> [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: >>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 >>> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS >>> failure. Minor code may provide more information (Credentials cache file >>> '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) >>> [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform >>> interactive bind for id [] mech [GSSAPI]: error -2 (Local error) >>> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - >>> agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with >>> GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic >> failure: >>> GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more >>> information (Credentials cache file '/tmp/krb5cc_495' not found)) >>> [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial >>> credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in >>> keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC >>> for requested realm) >>> [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial >>> credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in >>> keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC >>> for requested realm) >>> [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: >>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 >>> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS >>> failure. Minor code may provide more information (Credentials cache file >>> '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) >>> [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform >>> interactive bind for id [] mech [GSSAPI]: error -2 (Local error) >>> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - >>> agmt="cn=meToserver7.domain.local" (server7:389): Replication bind with >>> GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic >> failure: >>> GSSAPI Error: Unspecified GSS failure. Minor code may provide more >>> information (Credentials cache file '/tmp/krb5cc_495' not found)) >>> [20/Jun/2016:13:59:48 -0400] - slapd started. 
Listening on All > Interfaces >>> port 389 for LDAP requests >>> [20/Jun/2016:13:59:48 -0400] - Listening on All Interfaces port 636 for >>> LDAPS requests >>> [20/Jun/2016:13:59:48 -0400] - Listening >>> on /var/run/slapd-DOMAIN-LOCAL.socket for LDAPI requests >>> [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: >>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 >>> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS >>> failure. Minor code may provide more information (Credentials cache file >>> '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory) >>> [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform >>> interactive bind for id [] mech [GSSAPI]: error -2 (Local error) >>> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - >>> agmt="cn=meToserver4.domain.local" (server4:389): Replication bind with >>> GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic >> failure: >>> GSSAPI Error: Unspecified GSS failure. Minor code may provide more >>> information (Credentials cache file '/tmp/krb5cc_495' not found)) >>> [20/Jun/2016:13:59:48 -0400] set_krb5_creds - Could not get initial >>> credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in >>> keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC >>> for requested realm) >>> [20/Jun/2016:13:59:48 -0400] slapd_ldap_sasl_interactive_bind - Error: >>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 >>> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS >>> failure. 
Minor code may provide more information (Credentials cache file >>> '/tmp/krb5cc_495' not found)) errno 0 (Success) >>> [20/Jun/2016:13:59:48 -0400] slapi_ldap_bind - Error: could not perform >>> interactive bind for id [] mech [GSSAPI]: error -2 (Local error) >>> [20/Jun/2016:13:59:48 -0400] NSMMReplicationPlugin - >>> agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with >>> GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic >> failure: >>> GSSAPI Error: Unspecified GSS failure. Minor code may provide more >>> information (Credentials cache file '/tmp/krb5cc_495' not found)) >>> [20/Jun/2016:13:59:51 -0400] NSMMReplicationPlugin - >>> agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with >>> GSSAPI auth resumed >>> [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: >>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > 49 >>> (Invalid credentials) (SASL(-13): authentication failure: GSSAPI > Failure: >>> gss_accept_sec_context) errno 0 (Success) >>> [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform >>> interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) >>> [20/Jun/2016:13:59:51 -0400] NSMMReplicationPlugin - >>> agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with >>> GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): >>> authentication failure: GSSAPI Failure: gss_accept_sec_context) >>> [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: >>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 >>> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS >>> failure. 
Minor code may provide more information (No credentials cache >>> found)) errno 2 (No such file or directory) >>> [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform >>> interactive bind for id [] mech [GSSAPI]: error -2 (Local error) >>> [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: >>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 >>> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS >>> failure. Minor code may provide more information (No credentials cache >>> found)) errno 2 (No such file or directory) >>> [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform >>> interactive bind for id [] mech [GSSAPI]: error -2 (Local error) >>> [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: >>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 >>> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS >>> failure. Minor code may provide more information (No credentials cache >>> found)) errno 2 (No such file or directory) >>> [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform >>> interactive bind for id [] mech [GSSAPI]: error -2 (Local error) >>> [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: >>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 >>> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS >>> failure. Minor code may provide more information (No credentials cache >>> found)) errno 2 (No such file or directory) >>> [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform >>> interactive bind for id [] mech [GSSAPI]: error -2 (Local error) >>> [20/Jun/2016:13:59:51 -0400] slapd_ldap_sasl_interactive_bind - Error: >>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 >>> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS >>> failure. 
>>> Minor code may provide more information (No credentials cache
>>> found)) errno 2 (No such file or directory)
>>> [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform
>>> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>>> [20/Jun/2016:13:59:57 -0400] slapd_ldap_sasl_interactive_bind - Error:
>>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49
>>> (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure:
>>> gss_accept_sec_context) errno 0 (Success)
>>> [20/Jun/2016:13:59:57 -0400] slapi_ldap_bind - Error: could not perform
>>> interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
>>> [20/Jun/2016:13:59:57 -0400] NSMMReplicationPlugin -
>>> agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with
>>> GSSAPI auth resumed
>>
>> Sean Hogan
>>
>> From: Petr Spacek
>> To: freeipa-users at redhat.com
>> Date: 06/21/2016 10:20 PM
>> Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
>> Sent by: freeipa-users-bounces at redhat.com
>>
>> On 22.6.2016 02:56, Sean Hogan wrote:
>>> More info
>>>
>>> Krb5 log is showing:
>>> Jun 21 20:42:47 Firstmaster.domain.local krb5kdc[2141](info): AS_REQ (4
>>> etypes {18 17 16 23}) 10.x.x.x: LOOKING_UP_CLIENT: admin at domain.LOCAL for
>>> krbtgt/DOMAIN.LOCAL at DOMAIN.LOCAL, Server error
>>
>> Hello,
>>
>> this is really fishy. I would bet that there is a problem with LDAP server
>> and DNS errors are just a consequence of it.
>>
>> I suspect that you will not be able to finish steps mentioned in
>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a3.FailedtoinitcredentialsorFailedtogetinitialcredentialsDecryptintegritycheckfailedorClientscredentialshavebeenrevoked
>>
>> If it is the case I would turn your attention to krb5kdc.log and LDAP
>> server logs in /var/log/dirsrv/*
>>
>> There must be something wrong with the LDAP server.
>>
>> Petr^2 Spacek
>>
>>> [bob at Firstmaster etc]# kinit -v admin
>>> kinit: Credentials cache file '/tmp/krb5cc_0' not found while validating
>>> credentials
>>>
>>> Sean Hogan
>>>
>>> From: Sean Hogan/Durham/IBM
>>> To: freeipa-users
>>> Date: 06/21/2016 12:02 PM
>>> Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
>>>
>>> Has anyone seen these before?
>>>
>>> First Master IPA DNS logs show: Looks like the host names are getting the
>>> domain twice domain.local.domain.local
>>>
>>> client 10.x.x.x#58094: query failed (SERVFAIL) for
>>> server1.domain.local.domain.local/IN/AAAA at query.c:6569
>>> timeout in ldap_pool_getconnection(): try to raise 'connections' parameter;
>>> potential deadlock?
>>> client 10.x.x.x#44147: query failed (SERVFAIL) for
>>> x.x.x.10.in-addr.arpa/IN/PTR at query.c:6569
>>> timeout in ldap_pool_getconnection(): try to raise 'connections' parameter;
>>> potential deadlock?
>>> client 10.x.x.x#56466: query failed (SERVFAIL) for
>>> x.x.x.10.in-addr.arpa/IN/PTR at query.c:6569
>>> timeout in ldap_pool_getconnection(): try to raise 'connections' parameter;
>>> potential deadlock?
>>> client 10.x.x.x53367: query failed (SERVFAIL) for
>>> server2.domain.local.domain.local/IN/A at query.c:6569
>>> timeout in ldap_pool_getconnection(): try to raise 'connections' parameter;
>>> potential deadlock?
>>> client 10.x.x.x#53367: query failed (SERVFAIL) for
>>> server2.domain.local.domain.local/IN/AAAA at query.c:6569
>>>
>>> So enrolls are failing at this point when trying to enroll to a replica:
>>>
>>> [bob at server1 log]# ipa-client-install --enable-dns-updates
>>> Discovery was successful!
>>> Hostname: server1.watson.local
>>> Realm: DOMAIN.LOCAL
>>> DNS Domain: domain.local
>>> IPA Server: ipareplica.domain.local
>>> BaseDN: dc=domain,dc=local
>>>
>>> Continue to configure the system with these values? [no]: yes
>>> User authorized to enroll computers: bob
>>> Synchronizing time with KDC...
>>> Password for bob at DOMAIN.LOCAL:
>>> Successfully retrieved CA cert
>>> Subject: CN=Certificate Authority,O=DOMAIN.LOCAL
>>> Issuer: CN=Certificate Authority,O=DOMAIN.LOCAL
>>> Valid From: Tue Jan 06 19:37:09 2015 UTC
>>> Valid Until: Sat Jan 06 19:37:09 2035 UTC
>>>
>>> Enrolled in IPA realm DOMAIN.LOCAL
>>> Attempting to get host TGT...
>>> Created /etc/ipa/default.conf
>>> New SSSD config will be created
>>> Configured sudoers in /etc/nsswitch.conf
>>> Configured /etc/sssd/sssd.conf
>>> Configured /etc/krb5.conf for IPA realm DOMAIN.LOCAL
>>> trying https://ipareplica.domain.local/ipa/xml
>>> Cannot connect to the server due to Kerberos error: Kerberos error:
>>> Kerberos error: ('Unspecified GSS failure. Minor code may provide more
>>> information', 851968)/('KDC returned error string: PROCESS_TGS',
>>> -1765328324)/. Trying with delegate=True
>>> trying https://ipareplica.domain.local/ipa/xml
>>> Second connect with delegate=True also failed: Kerberos error: Kerberos
>>> error: ('Unspecified GSS failure. Minor code may provide more
>>> information', 851968)/('KDC returned error string: PROCESS_TGS',
>>> -1765328324)/
>>> Cannot connect to the IPA server XML-RPC interface: Kerberos error:
>>> Kerberos error: ('Unspecified GSS failure.
>>> Minor code may provide more
>>> information', 851968)/('KDC returned error string: PROCESS_TGS',
>>> -1765328324)/
>>> Installation failed. Rolling back changes.
>>> Unenrolling client from IPA server
>>> Unenrolling host failed: Error obtaining initial credentials: Generic error
>>> (see e-text).
>>>
>>> Removing Kerberos service principals from /etc/krb5.keytab
>>> Disabling client Kerberos and LDAP configurations
>>> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved
>>> to /etc/sssd/sssd.conf.deleted
>>> Restoring client configuration files
>>> nscd daemon is not installed, skip configuration
>>> nslcd daemon is not installed, skip configuration
>>> Client uninstall complete.
>>>
>>> Sean Hogan
>>>
>>> From: Sean Hogan/Durham/IBM
>>> To: Sean Hogan/Durham/IBM at IBMUS
>>> Cc: freeipa-users
>>> Date: 06/20/2016 12:49 PM
>>> Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
>>>
>>> Also seeing this in the upgrade log on the first master but not on the 7
>>> ipas.
>>>
>>> ERROR Failed to restart named: Command '/sbin/service named restart '
>>> returned non-zero exit status 7
>>>
>>> which led me to
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=895298
>>>
>>> Sean Hogan
>>>
>>> From: Sean Hogan/Durham/IBM at IBMUS
>>> To: freeipa-users
>>> Date: 06/20/2016 11:46 AM
>>> Subject: Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
>>> Sent by: freeipa-users-bounces at redhat.com
>>>
>>> Hi All..
>>>
>>> I thought we fixed this issue by rebooting the KVM host but it is showing
>>> again. Our First Master IPA is being rebooted 2 -5 times a day now just to
>>> keep it alive.
>>>
>>> What we are seeing:
>>>
>>> God at FirstMaster log]# kinit admin
>>> kinit: Cannot contact any KDC for realm 'Domain.LOCAL' while getting
>>> initial credentials
>>>
>>> DNS is not working as nslookup is failing to a replica....
>>> think once we
>>> lose DNS it all goes downhill which makes sense.
>>>
>>> [god at FirstMaster log]# ipactl stop -----> Just hangs forever.. no replies..
>>> no error.. nothing
>>>
>>> I try service named stop and nothing happens
>>>
>>> I have the box hard shutdown from KVM console. Reboot it and it works for a
>>> little while but eventually back to same behavior.
>>>
>>> At this point I can service named stop and it responds... ipactl status and
>>> it responds.. but if I try service named restart I get
>>>
>>> [god at FirstMaster log]# service named stop
>>> Stopping named: ......
>>>
>>> [god at Firstmaster log]# service named start
>>> Starting named: [FAILED]
>>>
>>> [god at FirstMaster log]# service named status
>>> rndc: connect failed: 127.0.0.1#953: connection refused
>>> named dead but pid file exists
>>>
>>> Rebooted box and it is hung on shutting down domain-local and never fully
>>> shuts down.. have to get it hard shutdown again.
>>> During an attempt to gracefully shut down we see this
>>>
>>> Shutting Down dirsrv:
>>> PKI-IPA OK
>>> DOMAIN-LOCAL FAILED
>>> *** Error: 1 instance(s) unsuccessfully stopped FAILED
>>>
>>> Then it moves on to shut other things down and returns to dirsrv
>>> Shutting Down dirsrv:
>>> PKI-IPA....server already stopped FAILED {Makes sense.. it died earlier}
>>> DOMAIN-LOCAL...
>>> {this sits here til we hard shutdown}
>>>
>>> bind-libs-9.8.2-0.47.rc1.el6.x86_64
>>> bind-9.8.2-0.47.rc1.el6.x86_64
>>> bind-utils-9.8.2-0.47.rc1.el6.x86_64
>>>
>>> ipa-client-3.0.0-50.el6.1.x86_64
>>> ipa-server-selinux-3.0.0-50.el6.1.x86_64
>>> ipa-server-3.0.0-50.el6.1.x86_64
>>> sssd-ipa-1.13.3-22.el6.x86_64
>>>
>>> /var/log/dirsrv/slapd-DOMAIN-LOCAL
>>> [20/Jun/2016:13:29:06 -0400] - 389-Directory/1.2.11.15 B2016.063.2110
>>> starting up
>>> [20/Jun/2016:13:29:06 -0400] schema-compat-plugin - warning: no entries set
>>> up under cn=computers, cn=compat,dc=domain,dc=local
>>> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - ruv_compare_ruv: RUV
>>> [database RUV] does not contain element [{replica 7} 55ca26a0000900070000
>>> 5688d8e6001000070000] which is present in RUV [changelog max RUV]
>>> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin -
>>> replica_check_for_data_reload: Warning: for replica dc=domain,dc=local
>>> there were some differences between the changelog max RUV and the database
>>> RUV. If there are obsolete elements in the database RUV, you should remove
>>> them using the CLEANALLRUV task. If they are not obsolete, you should check
>>> their status to see why there are no changes from those servers in the
>>> changelog.
>>> [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>> [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>> [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>> [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
>>> [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>>> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver8.domain.local" (server8:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
>>> [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>> [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
>>> [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>>> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver9.domain.local" (server9:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
>>> [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>> [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
>>> [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>>> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver3.domain.local" (server3:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
>>> [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>> [20/Jun/2016:13:29:07 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>>> [20/Jun/2016:13:29:07 -0400] - Listening on All Interfaces port 636 for LDAPS requests
>>> [20/Jun/2016:13:29:07 -0400] - Listening on /var/run/slapd-DOMAIN-LOCAL.socket for LDAPI requests
>>> [20/Jun/2016:13:29:07 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/server1.domain.local at DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>> [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
>>> [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>>> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver4.domain.local" (server4:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
>>> [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
>>> [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>>> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meTo1server.domain.local" (1server:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
>>> [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 2 (No such file or directory)
>>> [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>>> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver7.domain.local" (server7:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
>>> [20/Jun/2016:13:29:07 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 0 (Success)
>>> [20/Jun/2016:13:29:07 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>>> [20/Jun/2016:13:29:07 -0400] NSMMReplicationPlugin - agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
>>> [20/Jun/2016:13:29:10 -0400] NSMMReplicationPlugin -

From mbasti at redhat.com Wed Jun 29 07:51:41 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 29 Jun 2016 09:51:41 +0200
Subject: [Freeipa-users] CentOS 7 and FreeIPA
In-Reply-To: <2EBB29CB9A8F494FB5253F6AF2E6A1981DAD95D0@hoshi.uni.lux>
References: <2EBB29CB9A8F494FB5253F6AF2E6A1981DAD95D0@hoshi.uni.lux>
Message-ID: <3e19009e-1a44-c2f7-fb36-9669854068b0@redhat.com>

On 29.06.2016 08:32, Christophe TREFOIS wrote:
>
> Hi all,
>
> I see that the package in CentOS 7 official repo is only 4.2.0.
>
> Is this the recommended version or do people generally use the COPR
> repository or EPEL?
>
> I am talking here about stable production release.
>

Hello,

For stable production release, 4.2 is what you need. COPR repos do not guarantee anything.

HTH
Martin^2

> Thank you for your help :)
>
> --
>
> Christophe
>

From christophe.trefois at uni.lu Wed Jun 29 08:39:06 2016
From: christophe.trefois at uni.lu (Christophe TREFOIS)
Date: Wed, 29 Jun 2016 08:39:06 +0000
Subject: [Freeipa-users] CentOS 7 and FreeIPA
In-Reply-To: <3e19009e-1a44-c2f7-fb36-9669854068b0@redhat.com>
References: <2EBB29CB9A8F494FB5253F6AF2E6A1981DAD95D0@hoshi.uni.lux> <3e19009e-1a44-c2f7-fb36-9669854068b0@redhat.com>
Message-ID: <10E7592F-4004-46EC-9839-63DFDB4E2CF0@uni.lu>

Hi Martin,

But does the official repo also include point releases to 4.2.x or only 4.2.0?

Best,

Dr Christophe Trefois, Dipl.-Ing.
Technical Specialist / Post-Doc

UNIVERSITÉ DU LUXEMBOURG
LUXEMBOURG CENTRE FOR SYSTEMS BIOMEDICINE
Campus Belval | House of Biomedicine
6, avenue du Swing
L-4367 Belvaux
T: +352 46 66 44 6124
F: +352 46 66 44 6949
http://www.uni.lu/lcsb

----
This message is confidential and may contain privileged information. It is intended for the named recipient only. If you receive it in error please notify me and permanently delete the original message and any copies.
----

From mbasti at redhat.com Wed Jun 29 08:40:55 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 29 Jun 2016 10:40:55 +0200
Subject: [Freeipa-users] CentOS 7 and FreeIPA
In-Reply-To: <10E7592F-4004-46EC-9839-63DFDB4E2CF0@uni.lu>
References: <2EBB29CB9A8F494FB5253F6AF2E6A1981DAD95D0@hoshi.uni.lux> <3e19009e-1a44-c2f7-fb36-9669854068b0@redhat.com> <10E7592F-4004-46EC-9839-63DFDB4E2CF0@uni.lu>
Message-ID: <480910d6-59d2-c34f-bc6d-08f65bad973a@redhat.com>

On 29.06.2016 10:39, Christophe TREFOIS wrote:
> Hi Martin,
>
> But does the official repo also include point releases to 4.2.x or
> only 4.2.0?

It is 4.2.0 with tons of backported patches from 4.2.x, it is not too much different from 4.2.x

Martin

From christophe.trefois at uni.lu Wed Jun 29 08:41:41 2016
From: christophe.trefois at uni.lu (Christophe TREFOIS)
Date: Wed, 29 Jun 2016 08:41:41 +0000
Subject: [Freeipa-users] CentOS 7 and FreeIPA
In-Reply-To: <480910d6-59d2-c34f-bc6d-08f65bad973a@redhat.com>
References: <2EBB29CB9A8F494FB5253F6AF2E6A1981DAD95D0@hoshi.uni.lux> <3e19009e-1a44-c2f7-fb36-9669854068b0@redhat.com> <10E7592F-4004-46EC-9839-63DFDB4E2CF0@uni.lu> <480910d6-59d2-c34f-bc6d-08f65bad973a@redhat.com>
Message-ID:

Ah so 4.2.0 gets regular updates backported from the minor point releases? Good to know :))

Kind regards,
Christophe

From rmj at ast.cam.ac.uk Wed Jun 29 17:05:11 2016
From: rmj at ast.cam.ac.uk (Roderick Johnstone)
Date: Wed, 29 Jun 2016 18:05:11 +0100
Subject: [Freeipa-users] How to unset a user's kerberos principal expiration date?
Message-ID:

Hi

If I set a kerberos principal for a user to expire on a given date using:

ipa user-mod --principal-expiration=DATE

is it possible to later remove this expiration date rather than just set it to a time far in the future?
Thanks

Roderick Johnstone

From ladner.danila at gmail.com Wed Jun 29 19:33:34 2016
From: ladner.danila at gmail.com (Danila Ladner)
Date: Wed, 29 Jun 2016 15:33:34 -0400
Subject: [Freeipa-users] Freeipa and spacewalk integration.
Message-ID:

Hello Folks.

I am stuck at this task integrating spacewalk freeipa authorization.

I have followed these docs from spacewalk to enable web authentication with FreeIPA:

https://fedorahosted.org/spacewalk/wiki/SpacewalkAndIPA

I did all the steps above and am trying to authenticate with the user I do not have in the internal spacewalk database, but sssd ifp with sssd_dbus should help me with that.

My configs:

sssd.conf:

[domain/lon1.veliosystems.com]
ldap_user_extra_attrs = mail, givenname, sn, ou
cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = VELIOSYSTEMS.COM
ipa_domain = lon1.veliosystems.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = spcwlk1.lon1.veliosystems.com
chpass_provider = ipa
ipa_server = _srv_, ipa1.sec1.veliosystems.com
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 9

[sssd]
services = nss, pam, ssh, sudo, ifp
config_file_version = 2
domains = lon1.veliosystems.com
debug_level = 9

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]
allowed_uids = apache, root
user_attributes = +mail, +givenname, +sn
debug_level = 9

[root at spcwlk1.lon1 conf.d]#

When I try to login to the Spacewalk UI my pam auth passes as you can see from /var/log/httpd/ssl_error.log:

[Wed Jun 29 19:12:42 2016] [warn] mod_authnz_pam: PAM account validation failed for user admin: Permission denied
[Wed Jun 29 19:20:33 2016] [notice] mod_authnz_pam: PAM authentication passed for user dladner

But I see this after entering password: [screenshot attached]

I did enable sssd and sssd_ifp logs and see all the lookups go through; if you need them I can provide them.

The problem is it seems on the step where spacewalk can't create a new user based on Organization Unit name.
I am a little bit lost and firstly asked the Spacewalk community but no one was able to help me.

If anyone has any additional information where I can troubleshoot further, I'd appreciate it.

I have integrated Jenkins UI with LDAP/IPA auth and it works just fine, so I am sure it is not IPA backend, but something in particular with spacewalk httpd modules, but still can't figure out what exactly is the issue.

If anyone has some information or has done a similar integration, I'd appreciate it if you can share it.

Thank you,
Danila Ladner.

[attachment: Screen Shot 2016-06-29 at 3.28.36 PM.png, image/png, 169693 bytes, not available in the archive]

From joannadelaporte at gmail.com Wed Jun 29 20:29:08 2016
From: joannadelaporte at gmail.com (Joanna Delaporte)
Date: Wed, 29 Jun 2016 15:29:08 -0500
Subject: [Freeipa-users] How to migrate users with md5 and sha512 passwords
Message-ID:

I am migrating an NIS domain to IPA. I have attempted to follow the instructions for NIS account crypted password migration, but I haven't yet successfully used password authentication to log in to remote machines. The instructions expect I would migrate DES-encrypted passwords, but I have a mixture of md5 and sha512-encrypted passwords. Do I need to follow a different process, or am I chasing the wrong problem? This is my first IPA realm.

--
Joanna Delaporte
Linux Systems Administrator | Parkland College
joannadelaporte at gmail.com

From bahanw042014 at gmail.com Thu Jun 30 06:54:16 2016
From: bahanw042014 at gmail.com (bahan w)
Date: Thu, 30 Jun 2016 08:54:16 +0200
Subject: [Freeipa-users] How to deactivate automatic kinit at ssh login ?
Message-ID:

Hello !

I'm using freeipa 3.0.0-47.

I send you this mail concerning the automatic kinit at ssh login.
I wanted to know if it was possible to deactivate it on a specific server?

The reason is that I have some users who often use another ticket than their own and this feature can be annoying for them.

BR.

Bahan

From dkupka at redhat.com Thu Jun 30 07:21:48 2016
From: dkupka at redhat.com (David Kupka)
Date: Thu, 30 Jun 2016 09:21:48 +0200
Subject: [Freeipa-users] How to unset a user's kerberos principal expiration date?
In-Reply-To:
References:
Message-ID:

On 29/06/16 19:05, Roderick Johnstone wrote:
> Hi
>
> If I set a kerberos principal for a user to expire on a given date using:
> ipa user-mod --principal-expiration=DATE
> is it possible to later remove this expiration date rather than just set
> it to a time far in the future?
>
> Thanks
>
> Roderick Johnstone
>

Hello Roderick,

AFAIK the only way to remove principal expiration at the moment is to remove the krbPrincipalExpiration attribute from the user entry in DS.

$ kinit admin
Password for admin at EXAMPLE.ORG
$ ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: admin at EXAMPLE.ORG
SASL SSF: 56
SASL data security layer installed.
dn:uid=tuser,cn=users,cn=accounts,dc=example,dc=org
changetype: modify
delete: krbprincipalexpiration

modifying entry "uid=tuser,cn=users,cn=accounts,dc=example,dc=org"

I think that it makes sense to expose this in the API. Could you please file an RFE (https://fedorahosted.org/freeipa/newticket)?

--
David Kupka

From dev at mdfive.dz Thu Jun 30 09:28:20 2016
From: dev at mdfive.dz (dev at mdfive.dz)
Date: Thu, 30 Jun 2016 11:28:20 +0200
Subject: [Freeipa-users] FreeIPA (directory service) Crash several times a day
Message-ID: <784da53eb961923c346a2f6a14e4e934@mdfive.dz>

Hi,

The Directory Service crashes several times a day.
It's installed on a CentOS 7 VM:

Installed Packages
Name : ipa-server
Arch : x86_64
Version : 4.2.0

# ipactl status
Directory Service: STOPPED
krb5kdc Service: RUNNING
kadmin Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

Before each crash, I have these messages in /var/log/dirsrv/slapd-XXXXX/errors:

[30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - [file encoding.c, line 171]: generating kerberos keys failed [Invalid argument]
[30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file encoding.c, line 225]: key encryption/encoding failed

Any help?
Best regards

From jpazdziora at redhat.com Thu Jun 30 10:09:13 2016
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Thu, 30 Jun 2016 12:09:13 +0200
Subject: [Freeipa-users] Freeipa and spacewalk integration.
In-Reply-To:
References:
Message-ID: <20160630100913.GB10043@redhat.com>

On Wed, Jun 29, 2016 at 03:33:34PM -0400, Danila Ladner wrote:
> Hello Folks.
>
> I am stuck at this task integrating spacewalk freeipa authorization.
>
> I have followed this docs from spacewalk to enable web authentication with
> FreeIPA:
>
> https://fedorahosted.org/spacewalk/wiki/SpacewalkAndIPA
>
> I did all the steps above and trying to authenticate with the user I do not
> have in the internal spacewalk database, but ssd ifp with sssd_dbus should
> help me with that.

[...]

> I did enabled sssd and sssd_ifp logs and see all the lookups go through if
> you need them i can provide them.
> The problem is it seems on the step where spacewalk can't create a new user
> based on Organization Unit name.
> I am a little bit lost and firstly asked Spacewalk community but no one was
> able to help me.
> If anyone has any additional information where can I troubleshoot further,
> i'd appreciate it.
> I have integrated Jenkins UI with LDAP/IPA auth and it
> works just fine, so I am sure it is not IPA backend, but something in
> particular with spacewalk httpd modules, but still can't figure out what
> exactly is the issue.
> If anyone have some information or done similar integration, i'd appreciate
> if you can share it.

What Spacewalk version and what OS and version is this?

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From tomek at pipebreaker.pl Thu Jun 30 10:11:08 2016
From: tomek at pipebreaker.pl (Tomasz Torcz)
Date: Thu, 30 Jun 2016 12:11:08 +0200
Subject: [Freeipa-users] Multiple issues (weblogin, DNS) with 4.3.1
In-Reply-To: <576AA008.9040100@redhat.com>
References: <20160527122848.GA333519@mother.pipebreaker.pl> <5763C3A6.3050802@redhat.com> <20160618171354.GA439585@mother.pipebreaker.pl> <57660B3F.2010308@redhat.com> <20160620080714.GA275278@mother.pipebreaker.pl> <57697B8B.3020600@redhat.com> <20160622082812.GA1285792@mother.pipebreaker.pl> <576AA008.9040100@redhat.com>
Message-ID: <20160630101107.GA1478857@mother.pipebreaker.pl>

On Wed, Jun 22, 2016 at 10:26:16AM -0400, Rob Crittenden wrote:
> Tomasz Torcz wrote:
> > On Tue, Jun 21, 2016 at 01:38:19PM -0400, Rob Crittenden wrote:
> > > > > > [Sat Jun 18 18:59:11.337717 2016] [wsgi:error] [pid 748083] CertificateOperationError: Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)
> > > > > > [Sat Jun 18 18:59:11.337770 2016] [wsgi:error] [pid 748083]
> > > > > > [Sat Jun 18 18:59:11.338805 2016] [wsgi:error] [pid 748083] ipa: INFO: [jsonserver_session] admin at PIPEBREAKER.PL: cert_find(version=u'2.164'): CertificateOperationError
> > > > > >
> > > > > > How to fix those?
> > > > >
> > > > > You'll need to look at the dogtag debug log for the reason it threw a 500,
> > > > > it's in /var/log/pki-tomcat/ca or something close to that.
> > > >
> > > > I've looked into the logs but I'm not wiser.
> > > > Is there a setting to get
> > > > rid of java traceback from logs and get more useful messages? There seem
> > > > to be a problem with SSL connection to port 636, maybe because it seems to use
> > > > expired certificate?
> > >
> > > Not that I know of. The debug log is sure a firehose but you've identified
> > > the problem.
> > >
> > > > $ echo | openssl s_client -connect okda.pipebreaker.pl:636 | openssl x509 -noout
> > > > depth=1 O = PIPEBREAKER.PL, CN = Certificate Authority
> > > > verify return:1
> > > > depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
> > > > verify error:num=10:certificate has expired
> > > > notAfter=Nov 17 12:19:28 2015 GMT
> > > > verify return:1
> > > > depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
> > > > notAfter=Nov 17 12:19:28 2015 GMT
> > > > verify return:1
> > > > DONE
> > >
> > > Run getcert list and look at the expiration dates. What you want to do is
> > > kill ntpd, set the date back to say a week before the oldest date, restart
> > > the dirsrv, restart the pki-tomcat/pki-cad service then restart certmonger.
> > > This should force a renewal attempt.
>
> What you need to do is setup certmonger to track all the certificates
> properly and get things renewed. I'm away from my desk so can't provide any
> instructions on how to do this and they depend on whether or not this
> machine is the renewal master.

I've used instructions from https://www.redhat.com/archives/freeipa-users/2015-October/msg00174.html to remind certmonger about other certificates.
I had to adjust paths:

-d /var/lib/pki/pki-tomcat/alias/
-B /usr/libexec/ipa/certmonger/stop_pkicad

and

-C '/usr/libexec/ipa/certmonger/renew_ca_cert "${nickname}"'

I've rolled back time and I'm waiting for certmonger to refresh those certs:

Request ID '20160630083224':
        status: MONITORING
        subject: CN=CA Audit,O=PIPEBREAKER.PL
        expires: 2015-11-06 09:42:50 UTC
Request ID '20160630083226':
        status: MONITORING
        subject: CN=CA Subsystem,O=PIPEBREAKER.PL
        expires: 2015-11-06 09:42:49 UTC
Request ID '20160630083227':
        status: MONITORING
        subject: CN=okda.pipebreaker.pl,O=PIPEBREAKER.PL
        expires: 2017-10-25 15:20:52 UTC

root at okda ca$ date
Thu Nov 5 11:39:41 CET 2015

It's been 2 hours and certificates are still not refreshed.

> > P.S. Unfortunately https://fedorahosted.org/pki/ticket/1752 (Renewing already expired CA certificate) didn't
> > make into FreeIPA 4.4.0 alpha. :-(
>
> This is unrelated. I seriously doubt your CA is near expiration (my guess is
> it expires in 2033).

I'm not sure about CA certificate itself, but "CA Subsystem" certificate is expired. As far as I understand, 1752 is about refreshing certs by going directly through socket, mitigating expired certificates.

--
Tomasz Torcz                 "Funeral in the morning, IDE hacking
xmpp: zdzichubg at chrome.pl    in the afternoon and evening." - Alan Cox

From lkrispen at redhat.com Thu Jun 30 10:13:03 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Thu, 30 Jun 2016 12:13:03 +0200
Subject: [Freeipa-users] FreeIPA (directory service) Crash several times a day
In-Reply-To: <784da53eb961923c346a2f6a14e4e934@mdfive.dz>
References: <784da53eb961923c346a2f6a14e4e934@mdfive.dz>
Message-ID: <5774F0AF.5010407@redhat.com>

can you get a core file ?
http://www.port389.org/docs/389ds/FAQ/faq.html#debug_crashes

On 06/30/2016 11:28 AM, dev at mdfive.dz wrote:
> Hi,
>
> The Directory Services crashes several times a day.
> It's installed on
> CentOS 7 VM :
>
> Installed Packages
> Name : ipa-server
> Arch : x86_64
> Version : 4.2.0
>
> # ipactl status
> Directory Service: STOPPED
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
>
> Before each crash, I have these messages in
> /var/log/dirsrv/slapd-XXXXX/errors :
>
> [30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - [file
> encoding.c, line 171]: generating kerberos keys failed [Invalid argument]
> [30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file encoding.c,
> line 225]: key encryption/encoding failed
>
>
> Any help?
> Best regards
>

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander

From dev at mdfive.dz Thu Jun 30 10:34:42 2016
From: dev at mdfive.dz (dev at mdfive.dz)
Date: Thu, 30 Jun 2016 12:34:42 +0200
Subject: [Freeipa-users] FreeIPA (directory service) Crash several times a day
In-Reply-To: <5774F0AF.5010407@redhat.com>
References: <784da53eb961923c346a2f6a14e4e934@mdfive.dz> <5774F0AF.5010407@redhat.com>
Message-ID: <0d3184fb5973cce835c00657a885e6f0@mdfive.dz>

Hi,

There is no 389-ds-base-debuginfo in repos

# yum search debug-info | sort | head

0install-debuginfo.x86_64 : Debug information for package 0install
2048-cli-debuginfo.x86_64 : Debug information for package 2048-cli
389-admin-debuginfo.x86_64 : Debug information for package 389-admin
389-adminutil-debuginfo.x86_64 : Debug information for package 389-adminutil
3proxy-debuginfo.x86_64 : Debug information for package 3proxy
aalib-debuginfo.x86_64 : Debug information for package aalib
abduco-debuginfo.x86_64 : Debug information for package abduco
activemq-cpp-debuginfo.x86_64 : Debug information for package activemq-cpp
admesh-debuginfo.x86_64 : Debug information for package admesh
advancecomp-debuginfo.x86_64 : Debug information for package advancecomp

Regards

On 2016-06-30 12:13, Ludwig Krispenz wrote:
> can you get a core file ?
> http://www.port389.org/docs/389ds/FAQ/faq.html#debug_crashes
From dev at mdfive.dz Thu Jun 30 10:52:42 2016
From: dev at mdfive.dz (dev at mdfive.dz)
Date: Thu, 30 Jun 2016 12:52:42 +0200
Subject: [Freeipa-users] FreeIPA (directory service) Crash several times a day
Message-ID:

Ok, for centos 7 I installed it with:

yum install -y --enablerepo=base-debuginfo 389-ds-base-debuginfo

I'll be back once I get a core file

Regards
From rob.verduijn at gmail.com Thu Jun 30 11:22:34 2016
From: rob.verduijn at gmail.com (Rob Verduijn)
Date: Thu, 30 Jun 2016 13:22:34 +0200
Subject: [Freeipa-users] what is the best way to create a search account
Message-ID:

Hello,

What would be the most appropriate way to create a search account so that a third party tool (wildfly) can use it to search the ipa domain for credentials ?

Cheers
Rob
URL: 

From tomek at pipebreaker.pl Thu Jun 30 11:59:25 2016
From: tomek at pipebreaker.pl (Tomasz Torcz)
Date: Thu, 30 Jun 2016 13:59:25 +0200
Subject: [Freeipa-users] what is the best way to create a search account
In-Reply-To: 
References: 
Message-ID: <20160630115925.GB1478857@mother.pipebreaker.pl>

On Thu, Jun 30, 2016 at 01:22:34PM +0200, Rob Verduijn wrote:
> Hello,
>
>
> What would be the most appropriate way to create a search account so that a
> third party tool (wildfly) can use it to search the ipa domain for
> credentials ?

  I guess http://www.freeipa.org/page/HowTo/LDAP#System_Accounts

-- 
Tomasz Torcz                   "Funeral in the morning, IDE hacking
xmpp: zdzichubg at chrome.pl      in the afternoon and evening." - Alan Cox

From dev at mdfive.dz Thu Jun 30 12:27:30 2016
From: dev at mdfive.dz (dev at mdfive.dz)
Date: Thu, 30 Jun 2016 14:27:30 +0200
Subject: [Freeipa-users] FreeIPA (directory service) Crash several times a day
In-Reply-To: <5774F0AF.5010407@redhat.com>
References: <784da53eb961923c346a2f6a14e4e934@mdfive.dz> <5774F0AF.5010407@redhat.com>
Message-ID: <9b5b49d0143f82b1cf3f17691a7c471a@mdfive.dz>

Hi,

Please find strace on a core file : http://pastebin.com/v9cUzau4

Regards

On 2016-06-30 12:13, Ludwig Krispenz wrote:
> can you get a core file ?
> http://www.port389.org/docs/389ds/FAQ/faq.html#debug_crashes
>
>
> On 06/30/2016 11:28 AM, dev at mdfive.dz wrote:
>> Hi,
>>
>> The Directory Services crashes several times a day. It's installed on
>> CentOS 7 VM :
>>
>> Installed Packages
>> Name : ipa-server
>> Arch : x86_64
>> Version : 4.2.0
>>
>> # ipactl status
>> Directory Service: STOPPED
>> krb5kdc Service: RUNNING
>> kadmin Service: RUNNING
>> ipa_memcached Service: RUNNING
>> httpd Service: RUNNING
>> pki-tomcatd Service: RUNNING
>> ipa-otpd Service: RUNNING
>> ipa: INFO: The ipactl command was successful
>>
>>
>> Before each crash, I have these messages in /var/log/dirsrv/slapd-XXXXX/errors :
>>
>> [30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - [file encoding.c, line 171]: generating kerberos keys failed [Invalid argument]
>> [30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file encoding.c, line 225]: key encryption/encoding failed
>>
>>
>> Any help?
>> Best regards
>>
>
> --
> Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
> Commercial register: Amtsgericht Muenchen, HRB 153243,
> Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander

From natxo.asenjo at gmail.com Thu Jun 30 12:36:24 2016
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Thu, 30 Jun 2016 14:36:24 +0200
Subject: [Freeipa-users] what is the best way to create a search account
In-Reply-To: 
References: 
Message-ID: 

hi Rob,

On Thu, Jun 30, 2016 at 1:22 PM, Rob Verduijn wrote:
> Hello,
>
>
> What would be the most appropriate way to create a search account so that
> a third party tool (wildfly) can use it to search the ipa domain for
> credentials ?
>

I just create a normal account. We rotate passwords on a regular basis, but
you could just set the krbpasswordexpiration attribute far in the future.

-- 
Groeten,
natxo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From lkrispen at redhat.com Thu Jun 30 12:45:31 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Thu, 30 Jun 2016 14:45:31 +0200
Subject: [Freeipa-users] FreeIPA (directory service) Crash several times a day
In-Reply-To: <9b5b49d0143f82b1cf3f17691a7c471a@mdfive.dz>
References: <784da53eb961923c346a2f6a14e4e934@mdfive.dz> <5774F0AF.5010407@redhat.com> <9b5b49d0143f82b1cf3f17691a7c471a@mdfive.dz>
Message-ID: <5775146B.6000104@redhat.com>

On 06/30/2016 02:27 PM, dev at mdfive.dz wrote:
> Hi,
>
> Please find strace on a core file : http://pastebin.com/v9cUzau4
The crash is in an IPA plugin, ipa_pwd_extop. To get a better stack you
would have to install also the debuginfo for ipa-server, and then someone
familiar with this plugin should look into it.
>
> Regards
>
>
> On 2016-06-30 12:13, Ludwig Krispenz wrote:
>> can you get a core file ?
>> http://www.port389.org/docs/389ds/FAQ/faq.html#debug_crashes
>>
>>
>> On 06/30/2016 11:28 AM, dev at mdfive.dz wrote:
>>> Hi,
>>>
>>> The Directory Services crashes several times a day. It's installed
>>> on CentOS 7 VM :
>>>
>>> Installed Packages
>>> Name : ipa-server
>>> Arch : x86_64
>>> Version : 4.2.0
>>>
>>> # ipactl status
>>> Directory Service: STOPPED
>>> krb5kdc Service: RUNNING
>>> kadmin Service: RUNNING
>>> ipa_memcached Service: RUNNING
>>> httpd Service: RUNNING
>>> pki-tomcatd Service: RUNNING
>>> ipa-otpd Service: RUNNING
>>> ipa: INFO: The ipactl command was successful
>>>
>>>
>>> Before each crash, I have these messages in /var/log/dirsrv/slapd-XXXXX/errors :
>>>
>>> [30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - [file encoding.c, line 171]: generating kerberos keys failed [Invalid argument]
>>> [30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file encoding.c, line 225]: key encryption/encoding failed
>>>
>>>
>>> Any help?
>>> Best regards
>>>
>>
>> --
>> Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
>> Commercial register: Amtsgericht Muenchen, HRB 153243,
>> Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander

-- 
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander

From ryan.clough at decisionsciences.com Fri Jun 24 22:36:22 2016
From: ryan.clough at decisionsciences.com (Clough, Ryan)
Date: Fri, 24 Jun 2016 15:36:22 -0700
Subject: [Freeipa-users] 7.x replica install from 6.x master fails
In-Reply-To: <57110E97.7060802@redhat.com>
References: <56FA5C2F.3070200@redhat.com> <570674EC.1060204@redhat.com> <5710F563.1050507@redhat.com> <57110E97.7060802@redhat.com>
Message-ID: 

I too ran into this issue of certificate serial mismatch. Just wanted to
shoot a note thanking the two of you for helping. Your questions and
answers were very well articulated and very detailed. I used the info in
this thread to get my replica installed.

Thank you! =)

___________________________________________
Ryan Clough
Information Systems
Decision Sciences

On Fri, Apr 15, 2016 at 8:53 AM, Petr Vobornik wrote:
> On 04/15/2016 05:13 PM, Ott, Dennis wrote:
> > My master began life as OS 6.2 / IPA 2.1.3 / pki-9.0.3 and does not have a cert database at:
> >
> > /etc/pki/pki-tomcat/alias
> >
> > At:
> >
> > /var/lib/pki-ca/alias
>
> right
>
> >
> > subsystemCert cert-pki-ca has a serial number of 18 (0x12)
> >
> > At:
> >
> > uid=CA-$HOST-8443,ou=people,o=ipaca
> >
> > the certificate has a serial number of 4.
> >
> >
> > What is the best way to fix this?
> >
> > If it matters, the master installation is old enough to have had its certs auto-renewed.
>
> Yes, certs were renewed but the PKI user entry was not which causes the
> issue. This has been seen on very old IPA installations.
>
> 1) Login into IPA Master (RHEL 6) - as root.
>
> 2) Redirect "subsystemCert cert-pki-ca" to a file.
>
> # certutil -L -d /var/lib/pki-ca/alias/ -n "subsystemCert cert-pki-ca" -a > /tmp/subsystemcert.pem
>
> 3) Drop the header/footer and combine this into a single line.
>
> # echo && cat /tmp/subsystemcert.pem | sed -rn '/^-----BEGIN CERTIFICATE-----$/{:1;n;/^-----END CERTIFICATE-----$/b2;H;b1};:2;${x;s/\s//g;p}'
>
> 4) String generated in step 3 needs to be added under attribute "usercertificate;binary:" below.
>
>
> ===================================================================================
> # ldapmodify -x -h 127.0.0.1 -p 7389 -D 'cn=Directory Manager' -W << EOF
> dn: uid=CA-ptipa1.example.com-9443,ou=people,o=ipaca
> changetype: modify
> add: usercertificate;binary
> usercertificate;binary: MIIDyTCCAr..Y4EKCneFA== <-- ADD the full string from step 3.
> -
> replace: description
> description: 2;18;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM
> EOF
>
> ===================================================================================
>
> Note: the description field attribute has format:
> ::: subjectdn>
>
>
> 5) Once the above command is successful restart IPA service
>
> # service ipa restart
>
> 6) Check if the mapping is now correct.
>
> # pki-server ca-user-show CA-ptipa1.example.com-9443 | egrep "User ID|Description"
>
> >
> > Dennis
> >
> >
> > -----Original Message-----
> > From: Petr Vobornik [mailto:pvoborni at redhat.com]
> > Sent: Friday, April 15, 2016 10:06 AM
> > To: Ott, Dennis; Freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
> >
> > On 04/15/2016 03:51 PM, Ott, Dennis wrote:
> >> Looks like we're out of ideas.
> >>
> >> I'll proceed with Plan B.
> >>
> >
> > A possibility is also to check if
> >
> > Serial number of
> >
> > certutil -d /etc/pki/pki-tomcat/alias -L -n 'subsystemCert cert-pki-ca'
> >
> > matches serial number of the cert below (4) and if
> >
> > uid=CA-$HOST-8443,ou=people,o=ipaca
> >
> > has actually the same cert in userCertificate attribute
> >
> > Or maybe to do the same with other PKI users in ou=people,o=ipaca
> >
> >> -----Original Message-----
> >> From: Ott, Dennis
> >> Sent: Monday, April 11, 2016 12:27 PM
> >> To: Ott, Dennis; Petr Vobornik; Freeipa-users at redhat.com
> >> Subject: RE: [Freeipa-users] 7.x replica install from 6.x master fails
> >>
> >> As a test, I attempted to do a replica install on a Fedora 23 machine. It fails with the same error.
> >>
> >> Dennis
> >>
> >>
> >>
> >> -----Original Message-----
> >> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ott, Dennis
> >> Sent: Thursday, April 07, 2016 5:39 PM
> >> To: Petr Vobornik; Freeipa-users at redhat.com
> >> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
> >>
> >> It doesn't look like that is my problem.
> >> The output of pki-server ca-group-member-find "Subsystem Group" gives:
> >>
> >>
> >> User ID: CA-ptipa1.example.com-9443
> >> Common Name: CA-ptipa1.example.com-9443
> >> Surname: CA-ptipa1.example.com-9443
> >> Type: agentType
> >> Description: 2;4;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM
> >> E-mail:
> >>
> >> All the certs seem valid:
> >>
> >> # getcert list | grep expires
> >> expires: 2017-07-18 00:55:14 UTC
> >> expires: 2017-07-18 00:54:14 UTC
> >> expires: 2017-07-18 00:54:14 UTC
> >> expires: 2017-07-18 00:54:14 UTC
> >> expires: 2017-07-18 00:54:14 UTC
> >> expires: 2017-08-09 00:54:19 UTC
> >> expires: 2017-08-09 00:54:19 UTC
> >> expires: 2017-08-09 00:54:21 UTC
> >> #
> >>
> >> I was wondering if I might be hitting this:
> >>
> >> http://cp.mcafee.com/d/1jWVIi6x8SyMVuXzX0VMSrhhjhupjvvhdEEFELcFKcECPpISHoHZalxOVIsWqehMGDpMQsyGeWOPtfhktZy0GM-xEGYCXslsttJtVNxeSICPpISr9PCJhbctZ2It9RFfQe00UX7_AJKjBoHYYvhjd79IQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoalIl-BaMVsQv6QmhPPzNI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
> >> http://cp.mcafee.com/d/5fHCNEg3zqb3BXKfI3D3pJ55d5VBdZZ4SyyCyYOCUOyrdCPqJyLQFm7bCNPFEV72GtD3hOaEXHbdQZ5hTS82H3W6yHOrJNlNRSRTD64XqOrdCPpIDeqR4INTQaNQDmA_gU03yNmmjBoHYYhod7bVIQh1ysM3d40tY8iEq8zh0qf0XUgBjwNeoalIl-BaMVsQv6QmhPPzNI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
> >>
> >> It says it is fixed in pki 10.2.6. 10.2.6 has been released for Fedora (many months ago), but is not yet available for enterprise.
> >>
> >> Dennis
> >>
> >>
> >>
> >>
> >> -----Original Message-----
> >> From: Petr Vobornik [mailto:pvoborni at redhat.com]
> >> Sent: Thursday, April 07, 2016 10:56 AM
> >> To: Ott, Dennis; Freeipa-users at redhat.com
> >> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
> >>
> >> Sorry for the late response.
> >>
> >> It looks like a bug
> >> http://cp.mcafee.com/d/1jWVIe4xAe3zqb3BXInd7b1EVdCQkkQnCkTTQjqaaqbParza9ISrdGSa_iBosKr7eLqaEF-waI47nQ7LQl8m7f2H3ab0Ggvhv5mtKqek4Q4hPEVwSrdCPpesRG9px1IyaiffTE-wjSvbVgDkMaA6Of08iAwsyCqekhP0US5LD4Qg1CF2IoiaCy0Qub6qAaNx85hZ0DI-nd7NJ5CZNPxI5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
> >> But it should be fixed in pki-core-9.0.3-45.el6_7 so I'm not sure.
> >>
> >> Anyway,
> >> java.io.IOException: 2 actually means authentication failure.
> >>
> >> The authentication problem might be caused by a missing subsystem user
> >> (bug #1225589) and there's already a tool to restore it. However,
> >> before running the script, please run this command on the master to
> >> verify the problem:
> >>
> >> $ pki-server ca-group-member-find "Subsystem Group"
> >>
> >> Ideally it should return a user ID "CA--9443" and the description attribute should contain the subsystem certificate in this format ";;;".
> >>
> >> If that's not the case, please run this tool to restore the subsystem user:
> >>
> >> $ python /usr/share/pki/scripts/restore-subsystem-user.py
> >>
> >> Then run this command again to verify the fix:
> >>
> >> $ pki-server ca-group-member-find "Subsystem Group"
> >>
> >> If everything works well, please try installing the replica again.
> >>
> >> Also verify that all certificates in `getcert list` output are not expired.
> >>
> >>
> >> On 03/31/2016 09:07 PM, Ott, Dennis wrote:
> >>> Petr,
> >>>
> >>> Original 6.x master installed at:
> >>>
> >>> ipa-server-2.1.3-9
> >>>
> >>> pki-ca-9.0.3-20
> >>>
> >>>
> >>> At the time the migration was attempted, the 6.x master had been updated to:
> >>>
> >>> ipa-server-3.0.0-47
> >>>
> >>> pki-ca-9.0.3-45
> >>>
> >>>
> >>> The 7.x replica install has been attempted using a variety of versions.
> >>> The log excerpts at the beginning of this email were from an installation attempt using:
> >>>
> >>> ipa-server-4.2.0-15.0.1
> >>>
> >>> pki-ca-10.2.5-6
> >>>
> >>>
> >>> It's a standard CA installation. This line is from /var/log/ipaserverinstall.log showing selfsign as False:
> >>>
> >>> 2013-09-04T18:41:20Z DEBUG /usr/sbin/ipa-server-install was invoked with options: {'zone_refresh': 0, 'reverse_zone': None, 'realm_name': None, 'create_sshfp': True, 'conf_sshd': False, 'conf_ntp': False, 'subject': None, 'no_forwarders': False, 'persistent_search': True, 'ui_redirect': True, 'domain_name': None, 'idmax': 0, 'hbac_allow': True, 'no_reverse': False, 'dirsrv_pkcs12': None, 'unattended': False, 'selfsign': False, 'trust_sshfp': False, 'external_ca_file': None, 'no_host_dns': False, 'http_pkcs12': None, 'zone_notif': False, 'forwarders': None, 'idstart': 900000000, 'external_ca': False, 'ip_address': None, 'conf_ssh': False, 'serial_autoincrement': True, 'zonemgr': None, 'setup_dns': False, 'host_name': None, 'debug': False, 'external_cert_file': None, 'uninstall': False}
> >>> 2013-09-04T18:41:20Z DEBUG missing options might be asked for interactively later
> >>>
> >>>
> >>> -----Original Message-----
> >>> From: Petr Vobornik [mailto:pvoborni at redhat.com]
> >>> Sent: Tuesday, March 29, 2016 6:43 AM
> >>> To: Ott, Dennis; Freeipa-users at redhat.com
> >>> Subject: Re: [Freeipa-users] 7.x replica install from 6.x master fails
> >>>
> >>> On 03/24/2016 04:29 PM, Ott, Dennis wrote:
> >>>> I am trying to migrate from OS 6.x / IPA 3.0 to OS 7.x / IPA 4.x.
> >>>> After working through and solving a few issues, my current efforts
> >>>> fail when setting up the replica CA.
> >>>>
> >>>> If I set up a new, pristine master on OS 6.7, I am able to create an
> >>>> OS 7.x replica without any problem. However, if I try to create a
> >>>> replica from my two year old test lab instance (production will be
> >>>> another matter for the future) it fails. The test lab master was
> >>>> created a couple of years ago on OS 6.3 / IPA 2.x and has been
> >>>> upgraded to the latest versions in the 6.x chain. It is old enough
> >>>> to have had all the certificates renewed, but I believe I have worked
> >>>> through all the issues related to that.
> >>>>
> >>>> Below is what I believe are the useful portions of the pertinent logs.
> >>>> I've not been able to find anything online that speaks to the errors
> >>>> I am seeing.
> >>>>
> >>>> Thanks for your help.
> >>>
> >>> Hello Dennis,
> >>>
> >>> what are the exact versions of pki-ca and ipa-server on the 6.x master and 7.x replica?
> >>>
> >>> What kind of CA installation does the old 6.x master install have? Is standard installation with CA or does it also use external CA?
> >>>
> >>> I assume it is not self-sign (very old unsupported type, which could be converted in 7.x as CA-less).
> >>>
> >>>>
> >>>> /var/log/ipareplica-install.log
> >>>>
> >>>> 2016-03-23T21:55:11Z DEBUG Configuring certificate server (pki-tomcatd).
> >>>> Estimated time: 3 minutes 30 seconds
> >>>>
> >>>> 2016-03-23T21:55:11Z DEBUG [1/23]: creating certificate server user
> >>>> 2016-03-23T21:55:11Z DEBUG group pkiuser exists
> >>>> 2016-03-23T21:55:11Z DEBUG user pkiuser exists
> >>>> 2016-03-23T21:55:11Z DEBUG duration: 0 seconds
> >>>> 2016-03-23T21:55:11Z DEBUG [2/23]: configuring certificate server instance
> >>>> 2016-03-23T21:55:11Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
> >>>> 2016-03-23T21:55:11Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
> >>>> 2016-03-23T21:55:11Z DEBUG Contents of pkispawn configuration file (/tmp/tmpGQ59ZC):
> >>>>
> >>>> [CA]
> >>>> pki_security_domain_name = IPA
> >>>> pki_enable_proxy = True
> >>>> pki_restart_configured_instance = False
> >>>> pki_backup_keys = True
> >>>> pki_backup_password = XXXXXXXX
> >>>> pki_profiles_in_ldap = True
> >>>> pki_client_database_dir = /tmp/tmp-g0CKZ3
> >>>> pki_client_database_password = XXXXXXXX
> >>>> pki_client_database_purge = False
> >>>> pki_client_pkcs12_password = XXXXXXXX
> >>>> pki_admin_name = admin
> >>>> pki_admin_uid = admin
> >>>> pki_admin_email = root at localhost
> >>>> pki_admin_password = XXXXXXXX
> >>>> pki_admin_nickname = ipa-ca-agent
> >>>> pki_admin_subject_dn = cn=ipa-ca-agent,O=EXAMPLE.COM
> >>>> pki_client_admin_cert_p12 = /root/ca-agent.p12
> >>>> pki_ds_ldap_port = 389
> >>>> pki_ds_password = XXXXXXXX
> >>>> pki_ds_base_dn = o=ipaca
> >>>> pki_ds_database = ipaca
> >>>> pki_subsystem_subject_dn = cn=CA Subsystem,O=EXAMPLE.COM
> >>>> pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=EXAMPLE.COM
> >>>> pki_ssl_server_subject_dn = cn=pt-idm-vm01.example.com,O=EXAMPLE.COM
> >>>> pki_audit_signing_subject_dn = cn=CA Audit,O=EXAMPLE.COM
> >>>> pki_ca_signing_subject_dn = cn=Certificate Authority,O=EXAMPLE.COM
> >>>> pki_subsystem_nickname = subsystemCert cert-pki-ca
> >>>> pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
> >>>> pki_ssl_server_nickname = Server-Cert cert-pki-ca
> >>>> pki_audit_signing_nickname = auditSigningCert cert-pki-ca
> >>>> pki_ca_signing_nickname = caSigningCert cert-pki-ca
> >>>> pki_ca_signing_key_algorithm = SHA256withRSA
> >>>> pki_security_domain_hostname = ptipa1.example.com
> >>>> pki_security_domain_https_port = 443
> >>>> pki_security_domain_user = admin
> >>>> pki_security_domain_password = XXXXXXXX
> >>>> pki_clone = True
> >>>> pki_clone_pkcs12_path = /tmp/ca.p12
> >>>> pki_clone_pkcs12_password = XXXXXXXX
> >>>> pki_clone_replication_security = TLS
> >>>> pki_clone_replication_master_port = 7389
> >>>> pki_clone_replication_clone_port = 389
> >>>> pki_clone_replicate_schema = False
> >>>> pki_clone_uri = http://cp.mcafee.com/d/k-Kr6zqb3VEVjouhuodCQkkQnCkTTQjqaaqbParza9ISrdGSa_iBosKrKVXMGgog82KA1N1BeTyH93t5m7hOoHH3b8GOxvQd8e89K8CPpISr9PCJhbcmD9rkuYf21_YLxIbve9Ew3di5oMAld41EYmcR8lz2gazW1fpYKqfzqaabyr1I5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
> >>>>
> >>>> 2016-03-23T21:55:11Z DEBUG Starting external process
> >>>> 2016-03-23T21:55:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC'
> >>>> 2016-03-23T21:56:51Z DEBUG Process finished, return code=1
> >>>> 2016-03-23T21:56:51Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160323175511.log
> >>>>
> >>>> Loading deployment configuration from /tmp/tmpGQ59ZC.
> >>>>
> >>>> Installing CA into /var/lib/pki/pki-tomcat.
> >>>>
> >>>> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
> >>>>
> >>>> Installation failed.
> >>>>
> >>>> 2016-03-23T21:56:51Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: http://cp.mcafee.com/d/5fHCNAi6hESyM-qekS7AnC3pJ55d5VBdZZ4SyyCyYOCUOyrdCPqJyLQFm7bCXKuYaA6420HF0sgpjJUGOgThlxQsCaWMOOaIEnZ3i3y2ry9ISrdCOsVHkiP6UDDO8cZ7ZgCjZ2JGs01PUovI_FfavpKcFBK1NIbve9Ew3di5oMAld41EYmcR8lz2gazW1fpYKqfzqaabyr1I5-Aq83iSbN_VbqnrFYq6BQQg3K3Ph17RzVmQQgixiuDDCy1Sdljh0VMuq85tFfUCy1Tp7QdK8CQPrNKVJUSyrh
> >>>>   InsecureRequestWarning)
> >>>>
> >>>> pkispawn    : WARNING  ....... unable to validate security domain user/password through REST interface. Interface not available
> >>>> pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
> >>>> pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error while updating security domain: java.io.IOException: 2"}
> >>>>
> >>>> 2016-03-23T21:56:51Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpGQ59ZC'' returned non-zero exit status 1
> >>>> 2016-03-23T21:56:51Z CRITICAL See the installation logs and the following files/directories for more information:
> >>>> 2016-03-23T21:56:51Z CRITICAL /var/log/pki-ca-install.log
> >>>> 2016-03-23T21:56:51Z CRITICAL /var/log/pki/pki-tomcat
> >>>> 2016-03-23T21:56:51Z DEBUG Traceback (most recent call last):
> >>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
> >>>>     run_step(full_msg, method)
> >>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
> >>>>     method()
> >>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance
> >>>>     DogtagInstance.spawn_instance(self, cfg_file)
> >>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
> >>>>     self.handle_setup_error(e)
> >>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
> >>>>     raise RuntimeError("%s configuration failed." % self.subsystem)
> >>>> RuntimeError: CA configuration failed.
> >>>>
> >>>> 2016-03-23T21:56:51Z DEBUG [error] RuntimeError: CA configuration failed.
> >>>>
> >>>> 2016-03-23T21:56:51Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
> >>>>     return_value = self.run()
> >>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, in run
> >>>>     cfgr.run()
> >>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 281, in run
> >>>>     self.execute()
> >>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 303, in execute
> >>>>     for nothing in self._executor():
> >>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
> >>>>     self._handle_exception(exc_info)
> >>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
> >>>>     util.raise_exc_info(exc_info)
> >>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
> >>>>     step()
> >>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
> >>>>     raise_exc_info(exc_info)
> >>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
> >>>>     value = gen.send(prev_value)
> >>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 524, in _configure
> >>>>     executor.next()
> >>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 343, in __runner
> >>>>     self._handle_exception(exc_info)
> >>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in _handle_exception
> >>>>     self.__parent._handle_exception(exc_info)
> >>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
> >>>>     util.raise_exc_info(exc_info)
> >>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 418, in _handle_exception
> >>>>     super(ComponentBase, self)._handle_exception(exc_info)
> >>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 365, in _handle_exception
> >>>>     util.raise_exc_info(exc_info)
> >>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 333, in __runner
> >>>>     step()
> >>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
> >>>>     raise_exc_info(exc_info)
> >>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
> >>>>     value = gen.send(prev_value)
> >>>>   File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
> >>>>     for nothing in self._installer(self.parent):
> >>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 879, in main
> >>>>     install(self)
> >>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 295, in decorated
> >>>>     func(installer)
> >>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 584, in install
> >>>>     ca.install(False, config, options)
> >>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 106, in install
> >>>>     install_step_0(standalone, replica_config, options)
> >>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 130, in install_step_0
> >>>>     ra_p12=getattr(options, 'ra_p12', None))
> >>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1543, in install_replica_ca
> >>>>     subject_base=config.subject_base)
> >>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 486, in configure_instance
> >>>>     self.start_creation(runtime=210)
> >>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
> >>>>     run_step(full_msg, method)
> >>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
> >>>>     method()
> >>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance
> >>>>     DogtagInstance.spawn_instance(self, cfg_file)
> >>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
> >>>>     self.handle_setup_error(e)
> >>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
> >>>>     raise RuntimeError("%s configuration failed." % self.subsystem)
> >>>>
> >>>> 2016-03-23T21:56:51Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: CA configuration failed.
> >>>> 2016-03-23T21:56:51Z ERROR CA configuration failed.
> >>>>
> >>>> /var/log/pki/pki-ca-spawn..log
> >>>>
> >>>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... rm -f /etc/pki/pki-tomcat/ca/noise
> >>>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... rm -f /etc/pki/pki-tomcat/pfile
> >>>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... ln -s /lib/systemd/system/pki-tomcatd at .service /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd at pki-tomcat.service
> >>>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown -h 17:17 /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd at pki-tomcat.service
> >>>> 2016-03-23 17:55:12 pkispawn    : INFO     ... configuring 'pki.server.deployment.scriptlets.configuration'
> >>>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... mkdir -p /root/.dogtag/pki-tomcat/ca
> >>>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chmod 755 /root/.dogtag/pki-tomcat/ca
> >>>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown 0:0 /root/.dogtag/pki-tomcat/ca
> >>>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... generating '/root/.dogtag/pki-tomcat/ca/password.conf'
> >>>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... modifying '/root/.dogtag/pki-tomcat/ca/password.conf'
> >>>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chmod 660 /root/.dogtag/pki-tomcat/ca/password.conf
> >>>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown 0:0 /root/.dogtag/pki-tomcat/ca/password.conf
> >>>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... generating '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
> >>>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... modifying '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
> >>>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chmod 660 /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
> >>>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... chown 17:17 /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
> >>>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... executing 'certutil -N -d /tmp/tmp-g0CKZ3 -f /root/.dogtag/pki-tomcat/ca/password.conf'
> >>>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... executing 'systemctl daemon-reload'
> >>>> 2016-03-23 17:55:12 pkispawn    : INFO     ....... executing 'systemctl start pki-tomcatd at pki-tomcat.service'
> >>>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... No connection - server may still be down
> >>>> 2016-03-23 17:55:12 pkispawn    : DEBUG    ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
> >>>> 2016-03-23 17:55:13 pkispawn    : DEBUG    ........... No connection - server may still be down
> >>>> 2016-03-23 17:55:13 pkispawn    : DEBUG    ........... No connection - exception thrown: ('Connection aborted.', error(111, 'Connection refused'))
> >>>> 2016-03-23 17:55:24 pkispawn    : DEBUG    ........... version="1.0" encoding="UTF-8" standalone="no"?>0CA running10.2.5-6.el7
> >>>> 2016-03-23 17:55:25 pkispawn    : INFO     ....... constructing PKI configuration data.
> >>>> 2016-03-23 17:55:25 pkispawn    : INFO     ....... configuring PKI configuration data.
> >>>> 2016-03-23 17:56:51 pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
> >>>> 2016-03-23 17:56:51 pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error while updating security domain: java.io.IOException: 2"}
> >>>> 2016-03-23 17:56:51 pkispawn    : DEBUG    ....... Error Type: ParseError
> >>>> 2016-03-23 17:56:51 pkispawn    : DEBUG    ....... Error Message: not well-formed (invalid token): line 1, column 0
> >>>> 2016-03-23 17:56:51 pkispawn    : DEBUG    ....... File "/usr/sbin/pkispawn", line 597, in main
> >>>>     rv = instance.spawn(deployer)
> >>>>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 116, in spawn
> >>>>     json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
> >>>>   File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3906, in configure_pki_data
> >>>>     root = ET.fromstring(e.response.text)
> >>>>   File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
> >>>>     parser.feed(text)
> >>>>   File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
> >>>>     self._raiseerror(v)
> >>>>   File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror
> >>>>     raise err
> >>>>
> >>>> /var/log/pki/pki-tomcat/ca/debug
> >>>>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password ok: store in memory cache
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: errorIfDown false
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP connection using basic authentication to host pt-idm-vm01.example.com port 389 as cn=Directory Manager
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with mininum 3 and maximum 15 connections to host pt-idm-vm01.example.com port 389, secure connection, false, authentication type 1
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum connections by 3
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available connections 3
> >>>>
>
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of connections 3
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In LdapBoundConnFactory::getConn()
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: true
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is connected true
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now 2
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS: param=preop.internaldb.manager_ldif
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file = /usr/share/pki/server/conf/manager.ldif
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to /var/lib/pki/pki-tomcat/ca/conf/manager.ldif
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): LDAP Errors in importing /var/lib/pki/pki-tomcat/ca/conf/manager.ldif
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in adding entry ou=csusers,cn=config:netscape.ldap.LDAPException: error result (68)
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in modifying entry o=ipaca:netscape.ldap.LDAPException: error result (20)
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: populateVLVIndexes(): start
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Creating LdapBoundConnFactor(ConfigurationUtils)
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapBoundConnFactory: init
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapBoundConnFactory:doCloning true
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init()
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init begins
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: prompt is internaldb
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: try getting from memory cache
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: got password from memory
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init: password found for prompt.
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: password ok: store in memory cache
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: LdapAuthInfo: init ends
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: makeConnection: errorIfDown false
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: Established LDAP connection using basic authentication to host pt-idm-vm01.example.com port 389 as cn=Directory Manager
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: initializing with mininum 3 and maximum 15 connections to host pt-idm-vm01.example.com port 389, secure connection, false, authentication type 1
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: increasing minimum connections by 3
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new total available connections 3
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: new number of connections 3
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: In LdapBoundConnFactory::getConn()
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: masterConn is connected: true
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: conn is connected true
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: getConn: mNumConns now 2
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS: param=preop.internaldb.post_ldif
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file = /usr/share/pki/ca/conf/vlv.ldif
> >>>> [23/Mar/2016:17:56:45][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to /var/lib/pki/pki-tomcat/ca/conf/vlv.ldif
> >>>> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif file = /usr/share/pki/ca/conf/vlvtasks.ldif
> >>>> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to /var/lib/pki/pki-tomcat/ca/conf/vlvtasks.ldif
> >>>> [23/Mar/2016:17:56:46][http-bio-8443-exec-3]: Checking wait_dn cn=index1160589769, cn=index, cn=tasks, cn=config
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: Found data for 'sslserver'
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: SystemConfigService:processCerts(): san_server_cert not found for tag sslserver
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is local
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: caType is remote (revised)
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: updateConfig() for certTag sslserver
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: updateConfig() done
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: configCert: remote CA
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got public key
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertRequestPanel: got private key
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: NamePanel: For this Cloned CA, always use its Master CA to generate the 'sslserver' certificate to avoid any changes which may have been made to the X500Name directory string encoding order.
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: ConfigurationUtils: injectSAN=false
> >>>> [23/Mar/2016:17:56:48][http-bio-8443-exec-3]: CertUtil createRemoteCert: content requestor_name=CA-pt-idm-vm01.example.com-8443&profileId=caInternalAuthServerCert&cert_request_type=pkcs10&cert_request=MIICmzCCAYxxxxxxxx...xxxxxxxxrD6JPIBR7AA%3D&xmlOutput=true&sessionID=-4495713718673639316
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil createRemoteCert: status=0
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: CertUtil createRemoteCert: MIIDxTCCAq2gxxxxxxxx...xxxxxxxxTDuSAWm2v7
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: ConfigurationUtils: handleCertRequest() begins
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: tag=sslserver
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: privKeyID=29c021f3ccfafb1049bd33ce00e9b4ba35f2c1e7
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCertRequest: created cert request
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processing 'sslserver' certificate:
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): for cert tag 'sslserver' using cert type 'remote'
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): process remote...import cert
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: nickname=Server-Cert cert-pki-ca
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: deleteCert: cert deleted successfully
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): certchains length=2
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: handleCerts(): import certificate successfully, certTag=sslserver
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Processed 'sslserver' certificate.
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === BackupKeyCert Panel/SavePKCS12 Panel ===
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: backupKeys(): start
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Admin Panel ===
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: === Done Panel ===
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: Updating existing security domain
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: isSDHostDomainMaster(): Getting domain.xml from CA...
> >>>> [23/Mar/2016:17:56:50][http-bio-8443-exec-3]: getDomainXML start
> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: status=0
> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: getDomainXML: domainInfo= standalone="no"?>IPAptipa1.example.com443443 SecureAgentPort>443 ... hPort>44380 ... FALSEpki-cad ... TRUE1 ... PList>0 ... Count>00 ... Count>0 ... PSList>0 (domain.xml element tags stripped by the list archive)
> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Cloning a domain master
> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ptipa1.example.com port=443
> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: failed to update security domain using admin port 443: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateSecurityDomain: now trying agent port with client auth
> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML start hostname=ptipa1.example.com port=443
> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: updateDomainXML() nickname=subsystemCert cert-pki-ca
> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: WizardPanelBase updateDomainXML: status=1
> >>>> [23/Mar/2016:17:56:51][http-bio-8443-exec-3]: Error while updating security domain: java.io.IOException: 2
> >>>> [23/Mar/2016:23:44:52][http-bio-8080-exec-1]: according to ccMode, authorization for servlet: caProfileList is LDAP based, not XML {1}, use default authz mgr: {2}.
> >>>>
> >>>> /var/log/pki/pki-tomcat/ca/system
> >>>>
> >>>> 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
> >>>> 0.localhost-startStop-1 - [23/Mar/2016:17:55:24 EDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
> >>>>
> >>>> *Dennis M Ott*
> >>>> Infrastructure Administrator
> >>>> Infrastructure and Security Operations
> >>>>
> >>>> *McKesson Corporation
> >>>> McKesson Pharmacy Systems and Automation* www.mckesson.com
> >>>>
> >>> --
> >>> Petr Vobornik
> >>
> >> --
> >> Petr Vobornik
> >
> > --
> > Petr Vobornik
>
> --
> Petr Vobornik
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

--
This email and its contents are confidential. If you are not the intended recipient, please do not disclose or use the information within this email or its attachments. If you have received this email in error, please report the error to the sender by return email and delete this communication from your records.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From tstorai.ext at orange.com Wed Jun 29 09:04:47 2016
From: tstorai.ext at orange.com (tstorai.ext at orange.com)
Date: Wed, 29 Jun 2016 09:04:47 +0000
Subject: [Freeipa-users] FreeIPAv3 and SSSD // Disable automatic Kerberos authentication
Message-ID: <9021_1467191088_57738F30_9021_630_2_E7B3C528368E954BA40BD6EB6827CE420A5EF4@OPEXCLILM21.corporate.adroot.infra.ftgroup>

Hello,

We are using FreeIPAv3 with SSSD with a Hortonworks Cluster:

- ipa-admintools-3.0.0-47
- ipa-client-3.0.0-47
- sssd-ipa-1.11.6-30

According to the following documentation, our users are automatically authenticated to Kerberos at every login:
https://www.freeipa.org/page/Kerberos
"When SSSD project is used, the ticket is get for a user automatically as he authenticates to client machine."

It's working pretty well, but some of our users are using nominative accounts for the ssh connection and then access Hadoop with an applicative keytab...
We agree that we have to perform a kinit at every connection, but when these users work in several sessions they lose the applicative account ticket :(

To summarise:

1. User1 connects to the system with the nominative account -> Nominative Kerberos Ticket
2. User1 uses the applicative keytab to access Hadoop -> Applicative Kerberos Ticket
3. User1 opens a new session to the system with the nominative account -> Nominative Kerberos Ticket --> the Applicative Kerberos Ticket is lost

Impact:
--> Failed development
--> Forces the user to re-execute a kinit

We would like to know if it is possible to disable the automatic authentication provided with SSSD?

Thanks.

Regards,

Thibault

_________________________________________________________________________________________________________________________

This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From lkrispen at redhat.com Thu Jun 30 12:50:31 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Thu, 30 Jun 2016 14:50:31 +0200
Subject: [Freeipa-users] FreeIPA (directory service) Crash several times a day
In-Reply-To: <5775146B.6000104@redhat.com>
References: <784da53eb961923c346a2f6a14e4e934@mdfive.dz> <5774F0AF.5010407@redhat.com> <9b5b49d0143f82b1cf3f17691a7c471a@mdfive.dz> <5775146B.6000104@redhat.com>
Message-ID: <57751597.4090303@redhat.com>

On 06/30/2016 02:45 PM, Ludwig Krispenz wrote:
>
> On 06/30/2016 02:27 PM, dev at mdfive.dz wrote:
>> Hi,
>>
>> Please find strace on a core file : http://pastebin.com/v9cUzau4
> the crash is in an IPA plugin, ipa_pwd_extop,
> to get a better stack you would have to install also the debuginfo for
> ipa-server. but the stack matches the error messages you have seen

[30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - [file encoding.c, line 171]: generating kerberos keys failed [Invalid argument]
[30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file encoding.c, line 225]: key encryption/encoding failed

they are from the functions in the call stack.
Looks like the user has a password with a \351 char:

cred = {bv_len = 15, bv_val = 0x7fc7880013a0 "d\351sertification"}

does the crash always happen with a bind from this user ?

> and then someone familiar with this plugin should look into it
>>
>> Regards
>>
>>
>> On 2016-06-30 12:13, Ludwig Krispenz wrote:
>>> can you get a core file ?
>>> http://www.port389.org/docs/389ds/FAQ/faq.html#debug_crashes
>>>
>>>
>>> On 06/30/2016 11:28 AM, dev at mdfive.dz wrote:
>>>> Hi,
>>>>
>>>> The Directory Services crashes several times a day. It's installed
>>>> on a CentOS 7 VM :
>>>>
>>>> Installed Packages
>>>> Name : ipa-server
>>>> Arch : x86_64
>>>> Version : 4.2.0
>>>>
>>>> # ipactl status
>>>> Directory Service: STOPPED
>>>> krb5kdc Service: RUNNING
>>>> kadmin Service: RUNNING
>>>> ipa_memcached Service: RUNNING
>>>> httpd Service: RUNNING
>>>> pki-tomcatd Service: RUNNING
>>>> ipa-otpd Service: RUNNING
>>>> ipa: INFO: The ipactl command was successful
>>>>
>>>>
>>>> Before each crash, I have these messages in
>>>> /var/log/dirsrv/slapd-XXXXX/errors :
>>>>
>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - [file encoding.c, line 171]: generating kerberos keys failed [Invalid argument]
>>>> [30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file encoding.c, line 225]: key encryption/encoding failed
>>>>
>>>>
>>>> Any help?
>>>> Best regards
>>>>
>>> --
>>> Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
>>> Commercial register: Amtsgericht Muenchen, HRB 153243,
>>> Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
>

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander

From andreas.ladanyi at kit.edu Thu Jun 30 12:51:02 2016
From: andreas.ladanyi at kit.edu (Andreas Ladanyi)
Date: Thu, 30 Jun 2016 14:51:02 +0200
Subject: [Freeipa-users] FreeIPA doesnt start
Message-ID:

Hi,

I upgraded from Fedora 22 to 23 and now I am working with IPA 4.2.

When I want to start IPA with ipactl start I run into the situation that starting pki-tomcat takes a long time and ipactl aborts the starting process and shuts down the services. So IPA doesn't start.

ipactl start:

Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting ipa_memcached Service
Starting httpd Service
Starting pki-tomcatd Service

...hangs...

Failed to start pki-tomcatd Service
Shutting down
Aborting ipactl

systemctl status shows the errors:

ipa.service loaded failed failed Identity, Policy, Audit
kadmin.service loaded failed failed Kerberos 5 Password-changing and Administration
pki-tomcatd at pki-tomcat.service loaded failed failed PKI Tomcat Server pki-tomcat

Which logfiles are important to analyse this issue of IPA ?

Andreas

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5326 bytes
Desc: S/MIME Cryptographic Signature
URL:

From ladner.danila at gmail.com Thu Jun 30 13:02:03 2016
From: ladner.danila at gmail.com (Danila Ladner)
Date: Thu, 30 Jun 2016 09:02:03 -0400
Subject: [Freeipa-users] Freeipa and spacewalk integration.
In-Reply-To: <20160630100913.GB10043@redhat.com>
References: <20160630100913.GB10043@redhat.com>
Message-ID:

Thank you for reaching out. The problem has been fixed.
I had forgotten to restart tomcat6 to disable tomcat auth. User error!!!

On Thu, Jun 30, 2016 at 6:09 AM, Jan Pazdziora wrote:
> On Wed, Jun 29, 2016 at 03:33:34PM -0400, Danila Ladner wrote:
> > Hello Folks.
> >
> > I am stuck at this task integrating spacewalk freeipa authorization.
> >
> > I have followed these docs from spacewalk to enable web authentication with FreeIPA:
> >
> > https://fedorahosted.org/spacewalk/wiki/SpacewalkAndIPA
> >
> > I did all the steps above and am trying to authenticate with a user I do not have in the internal spacewalk database, but sssd ifp with sssd_dbus should help me with that.
> [...]
> > I did enable sssd and sssd_ifp logs and see all the lookups go through; if you need them I can provide them.
> > The problem, it seems, is on the step where spacewalk can't create a new user based on the Organization Unit name.
> > I am a little bit lost and firstly asked the Spacewalk community but no one was able to help me.
> > If anyone has any additional information on where I can troubleshoot further, I'd appreciate it. I have integrated the Jenkins UI with LDAP/IPA auth and it works just fine, so I am sure it is not the IPA backend, but something in particular with the spacewalk httpd modules, but I still can't figure out what exactly is the issue.
> > If anyone has some information or has done a similar integration, I'd appreciate it if you can share it.
>
> What Spacewalk version and what OS and version is this?
>
> --
> Jan Pazdziora
> Senior Principal Software Engineer, Identity Management Engineering, Red Hat

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Thu Jun 30 13:14:42 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 30 Jun 2016 09:14:42 -0400
Subject: [Freeipa-users] How to unset a user's kerberos principal expiration date?
In-Reply-To:
References:
Message-ID: <57751B42.90307@redhat.com>

David Kupka wrote:
> On 29/06/16 19:05, Roderick Johnstone wrote:
>> Hi
>>
>> If I set a kerberos principal for a user to expire on a given date using:
>> ipa user-mod --principal-expiration=DATE
>> is it possible to later remove this expiration date rather than just set
>> it to a time far in the future?
>>
>> Thanks
>>
>> Roderick Johnstone
>>
>
> Hello Roderick,
> AFAIK the only way to remove principal expiration at the time is to remove
> the krbPrincipalExpiration attribute from the user entry in DS.
>
> $ kinit admin
> Password for admin at EXAMPLE.ORG
> $ ldapmodify -Y GSSAPI
> SASL/GSSAPI authentication started
> SASL username: admin at EXAMPLE.ORG
> SASL SSF: 56
> SASL data security layer installed.
> dn: uid=tuser,cn=users,cn=accounts,dc=example,dc=org
> changetype: modify
> delete: krbprincipalexpiration
>
> modifying entry "uid=tuser,cn=users,cn=accounts,dc=example,dc=org"
>
> I think that it makes sense to expose this in the API. Could you please file
> an RFE (https://fedorahosted.org/freeipa/newticket)?
>

You just need to pass in a blank value:

$ ipa user-mod --principal-expiration=

rob

From rcritten at redhat.com Thu Jun 30 13:16:49 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 30 Jun 2016 09:16:49 -0400
Subject: [Freeipa-users] How to migrate users with md5 and sha512 passwords
In-Reply-To:
References:
Message-ID: <57751BC1.3000701@redhat.com>

Joanna Delaporte wrote:
> I am migrating an NIS domain to IPA. I have attempted to follow the
> instructions for NIS account crypted password migration, but I haven't yet
> successfully used password authentication to log in to remote machines.
>
> The instructions expect I would migrate DES-encrypted passwords, but I
> have a mixture of md5 and sha512-encrypted passwords. Do I need to
> follow a different process, or am I chasing the wrong problem?
>
> This is my first IPA realm.

If you have crypt-compatible passwords ($6$) then just pass it in as
{crypt}$6$... and it should work fine.

You can ONLY set a pre-hashed password in migration mode AND when adding
the user. You can't add the user then set a hashed password.

rob

From andreas.ladanyi at kit.edu Thu Jun 30 13:17:32 2016
From: andreas.ladanyi at kit.edu (Andreas Ladanyi)
Date: Thu, 30 Jun 2016 15:17:32 +0200
Subject: [Freeipa-users] FreeIPA doesnt start
In-Reply-To:
References:
Message-ID:

Here is some more info.

journal -xe tells me some errors:

INFO: Initializing ProtocolHandler ["http-bio-8443"]
Error: SSL cipher "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" not recognized by tomcatjss
Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" not recognized by tomcatjss
Error: SSL cipher "TLS_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
Error: SSL cipher "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
Error: SSL cipher "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss
Error: SSL cipher "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" unsupported by NSS
Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" unsupported by NSS
......
org.apache.jasper.servlet.TldScanner scanJars
INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list o
.......
org.apache.catalina.startup.ClassLoaderFactory validateFile
WARNING: Problem with JAR file [/var/lib/pki/pki-tomcat/lib/tomcat-servlet-3.0-api.jar], exists: [false], canRead: [false]
org.apache.catalina.startup.ClassLoaderFactory validateFile
roblem with JAR file [/var/lib/pki/pki-tomcat/lib/tomcat-jsp-2.2-api.jar], exists: [false], canRead: [false]
org.apache.catalina.startup.ClassLoaderFactory validateFile
WARNING: Problem with JAR file [/var/lib/pki/pki-tomcat/lib/tomcat7-websocket.jar], exists: [false], canRead: [false]
org.apache.catalina.startup.ClassLoaderFactory validateFile
Problem with JAR file [/var/lib/pki/pki-tomcat/lib/tomcat-el-2.2-api.jar], exists: [false], canRead: [false]
org.apache.catalina.startup.Catalina stopServer
SEVERE: Could not contact localhost:8005. Tomcat may not be running.
org.apache.catalina.startup.Catalina stopServer
SEVERE: Catalina.stop: java.net.ConnectException: Connection refused
.....
pki-tomcatd at pki-tomcat.service: Control process exited, code=exited status=1

> Hi,
>
> I upgraded from Fedora 22 to 23 and now I am working with IPA 4.2.
>
> When I want to start IPA with ipactl start I run into the situation that
> starting pki-tomcat takes a long time and ipactl aborts the starting
> process and shuts down the services. So IPA doesn't start.
>
> ipactl start:
>
> Starting Directory Service
> Starting krb5kdc Service
> Starting kadmin Service
> Starting ipa_memcached Service
> Starting httpd Service
> Starting pki-tomcatd Service
>
> ...hangs...
>
> Failed to start pki-tomcatd Service
> Shutting down
> Aborting ipactl
>
>
> systemctl status shows the errors:
>
> ipa.service loaded failed failed Identity, Policy, Audit
> kadmin.service loaded failed failed Kerberos 5 Password-changing and Administration
> pki-tomcatd at pki-tomcat.service loaded failed failed PKI Tomcat Server pki-tomcat
>
>
> Which logfiles are important to analyse this issue of IPA ?
>
>
> Andreas
>

--
Karlsruher Institut für Technologie (KIT)
Fakultät für Informatik
ATIS - Department of Technical Infrastructure

Dipl.-Ing. Andreas Ladanyi
- System Administrator -

Am Fasanengarten 5, Building 50.34, Room 013
76131 Karlsruhe
Phone: +49 721 608 - 4 3663
Fax: +49 721 608 - 4 6699
E-Mail: andreas.ladanyi at kit.edu
www.atis.informatik.kit.edu
www.kit.edu

KIT - University of the State of Baden-Württemberg and National Research Center of the Helmholtz Association

KIT has been certified as a family-friendly university since 2010.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5326 bytes
Desc: S/MIME Cryptographic Signature
URL:

From opensauce17 at gmail.com Thu Jun 30 13:30:16 2016
From: opensauce17 at gmail.com (opensauce .)
Date: Thu, 30 Jun 2016 15:30:16 +0200
Subject: [Freeipa-users] AES reverse encryption plugin on userPassword attribute
Message-ID:

Hi All,

I need to store user passwords with reversible encryption for an application.

I know the AES plugin is enabled and available:

# AES, Password Storage Schemes, plugins, config
dn: cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config
cn: AES
nsslapd-pluginDescription: AES storage scheme plugin
nsslapd-pluginEnabled: on
nsslapd-pluginId: aes-storage-scheme
nsslapd-pluginInitfunc: aes_init
nsslapd-pluginPath: libpbe-plugin
nsslapd-pluginType: reverpwdstoragescheme
nsslapd-pluginVendor: 389 Project
nsslapd-pluginVersion: 1.3.4.0
nsslapd-pluginarg0: nsmultiplexorcredentials
nsslapd-pluginarg1: nsds5ReplicaCredentials
nsslapd-pluginprecedence: 1
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject

How do I apply this plugin to the userPassword attribute of a single or multiple users?

Thanks
Mike

-------------- next part --------------
An HTML attachment was scrubbed...
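Rob Crittenden's reply above on migrating NIS crypt hashes (pass the shadow value in as {crypt}$6$..., and only when the user is added in migration mode) is easy to get wrong when the shadow file mixes algorithms, as Joanna's does. The script below is an added example, not code from this thread or from FreeIPA: it validates each shadow(5) password field by its modular-crypt prefix, rejects locked or malformed entries, flags DES and MD5-crypt hashes as weak so those accounts can be made to reset their password after the import, and produces the userPassword value for the rest. The sample shadow lines are constructed filler of the right shape, not real credentials; whether 389-ds accepts the $1$ and DES forms under {crypt} is not settled by the thread, so the script only labels them.

```python
import re
from typing import Dict, List, Tuple

# Modular-crypt alphabet used by salts and hash bodies.
ALNUM = r"[./0-9A-Za-z]"
# Optional rounds= parameter, accepted by SHA-crypt ($5$/$6$) only.
ROUNDS = r"(?:rounds=\d{4,9}\$)?"

# prefix -> (scheme name, hash body length, maximum salt length, strong?)
# "strong" means worth carrying over unchanged; DES and MD5-crypt are not.
CRYPT_SCHEMES = {
    "$6$": ("sha512-crypt", 86, 16, True),
    "$5$": ("sha256-crypt", 43, 16, True),
    "$1$": ("md5-crypt", 22, 8, False),
}


def classify_crypt_hash(value: str) -> Dict[str, object]:
    """Classify one shadow(5) password field by prefix and shape."""
    if not value or value[0] in "!*":
        # "!", "!!", "*" and "!<hash>" all mean the account is locked.
        return {"scheme": "locked", "valid": False, "strong": False}
    for prefix, (scheme, body_len, salt_max, strong) in CRYPT_SCHEMES.items():
        if value.startswith(prefix):
            rounds = ROUNDS if prefix != "$1$" else ""
            pattern = rf"{rounds}{ALNUM}{{1,{salt_max}}}\${ALNUM}{{{body_len}}}"
            valid = re.fullmatch(pattern, value[len(prefix):]) is not None
            return {"scheme": scheme, "valid": valid, "strong": strong and valid}
    if re.fullmatch(rf"{ALNUM}{{13}}", value):
        # Traditional DES crypt: 2-char salt + 11-char hash, no prefix.
        return {"scheme": "des-crypt", "valid": True, "strong": False}
    return {"scheme": "unknown", "valid": False, "strong": False}


def to_user_password(value: str) -> str:
    """Wrap a validated crypt hash the way the thread says IPA migration expects it."""
    info = classify_crypt_hash(value)
    if not info["valid"]:
        raise ValueError(f"not a usable crypt hash: {info['scheme']}")
    return "{crypt}" + value


def parse_shadow(text: str) -> List[Tuple[str, str]]:
    """Return (login, password-field) pairs from shadow(5)-formatted text."""
    pairs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            pairs.append((fields[0], fields[1]))
    return pairs


def plan_migration(shadow_text: str):
    """Split shadow entries into migratable entries, skipped accounts and weak ones.

    Migratable entries get their userPassword value; accounts hashed with DES
    or MD5-crypt are also listed so they can be forced to reset after import.
    """
    entries, skipped, weak = [], [], []
    for login, field in parse_shadow(shadow_text):
        info = classify_crypt_hash(field)
        if not info["valid"]:
            skipped.append((login, info["scheme"]))
            continue
        if not info["strong"]:
            weak.append((login, info["scheme"]))
        entries.append({"uid": login, "userPassword": to_user_password(field)})
    return entries, skipped, weak


# Constructed sample shadow(5) lines; the hash bodies are filler of the
# right length and alphabet, not real credentials.
H64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SAMPLE_SHADOW = "\n".join([
    "# login:hash:lastchg:min:max:warn:inactive:expire:",
    "alice:$6$rounds=5000$Q9E4wYtR$" + (H64 * 2)[:86] + ":17300:0:99999:7:::",
    "bob:$1$xyzSalt$" + H64[:22] + ":17300:0:99999:7:::",
    "carol:" + H64[:13] + ":17300:0:99999:7:::",
    "daemon:!!:17300:0:99999:7:::",
])

if __name__ == "__main__":
    migrate, skip, reset = plan_migration(SAMPLE_SHADOW)
    for entry in migrate:
        print(f"{entry['uid']}: {entry['userPassword'][:24]}...")
    print("skipped:", skip)
    print("force password reset after import:", reset)
```

Migration mode itself is switched on with `ipa config-mod --enable-migration=TRUE` and switched off again once the accounts are in; the script deliberately does not touch the directory, it only tells you which shadow entries are safe to hand to the migration and which ones need a reset instead.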
From tomek at pipebreaker.pl Thu Jun 30 13:36:22 2016
From: tomek at pipebreaker.pl (Tomasz Torcz)
Date: Thu, 30 Jun 2016 15:36:22 +0200
Subject: [Freeipa-users] FreeIPA doesn't start
In-Reply-To:
References:
Message-ID: <20160630133621.GA675967@mother.pipebreaker.pl>

On Thu, Jun 30, 2016 at 02:51:02PM +0200, Andreas Ladanyi wrote:
> Hi,
>
> I upgraded from Fedora 22 to 23 and now I am working with IPA 4.2
>
> When I want to start IPA with ipactl start I run into the situation
> starting pki-tomcat takes a long time and ipactl aborts the starting
> process and shuts down services. So IPA doesn't start.

Sounds like https://www.happyassassin.net/2016/06/21/notes-on-a-couple-of-freeipa-bugs-host-group-sudo-rules-and-failure-to-start-with-recent-pki-core-on-older-upgraded-installs/

--
Tomasz Torcz                 "Funeral in the morning, IDE hacking
xmpp: zdzichubg at chrome.pl    in the afternoon and evening." - Alan Cox

From sbose at redhat.com Thu Jun 30 13:38:03 2016
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 30 Jun 2016 15:38:03 +0200
Subject: [Freeipa-users] FreeIPAv3 and SSSD // Disable automatic Kerberos authentication
In-Reply-To: <9021_1467191088_57738F30_9021_630_2_E7B3C528368E954BA40BD6EB6827CE420A5EF4@OPEXCLILM21.corporate.adroot.infra.ftgroup>
References: <9021_1467191088_57738F30_9021_630_2_E7B3C528368E954BA40BD6EB6827CE420A5EF4@OPEXCLILM21.corporate.adroot.infra.ftgroup>
Message-ID: <20160630133803.GG26752@p.Speedport_W_724V_Typ_A_05011603_00_009>

On Wed, Jun 29, 2016 at 09:04:47AM +0000, tstorai.ext at orange.com wrote:
> Hello,
>
> We are using FreeIPAv3 with SSSD with Hortonworks Cluster :
>
> - ipa-admintools-3.0.0-47
>
> - ipa-client-3.0.0-47
>
> - sssd-ipa-1.11.6-30
>
>
> According to the following documentation, our users are automatically authenticated to Kerberos at every login :
> https://www.freeipa.org/page/Kerberos
> "When SSSD project is used, the ticket is get for a user automatically as he authenticates to client machine."
>
> It's working pretty well but some of our users are using nominative accounts for ssh connection then access to Hadoop with an applicative keytab...
> We agree that we have to perform a kinit at every connection but when these users work on several sessions they lose the applicative account ticket :(

If you use credential cache collections (type DIR: or KEYTAB:) SSSD
would only update the individual cache matching the user principal
stored in IPA. The caches for other principals would persist. But if the
principal in the applicative keytab is from the same Kerberos realm you
still might need to use the 'kswitch' command to set the primary
principal. But it should be sufficient to call it only once because the
information is stored in the collection and not overwritten by SSSD.

If this does not work the affected users can add something like:

    export KRB5CCNAME=$HOME/my_cc_cache

to their .bashrc (or related config file of other shells). Then at least
in the shell all commands, like e.g. ssh, would use my_cc_cache with the
credential from the kinit with the keytab.

HTH

bye,
Sumit

>
> To resume :
> 1
>
> User1 connect to the system with nominative account
>
> Nominative Kerberos Ticket
>
> 2
>
> User1 use the applicative keytab to access to Hadoop
>
> Applicative Kerberos Ticket
>
> 3
>
> User1 open a new session to the system with nominative account
>
> Nominative Kerberos Ticket --> Applicative Kerberos Ticket is lost
>
>
> Impact :
> --> Failed development
> --> Force the user to re-execute a kinit
>
> We would know if it is possible to disable the automatic authentication in provide with SSSD?
>
> Thanks.
>
> Regards,
>
> Thibault
>
>
> _________________________________________________________________________________________________________________________
>
> This message and its attachments may contain confidential or privileged information that may be protected by law;
> they should not be distributed, used or copied without authorisation.
> If you have received this email in error, please notify the sender and delete this message and its attachments.
> As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
> Thank you.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From sbose at redhat.com Thu Jun 30 13:48:35 2016
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 30 Jun 2016 15:48:35 +0200
Subject: [Freeipa-users] How to deactivate automatic kinit at ssh login ?
In-Reply-To:
References:
Message-ID: <20160630134835.GH26752@p.Speedport_W_724V_Typ_A_05011603_00_009>

On Thu, Jun 30, 2016 at 08:54:16AM +0200, bahan w wrote:
> Hello !
>
> I'm using freeipa 3.0.0-47.
>
> I send you this mail concerning the automatic kinit at ssh login ? I wanted
> to know if it was possible to deactivate it on a specific server ?
>
> The reason is that I have some of my users who often use another ticket
> than their own and this feature can be annoying for them.

Please have a look at my response to ' [Freeipa-users] FreeIPAv3 and SSSD // Disable automatic Kerberos authentication' (https://www.redhat.com/archives/freeipa-users/2016-June/msg00480.html)

HTH

bye,
Sumit

>
> BR.
>
> Bahan

From andreas.ladanyi at kit.edu Thu Jun 30 13:51:40 2016
From: andreas.ladanyi at kit.edu (Andreas Ladanyi)
Date: Thu, 30 Jun 2016 15:51:40 +0200
Subject: [Freeipa-users] FreeIPA doesn't start
In-Reply-To:
References:
Message-ID: <1a3a278f-74b6-5d47-83b4-2b3d5a7e60b2@kit.edu>

>
> org.apache.catalina.startup.ClassLoaderFactory validateFile
> WARNING: Problem with JAR file
> [/var/lib/pki/pki-tomcat/lib/tomcat-servlet-3.0-api.jar], exists:
> [false], canRead: [false]
> org.apache.catalina.startup.ClassLoaderFactory validateFile
> roblem with JAR file
> [/var/lib/pki/pki-tomcat/lib/tomcat-jsp-2.2-api.jar], exists: [false],
> canRead: [false]
> org.apache.catalina.startup.ClassLoaderFactory validateFile
> WARNING: Problem with JAR file
> [/var/lib/pki/pki-tomcat/lib/tomcat7-websocket.jar], exists: [false],
> canRead: [false]
> org.apache.catalina.startup.ClassLoaderFactory validateFile
> Problem with JAR file
> [/var/lib/pki/pki-tomcat/lib/tomcat-el-2.2-api.jar], exists: [false],
> canRead: [false]

rpm -qa | grep tomcat

tomcatjss-7.1.3-1.fc23.noarch
tomcat-servlet-3.1-api-8.0.32-5.fc23.noarch
tomcat-8.0.32-5.fc23.noarch
tomcat-jsp-2.3-api-8.0.32-5.fc23.noarch
tomcat-el-3.0-api-8.0.32-5.fc23.noarch
tomcat-lib-8.0.32-5.fc23.noarch

ls -la /var/lib/pki/pki-tomcat/lib/

insgesamt 20
drwxrwx---. 2 pkiuser pkiuser 4096 28. Jun 15:59 .
drwxrwx---. 8 pkiuser pkiuser 4096 22. Mai 2015 ..
lrwxrwxrwx. 1 pkiuser pkiuser 41 28. Jun 15:59 annotations-api.jar -> /usr/share/tomcat/lib/annotations-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser 38 28. Jun 15:59 catalina-ant.jar -> /usr/share/tomcat/lib/catalina-ant.jar
lrwxrwxrwx. 1 pkiuser pkiuser 37 28. Jun 15:59 catalina-ha.jar -> /usr/share/tomcat/lib/catalina-ha.jar
lrwxrwxrwx. 1 pkiuser pkiuser 34 28. Jun 15:59 catalina.jar -> /usr/share/tomcat/lib/catalina.jar
lrwxrwxrwx. 1 pkiuser pkiuser 46 28. Jun 15:59 catalina-storeconfig.jar -> /usr/share/tomcat/lib/catalina-storeconfig.jar
lrwxrwxrwx. 1 pkiuser pkiuser 41 28. Jun 15:59 catalina-tribes.jar -> /usr/share/tomcat/lib/catalina-tribes.jar
lrwxrwxrwx. 1 pkiuser pkiuser 45 28. Jun 15:59 commons-collections.jar -> /usr/share/tomcat/lib/commons-collections.jar
lrwxrwxrwx. 1 pkiuser pkiuser 38 28. Jun 15:59 commons-dbcp.jar -> /usr/share/tomcat/lib/commons-dbcp.jar
lrwxrwxrwx. 1 pkiuser pkiuser 38 28. Jun 15:59 commons-pool.jar -> /usr/share/tomcat/lib/commons-pool.jar
lrwxrwxrwx. 1 pkiuser pkiuser 35 28. Jun 15:59 jasper-el.jar -> /usr/share/tomcat/lib/jasper-el.jar
lrwxrwxrwx. 1 pkiuser pkiuser 32 28. Jun 15:59 jasper.jar -> /usr/share/tomcat/lib/jasper.jar
lrwxrwxrwx. 1 pkiuser pkiuser 36 28. Jun 15:59 jasper-jdt.jar -> /usr/share/tomcat/lib/jasper-jdt.jar
lrwxrwxrwx. 1 pkiuser pkiuser 36 22. Mai 2015 log4j.properties -> /etc/pki/pki-tomcat/log4j.properties
lrwxrwxrwx. 1 pkiuser pkiuser 43 28. Jun 15:59 tomcat7-websocket.jar -> /usr/share/tomcat/lib/tomcat7-websocket.jar
lrwxrwxrwx. 1 pkiuser pkiuser 36 28. Jun 15:59 tomcat-api.jar -> /usr/share/tomcat/lib/tomcat-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser 39 28. Jun 15:59 tomcat-coyote.jar -> /usr/share/tomcat/lib/tomcat-coyote.jar
lrwxrwxrwx. 1 pkiuser pkiuser 37 28. Jun 15:59 tomcat-dbcp.jar -> /usr/share/tomcat/lib/tomcat-dbcp.jar
lrwxrwxrwx. 1 pkiuser pkiuser 43 28. Jun 15:59 tomcat-el-2.2-api.jar -> /usr/share/tomcat/lib/tomcat-el-2.2-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser 43 28. Jun 15:59 tomcat-el-3.0-api.jar -> /usr/share/tomcat/lib/tomcat-el-3.0-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser 40 28. Jun 15:59 tomcat-i18n-es.jar -> /usr/share/tomcat/lib/tomcat-i18n-es.jar
lrwxrwxrwx. 1 pkiuser pkiuser 40 28. Jun 15:59 tomcat-i18n-fr.jar -> /usr/share/tomcat/lib/tomcat-i18n-fr.jar
lrwxrwxrwx. 1 pkiuser pkiuser 40 28. Jun 15:59 tomcat-i18n-ja.jar -> /usr/share/tomcat/lib/tomcat-i18n-ja.jar
lrwxrwxrwx. 1 pkiuser pkiuser 37 28. Jun 15:59 tomcat-jdbc.jar -> /usr/share/tomcat/lib/tomcat-jdbc.jar
lrwxrwxrwx. 1 pkiuser pkiuser 36 28. Jun 15:59 tomcat-jni.jar -> /usr/share/tomcat/lib/tomcat-jni.jar
lrwxrwxrwx. 1 pkiuser pkiuser 44 28. Jun 15:59 tomcat-jsp-2.2-api.jar -> /usr/share/tomcat/lib/tomcat-jsp-2.2-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser 44 28. Jun 15:59 tomcat-jsp-2.3-api.jar -> /usr/share/tomcat/lib/tomcat-jsp-2.3-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser 37 28. Jun 15:59 tomcat-juli.jar -> /usr/share/tomcat/lib/tomcat-juli.jar
lrwxrwxrwx. 1 pkiuser pkiuser 48 28. Jun 15:59 tomcat-servlet-3.0-api.jar -> /usr/share/tomcat/lib/tomcat-servlet-3.0-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser 48 28. Jun 15:59 tomcat-servlet-3.1-api.jar -> /usr/share/tomcat/lib/tomcat-servlet-3.1-api.jar
lrwxrwxrwx. 1 pkiuser pkiuser 37 28. Jun 15:59 tomcat-util.jar -> /usr/share/tomcat/lib/tomcat-util.jar
lrwxrwxrwx. 1 pkiuser pkiuser 42 28. Jun 15:59 tomcat-util-scan.jar -> /usr/share/tomcat/lib/tomcat-util-scan.jar
lrwxrwxrwx. 1 pkiuser pkiuser 42 28. Jun 15:59 tomcat-websocket.jar -> /usr/share/tomcat/lib/tomcat-websocket.jar
lrwxrwxrwx. 1 pkiuser pkiuser 39 28. Jun 15:59 websocket-api.jar -> /usr/share/tomcat/lib/websocket-api.jar

For example:

ls -la /usr/share/tomcat/lib/tomcat-jsp-2.2-api.jar -> File is not available
ls -la /usr/share/tomcat/lib/tomcat-jsp-2.3-api.jar -> File is ok.

> org.apache.catalina.startup.Catalina stopServer
> SEVERE: Could not contact localhost:8005. Tomcat may not be running.
> org.apache.catalina.startup.Catalina stopServer
> SEVERE: Catalina.stop:
> java.net.ConnectException: Connection refused
>
> .....
>
> pki-tomcatd at pki-tomcat.service: Control process exited, code=exited
> status=1
>
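The listing above shows the pattern behind the validateFile warnings: /var/lib/pki/pki-tomcat/lib still carries symlinks named after Tomcat 7 jars (tomcat-jsp-2.2-api.jar, tomcat-servlet-3.0-api.jar, tomcat-el-2.2-api.jar, tomcat7-websocket.jar) whose targets the Tomcat 8 packages no longer ship, while the 8.x equivalents sit right beside them. The script below is an added example, not code from the thread or from pki/tomcat: it reports dangling symlinks in such a directory and, for the versioned API jars, names the same-family jar that does resolve; the demo builds a constructed miniature of the layout in a temporary directory rather than touching the real filesystem.

```python
"""Find dangling symlinks in a pki-tomcat lib directory and suggest replacements.

Added example; not code from the thread or from the pki/tomcat projects.
"""
import os
import re
import shutil
import tempfile

# Versioned Tomcat API jar names, e.g. tomcat-jsp-2.2-api.jar -> base "tomcat-jsp", version "2.2".
VERSIONED_JAR = re.compile(r"^(?P<base>tomcat-[a-z]+)-(?P<ver>\d+\.\d+)-api\.jar$")


def find_dangling(libdir):
    """Return sorted (name, target) pairs for symlinks in libdir whose target is missing."""
    dangling = []
    for name in sorted(os.listdir(libdir)):
        path = os.path.join(libdir, name)
        if not os.path.islink(path):
            continue
        target = os.readlink(path)
        # Relative targets are resolved against the link's own directory.
        resolved = target if os.path.isabs(target) else os.path.join(libdir, target)
        if not os.path.exists(resolved):
            dangling.append((name, target))
    return dangling


def suggest_replacements(libdir, dangling):
    """Map each dangling versioned API jar to the resolvable jars of the same family.

    In the listing, tomcat-jsp-2.2-api.jar dangles while tomcat-jsp-2.3-api.jar
    resolves, so the suggestion for the former is the latter. Names without a
    version (tomcat7-websocket.jar) get no suggestion.
    """
    present = {}
    for name in os.listdir(libdir):
        m = VERSIONED_JAR.match(name)
        # os.path.exists follows symlinks, so a dangling link counts as absent.
        if m and os.path.exists(os.path.join(libdir, name)):
            present.setdefault(m.group("base"), []).append(name)
    suggestions = {}
    for name, _target in dangling:
        m = VERSIONED_JAR.match(name)
        if m:
            suggestions[name] = sorted(present.get(m.group("base"), []))
    return suggestions


def build_demo_tree(root):
    """Constructed miniature of the layout from the listing (not the real filesystem).

    usr/share/tomcat/lib holds only jars the Tomcat 8 packages ship;
    var/lib/pki/pki-tomcat/lib holds symlinks that still include the Tomcat 7 names.
    """
    tomcat_lib = os.path.join(root, "usr/share/tomcat/lib")
    pki_lib = os.path.join(root, "var/lib/pki/pki-tomcat/lib")
    os.makedirs(tomcat_lib)
    os.makedirs(pki_lib)
    shipped = ["catalina.jar", "tomcat-el-3.0-api.jar", "tomcat-jsp-2.3-api.jar",
               "tomcat-servlet-3.1-api.jar", "tomcat-websocket.jar"]
    stale = ["tomcat-el-2.2-api.jar", "tomcat-jsp-2.2-api.jar",
             "tomcat-servlet-3.0-api.jar", "tomcat7-websocket.jar"]
    for jar in shipped:
        open(os.path.join(tomcat_lib, jar), "wb").close()
    for jar in shipped + stale:
        os.symlink(os.path.join(tomcat_lib, jar), os.path.join(pki_lib, jar))
    return pki_lib


def demo():
    """Run the check against the constructed tree; returns (dangling, suggestions)."""
    root = tempfile.mkdtemp(prefix="pki-lib-demo-")
    try:
        pki_lib = build_demo_tree(root)
        dangling = find_dangling(pki_lib)
        return dangling, suggest_replacements(pki_lib, dangling)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    found, fixes = demo()
    for name, target in found:
        candidates = ", ".join(fixes.get(name, [])) or "none"
        print("dangling: %s -> %s  (resolvable same-family jar: %s)" % (name, target, candidates))
```

Run against the real directory with `find_dangling("/var/lib/pki/pki-tomcat/lib")` to get the same four names the Tomcat warnings list.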
From ladner.danila at gmail.com Thu Jun 30 14:32:18 2016
From: ladner.danila at gmail.com (Danila Ladner)
Date: Thu, 30 Jun 2016 10:32:18 -0400
Subject: [Freeipa-users] Best practices on enrolling existing hosts.
Message-ID:

Hello folks.
What are the best practices on enrolling existing hosts in infrastructure into FreeIPA
What do we do with local users which are present on the hosts and overlap with users in FreeIPA, should we remove local users? What happens to the files, directories owned by them? Is it usually a manual process?
I was thinking creating some salt states since we have around 800 hosts to remove local accounts, just not sure how I can remap files and directories to be owned by ipa users, IPA users have same usernames but apparently different GIDs and UIDs.
Would be useful to hear some insights on what folks do in the implementation process.

Thank you,
Danila Ladner.

From simo at redhat.com Thu Jun 30 14:43:00 2016
From: simo at redhat.com (Simo Sorce)
Date: Thu, 30 Jun 2016 10:43:00 -0400
Subject: [Freeipa-users] Best practices on enrolling existing hosts.
In-Reply-To:
References:
Message-ID: <1467297780.3121.63.camel@redhat.com>

On Thu, 2016-06-30 at 10:32 -0400, Danila Ladner wrote:
> Hello folks.
> What are the best practices on enrolling existing hosts in infrastructure
> into FreeIPA
> What do we do with local users which are present on the hosts and overlap
> with users in FreeIPA, should we remove local users? What happens to the
> files, directories owned by them? Is it usually a manual process?

It is usually a manual process as host by host you need to determine if
the local user is actually the same user in the central system or
another user by the same name.
In latest FreeIPA we have ID Views, which allows you to remap posix
attributes (including name, uidnumber and gidnumber) exactly for cases
like this where pre-existing users may have incompatible naming or
numbering attributes/schemes.

> I was thinking creating some salt states since we have around 800 hosts to
> remove local accounts, just not sure how I can remap files and directories
> to be owned by ipa users, IPA users have same usernames but apparently
> different GIDs and UIDs.
> Would be useful to hear some insights on what folks do in the
> implementation process.

In this case the admin would manually (or script) create a view for a
(group of) machine(s) and load the overrides in the ID View, and then
apply the ID View to the machine(s)

Docs here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/id-views.html

Also here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/id-views.html
note that ID Views are not confined just to AD trust environments, this
second doc is just to have a wider view of the feature.

HTH,
Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rob.verduijn at gmail.com Thu Jun 30 14:45:09 2016
From: rob.verduijn at gmail.com (Rob Verduijn)
Date: Thu, 30 Jun 2016 16:45:09 +0200
Subject: [Freeipa-users] what is the best way to create a search account
In-Reply-To: <20160630115925.GB1478857@mother.pipebreaker.pl>
References: <20160630115925.GB1478857@mother.pipebreaker.pl>
Message-ID:

thanx

2016-06-30 13:59 GMT+02:00 Tomasz Torcz:

> On Thu, Jun 30, 2016 at 01:22:34PM +0200, Rob Verduijn wrote:
> > Hello,
> >
> >
> > What would be the most appropriate way to create a search account so
> that a
> > third party tool (wildfly) can use it to search the ipa domain for
> > credentials ?
>
> I guess http://www.freeipa.org/page/HowTo/LDAP#System_Accounts
>
>
> --
> Tomasz Torcz                 "Funeral in the morning, IDE hacking
> xmpp: zdzichubg at chrome.pl    in the afternoon and evening." - Alan Cox
>

From peljasz at yahoo.co.uk Thu Jun 30 14:56:58 2016
From: peljasz at yahoo.co.uk (lejeczek)
Date: Thu, 30 Jun 2016 15:56:58 +0100
Subject: [Freeipa-users] how to make fIPA stick to only...
Message-ID:

... its own FQHN and its IP ?

hi users,

I'm fiddling with rewrites but being an amateur cannot figure it out, it's on a multi/home-IP box.
Is it possible?

many thanks,
L.

From frenaud at redhat.com Thu Jun 30 15:25:31 2016
From: frenaud at redhat.com (Florence Blanc-Renaud)
Date: Thu, 30 Jun 2016 17:25:31 +0200
Subject: [Freeipa-users] Where should the CA Location
In-Reply-To:
References:
Message-ID: <05a64751-cca7-3d8e-d1bb-042538ee92d2@redhat.com>

Hi,

it looks like the NSS db for slapd-ABX-com does not contain the full cert chain. You can run
certutil -L -d /etc/dirsv/slapd-ABX-com
and check if there is a certificate for your issuer, and if it has the C,, flags at least.

For instance, in my setup I am using ca2/server certificate for slapd, and this certificate was issued by ca2:

$ certutil -L -d /etc/dirsrv/slapd-xxx

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca2/server                                                   u,u,u
ca2                                                          C,,

Flo.

On 06/29/2016 12:26 PM, barrykfl at gmail.com wrote:
> It is 3.0 version cannot use those commands.
>
> 2016-06-25 2:06 GMT+08:00 Florence Blanc-Renaud:
>
>     Hi
>
>     Disclaimer: I'm new on this mailing list but willing to share
>     experience :)
>
>     Did you use "ipa-cacert-manage install -t C,," to install your
>     external CA certificate?
>     This command copies the certificate in
>     cn=certificates,cn=ipa,cn=etc,dc=xxx
>
>     After this, you can use ipa-certupdate which will put the CA cert in
>     all the needed NSS databases and update the nickname where needed.
>
>     Flo.
>
>
>     On 06/23/2016 04:54 AM, barrykfl at gmail.com wrote:
>
>         Hi :
>
>         I renew External CA cert below ...seem server-cert ok.
>
>         But ca CERT FAIL..
>         I ALREADY PASTE ON
>         /etc/httpd/alias
>         /etc/dirsrv/slapd-PKI-IPA
>         /etc/dirsv/slapd-ABX-com
>         /var/lib/pki-ca/alias 's CA conf
>
>         any idea?
>
>         ABX-COM...[23/Jun/2016:10:42:32 +0800] - SSL alert:
>         CERT_VerifyCertificateNow: verify certificate failed for cert
>         Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
>         Portable
>         Runtime error -8179 - Peer's Certificate issuer is not recognized.)
>
>

From joannadelaporte at gmail.com Thu Jun 30 15:30:07 2016
From: joannadelaporte at gmail.com (Joanna Delaporte)
Date: Thu, 30 Jun 2016 10:30:07 -0500
Subject: [Freeipa-users] Fwd: How to migrate users with md5 and sha512 passwords
In-Reply-To:
References: <57751BC1.3000701@redhat.com>
Message-ID:

My first time posting. I didn't realize I needed to reply-all to include the group. Oops!

---------- Forwarded message ----------
From: Joanna Delaporte
Date: Thu, Jun 30, 2016 at 10:21 AM
Subject: Re: [Freeipa-users] How to migrate users with md5 and sha512 passwords
To: Rob Crittenden

Hi Rob,

Thanks for the clarification on the migration being able to handle standard crypt passwords of the standard hash types. I seem to have one user that worked and one that didn't. I'm migrating about 4000 users, but I only have two users' passwords to test. The password that hasn't worked is about 20 chars long in cleartext. Do you know if there is a character length limit for the passwords?
Today I'll be deleting and re-adding those two users a few times while I try to figure out what I am missing. What is the best way to make sure the client has an updated password accessible to sssd? I looked through the RHEL 7 Domain Identity, Auth, and Policy Guide and didn't find a recommended procedure for refreshing sssd cache. Should I restart the sssd service on the IPA client when I delete/readd a user with a crypt password? I do have sshd set with ChallengeResponseAuthentication yes.

Thanks!
Joanna

On Thu, Jun 30, 2016 at 8:16 AM, Rob Crittenden wrote:

> Joanna Delaporte wrote:
>
>> I am migrating an NIS domain to IPA. I have attempted to follow the
>> instructions
>>
>> for
>> NIS account crypted password migration, but I haven't yet successfully
>> used password authentication to log in to remote machines.
>>
>> The instructions expect I would migrate DES-encrypted passwords, but I
>> have a mixture of md5 and sha512-encrypted passwords. Do I need to
>> follow a different process, or am I chasing the wrong problem?
>>
>> This is my first IPA realm.
>>
>
> If you have crypt-compatible passwords ($6$) then just pass
> it in as {crypt}$6$... and it should work fine.
>
> You can ONLY set a pre-hashed password in migration mode AND when adding
> the user. You can't add the user then set a hashed password.
>
> rob
>
>

--
Joanna Delaporte
Linux Systems Administrator | Parkland College
joannadelaporte at gmail.com

From christophe.trefois at uni.lu Thu Jun 30 15:56:56 2016
From: christophe.trefois at uni.lu (Christophe TREFOIS)
Date: Thu, 30 Jun 2016 15:56:56 +0000
Subject: [Freeipa-users] SRV records?
Message-ID: <6E154351-84D2-4D32-B5D4-91A1977CEDC1@uni.lu>

Hi,

I am getting a bit confused about what is possible / advised to do and how to setup SRV records for our existing setup.
Currently, it looks like this:

ipa1.domain.ltd
ipa2.domain.ltd
ipa3.domain.ltd

I believe the installed domain and realm is domain.ltd (we added some other realm domains later on).

And we use ipa1 for external user access, ipa2 for services, and ipa3 for backup (not accessed directly).

We now want to create SRV records for this setup. How would they look like?

The problem I have is that domain.ltd is also the university's AD domain and, according to the docs, it is not recommended to do this, in any fashion.

Would it be however, feasible, to do this via a FreeIPA-FreeIPA migration?

Could you please share any piece of information, or advice on this?

Thank you so much,

Christophe

From frenaud at redhat.com Thu Jun 30 16:01:27 2016
From: frenaud at redhat.com (Florence Blanc-Renaud)
Date: Thu, 30 Jun 2016 18:01:27 +0200
Subject: [Freeipa-users] How to reinstall the ca or the dogtag system
In-Reply-To:
References:
Message-ID:

Hi,

the message "LDAP Server Down" seems to indicate that the LDAP server is not started. You can restart it using:
systemctl restart dirsrv at REALM.service

Flo.

On 06/29/2016 03:58 AM, Barry wrote:
> Hi:
>
> Errors occur ...cert ni problem ..seem ca error and cannot tract cert.
> thx
>
> ipa-replica-prepare c03.abc.com --ip-address
> 192.168.1.73
> Directory Manager (existing master) password:
>
> preparation of replica failed: cannot connect to
> u'ldapi://%2fvar%2frun%2fslapd-WISERS-COM.socket': LDAP Server Down
> cannot connect to u'ldapi://%2fvar%2frun%2fslapd-ABC.COM.socket': LDAP
> Server Down
> File "/usr/sbin/ipa-replica-prepare", line 490, in
> main()
>
> File "/usr/sbin/ipa-replica-prepare", line 274, in main
> conn.connect(bind_dn=DN(('cn', 'directory manager')),
> bind_pw=dirman_password)
>
> File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in
> connect
> conn = self.create_connection(*args, **kw)
>
> File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py",
> line 846, in create_connection
> self.handle_errors(e)
>
> File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py",
> line 736, in handle_errors
> error=u'LDAP Server Down')
>
> [root at central ~]# ipa-replica-prepare central03.wisers.com
> --ip-address 192.168.1.73
> Directory Manager (existing master) password:
>
> preparation of replica failed: cannot connect to
> u'ldapi://%2fvar%2frun%2fslapd-ABC.COM.socket': LDAP Server Down
> cannot connect to u'ldapi://%2fvar%2frun%2fslapd-ABC-COM.socket': LDAP
> Server Down
> File "/usr/sbin/ipa-replica-prepare", line 490, in
> main()
>
> File "/usr/sbin/ipa-replica-prepare", line 274, in main
> conn.connect(bind_dn=DN(('cn', 'directory manager')),
> bind_pw=dirman_password)
>
> File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in
> connect
> conn = self.create_connection(*args, **kw)
>
> File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py",
> line 846, in create_connection
> self.handle_errors(e)
>
> File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py",
> line 736, in handle_errors
> error=u'LDAP Server Down')
>
>

From lslebodn at redhat.com Thu Jun 30 16:16:37 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Thu, 30 Jun 2016 18:16:37 +0200
Subject: [Freeipa-users] FreeIPAv3 and SSSD // Disable automatic Kerberos authentication
In-Reply-To: <20160630133803.GG26752@p.Speedport_W_724V_Typ_A_05011603_00_009>
References: <9021_1467191088_57738F30_9021_630_2_E7B3C528368E954BA40BD6EB6827CE420A5EF4@OPEXCLILM21.corporate.adroot.infra.ftgroup> <20160630133803.GG26752@p.Speedport_W_724V_Typ_A_05011603_00_009>
Message-ID: <20160630161636.GD18449@10.4.128.1>

On (30/06/16 15:38), Sumit Bose wrote:
>On Wed, Jun 29, 2016 at 09:04:47AM +0000, tstorai.ext at orange.com wrote:
>> Hello,
>>
>> We are using FreeIPAv3 with SSSD with Hortonworks Cluster :
>>
>> - ipa-admintools-3.0.0-47
>>
>> - ipa-client-3.0.0-47
>>
>> - sssd-ipa-1.11.6-30
>>
>>
>> According to the following documentation, our users are automatically authenticated to Kerberos at every login :
>> https://www.freeipa.org/page/Kerberos
>> "When SSSD project is used, the ticket is get for a user automatically as he authenticates to client machine."
>>
>> It's working pretty well but some of our users are using nominative accounts for ssh connection then access to Hadoop with an applicative keytab...
>> We agree that we have to perform a kinit at every connection but when these users work on several sessions they lose the applicative account ticket :(
>
>If you use credential cache collections (type DIR: or KEYTAB:) SSSD
According to versions of sssd, it looks like el6.
And KEYRING collection ccache is not on el6.
I'm not sure about DIR collection ccache.

>would only update the individual cache matching the user principal
>stored in IPA. The caches for other principals would persist. But if the
>principal in the applicative keytab is from the same Kerberos realm you
>still might need to use the 'kswitch' command to set the primary
>principal. But it should be sufficient to call it only once because the
>information is stored in the collection and not overwritten by SSSD.
>
>If this does not work the affected users can add something like:
>
> export KRB5CCNAME=$HOME/my_cc_cache
                     ^
Is FILE: considered as default or does it need to be
written as well for KRB5CCNAME

LS

From simo at redhat.com Thu Jun 30 16:20:23 2016
From: simo at redhat.com (Simo Sorce)
Date: Thu, 30 Jun 2016 12:20:23 -0400
Subject: [Freeipa-users] FreeIPAv3 and SSSD // Disable automatic Kerberos authentication
In-Reply-To: <20160630161636.GD18449@10.4.128.1>
References: <9021_1467191088_57738F30_9021_630_2_E7B3C528368E954BA40BD6EB6827CE420A5EF4@OPEXCLILM21.corporate.adroot.infra.ftgroup> <20160630133803.GG26752@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160630161636.GD18449@10.4.128.1>
Message-ID: <1467303623.3121.70.camel@redhat.com>

On Thu, 2016-06-30 at 18:16 +0200, Lukas Slebodnik wrote:
> On (30/06/16 15:38), Sumit Bose wrote:
> >On Wed, Jun 29, 2016 at 09:04:47AM +0000, tstorai.ext at orange.com wrote:
> >> Hello,
> >>
> >> We are using FreeIPAv3 with SSSD with Hortonworks Cluster :
> >>
> >> - ipa-admintools-3.0.0-47
> >>
> >> - ipa-client-3.0.0-47
> >>
> >> - sssd-ipa-1.11.6-30
> >>
> >>
> >> According to the following documentation, our users are automatically authenticated to Kerberos at every login :
> >> https://www.freeipa.org/page/Kerberos
> >> "When SSSD project is used, the ticket is get for a user automatically as he authenticates to client machine."
> >>
> >> It's working pretty well but some of our users are using nominative accounts for ssh connection then access to Hadoop with an applicative keytab...
> >> We agree that we have to perform a kinit at every connection but when these users work on several sessions they lose the applicative account ticket :(
> >
> >If you use credential cache collections (type DIR: or KEYTAB:) SSSD
> According to versions of sssd, it looks like el6.
> And KEYRING collection ccache is not on el6.
> I'm not sure about DIR collection ccache.

Correct, RHEL6 has no support for keyring ccaches, only RHEL7.
> >would only update the individual cache matching the user principal
> >stored in IPA. The caches for other principals would persist. But if the
> >principal in the applicative keytab is from the same Kerberos realm you
> >still might need to use the 'kswitch' command to set the primary
> >principal. But it should be sufficient to call it only once because the
> >information is stored in the collection and not overwritten by SSSD.
> >
> >If this does not work the affected users can add something like:
> >
> > export KRB5CCNAME=$HOME/my_cc_cache
>                      ^
> Is FILE: considered as default or does it need to be
> written as well for KRB5CCNAME

If no ccache type is specified the krb5 libs default to the FILE ccache type.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From jhrozek at redhat.com Thu Jun 30 16:25:02 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 30 Jun 2016 18:25:02 +0200
Subject: [Freeipa-users] FreeIPAv3 and SSSD // Disable automatic Kerberos authentication
In-Reply-To: <20160630161636.GD18449@10.4.128.1>
References: <9021_1467191088_57738F30_9021_630_2_E7B3C528368E954BA40BD6EB6827CE420A5EF4@OPEXCLILM21.corporate.adroot.infra.ftgroup> <20160630133803.GG26752@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160630161636.GD18449@10.4.128.1>
Message-ID: <20160630162502.GX2228@hendrix>

On Thu, Jun 30, 2016 at 06:16:37PM +0200, Lukas Slebodnik wrote:
> On (30/06/16 15:38), Sumit Bose wrote:
> >On Wed, Jun 29, 2016 at 09:04:47AM +0000, tstorai.ext at orange.com wrote:
> >> Hello,
> >>
> >> We are using FreeIPAv3 with SSSD with Hortonworks Cluster :
> >>
> >> - ipa-admintools-3.0.0-47
> >>
> >> - ipa-client-3.0.0-47
> >>
> >> - sssd-ipa-1.11.6-30
> >>
> >>
> >> According to the following documentation, our users are automatically authenticated to Kerberos at every login :
> >> https://www.freeipa.org/page/Kerberos
> >> "When SSSD project is used, the ticket is get for a user automatically as he authenticates to client machine."
> >>
> >> It's working pretty well but some of our users are using nominative accounts for ssh connection then access to Hadoop with an applicative keytab...
> >> We agree that we have to perform a kinit at every connection but when these users work on several sessions they lose the applicative account ticket :(
> >
> >If you use credential cache collections (type DIR: or KEYTAB:) SSSD
> According to versions of sssd, it looks like el6.
> And KEYRING collection ccache is not on el6.
> I'm not sure about DIR collection ccache.

It is there, but it was never formally tested and there might be bugs.
Also, I'm not sure about /run on RHEL-6, you might want to manually
specify another directory for the DIR cache (DIR:/tmp?)

From joannadelaporte at gmail.com Thu Jun 30 17:00:13 2016
From: joannadelaporte at gmail.com (Joanna Delaporte)
Date: Thu, 30 Jun 2016 12:00:13 -0500
Subject: [Freeipa-users] How to migrate users with md5 and sha512 passwords
In-Reply-To: <57751BC1.3000701@redhat.com>
References: <57751BC1.3000701@redhat.com>
Message-ID:

I figured it out. The problem was the user's UID being too low.

In the client's /var/log/secure log, I found this:

sshd[25010]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "user1"

The user that was failing to authenticate via password had a UID lower than 1000. When I allowed IPA to set a random UID, the login with migrated password worked (although it didn't prompt to reset password for this user and I'm still figuring out NFSv4 access for users). The NIS domain I am migrating from is several years old, from the era when it was normal to have users start in the 500s. So, I need to migrate UIDs simultaneously.

On Thu, Jun 30, 2016 at 8:16 AM, Rob Crittenden wrote:

> Joanna Delaporte wrote:
>
>> I am migrating an NIS domain to IPA.
>> I have attempted to follow the instructions
>> for NIS account crypted password migration, but I haven't yet successfully
>> used password authentication to log in to remote machines.
>>
>> The instructions expect I would migrate DES-encrypted passwords, but I
>> have a mixture of md5 and sha512-encrypted passwords. Do I need to
>> follow a different process, or am I chasing the wrong problem?
>>
>> This is my first IPA realm.
>>
>
> If you have crypt-compatible passwords ($6$) then just pass
> it in as {crypt}$6$... and it should work fine.
>
> You can ONLY set a pre-hashed password in migration mode AND when adding
> the user. You can't add the user then set a hashed password.
>
> rob
>

--
Joanna Delaporte
Linux Systems Administrator | Parkland College
joannadelaporte at gmail.com

From pgb205 at yahoo.com Thu Jun 30 18:21:04 2016
From: pgb205 at yahoo.com (pgb205)
Date: Thu, 30 Jun 2016 18:21:04 +0000 (UTC)
Subject: [Freeipa-users] ipa trust-fetch-domains failing.
References: <193259965.1531799.1467310864326.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <193259965.1531799.1467310864326.JavaMail.yahoo@mail.yahoo.com>

Ben, do you mind sharing your solution as I am affected by the exact same error when fetching AD domains.

thanks

On Sat, Apr 30, 2016 at 9:16 AM, Ben .T.George wrote:

when i am running ipa trust-fetch-domains "kwttestdc.com.kw", i am getting below error in error_log

[Sat Apr 30 09:14:25.107449 2016] [:error] [pid 2666] ipa: ERROR: Failed to call com.redhat.idm.trust.fetch_domains helper.DBus exception is org.freedesktop.DBus.Error.NoReply: Did not receive a reply.
Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken..
[Sat Apr 30 09:14:25.108353 2016] [:error] [pid 2666] ipa: INFO: [jsonserver_session] admin IDM LOCAL: trust_fetch_domains(u'kwttestdc.com.kw', rights=False, all=False, raw=False, version=u'2.156'): ServerCommandError

On Sat, Apr 30, 2016 at 12:00 AM, Ben .T.George wrote:

Hi

Anyone please help me to fix this issue. i have created new group in AD (4 hours back) and while i was mapping this group as --external, i am getting below error.

[root freeipa sysctl.d]# ipa group-add --external ad_admins_external --desc "KWTTESTDC.com.KW AD Administrators-External"
----------------------------------
Added group "ad_admins_external"
----------------------------------
  Group name: ad_admins_external
  Description: KWTTESTDC.com.KW AD Administrators-External
[root freeipa sysctl.d]# ipa group-add-member ad_admins_external --external "KWTTESTDC\test admins"
[member user]:
[member group]:
  Group name: ad_admins_external
  Description: KWTTESTDC.com.KW AD Administrators-External
  Failed members:
    member user:
    member group: KWTTESTDC\test admins: Cannot find specified domain or server name
-------------------------
Number of members added 0
-------------------------

On Fri, Apr 29, 2016 at 4:41 PM, Ben .T.George wrote:

Hi

while issuing ipa trust-fetch-domains, i am getting below error. i have created new security group in AD and i want to add this to external group.

[root freeipa ~]# ipa trust-fetch-domains "kwttestdc.com.kw"
ipa: ERROR: error on server 'freeipa.idm.local': Fetching domains from trusted forest failed. See details in the error_log

help me to fix/explain more about this error

Regards
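Returning to Joanna's password-migration thread further up: Rob's answer there is that a crypt-compatible hash is passed in as {crypt}$6$... and is only accepted in migration mode at the moment the user is added, and Joanna later found that a client PAM stack with pam_succeed_if "uid >= 1000" rejects migrated users with low UIDs. The following is an added example that ties those two checks together; it is not code from the thread's authors or from FreeIPA. It classifies shadow(5) hash fields (md5 $1$, sha256 $5$, sha512 $6$, legacy 13-character DES), builds the userPassword value for the users that can be migrated pre-hashed, skips locked accounts, and flags UIDs below the threshold seen in Joanna's log. All user names, hashes and UIDs below are constructed placeholders, and the 1000 threshold is the one from that log line, not a FreeIPA constant.

```python
"""Plan a crypt(3) password migration from NIS/shadow into IPA.

Added example, not code from FreeIPA or from the thread's authors. The
sample passwd/shadow records are constructed; the hash strings are
placeholders of the right shape, not real credentials.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Modular crypt format prefixes for the schemes Joanna mentions. DES is the
# legacy 13-character form with no prefix.
CRYPT_SCHEMES = {"$1$": "md5", "$5$": "sha256", "$6$": "sha512"}
MCF_RE = re.compile(r"^\$(1|5|6)\$(?:rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]+$")
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


@dataclass
class MigrationEntry:
    name: str
    scheme: Optional[str]          # md5 / sha256 / sha512 / des, None if unusable
    user_password: Optional[str]   # "{crypt}<hash>" to supply at user-add time, or None
    note: str
    uid: Optional[int] = None


def classify_hash(field: str) -> Optional[str]:
    """Return the crypt(3) scheme of a shadow password field, or None when
    the account is locked ('!' or '*') or the field is not a crypt(3) hash."""
    if not field or field[0] in "!*":
        return None
    for prefix, scheme in CRYPT_SCHEMES.items():
        if field.startswith(prefix):
            return scheme if MCF_RE.match(field) else None
    return "des" if DES_RE.match(field) else None


def shadow_to_entry(shadow_line: str) -> MigrationEntry:
    """Turn one shadow(5) record (name:hash:...) into a migration decision."""
    parts = shadow_line.rstrip("\n").split(":")
    if len(parts) < 2 or not parts[0]:
        raise ValueError(f"malformed shadow record: {shadow_line!r}")
    name, field = parts[0], parts[1]
    scheme = classify_hash(field)
    if scheme is None:
        return MigrationEntry(name, None, None,
                              "locked or non-crypt hash: add without password, reset afterwards")
    # Rob's rule: the pre-hashed value is only accepted when the user is added
    # while migration mode is enabled, never on a later password change.
    return MigrationEntry(name, scheme, "{crypt}" + field,
                          "pre-hashed value usable only at user-add time in migration mode")


def plan_migration(passwd_text: str, shadow_text: str,
                   min_uid: int = 1000) -> List[MigrationEntry]:
    """Join passwd and shadow by user name and annotate each entry.

    min_uid mirrors the pam_succeed_if "uid >= 1000" requirement Joanna hit on
    her client; users below it authenticate but are refused by that PAM line."""
    uids = {}
    for line in passwd_text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            uids[fields[0]] = int(fields[2])
    entries = []
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        entry = shadow_to_entry(line)
        entry.uid = uids.get(entry.name)
        if entry.uid is not None and entry.uid < min_uid:
            entry.note += f"; uid {entry.uid} < {min_uid}, migrate the UID too"
        entries.append(entry)
    return entries


# Constructed sample input: three NIS-era accounts, one of them locked.
SAMPLE_PASSWD = (
    "user1:x:512:512:Legacy NIS user:/home/user1:/bin/bash\n"
    "user2:x:1203:1203:Newer user:/home/user2:/bin/bash\n"
    "svc:x:1300:1300:Service account:/var/lib/svc:/sbin/nologin\n"
)
SAMPLE_SHADOW = "\n".join([
    "user1:$6$saltsalt$" + "h" * 86 + ":16954:0:99999:7:::",   # sha512, low uid
    "user2:$1$abcdefgh$" + "m" * 22 + ":16954:0:99999:7:::",   # md5
    "svc:!!:16954:0:99999:7:::",                               # locked
])

if __name__ == "__main__":
    for e in plan_migration(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{e.name:<8} uid={e.uid!s:<6} scheme={e.scheme!s:<8} {e.note}")
```

The output of plan_migration is the input for whatever adds the users (an LDAP add with userPassword set while migration mode is enabled, as Rob describes); the example stops short of emitting LDIF because shadow and passwd alone do not carry the attributes an IPA user entry needs.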
From mitra.dehghan at gmail.com Thu Jun 30 19:34:19 2016
From: mitra.dehghan at gmail.com (Mitra Dehghan)
Date: Fri, 1 Jul 2016 00:04:19 +0430
Subject: [Freeipa-users] How to give directory permissions on a specific client to FreeIPA users.
In-Reply-To:
References:
Message-ID:

Dear Christian

Thanks for your explanation about shell builtin. I changed directory permissions and now it works!

Mitra

On Tue, Jun 28, 2016 at 4:17 PM, Christian Heimes wrote:
> On 2016-06-28 09:08, Mitra Dehghan wrote:
> >
> > Hello,
> >
> > I want to know how can I give directory permissions on a client to a
> > domain user in FreeIPA.
> >
> > I'm using "runasuser" feature in sudo policy to give my domain users
> > permission to run local services on client.
> >
> > Here is an example:
> > I have a service on my client called "abc" located at "/home/abc/" and
> > locally run by local user called "abc"
> >
> > I have used runasuser feature in sudo policy rules to let domain users
> > (say: usr at mydomain.dc) run the service. usr can run scripts, read
> > and edit files and stop/start services, using abc's permissions and
> > without any problem.
> >
> > But the problem I have faced is, when I want "usr" to traverse
> > subdirectories under "/home/abc/" it doesn't work.
> > I have defined sudocmd for cd command and added it as allow-command to
> > appropriate sudorule. my sudocmd definitions are like this:
> >
> > ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/n/'
> > ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/m/'
> > ipa sudocmd-add --desc="ttttttt" 'cd /home/abc/n/q/'
>
> cd is a builtin command of your shell. It has to be because it changes
> the current working directory of the shell's process. sudo doesn't work for
> shell builtins. You have to find another way to accomplish your task.
>
> By the way, are you familiar with how r, w, x work for directories?
> 'r' is used
> for listing the content of a directory, 'w' for creating/removing files
> (except for +t directories) and 'x' is used to check if a user is
> allowed to enter a directory. You can allow users to enter a directory
> w/o actually seeing its content.
>
> Christian
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

--
m-dehghan

From joannadelaporte at gmail.com Thu Jun 30 19:47:59 2016
From: joannadelaporte at gmail.com (Joanna Delaporte)
Date: Thu, 30 Jun 2016 14:47:59 -0500
Subject: [Freeipa-users] IPA and NFSv4 with krb5 security
Message-ID:

I need some pointers for getting NFSv4 to use krb5 authorization in my IPA realm.

My realm is new. I have just migrated some users from an NIS domain to the IPA realm. The numerical UIDs and GIDs do not all match. I set up NFS server and client, and automaps using the recommended methods in the RHEL 7 Storage and Domain Auth/Policy guides.

In the exports file on the nfsserver, as long as I have sec=krb5p:krb5i:krb5:sys in my options, I can successfully automount. However, when I remove sys, I no longer am able to mount. I have root_squash set.

Automount hangs when I restart it, while trying to mount the first NFS directory.

If I try to mount on the command line, I get this:
root$ mount -t nfs4 -o rw,sec=krb5,vers=4.0 arcturus:/ /mnt
mount.nfs4: access denied by server while mounting arcturus:/

If I take out sec=krb5, it works. It just rolls back to sec=sys (confirmed with mountstats).

I am not seeing anything related to the mount attempts on the nfsserver logs, but I'm not sure I am looking in the right logs.

I don't see anything happening in the ipaserver's krb5kdc.log, or httpd error or access logs.

What am I missing?

Thanks!
Joanna

--
Joanna Delaporte
Linux Systems Administrator | Parkland College
joannadelaporte at gmail.com

From piolet.y at gmail.com Thu Jun 30 20:05:18 2016
From: piolet.y at gmail.com (Youenn PIOLET)
Date: Thu, 30 Jun 2016 22:05:18 +0200
Subject: [Freeipa-users] IPA and NFSv4 with krb5 security
In-Reply-To:
References:
Message-ID:

Hi,

First questions (sorry if it's obvious):
- Do you have a valid token on the client? (obtained with kinit)
- Did you import the keytab for NFS service on the server?
- Did you put "domain = yourdomain.tld" in your NFS server config file? On your client?
- Depending on your (ipa? nfs?) version you may have to enable weak crypto (I saw this everywhere but never had to do it for a reason I still ignore)

I'm far from being the most informed person on this list, but I think these may be the first things to check.

Hope this helps,
Regards

--
Youenn Piolet
piolet.y at gmail.com

2016-06-30 21:47 GMT+02:00 Joanna Delaporte :
> I need some pointers for getting NFSv4 to use krb5 authorization in my IPA
> realm.
>
> My realm is new. I have just migrated some users from an NIS domain to the
> IPA realm. The numerical UIDs and GIDs do not all match. I set up NFS
> server and client, and automaps using the recommended methods in the RHEL 7
> Storage and Domain Auth/Policy guides.
>
> In the exports file on the nfsserver, as long as I
> have sec=krb5p:krb5i:krb5:sys in my options, I can successfully automount.
> However, when I remove sys, I no longer am able to mount. I have
> root_squash set.
>
> Automount hangs when I restart it, while trying to mount the first NFS
> directory.
>
> If I try to mount on the command line, I get this:
> root$ mount -t nfs4 -o rw,sec=krb5,vers=4.0 arcturus:/ /mnt
> mount.nfs4: access denied by server while mounting arcturus:/
>
> If I take out sec=krb5, it works. It just rolls back to sec=sys (confirmed
> with mountstats).
> I am not seeing anything related to the mount attempts on the nfsserver
> logs, but I'm not sure I am looking in the right logs.
>
> I don't see anything happening in the ipaserver's krb5kdc.log, or httpd
> error or access logs.
>
> What am I missing?
>
> Thanks!
> Joanna
>
> --
> Joanna Delaporte
> Linux Systems Administrator | Parkland College
> joannadelaporte at gmail.com
>
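Youenn's checklist covers the client and keytab side. One server-side check that complements it, given what Joanna observed (with sys still in the sec= list the mount "just rolls back to sec=sys", so the Kerberos problem is masked rather than fixed), is an audit of /etc/exports for exports that still accept sec=sys. The following is an added example, not code from the thread's authors or from nfs-utils. It parses exports(5)-style text, including backslash continuations, comments, and the "(opts)" form with no host name that exports to every client, reports which export/client pairs accept sys, and produces a copy of the file with sys dropped from every sec= list that also offers a Kerberos flavor. The exports text, paths and host names in it are constructed.

```python
"""Audit /etc/exports for the sec=sys fallback.

Added example, not from nfs-utils or the thread's authors. The sample
exports content is constructed.
"""
import re
import shlex
from dataclasses import dataclass
from typing import List

# "host(opts)", "host" or "(opts)"; the last form has an empty host, which
# exportfs treats as every host (it warns "No host name given ... suggest *").
CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


@dataclass
class ExportClient:
    path: str
    client: str
    options: List[str]
    sec: List[str]          # flavors in the order the server offers them

    @property
    def allows_sys(self) -> bool:
        return "sys" in self.sec


def _logical_lines(text: str) -> List[str]:
    """Join backslash continuations and drop comments and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(buf.strip())
        buf = ""
    if buf.strip():
        out.append(buf.strip())
    return out


def parse_exports(text: str) -> List[ExportClient]:
    entries = []
    for line in _logical_lines(text):
        tokens = shlex.split(line)          # quoted paths with spaces stay whole
        path, client_specs = tokens[0], tokens[1:]
        for spec in client_specs:
            m = CLIENT_RE.match(spec)
            if not m:
                raise ValueError(f"cannot parse client spec {spec!r} for {path}")
            host = m.group(1) or "*"
            options = [o for o in (m.group(2) or "").split(",") if o]
            sec = ["sys"]                   # exports(5): sys is the default flavor
            for opt in options:
                if opt.startswith("sec="):
                    sec = opt[len("sec="):].split(":")
            entries.append(ExportClient(path, host, options, sec))
    return entries


def exports_allowing_sys(text: str) -> List[ExportClient]:
    return [e for e in parse_exports(text) if e.allows_sys]


def drop_sys_flavor(text: str) -> str:
    """Remove 'sys' from every explicit sec= list that also offers another
    flavor. Exports with no sec= at all are left untouched on purpose: they
    show up in the report so the admin decides, instead of being rewritten."""
    def fix(m):
        flavors = [f for f in m.group(1).split(":") if f and f != "sys"]
        return "sec=" + ":".join(flavors) if flavors else m.group(0)
    return re.sub(r"sec=([A-Za-z0-9:]+)", fix, text)


def report(text: str) -> List[str]:
    """One audit line per export/client pair."""
    out = []
    for e in parse_exports(text):
        verdict = "ACCEPTS sys (client may silently fall back)" if e.allows_sys else "krb5 only"
        out.append(f"{e.path:<12} {e.client:<24} sec={':'.join(e.sec):<22} {verdict}")
    return out


# Constructed sample: one export with the sys fallback Joanna described, one
# krb5-only export on a continued line, and one export with no host and no sec=.
SAMPLE_EXPORTS = (
    "# constructed sample, not a real server's /etc/exports\n"
    "/srv/home   client1.example.test(rw,sync,sec=krb5p:krb5i:krb5:sys,root_squash)\n"
    "/srv/data   *.example.test(rw,sync,sec=krb5p:krb5i:krb5) \\\n"
    "            admin.example.test(rw,no_root_squash,sec=krb5p)\n"
    "/srv/pub    (ro,sync)   # no host and no sec=: world-readable over sys\n"
)

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EXPORTS)))
    print("\n-- after drop_sys_flavor --")
    print("\n".join(report(drop_sys_flavor(SAMPLE_EXPORTS))))
```

Removing sys from the list does not by itself make the Kerberos mount work; it only stops the silent fallback, so the "access denied by server" failure becomes visible on every client and the keytab, idmapd Domain and ticket checks from Youenn's list can be worked through with a clear signal.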